OpenLDAP Everywhere
By storing user account information in LDAP, you can use the same user name and password at any Linux console. To start, you must decide which user names should be entered in LDAP. Here is our user scheme for UID/GIDs:
System accounts: UID < 500
Real people in LDAP: 499 < UID < 10,000
Local users and groups (not in LDAP): UID/GID > 10,000
This user scheme allows for 9,500 LDAP user and group entries, while allowing local per-system users and groups that do not interfere with LDAP UID/GIDs.
An entry for a local computer user is identified by the login name as “uid”. Local computer users are members of ou=people: dn: uid=gomerp,ou=people,dc=foo,dc=com.
The full entry contains the attributes needed to control account access:
dn: uid=gomerp,ou=people,dc=foo,dc=com
uid: gomerp
cn: Gomer Pyle
givenname: Gomer
sn: Pyle
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword: useradd_ldap_flag
shadowLastChange: 11547
shadowMax: 99999
shadowFlag: 0
krbname:
loginShell: /bin/bash
uidNumber: 531
gidNumber: 531
homeDirectory: /h/gomerp
gecos: Gomer Pyle
To make this easier, OpenLDAP ships with migration utilities that can extract the user account information; see /usr/share/openldap/migration. The first thing you need to do is edit migrate_common.ph:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "foo.com";
# Default base
$DEFAULT_BASE = "dc=foo,dc=com";
# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;
Then, extract the user account information:
/usr/share/openldap/migration/migrate_passwd.pl \
    /etc/passwd >people.ldif
Once this is done, review the resulting LDIF file. You should remove entries for system accounts such as root and for local system users that do not need to appear in LDAP. Finally, add the user entries to LDAP:
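The review step above is easy to get wrong by hand when /etc/passwd has dozens of accounts. The following script is an added example, not part of the original article: it applies the UID scheme from the top of the article (real people are 499 < UID < 10,000) to the LDIF that migrate_passwd.pl produced, keeping only entries in that range and dropping system accounts and local per-system users. It assumes the migration tool's output style of one attribute per line with entries separated by blank lines (folded LDIF continuation lines are not handled), and the sample entries embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: filter migrate_passwd.pl output down to the "real people" UID range.
# Assumes unfolded LDIF (one attribute per line, blank line between entries).

# Usage: filter_people_ldif < people.ldif > people-reviewed.ldif
# Keeps entries whose uidNumber satisfies 500 <= uidNumber < 10000;
# entries with no uidNumber at all are dropped too.
filter_people_ldif() {
    awk 'BEGIN { RS = ""; ORS = "\n\n"; FS = "\n" }
    {
        uid = -1
        for (i = 1; i <= NF; i++) {
            # "uidNumber: " is 11 characters, so the value starts at column 12
            if ($i ~ /^uidNumber: /) uid = substr($i, 12) + 0
        }
        # system accounts (< 500) and local users (>= 10000) stay out of LDAP
        if (uid >= 500 && uid < 10000) print
    }'
}

# Usage: count_entries < some.ldif   -> number of entries (dn: lines) on stdin
count_entries() {
    awk '/^dn: / { n++ } END { print n + 0 }'
}

# Constructed sample resembling migrate_passwd.pl output: one system account,
# one real person and one local service account above the LDAP range.
sample_people_ldif() {
    cat <<'EOF'
dn: uid=root,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=gomerp,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: gomerp
uidNumber: 531
gidNumber: 531
homeDirectory: /h/gomerp

dn: uid=localsvc,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: localsvc
uidNumber: 10500
gidNumber: 10500
homeDirectory: /home/localsvc
EOF
}

# Demonstration: only gomerp survives the filter.
sample_people_ldif | filter_people_ldif
```

Run it as `filter_people_ldif < people.ldif > people-reviewed.ldif` and feed the reviewed file to ldapadd; the UID bounds in the awk condition are the only thing to change if your scheme differs from the article's.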
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
    -f people.ldif
As always, test your work with an ldapsearch that retrieves all entries:
ldapsearch -x -b "dc=foo,dc=com" "(objectclass=*)"
Because the computer users belong to ou=people, you may now look up their e-mail addresses within your mail client.
You need to make a group entry for each group that is shared between multiple Linux computers. Each user also needs a group entry for the user private group. A group entry is identified by “cn”, and each group belongs to ou=group, for example:
dn: cn=gomerp,ou=group,dc=foo,dc=com
A user private group would look like this:
dn: cn=gomerp,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: gomerp
userPassword: {crypt}x
gidNumber: 531
While a shared group would look like:
dn: cn=web_dev,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: web_dev
gidNumber: 502
memberUid: gomerp
memberUid: goober
memberUid: barneyf
After creating the group entry, extract the group information:
/usr/share/openldap/migration/migrate_group.pl \
    /etc/group >group.ldif
Review the resulting LDIF file, removing entries for system groups and for local system users that do not need to appear in LDAP. Then, add the group entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
    -f group.ldif
Test your work with an ldapsearch that retrieves all group entries:
ldapsearch -x -b 'dc=foo,dc=com' '(objectClass=posixGroup)'
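An ldapsearch that lists every group proves the entries loaded, but it does not prove that the two LDIF files agree with each other. A user whose gidNumber has no matching posixGroup logs in with a primary group that no system can name, and the user private groups the article requires are exactly the entries that get lost during the manual review. The script below is an added example, not from the article: it cross-checks the reviewed people.ldif against group.ldif and prints each posixAccount whose gidNumber has no posixGroup. It assumes unfolded LDIF as produced by the migration tools; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: find users whose primary group is missing from group.ldif.
# Assumes unfolded LDIF (one attribute per line, blank line between entries).

# Usage: missing_private_groups <people.ldif> <group.ldif>
# Prints "uid gidNumber" for each posixAccount whose gidNumber has no posixGroup.
# Exit status is 0 when every user's group exists, 1 otherwise.
missing_private_groups() {
    awk 'BEGIN { RS = ""; FS = "\n"; bad = 0 }
    phase == 0 {        # first file on the command line: collect group gidNumbers
        isgroup = 0; gid = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "objectClass: posixGroup") isgroup = 1
            if ($i ~ /^gidNumber: /) gid = substr($i, 12)
        }
        if (isgroup && gid != "") have[gid] = 1
        next
    }
    {                   # second file: users, checked against the collected set
        isuser = 0; uid = ""; gid = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "objectClass: posixAccount") isuser = 1
            if ($i ~ /^uid: /) uid = substr($i, 6)
            if ($i ~ /^gidNumber: /) gid = substr($i, 12)
        }
        if (isuser && !(gid in have)) { print uid, gid; bad = 1 }
    }
    END { exit bad }' "$2" phase=1 "$1"
}

# Demonstration on constructed data: gomerp has its private group, goober does not.
demo_missing_groups() {
    dir=$(mktemp -d)
    cat > "$dir/people.ldif" <<'EOF'
dn: uid=gomerp,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: gomerp
uidNumber: 531
gidNumber: 531

dn: uid=goober,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: goober
uidNumber: 532
gidNumber: 532
EOF
    cat > "$dir/group.ldif" <<'EOF'
dn: cn=gomerp,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: gomerp
gidNumber: 531

dn: cn=web_dev,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: web_dev
gidNumber: 502
memberUid: gomerp
memberUid: goober
EOF
    missing_private_groups "$dir/people.ldif" "$dir/group.ldif" || true
    rm -rf "$dir"
}

demo_missing_groups
```

Run `missing_private_groups people.ldif group.ldif` after reviewing both files and before the two ldapadd commands; a non-zero exit status is a convenient gate in a script that loads the directory.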
With unified login, users have a single home directory shared via NFS. To keep things simple, we host our home directories from ldapserver.foo.com and share /home via NFS. NFS is outside the scope of this article, but here is a line from /etc/exports that works.
/home *.foo.com(rw)
Linux LDAP clients mount the user's home directory at login, using automount and NFS. Automount maps stored in LDAP replace the NIS (Network Information Service) automount maps. Replace the automount maps for auto.master, auto.home and auto.misc.
We also create a new organizational unit for auto.master:
dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master
An auto.master entry is identified by “cn”. The automountInformation attribute instructs automount to look for the map in LDAP:
dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=foo,dc=com
cn: /h
While we're at it, let's create an auto.master entry for other NFS shared directories:
dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com
cn: /share
Create the automount entries in LDIF format and save as auto.master.ldif:
dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master
dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=foo,dc=com
cn: /h
dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com
cn: /share
Add the auto.master entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
    -f auto.master.ldif
Next, we create a new organizational unit for auto.home, ou=auto.home. A home directory entry is identified by “cn”:
dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
Create auto.home entries for each user in LDIF format and save as auto.home.ldif:
dn: ou=auto.home,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home
dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
automountInformation: ldapserver.foo.com:/home/gomerp
cn: gomerp
Add the auto.home entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
    -f auto.home.ldif
When automounted from a Linux LDAP client, your home directory (ldapserver.foo.com:/home/gomerp) is mounted on /h/gomerp.
Other NFS shares may be entered in LDAP and automounted as they are needed. The auto.misc organizational unit holds these automount maps, which have the form ou=auto.misc.
We've already created an auto.master entry for /share, as indicated above. Now, create entries for NFS shares under auto.misc, and save them as auto.misc.ldif:
dn: ou=auto.misc,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.misc
dn: cn=redhat,ou=auto.misc,dc=foo,dc=com
objectClass: automount
automountInformation: bigdisk.foo.com:/pub/redhat
cn: redhat
dn: cn=engineering,ou=auto.misc,dc=foo,dc=com
objectClass: automount
automountInformation: bigdisk.foo.com:/data/engineering
cn: engineering
Add the auto.misc entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
    -f auto.misc.ldif
When automounted from a Linux LDAP client, your shared directory bigdisk.foo.com:/data/engineering is mounted on /share/engineering.
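The automount maps above are keyed by the cn attribute, and automount looks entries up by that key, so the cn value must equal the cn in the entry's RDN; an entry such as dn: cn=gomerp with a different cn attribute simply never mounts for gomerp. Writing one auto.home entry per user by hand invites exactly that slip. The script below is an added example, not code from the article: gen_auto_home derives auto.home entries from the reviewed people.ldif (server name and base DN are arguments; it assumes the article's layout where the NFS export is /home/<user> on the server and homeDirectory on the client is /h/<user>), and check_automount_keys reports any automount entry whose cn attribute disagrees with its RDN. Both assume unfolded LDIF, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: generate auto.home entries from people.ldif and verify map keys.
# Assumes unfolded LDIF (one attribute per line, blank line between entries).

# Usage: gen_auto_home <nfs-server> <base-dn> < people.ldif > auto.home.ldif
# Emits the ou=auto.home container followed by one automount entry per posixAccount,
# mapping cn=<uid> to <nfs-server>:/home/<last component of homeDirectory>.
gen_auto_home() {
    awk -v server="$1" -v base="$2" 'BEGIN {
        RS = ""; FS = "\n"
        printf "dn: ou=auto.home,%s\nobjectClass: top\nobjectClass: automountMap\nou: auto.home\n\n", base
    }
    {
        isuser = 0; uid = ""; home = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "objectClass: posixAccount") isuser = 1
            if ($i ~ /^uid: /) uid = substr($i, 6)
            if ($i ~ /^homeDirectory: /) home = substr($i, 16)
        }
        if (!isuser || uid == "" || home == "") next
        n = split(home, parts, "/"); dir = parts[n]   # /h/gomerp -> gomerp
        printf "dn: cn=%s,ou=auto.home,%s\nobjectClass: automount\nautomountInformation: %s:/home/%s\ncn: %s\n\n", uid, base, server, dir, uid
    }'
}

# Usage: check_automount_keys < some-automount.ldif
# Prints the dn of every automount entry whose cn attribute differs from the cn in its RDN.
# Silent output means every map key is consistent.
check_automount_keys() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        isauto = 0; dn = ""; cn = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /) dn = substr($i, 5)
            if ($i == "objectClass: automount") isauto = 1
            if ($i ~ /^cn: /) cn = substr($i, 5)
        }
        if (!isauto || dn !~ /^cn=/) next        # skip automountMap containers
        key = dn; sub(/^cn=/, "", key); sub(/,.*$/, "", key)
        if (key != cn) print dn
    }'
}

# Constructed sample of a reviewed people.ldif (two users).
sample_people() {
    cat <<'EOF'
dn: uid=gomerp,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: gomerp
uidNumber: 531
gidNumber: 531
homeDirectory: /h/gomerp

dn: uid=goober,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: goober
uidNumber: 532
gidNumber: 532
homeDirectory: /h/goober
EOF
}

# Constructed hand-written map with a key mismatch (cn attribute does not match the RDN).
sample_bad_auto_home() {
    cat <<'EOF'
dn: ou=auto.home,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
automountInformation: ldapserver.foo.com:/home/gomerp
cn: super3
EOF
}

sample_people | gen_auto_home ldapserver.foo.com dc=foo,dc=com
sample_bad_auto_home | check_automount_keys
```

In practice, run `gen_auto_home ldapserver.foo.com dc=foo,dc=com < people.ldif > auto.home.ldif`, then `check_automount_keys < auto.home.ldif` on that file and on any hand-edited auto.master.ldif or auto.misc.ldif before ldapadd; the same key check works for all three maps because it only relies on the automount objectClass and the cn RDN.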
Comments
If I want to use fstab to mount homeDirectory
If I want to use fstab to mount homeDirectory, what must I do?
(HOST ldapserver.foo.com
BASE dc=foo,dc=com)
automount using LDAP
Hello guys,
It seems that RedHat automount uses cn property to identify username. Is there any way to change it to uid as authentication does?
Thank you in advance!
/SergeyK
Woo, using Perl for crypt and salting... WHY?
perl -e "print crypt('passwd','salt_string',);"
Why would one do this, when slappasswd is available? It comes with openldap.
# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password
By default it uses SSHA. Easier and less prone to error.
--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.