Ubuntu 10.04
Install LDAP Server
2010/07/31
  Build LDAP Server in order to share users' accounts among local networks.

[1] Install openldap
root@master:~#
aptitude -y install slapd ldap-utils


root@master:~#
sysv-rc-conf slapd on

root@master:~#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

root@master:~#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

root@master:~#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

root@master:~#
vi backend.ldif


# create new

# replace to your domain on the line "note"

# ex: server.world ⇒ dc=server,dc=world

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=server,dc=world
# note

olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=world
# note

olcRootPW: password
# specify password

olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=world" write by anonymous auth by self write by * none  
# note

olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=world" write by * read  
# note


root@master:~#
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"

root@master:~#
vi frontend.ldif


# create new

# replace to your domain on the line "note"

# ex: server.world ⇒ dc=server,dc=world

dn: dc=server,dc=world
# note

objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server
description: LDAP Server

dn: cn=admin,dc=server,dc=world
# note

objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: password
# specify password


dn: ou=people,dc=server,dc=world
# note

objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=server,dc=world
# note

objectClass: organizationalUnit
ou: groups


root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif

Enter LDAP Password:
# admin password

adding new entry "dc=server,dc=world"

adding new entry "cn=admin,dc=server,dc=world"

adding new entry "ou=people,dc=server,dc=world"

adding new entry "ou=groups,dc=server,dc=world"
[2] Add new users to LDAP
root@master:~#
vi user.ldif


# add a user "lucid" for an example

dn: uid=lucid,ou=people,dc=server,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lucid
sn: ubuntu
givenName: lucid
cn: lucid ubuntu
displayName: lucid ubuntu
uidNumber: 1000
gidNumber: 1000
userPassword: password
# specify password

gecos: lucid ubuntu
loginShell: /bin/bash
homeDirectory: /home/lucid
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 99999
shadowLastChange: 14809


root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f user.ldif

Enter LDAP Password:
# admin password

adding new entry "uid=lucid,ou=people,dc=server,dc=world"

root@master:~#
vi group.ldif


# add a group "lucid" for an example

dn: cn=lucid,ou=groups,dc=server,dc=world
objectClass: posixGroup
cn: lucid
gidNumber: 1000


root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f group.ldif

Enter LDAP Password:
# admin password

adding new entry "cn=lucid,ou=groups,dc=server,dc=world"
[3] Add existing users in local to LDAP
root@master:~#
vi ldapuser.sh


# extract local users who have 4-digit UID

# an example

#!/bin/bash

SUFFIX='dc=server,dc=world'
LDIF='ldapuser.ldif'

for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/"`
do
    UID1=`echo $line | cut -d: -f1`
    NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
    if [ ! "$NAME" ]
    then
        NAME=$UID1
    else
        NAME=`echo $NAME | sed -e "s/%/ /"`
    fi
    SN=`echo $NAME | awk '{print $2}'`
    if [ ! "$SN" ]
    then
        SN=$NAME
    fi
    GIVEN=`echo $NAME | awk '{print $1}'`
    UID2=`echo $line | cut -d: -f3`
    GID=`echo $line | cut -d: -f4`
    PASS=`grep $UID1 /etc/shadow | cut -d: -f2`
    SHELL=`echo $line | cut -d: -f7`
    HOME=`echo $line | cut -d: -f6`
    EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
    FLAG=`grep $UID1 /etc/shadow | cut -d: -f9`
    if [ ! "$FLAG" ]
    then
        FLAG="0"
    fi
    WARN=`passwd -S $UID1 | awk '{print $6}'`
    MIN=`passwd -S $UID1 | awk '{print $4}'`
    MAX=`passwd -S $UID1 | awk '{print $5}'`
    LAST=`grep $UID1 /etc/shadow | cut -d: -f3`

    echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "uid: $UID1" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $GIVEN" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $UID2" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo "userPassword: {crypt}$PASS" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $SHELL" >> $LDIF
    echo "homeDirectory: $HOME" >> $LDIF
    echo "shadowExpire: $EXPIRE" >> $LDIF
    echo "shadowFlag: $FLAG" >> $LDIF
    echo "shadowWarning: $WARN" >> $LDIF
    echo "shadowMin: $MIN" >> $LDIF
    echo "shadowMax: $MAX" >> $LDIF
    echo "shadowLastChange: $LAST" >> $LDIF
    echo >> $LDIF
done


root@master:~#
sh ldapuser.sh

root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapuser.ldif

Enter LDAP Password:
# admin password

adding new entry "uid=lucid,ou=people,dc=server,dc=world"

adding new entry "uid=ubuntu,ou=people,dc=server,dc=world"

adding new entry "uid=fedora,ou=people,dc=server,dc=world"

adding new entry "uid=suse,ou=people,dc=server,dc=world"

adding new entry "uid=cent,ou=people,dc=server,dc=world"

adding new entry "uid=debian,ou=people,dc=server,dc=world"
[4] Add existing groups in local to LDAP
root@master:~#
vi ldapgroup.sh


# extract local groups who have 4-digit UID

# an example

#!/bin/bash

SUFFIX='dc=server,dc=world'
LDIF='ldapgroup.ldif'

for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/group`
do
    CN=`echo $line | cut -d: -f1`
    GID=`echo $line | cut -d: -f3`
    echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $CN" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo >> $LDIF
done


root@master:~#
sh ldapgroup.sh

root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapgroup.ldif

Enter LDAP Password:
# admin password

adding new entry "cn=lucid,ou=groups,dc=server,dc=world"

adding new entry "cn=ubuntu,ou=groups,dc=server,dc=world"

adding new entry "cn=fedora,ou=groups,dc=server,dc=world"

adding new entry "cn=suse,ou=groups,dc=server,dc=world"

adding new entry "cn=cent,ou=groups,dc=server,dc=world"

adding new entry "cn=debian,ou=groups,dc=server,dc=world"
[5] If you'd like to delete User or Group in LDAP, Do as below.
root@master:~#
ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "uid=lucid,ou=people,dc=server,dc=world"

Enter LDAP Password:
root@master:~#
ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "cn=lucid,ou=groups,dc=server,dc=world"

Enter LDAP Password:
 
Tweet