Loading
OpenLDAP Everywhere Revisited
Samba 3 offers new capabilites for a unified directory for all clients. Get mail, file sharing and more all working together with the latest software.
Add the top-level entries to the directory with ldapadd:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' \ -W -f top.ldif
Then, test your work with an ldapsearch command that retrieves all entries:
ldapsearch -x -b 'dc=foo,dc=com'
At this point, we have enough structure in LDAP to put it to real use. We start by sharing our e-mail contacts. To simplify the process, you may be able to export your e-mail address book in LDIF format. For example, in Mozilla Thunderbird, you can export in LDIF from the Tools menu on the Address Book window. You do need to process the resulting file so it looks like our contacts example below. We suggest using Perl for the task.
Contacts are identified uniquely by their e-mail addresses. Here is the dn for a contact:
dn: uid=someone@somewhere.com,ou=contacts, ↪ou=people,dc=foo,dc=com.
With all of the attributes, the full entry for a contact looks like:
dn: uid=someone@somewhere.com,ou=contacts, ↪ou=people,dc=foo,dc=com mail: someone@somewhere.com uid: someone@somewhere.com givenName: Someone sn: Youknow cn: Someone Youknow objectClass: person objectClass: top objectClass: inetOrgPerson
Separate each contact entry with a blank line and save it to a file called contacts.ldif. Add the contacts to the directory with ldapadd:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' \ -W -f contacts.ldif
Then, test with an ldapsearch command, as shown above.
Figure 2. To use the company address book, fill in the information on your server in Thunderbird's Directory Server Properties.
Next, we configure Mozilla Thunderbird to use the new LDAP server (Figure 2). From the Tools menu in Thunderbird, select Options. In the Composition tab, select Directory Server, Edit Directories and then Add. Fill in the Directory Server Properties with:
Name: FOO Server: ldapserver.foo.com base DN: ou=people,dc=foo,dc=com
In the Advanced tab, increase the number of results returned to fit your directory size. For foo.com, we selected 1,000 results.
Test your settings by composing a message to one of your contacts in your LDAP directory. The address should auto-complete as you type. Another test is to search the LDAP directory from within the Thunderbird Mail Address Book. Search in the FOO address book for “Name or Email contains: *”. That should return all of the contacts entries.
By storing user account information in LDAP, you can use the same user name and password at any Linux console. To start, you must decide which user names should be entered in LDAP. Table 1 shows our user scheme for UID/GIDs.
Table 1. User Scheme for UID/GIDs
| Type of account | UID |
|---|---|
| System accounts | UID < 500 |
| Samba special accounts | 499 < UID < 1,000 |
| Unified login accounts | 999 < UID < 10,000 |
| Local users and groups, not in LDAP | > 10,000 |
This user scheme allows for 9,000 LDAP unified login entries, while also allowing local users and groups that do not interfere with LDAP UIDs and GIDs. The user scheme also allows for the accounts required by the Samba Primary Domain Controller.
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
- New Products
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Web & UI Developer (JavaScript & j Query)
- Designing Electronics with Linux
- Dynamic DNS—an Object Lesson in Problem Solving
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- another very interesting
1 hour 19 min ago - Reply to comment | Linux Journal
3 hours 12 min ago - Reply to comment | Linux Journal
10 hours 6 min ago - Reply to comment | Linux Journal
10 hours 22 min ago - Favorite (and easily brute-forced) pw's
12 hours 13 min ago - Have you tried Boxen? It's a
18 hours 5 min ago - seo services in india
22 hours 37 min ago - For KDE install kio-mtp
22 hours 38 min ago - Evernote is much more...
1 day 38 min ago - Reply to comment | Linux Journal
1 day 9 hours ago
Poll
Comments
IT IS VERY USEFUL TO SOLVE PROBLEM
GOOD. It was very useful to solve the problem,
Thank you very much
LDBM and RedHat OpenLDAP Version
There are two things wrong with this article:
(1) It shows a setup using the LDBM databse. This is very unfortunate, since LDBM is not "data safe" and will happily corrupt or lose data without informing you. See http://www.openldap.org/faq/data/cache/756.html for more information on the problems with LDBM.
(2) It shows usage of the RedHat distributed version of OpenLDAP. RedHat traditionally does a very poor job of packaging OpenLDAP, and this remains the case to this day. In addition, 2.2.13 is a very old release at this point, on a historic version of OpenLDAP. 2.3 is the current release branch, with 2.3.20 the current stable release. There are at least 2 DOS vulnerabilities in the 2.2.13 OpenLDAP release, as well as hundreds of bugs that were fixed since then.
If you are using RedHat, and want to use OpenLDAP without updating the local RedHat OpenLDAP libraries, I suggest using CDS3 silver, available for *free* from Symas.com. CDS3 is a packaged version of OpenLDAP 2.3 with *additional* features over OpenLDAP.
--Quanah
--
Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
So long and thanks for all the spam?
We appreciate the spam disguised as useful info, really.
Since CDS silver free
Since CDS silver is a free packaging of OpenLDAP 2.3, I don't see this as spam, any more than me posting to let you know that I provide my own packages of OpenLDAP 2.3
Of course, both Quanah and I have vested interests in recommending that users (1) don't use ldbm, and (2) use 2.3 ... because we both end up helping the unfortunate users who get stuck after following advice like in this article on the openldap-software mailing list.
Since you don't ... well you can say whatever you like about both of these posts and we won't care.
Although you do help people
Although you do help people Buchan and provide great packages, Quanah is more likely to insult people for not paying for support if the post actually makes it to the OpenLDAP list. It is extremely difficult to get any helpful support for OpenLDAP if you're not a guru or the topic is not absolutely, strictly limited to only OpenLDAP of the latest release.
Samba Schema
I can't seem to find Samba Schema mentioned in "include /etc/openldap/schema/samba.schema" line. Can someone explain a little more on whether I really need samba schema and where I can download it? Thanks.
Location of samba schema
In Debian this schema can be found in /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz, you can copy and extract this file into the schema directory. Samba doc's have to be installed of course.
You do need it. Try
You do need it. Try googling for "samba.schema", or on your server "locate samba.schema"
automountMap vs. nisMap
Very useful article. I used their earlier articles as a guide to setting up OpenLDAP in my area, along with ones by Mick Bauer, and I couldn't have done it without them.
I only have one comment: the use of the automountMap objectClass. If you use the migrate_automount.pl script in recent versions of OpenLDAP, it uses the nisMap objectClass and nisMapName to describe automounts. I am not sure if one or the other is deprecated or both are supported.