OpenLDAP Everywhere

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.
Unified Linux Login with LDAP

By storing user account information in LDAP, you can use the same user name and password at any Linux console. To start, you must decide which user names should be entered in LDAP. Here is our user scheme for UID/GIDs:

  • System accounts: UID < 500

  • Real people in LDAP: 499 < UID < 10,000

  • Local users, groups (not in LDAP) > 10,000

This user scheme allows for 9,500 LDAP user and group entries, while allowing local per-system users and groups that do not interfere with LDAP UID/GIDs.

Create Local Computer User Entries

An entry for a local computer user is identified by the login name as “uid”. Local computer users are members of ou=people: dn: uid=gomerp,ou=people,dc=foo,dc=com.

The full entry contains the attributes needed to control account access:

dn: uid=gomerp,ou=people,dc=foo,dc=com
uid: gomerp
cn: Gomer Pyle
givenname: Gomer
sn: Pyle
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword: useradd_ldap_flag
shadowLastChange: 11547
shadowMax: 99999
shadowFlag: 0
krbname:
loginShell: /bin/bash
uidNumber: 531
gidNumber: 531
homeDirectory: /h/gomerp
gecos: Gomer Pyle

To make this easier, OpenLDAP ships with migration utilities that can extract the user account information; see /usr/share/openldap/migration. The first thing you need to do is edit migrate_common.ph:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "foo.com";
# Default base
$DEFAULT_BASE = "dc=foo,dc=com";
# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;
Then, extract the user account information:
/usr/share/openldap/migration/migrate_passwd.pl \
/etc/passwod >people.ldif
Once this is done, review the resulting LDIF file. You should remove entries for system accounts such as root and for local system users that do not need to appear in LDAP. Finally, add the user entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f people.ldif
As always, test your work with an ldapsearch that retrieves all entries:
ldapsearch -x -b "dc=foo,dc=com"
"(objectclass=*)"
Because the computer users belong to ou=people, you may now look up their e-mail addresses within your mail client.

Create Group Entries

You need to make a group entry for each group that is shared between multiple Linux computers. Each user also needs a group entry for the user private group. A group entry is identified by “cn”, and each group belongs to ou=group, for example:

dn: cn=gomerp,ou=group,dc=foo,dc=com

A user private group would look like this:

dn: cn=gomerp,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: gomerp
userPassword: {crypt}x
gidNumber: 531
While a shared group would look like:
dn: cn=web_dev,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: web_dev
gidNumber: 502
memberUid: gomerp
memberUid: goober
memberUid: barneyf
After creating the group entry, extract the group information:
/usr/share/openldap/migration/migrate_passwd.pl \
/etc/group >group.ldif
Review the resulting LDIF file, removing entries for system groups and for local system users that do not need to appear in LDAP. Then, add the group entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f group.ldif
Test your work with an ldapsearch that retrieves all group entries:
ldapsearch -x -b 'dc=foo,cd=com'

Configure Automount to Share Home Directories (and NFS Shares)

With unified login, users have a single home directory shared via NFS. To keep things simple, we host our home directories from ldapserver.foo.com and share /home via NFS. NFS is outside the scope of this article, but here is a line from /etc/exports that works.

/home *.foo.com(rw)

Linux LDAP clients mount the user's home directory at login, using automount and NFS. The LDAP use of automount is a replacement for NIS (Network Information Service) automount maps. Replace the automount maps for auto.master, auto.home and auto.misc.

We also create a new organizational unit for auto.master:

dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

An auto.master entry is identified by “cn”. The automountInformation attribute instructs automount to look for the map in LDAP:

dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,
    dc=foo,dc=com
cn: /h
While we're at it, let's create an auto.master entry for other NFS shared directories:
dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,
    dc=foo,dc=com
cn: /share
Create the automount entries in LDIF format and save as auto.master.ldif:
dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master
dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,
    dc=foo,dc=com
cn: /h
dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,
    dc=foo,dc=com
cn: /share
Add the auto.master entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f auto.master.ldif
Next, we create a new organizational unit for auto.home, ou=auto.home. A home directory entry is identified by “cn”:
dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
Create auto.home entries for each user in LDIF format and save as auto.home.ldif:
dn: ou=auto.home,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home
dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
automountInformation:
    ldapserver.foo.com:/home/gomerp
cn: super3
Add the auto.home entries to LDAP:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f auto.home.ldif
When automounted from a Linux LDAP client, your home directory (ldapserver.foo.com:/home/gomerp) is mounted on /h/gomerp. Other NFS shares may be entered in LDAP and automounted as they are needed. The auto.misc organizational unit holds these automount maps, which have the form ou=auto.misc.

We've already created an auto.master entry for /share, as indicated above. Now, create entries for NFS shares under auto.misc, and save them as auto.misc.ldif:

dn: ou=auto.misc,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.misc
dn: cn=redhat,ou=auto.misc,dc=foo,dc=com
objectClass: automount
automountInformation:
    bigdisk.foo.com:/pub/redhat
cn: redhat
dn: cn=engineering,ou=auto.misc,dc=foo,dc=com
objectClass: automount
automountInformation:
    bigdisk.foo.com:/data/engineering
cn: engineering

Add the auto.misc entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f auto.misc.ldif
When automounted from a Linux LDAP client, your shared directory bigdisk.foo.com:/data/engineering is mounted on /share/engineering.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

If i want to use fstab to

Anonymous's picture

If i want to use fstab to mount homeDirectory. what i must do ?

(HOST ldapserver.foo.com
BASE dc=foo,dc=com)

automount using LDAP

sergeyK's picture

Hello guys,

It seems that RedHat automount uses cn property to identify username. Is there any way to change it to uid as authentication does?

Thank you in advance!

/SergeyK

Woo, using Perl for crypt and salting... WHY?

gfolkert's picture

perl -e "print crypt('passwd','salt_string',);"

Why would one do this, when slappasswd is available? It comes with openldap.

# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password

By default it uses SSHA. Easier and less prone to error.
--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.

--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little mod

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState