OpenLDAP Everywhere Revisited
Listing 3. Create the top of the LDAP tree, top.ldif, manually in the simple key: value LDIF format.
dn: dc=foo,dc=com objectClass: dcObject objectClass: organization o: Foo Company dc: foo dn:ou=People,dc=foo,dc=com objectClass: organizationalUnit ou: People dn:ou=Groups,dc=foo,dc=com objectClass: organizationalUnit ou: Groups dn:ou=contacts,ou=people,dc=foo,dc=com associatedDomain: foo.com ou: contacts ou: people objectClass: organizationalUnit objectClass: domainRelatedObject
Add the top-level entries to the directory with ldapadd:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' \ -W -f top.ldif
Then, test your work with an ldapsearch command that retrieves all entries:
ldapsearch -x -b 'dc=foo,dc=com'
At this point, we have enough structure in LDAP to put it to real use. We start by sharing our e-mail contacts. To simplify the process, you may be able to export your e-mail address book in LDIF format. For example, in Mozilla Thunderbird, you can export in LDIF from the Tools menu on the Address Book window. You do need to process the resulting file so it looks like our contacts example below. We suggest using Perl for the task.
Contacts are identified uniquely by their e-mail addresses. Here is the dn for a contact:
dn: firstname.lastname@example.org,ou=contacts, ↪ou=people,dc=foo,dc=com.
With all of the attributes, the full entry for a contact looks like:
dn: email@example.com,ou=contacts, ↪ou=people,dc=foo,dc=com mail: firstname.lastname@example.org uid: email@example.com givenName: Someone sn: Youknow cn: Someone Youknow objectClass: person objectClass: top objectClass: inetOrgPerson
Separate each contact entry with a blank line and save it to a file called contacts.ldif. Add the contacts to the directory with ldapadd:
ldapadd -x -D 'cn=manager,dc=foo,dc=com' \ -W -f contacts.ldif
Then, test with an ldapsearch command, as shown above.
Next, we configure Mozilla Thunderbird to use the new LDAP server (Figure 2). From the Tools menu in Thunderbird, select Options. In the Composition tab, select Directory Server, Edit Directories and then Add. Fill in the Directory Server Properties with:
Name: FOO Server: ldapserver.foo.com base DN: ou=people,dc=foo,dc=com
In the Advanced tab, increase the number of results returned to fit your directory size. For foo.com, we selected 1,000 results.
Test your settings by composing a message to one of your contacts in your LDAP directory. The address should auto-complete as you type. Another test is to search the LDAP directory from within the Thunderbird Mail Address Book. Search in the FOO address book for “Name or Email contains: *”. That should return all of the contacts entries.
By storing user account information in LDAP, you can use the same user name and password at any Linux console. To start, you must decide which user names should be entered in LDAP. Table 1 shows our user scheme for UID/GIDs.
Table 1. User Scheme for UID/GIDs
|Type of account||UID|
|System accounts||UID < 500|
|Samba special accounts||499 < UID < 1,000|
|Unified login accounts||999 < UID < 10,000|
|Local users and groups, not in LDAP||> 10,000|
This user scheme allows for 9,000 LDAP unified login entries, while also allowing local users and groups that do not interfere with LDAP UIDs and GIDs. The user scheme also allows for the accounts required by the Samba Primary Domain Controller.
2 hours 16 min ago
- Thanks for clearing that up.
7 hours 40 min ago
- Nice coding on the cake. I
19 hours 12 min ago
- Baker's identity
1 day 1 min ago
- Uber jealous
1 day 4 hours ago
- Reality is disapointing
1 day 15 hours ago
- Máy sấy quần áo
1 day 18 hours ago
- Services on GlusterFS
1 day 18 hours ago
- Reply to comment | Linux Journal
1 day 20 hours ago
- Definitely cool stuff here
1 day 21 hours ago