Linux - Software: This forum is for Software issues.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Ok, I will get right to the point.
I have been assigned a project that includes setting up all our users on a LDAP server. I have been reading up on all sorts of documentation.
What I want to know is, for the people out there who have installed LDAP: did you compile it from source from, let's say, www.openldap.org, or did you use an RPM package of some sort?
The reason I ask is that, as I am learning here, which version you use decides where the config files go. For instance, if you use RPMs, the slapd.conf file is installed in /etc/openldap.
If you use the source and compile according to the guide at www.openldap.org, by default it installs into /usr/local/openldap.
Now, if you use RPMs, you can stop and start it using init scripts. If you use source, you can use the /usr/local/openldap/libexec/slapd command to start and stop it.
First, is there a difference? Is one better than the other?
Secondly, I wanted to use some tools to help along the way with the setup. I came across two tools that look promising:
Let me start out with my intentions for using LDAP. We would like to set up our LDAP server to be used as an authentication server. This project was given to me, and I do not think my manager realizes just how long this may take. I have been plugging away at it, but it really is quite in-depth and requires a lot of time and patience.
This is what I did:
I just happened to be going to www.devshed.com and noticed they had a two-part series on LDAP. I basically read both articles and followed their instructions to a 'T'.
It seems kind of odd, though, when I compare their instructions with what is going on with my machine. The reason I say so is that the full path to my slapd.conf is very long:
Which is OK, but I really don't like it.
Another thing: I currently have to use the full path to stop and start LDAP. I would prefer to use init scripts to stop and start it so I get a visual OK or FAILED when I stop and start.
Lastly, in the HOW-TO, they say that the slapd.conf file should be in /etc/openldap. Not so in my case; mine is in the path listed above.
At this point, I was able to make some basic entries, do some searches and contact the LDAP server with a Eudora client, remotely.
At this point, I almost feel like I should completely start over and clean up my Linux server so I will not have any "leftovers", so to speak. I will discuss that later.
Right now though, I can connect to the LDAP server from my workstation using Eudora and perform some basic queries to find information.
However, if I try to use the tool(s) I listed above, I cannot seem to connect. For instance, I get a 'Protocol error' when I try to connect to the server with both tools: one is a local client (Directory Administrator), the other is a remote client (LDAP Administrator).
In answer to your questions, I did set up a rootdn account with a basic name and password. I am still testing and feeling my way around.
Also, where would I find some of the connection logs for LDAP? /var/messages?
Directory Administrator might be trying to use SASL authentication instead of plain text; it's been a while since I used that tool. Maybe check the properties and see what it's trying to use for login authentication.
IMHO, where you install LDAP to is of no matter, be it in /etc/openldap or in /usr/local/somepathverydeep/openldap. It's all the same in the end.
As far as an init script, you could always write one =)
For user authentication you are also going to need to go to www.padl.com and get the migration scripts and pam_ldap.
www.openldap.org has a pretty good FAQ system with a lot of information on what you are trying to do.
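Taking up the suggestion above, here is an added example of the kind of init-style control script the poster could write for a source-built slapd. It is an illustration added to this thread, not code from the posts or from the OpenLDAP project. It assumes the binary lives at /usr/local/openldap/libexec/slapd (the path the original poster gave), that slapd.conf sits under that same prefix and contains a `pidfile` directive, that this slapd accepts the -u/-g options to drop to an unprivileged account, and that an `ldap` user and group exist; the listen URL, paths and account names are placeholders to adjust.

```shell
#!/bin/sh
# Init-style control script for a source-built slapd (illustration for this thread,
# not from the posts or the OpenLDAP project). Every path and account below is an
# assumption to adjust; override them in the environment or edit the defaults.
SLAPD=${SLAPD:-/usr/local/openldap/libexec/slapd}                      # binary the OP mentions
SLAPD_CONF=${SLAPD_CONF:-/usr/local/openldap/etc/openldap/slapd.conf}  # assumed location
SLAPD_URLS=${SLAPD_URLS:-ldap://127.0.0.1/}   # listen locally until TLS is set up; ldap:/// is every interface
SLAPD_USER=${SLAPD_USER:-ldap}                # assumed unprivileged account for slapd -u/-g
SLAPD_GROUP=${SLAPD_GROUP:-ldap}

# Print the path from the `pidfile` directive in slapd.conf. slapd writes its pid
# there after detaching; without the directive there is no reliable way to find it.
slapd_pidfile() {
    awk 'tolower($1) == "pidfile" { print $2; exit }' "${1:-$SLAPD_CONF}"
}

# Return 0 if the pid recorded in the pidfile is alive, 1 otherwise. A stale
# pidfile (crash, reboot) or garbage in it counts as "not running". Uses kill -0,
# so run as root or as the slapd account, or a live daemon looks stopped.
slapd_running() {
    pidfile=$(slapd_pidfile "${1:-$SLAPD_CONF}")
    [ -n "$pidfile" ] && [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

slapd_start() {
    if slapd_running; then echo "slapd already running"; return 0; fi
    if [ -z "$(slapd_pidfile)" ]; then
        echo "Starting slapd: FAILED (no pidfile directive in $SLAPD_CONF)"; return 1
    fi
    "$SLAPD" -f "$SLAPD_CONF" -h "$SLAPD_URLS" -u "$SLAPD_USER" -g "$SLAPD_GROUP"
    sleep 1                                   # slapd forks; give it a moment to write the pidfile
    if slapd_running; then echo "Starting slapd: OK"; else echo "Starting slapd: FAILED"; return 1; fi
}

slapd_stop() {
    pidfile=$(slapd_pidfile)
    if ! slapd_running; then
        echo "slapd not running"; [ -n "$pidfile" ] && rm -f "$pidfile"; return 0
    fi
    kill "$(cat "$pidfile")"                  # SIGTERM: slapd shuts down cleanly
    for i in 1 2 3 4 5 6 7 8 9 10; do
        slapd_running || { rm -f "$pidfile"; echo "Stopping slapd: OK"; return 0; }
        sleep 1
    done
    echo "Stopping slapd: FAILED"; return 1
}

case "${1:-}" in
    start)   slapd_start ;;
    stop)    slapd_stop ;;
    restart) slapd_stop && slapd_start ;;
    status)  if slapd_running; then echo "slapd is running"; else echo "slapd is stopped"; exit 3; fi ;;
    '')      : ;;                             # no action: only define the functions (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Copy it to wherever your distribution keeps rc scripts (for example /etc/init.d/slapd), make it executable and link it into the runlevels the distribution expects. Listening on 127.0.0.1 is the safe default until TLS is configured; widen SLAPD_URLS deliberately once remote clients need access.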
Being that they are all on Windows, you have quite a large task ahead of you.
You first need to configure Samba to act as a domain controller/logon server. You also need to set up Samba to get all of the account information from LDAP. You need to pass this option to Samba at compile time (sounds like a reinstall of Samba from source for you).
You then need to install pam_ldap from www.padl.com.
Next is adding all of the Computer/Domain accounts for the users and the computers they use.
There is a script that comes with the samba source that will add the samba user as well as a system user at the same time. You will need to use this to add your users from now on.
If you want users to be able to change their password, then you have more scripts to set up.
How many workstations is this for? I assume this is a work thing?
You can make a logon server without using LDAP, which will make things easier for you.
Is there a specific reason you want to use LDAP here? If so, you might want to check the Samba mailing lists; I'm not sure LDAP/Samba is ready for production use.
You also need to set up NSCD to answer all the requests for the getpw*(), getsh*() and getgr*() system calls.
This is a very involved task, I've done all this before. It is almost more trouble than it's worth in the end.
I'll see if I can dig up some links for you in a bit, dinner is almost ready =)
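The nss_ldap/pam_ldap plumbing mentioned in the reply above has a few spots where a small mistake silently breaks or weakens LDAP logins. The following is an added example, not code from the posts or from PADL: a shell check that reads /etc/nsswitch.conf and PADL's /etc/ldap.conf (the file both nss_ldap and pam_ldap read) and flags the usual problems: passwd/shadow/group not consulting ldap, the client not pinned to LDAPv3, no `ssl start_tls` or `ssl on` so simple binds carry passwords in cleartext across the network, and an /etc/ldap.secret (the rootbinddn password) readable by other users. The file paths are overridable variables, the directive names are PADL's, and `stat -c` assumes GNU or BusyBox coreutils.

```shell
#!/bin/sh
# Sanity check for the client side of LDAP logins: nss_ldap + pam_ldap from www.padl.com.
# Illustration added to this thread, not from the posts or from PADL. Paths are
# overridable so the checks can be run against copies of the files.
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
LDAP_CONF=${LDAP_CONF:-/etc/ldap.conf}        # PADL's shared nss_ldap/pam_ldap config
LDAP_SECRET=${LDAP_SECRET:-/etc/ldap.secret}  # rootbinddn password, read by nss_ldap as root

# Print the lookup sources for one NSS database, e.g. "files ldap" for "passwd: files ldap".
nss_sources() {   # $1 = database (passwd, shadow, group), $2 = nsswitch.conf (optional)
    awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "${2:-$NSSWITCH}"
}

# Print the value of a directive in ldap.conf (first match; comment lines never match).
ldap_conf_get() { # $1 = directive, $2 = ldap.conf (optional)
    awk -v key="$1" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "${2:-$LDAP_CONF}"
}

# Run every check, print one WARN line per finding, and return the number of findings
# (0 means the client plumbing looks sane).
ldap_client_check() {
    problems=0
    # getpw*/getgr*/getsp* only reach LDAP if nsswitch.conf lists ldap for each database.
    for db in passwd shadow group; do
        case " $(nss_sources "$db") " in
            *" ldap "*) ;;
            *) echo "WARN: $NSSWITCH: '$db' does not consult ldap"; problems=$((problems + 1)) ;;
        esac
    done
    # Pin the client to LDAPv3, which is what OpenLDAP 2.x slapd speaks.
    [ "$(ldap_conf_get ldap_version)" = 3 ] || { echo "WARN: $LDAP_CONF: set 'ldap_version 3'"; problems=$((problems + 1)); }
    [ -n "$(ldap_conf_get base)" ] || { echo "WARN: $LDAP_CONF: no 'base' search suffix"; problems=$((problems + 1)); }
    # A simple bind over plain ldap:// carries the user's password in cleartext; pam_ldap
    # needs 'ssl start_tls' (STARTTLS on 389) or 'ssl on' (ldaps on 636) to protect it.
    case "$(ldap_conf_get ssl)" in
        start_tls|on) ;;
        *) echo "WARN: $LDAP_CONF: no 'ssl start_tls' or 'ssl on'; binds will be cleartext"; problems=$((problems + 1)) ;;
    esac
    # The rootbinddn password lets anyone who can read it pull shadow data for every user.
    if [ -f "$LDAP_SECRET" ]; then
        mode=$(stat -c %a "$LDAP_SECRET")      # GNU/BusyBox stat
        case "$mode" in
            600|400) ;;
            *) echo "WARN: $LDAP_SECRET is mode $mode; should be 600 (root only)"; problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}

# Run the checks when invoked as "sh ldap-client-check.sh run"; exit status = number of findings.
case "${1:-}" in
    run) ldap_client_check; exit $? ;;
esac
```

Run it on the workstation side after installing nss_ldap and pam_ldap; a clean run returns 0. The cleartext-bind warning is the one to take seriously before pointing real users at the server: slapd needs TLS configured and the client needs `ssl start_tls` for the PAM password to be protected on the wire.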