Assuming you configured your Debian system and especially apt correctly just running
apt-get install slapd ldap-utils
as root should be enough to download and install the Debian package of the OpenLDAP server and the related client tools. The installation will ask you a few questions but for our needs the defaults should be good enough. For reference the questions for my test system named "rootstrap.galaxy" and my answers are listed here:
Question (debconf priority) | Answer |
---|---|
Omit configuration (low) | no (default) |
Domain name (medium) | galaxy (default) |
Organization name (medium) | Galaxy Network |
Admin password (high) | chaiGa7u (from pwgen) |
Verify password (high) | chaiGa7u |
Remove DB on purge (low) | no |
Allow LDAPv2 protocol (medium) | no |
After installation you should be able to list the directory base and the administrator entry using
ldapsearch -x -b _base_
where base is dc=sample,dc=domain,dc=de if you passed sample.domain.de to the domain name question during slapd installation. In my case base is just dc=galaxy. Note: -x is an anonymous simple bind, so whatever this command shows is visible to anyone who can reach port 389 of your system; if that port is open to the outside, so is your directory.
Of course you can configure slapd so that this does not happen: the access directives in /etc/ldap/slapd.conf decide who may read which attributes, and slapd's -h option (for example ldap://127.0.0.1/) makes it listen on the loopback interface only. For now I'll assume that you have a firewall to configure to guard your LDAP data.
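To see what an anonymous search actually gives away, here is an added example (not part of this HOWTO or of any Debian package) that reads the LDIF printed by ldapsearch -x -LLL and reports every entry whose userPassword attribute came back, together with the hash scheme. The embedded sample LDIF and its hashes are constructed, and the host and base passed to audit_anonymous_search are assumptions; run that function from a machine outside your firewall.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: audit what an anonymous
# search exposes.  ldif_password_leaks reads LDIF as printed by
# "ldapsearch -x -LLL" on stdin and prints "<dn><TAB><hash scheme>" for
# every entry whose userPassword attribute came back.  Any output at all
# means your ACLs let anonymous clients read password hashes.
# (Continuation lines, i.e. lines starting with a space, are not joined.)

ldif_password_leaks() {
    awk '
        # every entry starts with its dn; remember it for the lines below
        /^dn: / { dn = substr($0, 5); next }

        # "attr:: value" is base64 (ldapsearch uses it for binary or
        # non-ASCII values, typically {SSHA} hashes); reported as such
        /^userPassword:: / { print dn "\tbase64 (decode to see scheme)"; next }

        /^userPassword: / {
            val = substr($0, 15)            # strip "userPassword: "
            scheme = "NONE (cleartext?)"
            close_brace = index(val, "}")
            if (substr(val, 1, 1) == "{" && close_brace > 1)
                scheme = substr(val, 2, close_brace - 2)
            if (tolower(scheme) == "crypt") {
                hash = substr(val, close_brace + 1)
                # migrationtools copies /etc/shadow hashes as {crypt}:
                # "$1$..." is MD5 crypt, 13 characters is traditional DES
                if (hash ~ /^\$1\$/)          scheme = "crypt/md5"
                else if (length(hash) == 13)  scheme = "crypt/des"
            }
            print dn "\t" scheme
        }
    '
}

# Run from a host *outside* your firewall; HOST ($1) and BASE ($2) are
# assumptions of this example.
audit_anonymous_search() {
    ldapsearch -x -LLL -H "ldap://$1/" -b "$2" | ldif_password_leaks
}

# Constructed sample output (not from a real server): the hashes below are
# made up and only follow the formats migrationtools produces.
SAMPLE_LDIF='dn: dc=galaxy
objectClass: top
objectClass: dcObject
objectClass: organization
dc: galaxy
o: Galaxy Network

dn: cn=admin,dc=galaxy
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9Zm9vYmFyYmF6cXV4cXV1eA==

dn: uid=torsten,ou=People,dc=galaxy
objectClass: posixAccount
objectClass: shadowAccount
uid: torsten
userPassword: {crypt}$1$Ab3dE7fG$k9Xv2QmZrTl1oPq8wN4yH.

dn: uid=guest,ou=People,dc=galaxy
objectClass: posixAccount
objectClass: shadowAccount
uid: guest
userPassword: {crypt}hfC2wBmLk7UvU'

# Runs the audit over the constructed sample instead of a live server.
sample_leaks() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_password_leaks
}
```

With the default Debian slapd.conf the userPassword attribute is not readable anonymously, so a correctly configured server produces no output here; the remaining attributes (account names, home directories, group membership) are still readable by anyone who can reach the port, which is what the firewall is for.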
So far the LDAP server is quite boring because there is no data in it. While you could add all your data manually you'd probably want to convert the available account information to put it into the server. For this you'll need to install another package:
apt-get install migrationtools
After this, and after checking /etc/migrationtools/migrate_common.ph (I changed $IGNORE_UID_BELOW and $IGNORE_GID_BELOW, which set the lowest UID and GID that get exported), you only need to run
```
cd /usr/share/migrationtools
ETC_SERVICES=/dev/null ETC_ALIASES=/dev/null ./migrate_all_online.sh
```
and answer some questions:
Question | Answer |
---|---|
X.500 naming context | dc=galaxy |
LDAP server hostname | localhost |
manager DN | cn=admin,dc=galaxy (default) |
bind credentials | chaiGa7u |
create DUAConfigProfile | no |
Note that converting /etc/aliases and /etc/services led to problems on my test system. The LDAP representation of /etc/aliases is not standardised yet and the schemas shipped with OpenLDAP do not support it currently. For services the problem was that there were services with the same name on different ports as well as aliases differing only in case, which stopped the migration because of duplicate entries.
I don't really think that services and protocols need to be converted to LDAP anyway. For a central list of services and protocols you can still add those few manually, and the standard services are not going to change that fast.
Converting the mail aliases is a completely different beast and depends on the mail server used, so please consult the relevant documentation if you want to do it.
For big databases you might want to migrate the data with the LDAP server offline, which is quite a bit faster. For this you need to edit /etc/migrationtools/migrate_common.ph and change at least the value of $DEFAULT_BASE (I used dc=galaxy). Also the script has a little bug in that it tries to create the top of the directory again, so you need to change the line which calls migrate_base.pl to say
```
$PERL migrate_base.pl -n > $DB
```
Now we need to tell the system to use the data in the LDAP server. For this we need another package:
apt-get install libnss-ldap
The installation asks for the server host as expected (127.0.0.1) and the search base (here: dc=galaxy). The LDAP protocol version should be 3 and the database does not require a login for our setup. As we did not give any passwords, the configuration file (/etc/libnss-ldap.conf) can be left world readable. Keep the server on 127.0.0.1 as shown (or set up TLS) because nothing in this configuration encrypts the connection: pam_ldap, installed below, authenticates each user with a simple bind that carries the password in the clear.
Now it's time to activate the LDAP functionality. I use the following settings in /etc/nsswitch.conf:
```
passwd: ldap compat
group:  ldap compat
shadow: ldap compat
```
Everything else is left untouched. The order matters: with ldap in front every lookup goes to the directory before the local files, so if slapd is unreachable even local accounts such as root are only resolved after the LDAP timeout expires. Listing compat first avoids that, at the price of one extra file lookup for accounts that only exist in LDAP.
Name lookup alone buys us almost nothing since nobody can login using the data in LDAP now. What we need for that is
apt-get install libpam-ldap
and the following answers to the debconf questions:
Question | Answer |
---|---|
Make local root db admin | yes |
DB requires login | no |
Root login account | cn=admin,dc=galaxy |
Root login passwd | chaiGa7u |
Local crypt to use | crypt |
Answering yes to the first question stores the admin password in /etc/pam_ldap.secret, which must stay readable by root only; it lets root change any user's LDAP password without knowing the old one. The crypt answer to the last question selects traditional crypt(3) hashing on the client, which only looks at the first eight characters of a password; md5, or exop (the LDAP password modify operation, which leaves the hashing to slapd), are stronger choices if your slapd accepts them.
To enable the usage of that package we need to change some files in /etc/pam.d, namely common-account, common-auth and common-password. Normally each has one relevant line saying something like
```
account required pam_unix.so
```
which has to be changed to
```
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
```
(with auth and password in place of account) in each of those files. common-session stays unchanged.
This change tells PAM to try validating against the LDAP database first and to check the local user database after that; try_first_pass makes pam_unix reuse the password pam_ldap already asked for instead of prompting a second time (it has no effect on the account lines). Using only pam_ldap.so would work as well once every user is migrated into the LDAP directory, but then a crash of the LDAP server disables all logins, root's included; with pam_unix still in the stack root can log in from the local files.
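The nsswitch.conf and PAM edits above, as a script that applies them idempotently and keeps a pristine backup of each file. This is an added example, not the HOWTO's own procedure and not part of any Debian package. It assumes an ETC variable naming the tree to edit (default /etc) so the change can be rehearsed on a scratch copy, appends try_first_pass only to the auth and password lines since the account line ignores it, and leaves common-session alone as the text says.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: switch nsswitch.conf and
# the PAM common-* files to LDAP idempotently, keeping a pristine backup.
# ETC is an assumption of this script (default /etc) so the edit can be
# rehearsed on a scratch copy first.

ETC=${ETC:-/etc}

# Keep the first pristine copy only; re-runs must not overwrite it.
backup() {
    [ -e "$1.pre-ldap" ] || cp -p "$1" "$1.pre-ldap"
}

# Put "ldap" in front of the existing sources for passwd, group and shadow
# (as the HOWTO does); lines that already name ldap are left alone.
enable_nss_ldap() {
    f=$ETC/nsswitch.conf
    backup "$f"
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            seen = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") seen = 1
            if (!seen) $1 = $1 " ldap"      # assigning a field rebuilds the line
        }
        { print }
    ' "$f" > "$f.tmp" && cp "$f.tmp" "$f"
    rm -f "$f.tmp"
}

# Insert "<type> sufficient pam_ldap.so" before the first
# "<type> required pam_unix.so" line of each common-* file.  try_first_pass
# (pam_unix reuses the password pam_ldap collected) only means something
# for auth and password, so the account line is left as it is.
enable_pam_ldap() {
    for type in auth account password; do
        f=$ETC/pam.d/common-$type
        [ -f "$f" ] || continue
        if grep -q 'pam_ldap\.so' "$f"; then
            continue                        # already converted
        fi
        backup "$f"
        awk -v t="$type" '
            !done && $1 == t && $2 == "required" && $3 == "pam_unix.so" {
                print t " sufficient pam_ldap.so"
                if (t != "account") $0 = $0 " try_first_pass"
                done = 1
            }
            { print }
            END { if (!done) exit 1 }       # nothing to hook: leave file alone
        ' "$f" > "$f.tmp" && cp "$f.tmp" "$f" \
            || echo "$f: no \"$type required pam_unix.so\" line found, not changed" >&2
        rm -f "$f.tmp"
    done
}

enable_ldap_auth() {
    enable_nss_ldap
    enable_pam_ldap
}

# Usage: rehearse on a copy of nsswitch.conf and pam.d/common-*, review
# the diff against the .pre-ldap backups, then run against /etc as root:
#   . ./enable-ldap-auth.sh; ETC=/tmp/etc-copy; enable_ldap_auth
```

Running it twice changes nothing the second time, and the .pre-ldap copies are what you restore from (or compare against) when a login stops working after the switch.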
Since each user name in a directory listing is looked up through the name service switch, and with our configuration thus from the LDAP server, the system might get quite slow. You can work around this by installing the Name Service Cache Daemon:
apt-get install nscd
Remember that nscd keeps answers for a while, so after adding or changing accounts in the directory run nscd -i passwd (and nscd -i group) to invalidate its cache if a change does not show up immediately.
Thanks for reading this far. I hope somebody finds this small article useful. I'd like to get any (positive or negative) feedback to improve this, and please tell me if you got it running.
Torsten Landschoff <torsten@debian.org>
Package | Version |
---|---|
slapd | 2.1.23-1 |
ldap-utils | 2.1.23-1 |
migrationtools | 45-1 |
libnss-ldap | 211-4 |
libpam-ldap | 164-2 |
nscd | 2.3.2.ds1-11 |
This document was generated using AFT v5.092