Configuring LDAP

This is just a test. It is AOC specific. The eventual goal is to provide a unified usernamespace accross NRAO sites in the UNIX environment. LDAP may be able to do this with the referral ObjectClass.

Notes
Configure Client
Configure Server
Populate Directory

Notes

To find the base dn of your ldap database
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
To dump the entire directory nisMapName=auto_users
ldapsearch -x -b 'dc=aoc,dc=nrao,dc=edu' -z 0 '(objectclass=*)'
To lookup a specific user (use -C to chase referrals)
ldapsearch -x -b 'ou=People,dc=aoc,dc=nrao,dc=edu' -z 0 '(uid=krowe)'
ldap is apparently case-insensitive. rpc is Rpc is rPC

if you don't want people to see the encrypted passwd add the following to /etc/openldap/slapd.conf

  access to dn=".*,dc=aoc,dc=nrao,dc=edu" attr=userPassword
      by self write
      by * auth

  access to dn=".*,dc=aoc,dc=nrao,dc=edu"
      by * read

by using ldap instead of NIS we loose netgroups. This will break things like /etc/exports.
The current method of just running the Makefile periodicly has problems. The process wipes the database and rebuilds it from flat files. During this time, some information is unavailable. For example, I cannot finger users while the passwd database is being rebuilt. A better solution is necessary. I would still like to use ldapmodrdn to build a tmp database and then switch in one swell (hopefully atomic) foop.
The make process is also very slow, taking upwards of 27 minutes for a full rebuild.

Configure Client

Here are all the changes that need to be made to a Red Hat 9 client in order to bind to our test ldap server.

/etc/nsswitch.conf: replace "nis" with "ldap" except for hosts which should be "files dns"
/etc/ldap.conf: host ldap.aoc.nrao.edu; base dc=aoc,dc=nrao,dc=edu
/etc/openldap/ldap.conf: HOST ldap.aoc.nrao.edu; BASE dc=aoc,dc=nrao,dc=edu
/etc/auto.master: /users ldap:ldap.aoc.nrao.edu:nisMapName=auto.users,dc=aoc,dc=nrao,dc=edu --timeout 300; /home ldap:ldap.aoc.nrao.edu:nisMapName=auto.home,dc=aoc,dc=nrao,dc=edu --timeout 300; /DATA ldap:ldap.aoc.nrao.edu:nisMapName=auto.DATA,dc=aoc,dc=nrao,dc=edu --timeout 300
chkconfig ypbind off

Configure Server

I exported, as root, /var/yp/etc from zia (our NIS master) to the ldap server (a linux box) read-only and mounted it as /nis_master.

redhat9 comes with the PADL scripts, in /usr/share/openlda/migration, to convert NIS files into ldif files for stuffing into ldap. I have tweaked these scripts to require the correct migrate_common.ph and a couple needed actual fixing. Place these scripts in /opt/services/ldap/bin.

Place this Makefile in /opt/services/ldap, and use it to populate the ldap directory.

Place this aoc.nrao.edu.ldif file in /opt/services/ldap/etc and edit it as appropriate. If you change the name, be sure to change the LDIF variable in the Makefile.

/etc/openldap/slapd.conf: suffix "dc=aoc,dc=nrao,dc=edu"; rootdn "cn=Manager,dc=aoc,dc=nrao,dc=edu"; rootpw secret; sizelimit 2048 # max entries returned by a search
/opt/services/ldap/bin/migrate_common.ph: $DEFAULT_MAIL_DOMAIN = "aoc.nrao.edu";; $DEFAULT_BASE = "dc=aoc,dc=nrao,dc=edu";
/etc/ldap.conf: host 127.0.0.1; base dc=aoc,dc=nrao,dc=edu
/etc/openldap/ldap.conf: HOST 127.0.0.1; BASE dc=aoc,dc=nrao,dc=edu

chkconfig --level 35 ldap on

/etc/init.d/ldap start

K. Scott Rowe