Differences between revisions of "UbuntuHelp:LDAP-Samba PDC (for Linux and Windows)"
From Ubuntu中文 (the Ubuntu Chinese wiki)
(minor edit) | (minor edit)
(1 intermediate revision by the same user not shown)
Line 1: | Line 1:
− | {{From|https://help.ubuntu.com/community/LDAP-Samba | + | {{From|https://help.ubuntu.com/community/LDAP-Samba%20PDC%20(for%20Linux%20and%20Windows)}} |
{{Languages|UbuntuHelp:LDAP-Samba PDC (for Linux and Windows)}} | {{Languages|UbuntuHelp:LDAP-Samba PDC (for Linux and Windows)}} | ||
− | + | '''DO NOT USE THESE INSTRUCTIONS. THEY ARE DANGEROUS AND UNTESTED''' | |
− | + | == 1. Introduction == | |
− | + | This Howto discusses how to setup a Linux authentication and file server for both Linux and Windows clients. The OS's that we tested on are Ubuntu v6.06 and Windows XP SP2. LDAP and Samba Primary Domain Controller (PDC) are used to manage both Linux and Windows accounts. When an account is created on the server, the user can log into the account from either a Linux or a Windows client. | |
− | + | === 1.1. Overview === | |
− | + | After countless hours of searching, we were unable to find a straightforward Howto for setting up a Linux authentication and file server for both Linux and Windows clients. We were only able to find bits of information scattered throughout many different howtos and websites. What we have done here is to combine these various howtos into one simple to use howto. This howto does not give much detail explanation as to why things are done the way they are, but just give simple step by step instructions to get the server and clients working. | |
− | + | === 1.2. End results === | |
− | + | After this Howto is finished, you should be able to: | |
− | + | * Setup a Linux authentication and file server | |
− | + | * Connect a client to the server | |
− | + | * Authenticate users from Linux clients | |
− | + | * Authenticate users from Windows clients | |
− | + | * Have working user roaming profiles | |
− | + | * Provide mapped drives | |
− | + | * Ability to use the same files from both Linux and Windows clients | |
− | + | === 1.3. Software needed === | |
− | + | List of software to install: | |
− | + | ==== 1.3.1. Server ==== | |
− | + | * gvim (optional) | |
− | + | * heimdal-kdc | |
− | + | * ldap-utils | |
− | + | * libnss-ldap | |
− | + | * libpam-cracklib | |
− | + | * libpam-foreground | |
− | + | * libpam-ldap | |
− | + | * libpam-modules | |
− | + | * migrationtools | |
− | + | * nfs-common | |
− | + | * nfs-kernel-server | |
− | + | * phpldapadmin | |
− | + | * samba | |
− | + | * samba-common | |
− | + | * samba-doc (optional) | |
− | + | * slapd | |
− | + | * smbclient | |
− | + | * smbldap-tools | |
− | + | * ssh (optional) | |
− | + | * ssh-askpass-gnome (optional) | |
− | + | * ssl-cert (optional) | |
− | + | ==== 1.3.2. Unix client ==== | |
− | + | * libnss-ldap | |
− | + | * libpam-cracklib | |
− | + | * libpam-ldap | |
− | + | * nfs-common | |
− | + | ==== 1.3.3. Windows client ==== | |
− | + | * Windows XP | |
− | + | === 1.4. Configuration file list === | |
− | + | List of configuration files that will be modified: | |
− | + | ==== 1.4.1. Server ==== | |
− | + | * /etc/exports | |
− | + | * /etc/ldap.conf | |
− | + | * /etc/libnss-ldap.conf | |
− | // | + | * /etc/nsswitch.conf |
− | + | * /etc/pam.conf | |
− | + | * /etc/pam_ldap.conf | |
− | + | * /etc/pam_ldap.secret | |
− | // | + | * /etc/ldap/ldap.conf |
− | + | * /etc/ldap/slapd.conf | |
− | + | * /etc/ldap/schema/samba.schema | |
− | + | * /etc/pam.d/common-account | |
− | // | + | * /etc/pam.d/common-auth |
− | + | * /etc/pam.d/common-password | |
− | + | * /etc/pam.d/common-session | |
− | + | * /etc/phpldapadmin/config.php | |
− | // | + | * /usr/share/migrationtools/migrate_common.ph |
− | + | * /etc/samba/smb.conf | |
− | + | * /etc/smbldap-tools/smbldap.conf | |
− | + | * /etc/smbldap-tools/smbldap_bind.conf | |
− | + | * /etc/network/interfaces | |
− | + | ==== 1.4.2. Unix client ==== | |
− | + | * /etc/ldap.conf | |
− | + | * /etc/libnss-ldap.conf | |
− | + | * /etc/nsswitch.conf | |
− | + | * /etc/pam_ldap.conf | |
− | + | * /etc/ldap/ldap.conf | |
− | //- | + | * /etc/fstab |
− | + | * /etc/pam_ldap.secret | |
− | + | * /etc/pam.d/common-account | |
− | + | * /etc/pam.d/common-auth | |
− | + | * /etc/pam.d/common-password | |
− | + | * /etc/pam.d/common-session | |
− | + | ==== 1.4.3. Windows client ==== | |
− | + | * None | |
− | + | == 2. Server Setup == | |
− | + | This section provides the step by step instructions to set up the Linux server. | |
− | + | === 2.1. Base system === | |
− | < | + | Install Ubuntu on the server machine if you have not yet done so. You can download Ubuntu [http://www.ubuntu.com/download here]. Download the Desktop version if you like to work with a graphical user interface, or the Server version if you want to work in a command oriented mode. I suggest using the Desktop version if you are a novice. The downloaded file is an ISO disk image. You will need a special program to write this image file onto a CD. Click [https://help.ubuntu.com/community/BurningIsoHowto here] for instruction on how to burn an ISO disk image to CD. |
− | < | + | === 2.2. Installing the server software === |
− | < | + | We will now install the server software listed in Section 1.3.1 [https://help.ubuntu.com/community/LDAP-Samba_PDC_%28for_Linux_and_Windows%29#head-50ebd53fccaade92ccf6ffea489008e190328922 Here]. |
− | < | + | # Log into your server using an account with administrative priviledges. |
− | </ | + | # From the menu at the top, click on '''System | Administration | Synaptic Package Manager''' |
− | + | # From the Synaptic Package Manager menu, click on '''Settings | Repositories''' | |
− | + | ## Select all of the entries with the letters '''LTS''' | |
− | + | ## Click on Close | |
− | + | 1.#4 Back in the Synaptic Package Manager window, click on '''All''' in the left pane. All of the available packages will be listed alphabetically in the right pane. | |
− | < | + | # Click on any item in the right pane. |
− | + | Tip: If the window for the list in the right pane is too small, drag the bottom border down to make the window larger. | |
− | + | 1.#6 Mark all of the files listed in Section 1.3.1 to install. | |
− | + | # Type the first few letters of the file that you want. It will jump to the beginning of the files starting with those letters. | |
− | < | + | # Click on the square box on the left of the file that you want to mark. |
− | < | + | # In the drop down menu, click on '''Mark for Installation'''. If the file is already install, or is already marked for installation, then you do not need to do anything. |
− | < | + | 1.#7 After you have marked all of the files, click on Apply. |
− | + | # In the Summary window, click on Apply again. | |
− | + | # Watch the progress bar as the packages are begin installed. Some of the package installations will require user intervention. | |
− | < | + | ## Configuring slapd |
− | < | + | Type in the admin password, and click Forward. |
− | + | # Once the installation is completed, you can close the Synaptic Package Manager. | |
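Review bot: the numbered steps in this section use MoinMoin list syntax (`1.#4`, `1.#6`, `1.#7`) to restart numbering after the interleaved "Tip:" paragraph, which MediaWiki renders as literal text, so the rendered page shows "1.#4 Back in the Synaptic Package Manager window" instead of step 4; the same `a.#2`-style markers recur in every later section of this change. On MediaWiki the fix is to keep the tip inside the list item (indent it with `#:`) so the `#` numbering continues unbroken. Minor spelling in the same block: "priviledges" and "is already install".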
− | + | === 2.3. Editing the server configuration files === | |
− | + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=keys.png | |
− | + | ==== OpenLdap ==== | |
− | + | # Download all of the server configuration files from https://help.ubuntu.com/community/LDAP-Samba PDC (for Linux and Windows)?action=AttachFile&do=get&target=LDAPServer.tar.gz to a temporary directory if you have not already done so. | |
− | + | # Open a terminal window to edit the configuration files. | |
− | + | # Log into the root account and change to the ldap directory. | |
− | + | <pre><nowiki> | |
− | + | $ sudo bash | |
− | + | Password: <enter root password> | |
− | </ | + | # cd /etc/ldap |
− | < | + | </nowiki></pre> |
− | + | # Copy all of the downloaded files from the temporary directory to /etc. You can use either the GUI interface or the command. | |
− | + | <pre><nowiki> | |
− | + | # cp -r <temporary directory> /etc | |
− | + | </nowiki></pre> | |
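Review bot: `cp -r <temporary directory> /etc` copies the directory itself into /etc (producing /etc/<temporary directory>/...) rather than its contents, so none of the downloaded files land where the following steps expect them; the intent stated in the text needs `cp -r <temporary directory>/. /etc` or the equivalent. Because this step overwrites /etc/ldap/slapd.conf, the PAM common-* files and nsswitch.conf with files from a downloaded tarball, the text should also tell readers to diff the tarball against their current files first and keep a backup; the configuration list in section 1.4.1 shows exactly which files are affected.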
− | + | # Edit the ''/etc/ldap/slapd.conf'' file using the gvim editor (or whatever text editor you prefer). | |
− | + | ## Replace all occurrances of the string ''dc=yourdomain,dc=edu'' to your actual domain name. For example, ldap.lasierra.edu will be dc=ldap,dc=lasierra,dc=edu | |
− | // | + | {|border="1" cellspacing="0" |
− | </ | + | | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png ''The LDAP domain structure is arbitrary, it can be anything you wish, even dc=example,dc=com. Just make sure you maintain consistancy'' |
− | + | |} | |
− | + | <pre><nowiki> | |
− | + | # gvim slapd.conf | |
− | < | + | </nowiki></pre> |
− | < | + | # Get the encrypted root password by typing ''slappasswd –h {Md5}'' |
− | + | <pre><nowiki> | |
− | + | # slappasswd –h {Md5} | |
− | </ | + | New Password: <enter root password> |
− | < | + | Re-enter new password: <enter root password> |
− | + | <Encrypted password string> | |
− | + | </nowiki></pre> | |
− | </ | + | # Copy the encrypted root password string to slapd.conf by issuing the echo command next. Replace the encrypted password string between the quotes with the actual encrypted password string that you obtained in the previous step. |
− | < | + | <pre><nowiki> |
− | < | + | # echo rootpw ‘encrypted password string’ >> /etc/ldap/slapd.conf |
− | + | </nowiki></pre> | |
− | + | ---- | |
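Review bot: the two commands in this region will not work as printed because wiki typography has replaced ASCII characters: `slappasswd –h {Md5}` uses an en dash where `-h` is needed, and `echo rootpw ‘encrypted password string’ >> /etc/ldap/slapd.conf` uses curly quotes, which the shell passes through literally into slapd.conf. Suggest `slappasswd -h {SSHA}` (a salted scheme rather than unsalted MD5 for the directory manager credential) and `echo 'rootpw {SSHA}...' >> /etc/ldap/slapd.conf` with straight quotes. Two further points for the text: appending `rootpw` to the end of the file only works if the last `database` stanza in slapd.conf is the one holding the suffix, because `rootpw` applies to the database section it sits in; and since slapd.conf now contains a password hash, readers should check that only root and the slapd service user can read it.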
− | < | + | # Edit the ''/etc/ldap.conf'' file (NOTE: There are two different ldap.conf one in /etc, and one in /etc/ldap) |
− | + | ## Once again replace all occurrances of ''dc=yourdomain,dc=edu'' to your domain name. | |
− | + | <pre><nowiki> | |
− | + | #/etc/ldap.conf | |
− | + | suffix "dc=yourdomain,dc=edu" | |
− | + | uri ldap://localhost/ | |
− | + | pam_password exop | |
− | </ | + | ldap_version 3 |
− | </ | + | pam_filter objectclass=posixAccount |
− | < | + | pam_login_attribute uid |
− | + | pam_member_attribute memberuid | |
− | </ | + | nss_base_passwd ou=Computers,dc=yourdomain,dc=edu |
− | + | nss_base_passwd ou=People,dc=yourdomain,dc=edu | |
− | + | nss_base_shadow ou=People,dc=yourdomain,dc=edu | |
− | < | + | nss_base_group ou=Group,dc=yourdomain,dc=edu |
− | </ | + | nss_base_hosts ou=Hosts,dc=yourdomain,dc=edu |
− | + | bind_policy soft | |
− | </ | + | </nowiki></pre> |
− | + | ---- | |
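Review bot: `pam_password exop` here disagrees with `pam_password crypt` in the client pam_ldap.conf block later in this change; with `crypt` the client computes the hash itself and the server stores it verbatim, so slapd's own hashing policy is bypassed, and password changes behave differently depending on which machine they are made from. The two files should agree, and `exop` is the better common value. Also worth a sentence: `uri ldap://localhost/` is fine on the server itself, but the same file is reused on clients with a remote URI, where simple binds carry the user's password in the clear unless `ssl start_tls` is configured. Minor: the doubled `nss_base_passwd` lines (ou=Computers and ou=People) are intentional, nss_ldap accepts several, but a comment saying so would stop readers from "fixing" it.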
− | + | # Edit the ''/etc/ldap/ldap.conf'' file. Enter your own BASE, HOST, URI. | |
− | + | <pre><nowiki> | |
− | + | #/etc/ldap/ldap.conf | |
− | + | BASE dc=yourdomain,dc=edu | |
− | < | + | HOST 127.0.0.1 |
− | < | + | URI ldap://localhost/ |
− | + | </nowiki></pre> | |
− | + | ---- | |
− | < | + | # You Should now test your LDAP configuration by the following command |
− | + | ## You will be promted with a "Configuration File Testing Succeded" if everything went correctly. | |
− | < | + | ## Restart LDAP. |
− | < | + | ## Check that you can search the LDAP database and make sure there are no Errors. |
− | < | + | <pre><nowiki> |
− | < | + | #slaptest |
− | < | + | #/etc/init.d/slapd restart |
− | </ | + | #ldapsearch -x -D "cn=root,dc=yourdomain,dc=edu" -W |
− | < | + | </nowiki></pre> |
− | < | + | ---- |
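Review bot: the three test commands are written `#slaptest`, `#/etc/init.d/slapd restart` and `#ldapsearch ...` with no space after `#`, whereas the earlier blocks on this page write the root prompt as `# `; a reader who pastes these lines gets shell comments that do nothing. The only search shown binds as the directory manager (`-D "cn=root,dc=yourdomain,dc=edu" -W`), which proves the rootpw works but not that ordinary clients can read the tree; add an anonymous `ldapsearch -x -b "dc=yourdomain,dc=edu"` as well, because that is what nss_ldap on the clients will do with the configuration given later (no binddn is set for NSS), and it also confirms the ACLs do not hand userPassword to anonymous readers.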
− | < | + | ==== Migrating Data ==== |
− | < | + | # Migrate Existing User and Group Data |
− | < | + | ## Edit ''/usr/share/migrationtools/migrate_common.ph |
− | < | + | <pre><nowiki> |
− | < | + | export ETC_SHADOW=/etc/shadow |
− | < | + | #gvim /usr/share/migrationtools/migrate_common.ph |
− | + | </nowiki></pre> | |
− | + | a.#2 Change the following two lines to look like this (With your corresponding domain) | |
− | + | <pre><nowiki> | |
− | < | + | $DEFAULT_BASE = "dc=yourdomain,dc=edu"; |
− | < | + | $EXTENDED_SCHEMA = 1; |
− | < | + | </nowiki></pre> |
− | < | + | a.#3 Change Directory to /usr/share/migrationtools and run the following commands |
− | < | + | <pre><nowiki> |
− | < | + | #cd /usr/share/migrationtools |
− | < | + | # ./migrate_base.pl > /tmp/base.ldif |
− | + | # ./migrate_group.pl /etc/group /tmp/group.ldif | |
− | < | + | # ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif |
− | + | # ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif | |
− | </ | + | # ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/base.ldif |
− | </ | + | # ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/group.ldif |
− | </ | + | # ldapadd -vxc -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/passwd.ldif |
− | < | + | # ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/hosts.ldif |
− | < | + | </nowiki></pre> |
− | < | + | a.#4 Restart LDAP or the Server |
− | </ | + | <pre><nowiki> |
− | < | + | #/etc/init.d/slapd restart |
− | < | + | OR |
− | < | + | #reboot |
− | < | + | </nowiki></pre> |
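Review bot: `./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif` with `ETC_SHADOW=/etc/shadow` set writes every local account's password hash into a file in /tmp under the default umask; the text should have readers write the LDIF files into a root-only directory (or run with `umask 077`) and delete them once `ldapadd` has succeeded. In the first block the `export ETC_SHADOW=/etc/shadow` line appears before the `#gvim /usr/share/migrationtools/migrate_common.ph` line, and that second line reads as a comment rather than a root prompt; put the export in its own block and add the space. Unless a UID filter is set in migrate_common.ph, migrate_passwd.pl migrates every /etc/passwd entry including system accounts, so the text should say to review /tmp/passwd.ldif before running ldapadd; the FAQ entries at the bottom of this change show the kind of objectClass failures that review would catch.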
− | </ | + | # Check the LDAP install and Database by browsing to http://localhost/phpldapadmin |
− | </ | + | ## Log in with user: cn=root,dc=yourdomain,dc=edu and the ldap root password |
− | < | + | a.#2 If after you log in there is a "dc=no domain" then you must configure phpldapadmin |
− | </ | + | <pre><nowiki> |
− | </ | + | # gvim /etc/phpldapadmin/config.php |
− | < | + | </nowiki></pre> |
− | + | a.#3 Look for the "dc=no domain" and add "dc=yourdomain,dc=edu" instead and log in again. | |
− | < | + | (You need to make sure PHP is setup on the server for this to work. sudo a2enmod php5 followed by sudo /etc/init.d/apache2 restart.) |
− | < | + | ---- |
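Review bot: the step "Log in with user: cn=root,dc=yourdomain,dc=edu" at http://localhost/phpldapadmin sends the directory manager password over plain HTTP, which is acceptable only because the URL is localhost; the text should state that the Apache site serving phpldapadmin must not be reachable from the network (or must be behind TLS) before readers follow the Windows client section, which tells them to look up SambaDomainName in the same interface. The parenthetical "sudo a2enmod php5 followed by sudo /etc/init.d/apache2 restart" is a prerequisite and belongs in the numbered steps before the browse step, not after it.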
− | + | ==== NFS (Network File System) ==== | |
− | < | + | # Now we can edit the NFS (Network File System) on the server |
− | + | ## Edit /etc/exports | |
− | </ | + | <pre><nowiki> |
− | + | #gvim /etc/exports | |
− | + | </nowiki></pre> | |
− | + | a.#2 NFS uses the following format for directories: | |
− | + | <pre><nowiki> | |
− | + | directory machineA(option,option) machineB(option,option) | |
− | + | </nowiki></pre> | |
− | + | Where: | |
− | + | * directory = directory to export (e.g. /mnt/hdb1) | |
− | + | * machine(A|B) = machines allowed to mount this exported directory (see below) | |
− | + | * option = options for the exporting (see below) | |
− | + | <pre><nowiki> | |
− | + | By IP address: | |
− | + | /opt/media 192.168.0.100(async,no_subtree_check,rw) 192.168.0.101(async,no_subtree_check,rw) | |
− | + | By DNS name: | |
− | + | /opt/media spunkster(async,no_subtree_check,rw) nivvy(async,no_subtree_check,rw) | |
− | + | Or by IP range: | |
− | + | /opt/media 192.168.0.0/255.255.255.0(async,no_subtree_check,rw) | |
− | + | </nowiki></pre> | |
− | + | a.#3 You may find more information about other options by the following command | |
+ | <pre><nowiki> | ||
+ | #man exports | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
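Review bot: the example exports grant `rw` to an entire /24 (`/opt/media 192.168.0.0/255.255.255.0(async,no_subtree_check,rw)`); with NFS as used here the server trusts the numeric UID the client presents, so any host in that range can read and write as any user whose files are on the export. List client hosts individually where practical, keep the default root_squash (it is not mentioned, and readers should know not to add `no_root_squash`), and note that `async` acknowledges writes before they reach disk, trading a data-loss window on a server crash for speed. The text also never says that the exported directory must match the `/nfs` path that the static-IP test and the client fstab later mount; as written the example exports /opt/media while the tests mount 10.1.31.4:/nfs.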
+ | ==== Static IP ==== | ||
+ | # You should also change your IP address on your server to be static | ||
+ | ## Edit /etc/network/interfaces and change ''dchp'' to ''static'' for your workin interface, usually eth0 | ||
+ | <pre><nowiki> | ||
+ | #gvim /etc/network/interfaces | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | iface eth0 inet static | ||
+ | address 10.1.31.4 | ||
+ | netmask 255.255.255.0 | ||
+ | network 10.1.31.0 | ||
+ | broadcast 10.1.31.255 | ||
+ | gateway 10.1.31.1 | ||
+ | </nowiki></pre> | ||
+ | a.#2 Restart your Network Interfaces | ||
+ | <pre><nowiki> | ||
+ | #/etc/init.d/networking restart | ||
+ | </nowiki></pre> | ||
+ | a.#3 Test NFS from a Linux client | ||
+ | <pre><nowiki> | ||
+ | #mkdir test | ||
+ | #mount 10.1.31.4:/nfs test | ||
+ | #umount 10.1.31.4:/nfs | ||
+ | </nowiki></pre> | ||
+ | a.#4 If errors occured make sure that on the NFS server ''/etc/exports'' has the right IP Address range for your client's IP. | ||
+ | ---- | ||
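Review bot: spelling in the step text: `dchp` should read `dhcp` and `workin` should read `working`. The test block mounts with `mount 10.1.31.4:/nfs test` but unmounts with `umount 10.1.31.4:/nfs`; Linux umount accepts the server spec, but naming the mount point (`umount test`) is the unambiguous form and pairs with the mkdir on the line above. The same three lines are repeated verbatim in the client section of this change; a cross-reference would be shorter.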
+ | {|border="1" cellspacing="0" | ||
+ | | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=dont.png '''Not Finished''' | ||
+ | |} | ||
+ | == 3. Linux Client Setup == | ||
+ | This section provides the step by step instructions to set up the Linux client(s). | ||
+ | === 3.1. Base system === | ||
+ | Install https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconUbuntu.png on the client machine(s) if you have not yet done so. The base system for the client(s) is identical to the base system for the server. Refer to Section 2.1 for installing the base system. | ||
+ | === 3.2. Installing the client software === | ||
+ | We will now install the client software listed in Section 1.3.2. The procedure for installing these software is identical to that for the server. The only difference is in the software that are to be installed. | ||
+ | Start up the Synaptic Package Manager and install the packages as listed in Section 1.3.2 [https://help.ubuntu.com/community/LDAP-Samba_PDC_%28for_Linux_and_Windows%29#head-7faa8552b1d7a25715960be07468a1532cc59ef8 Here]. | ||
+ | === 3.3. Editing the client configuration files === | ||
+ | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=keys.png | ||
+ | # Download all of the server configuration files from https://help.ubuntu.com/community/LDAP-Samba PDC (for Linux and Windows)?action=AttachFile&do=get&target=LDAPClient.tar.gz to a temporary directory if you have not already done so. | ||
+ | # Open a terminal window to edit the configuration files. | ||
+ | # Log into the root account and change to the ldap directory. | ||
+ | <pre><nowiki> | ||
+ | $ sudo bash | ||
+ | Password: <enter root password> | ||
+ | # cd /etc/ldap | ||
+ | </nowiki></pre> | ||
+ | # Copy all of the downloaded files from the temporary directory to /etc. You can use either the GUI interface or the command. | ||
+ | <pre><nowiki> | ||
+ | # cp | ||
+ | </nowiki></pre> | ||
+ | # Edit the ''ldap.conf'' file using the gvim editor (or whatever text editor you prefer). | ||
+ | <pre><nowiki> | ||
+ | # gvim slapd.conf | ||
+ | </nowiki></pre> | ||
+ | # Enter your own Base, Host, and URI for LDAP: | ||
+ | <pre><nowiki> | ||
+ | #/etc/ldap/ldap.conf | ||
+ | BASE dc=mcsauth,dc=edu | ||
+ | HOST 10.1.31.4 | ||
+ | URI ldap://10.1.31.4/ | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
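Review bot: the step says to edit `ldap.conf` but the command shown is `# gvim slapd.conf`; slapd.conf is the server's file and does not exist on a client, so this should be `# gvim ldap.conf` (the working directory is /etc/ldap from the previous step). The copy step just above it is cut short at `# cp` and needs the full command. The values then switch from the `dc=yourdomain,dc=edu` placeholder used throughout the server section to `dc=mcsauth,dc=edu`; either keep the placeholder or state that mcsauth is the authors' own domain and must be replaced. Finally, `URI ldap://10.1.31.4/` is a cleartext connection across the network for every NSS lookup and PAM bind; `ldaps://` or a TLS option should at least be mentioned here.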
+ | # Now Change Directory to /etc | ||
+ | # Edit ''ldap.conf'' (NOTE: There are two different ldap.conf one in /etc, and one in /etc/ldap) | ||
+ | <pre><nowiki> | ||
+ | # cd /etc | ||
+ | # gvim ldap.conf | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | #/etc/ldap.conf | ||
+ | suffix "dc=mcsauth,dc=edu" | ||
+ | uri ldap://10.1.31.4/ | ||
+ | pam_password exop | ||
+ | ldap_version 3 | ||
+ | pam_filter objectclass=posixAccount | ||
+ | pam_login_attribute uid | ||
+ | pam_member_attribute memberuid | ||
+ | nss_base_passwd ou=People,dc=mcsauth,dc=edu | ||
+ | nss_base_shadow ou=People,dc=mcsauth,dc=edu | ||
+ | nss_base_group ou=Group,dc=mcsauth,dc=edu | ||
+ | nss_base_hosts ou=Hosts,dc=mcsauth,dc=edu | ||
+ | bind_policy soft | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
+ | # Now edit ''libnss-ldap.conf'', Enter your Host, Base and Ldap Version | ||
+ | <pre><nowiki> | ||
+ | #gvim libnss-ldap.conf | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | #/etc/libnss-ldap.conf | ||
+ | host 10.1.31.4 | ||
+ | base dc=mcsauth,dc=edu | ||
+ | ldap_version 3 | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
+ | # Now edit ''pam_ldap.conf'', Enter your Host, Base, Ldap Version and root account | ||
+ | <pre><nowiki> | ||
+ | #gvim libnss-ldap.conf | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | #/etc/libnss-ldap.conf | ||
+ | host 10.1.31.4 | ||
+ | base dc=mcsauth,dc=edu | ||
+ | ldap_version 3 | ||
+ | rootbinddn cn=root,dc=mcsauth,dc=edu | ||
+ | pam_password crypt | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
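Review bot: the editor command and the header comment in this block both name libnss-ldap.conf (`#gvim libnss-ldap.conf`, `#/etc/libnss-ldap.conf`) although the step is about `pam_ldap.conf`; a reader following it literally edits the wrong file and leaves pam_ldap.conf unconfigured, so the lines should read `#gvim pam_ldap.conf` and `#/etc/pam_ldap.conf`. `pam_password crypt` also disagrees with the server's `pam_password exop`; with crypt the client chooses the hash algorithm and the server stores it verbatim, so the server-side password-hash setting is bypassed, and `exop` is the safer common setting.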
+ | # You now want to enter your ''ldap root'' password into ''pam_ldap.secret'' | ||
+ | # https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=important.png This file will contain your root password in clear text, it is '''very''' important you change it's permission so that only root can see it. | ||
+ | <pre><nowiki> | ||
+ | # gvim pam_ldap.secret | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | #/etc/pam_ldap.secret | ||
+ | <YOUR ROOT PASSWORD HERE> | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | #chmod 600 /etc/pam_ldap.secret | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
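Review bot: the order here creates /etc/pam_ldap.secret with the editor first and applies `chmod 600` afterwards, so between the two steps the file carries the default umask and may be world-readable; run `umask 077` before `gvim pam_ldap.secret`, or create it with `install -m 600 /dev/null /etc/pam_ldap.secret` and then edit it. Section 1.4.1 lists /etc/pam_ldap.secret as a server file too, but this change contains no server step that creates or protects it. Worth adding that the secret is the directory manager's password: with `rootbinddn cn=root,dc=mcsauth,dc=edu`, root on every client can rewrite the whole directory, so a dedicated bind DN with limited ACLs is the usual hardening.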
+ | # Now edit ''nsswitch.conf'', This file should be left this way | ||
+ | <pre><nowiki> | ||
+ | #gvim nsswitch.conf | ||
+ | </nowiki></pre> | ||
+ | <pre><nowiki> | ||
+ | #/etc/nsswitch.conf | ||
+ | passwd: compat | ||
+ | shadow: compat | ||
+ | group: compat | ||
+ | passwd: db files ldap | ||
+ | shadow: db files ldap | ||
+ | group: db files ldap | ||
+ | hosts: files wins dns | ||
+ | networks: files dns | ||
+ | services: db files | ||
+ | protocols: db files | ||
+ | rpc: db files | ||
+ | ethers: db files | ||
+ | netmasks: files | ||
+ | netgroup: files nis | ||
+ | bootparams: files | ||
+ | automount: files | ||
+ | aliases: files | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
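Review bot: this nsswitch.conf lists each of `passwd`, `shadow` and `group` twice, first as `compat` and then as `db files ldap`; glibc takes the first line it finds for a database and ignores later duplicates, so as shown LDAP is never consulted and the step's claim that the file "should be left this way" defeats the goal of LDAP logins. Keep one line per database, for example `passwd: files ldap`, `shadow: files ldap`, `group: files ldap` (or `compat` with `+` entries in /etc/passwd, but not both). `hosts: files wins dns` also needs the WINS NSS module (libnss_wins, shipped with winbind on Ubuntu), which the client package list in section 1.3.2 does not include.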
+ | # Now Change Directory to /etc/pam.d | ||
+ | # This directory contains several files but we only need to concentrate on four of them: | ||
+ | #* common-account | ||
+ | #** common-auth | ||
+ | #** common-password | ||
+ | #** common-session | ||
+ | # Now Edit ''common-account'' | ||
+ | <pre><nowiki> | ||
+ | #/etc/pam.d/common-account | ||
+ | account requisite pam_unix.so | ||
+ | account sufficient pam_localuser.so | ||
+ | account required pam_ldap.so | ||
+ | </nowiki></pre> | ||
+ | 1.#4 Now Edit ''common-auth'' | ||
+ | <pre><nowiki> | ||
+ | #/etc/pam.d/common-auth | ||
+ | auth required pam_env.so | ||
+ | auth sufficient pam_unix.so likeauth nullok shadow | ||
+ | auth sufficient pam_ldap.so use_first_pass | ||
+ | auth required pam_deny.so | ||
+ | </nowiki></pre> | ||
+ | 1.#5 Now Edit ''common-password'' | ||
+ | <pre><nowiki> | ||
+ | #/etc/pam.d/common-password | ||
+ | password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 | ||
+ | password sufficient pam_unix.so nullok md5 shadow use_authtok | ||
+ | password sufficient pam_ldap.so use_authtok use_first_pass | ||
+ | password required pam_deny.so | ||
+ | </nowiki></pre> | ||
+ | 1.#6 Now Edit ''common-session'' | ||
+ | <pre><nowiki> | ||
+ | #/etc/pam.d/common-session | ||
+ | session required pam_limits.so | ||
+ | session required pam_unix.so | ||
+ | session required pam_mkhomedir.so skel=/etc/skel/ umask=0027 | ||
+ | session optional pam_ldap.so | ||
+ | </nowiki></pre> | ||
+ | ---- | ||
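Review bot: `auth sufficient pam_unix.so likeauth nullok shadow` and `password sufficient pam_unix.so nullok md5 shadow use_authtok` both carry `nullok`, which lets an account with an empty password log in and keep an empty password; on a shared client authenticating against a directory it should be dropped, and `pam_cracklib` on the preceding line only constrains passwords set through this stack, not those carried over by the migration scripts. In common-account, `pam_localuser.so` is `sufficient` before `pam_ldap.so required`, so local accounts skip the LDAP account checks entirely; that is presumably intended but should be stated. The `#*`/`#**` markup at the top of this region makes common-auth, common-password and common-session sub-items of common-account; all four should be `#*`.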
+ | # Lastly we edit ''fstab'' file in /etc so that you mount NFS on bootup. | ||
+ | # Add this to the end of the fstab file under each column (remember to change the IP to your NFS server) | ||
+ | <pre><nowiki> | ||
+ | #/etc/fstab | ||
+ | # <file system> <mount point> <type> <options> <dump> <pass> | ||
+ | 10.1.31.4:/nfs /nfs nfs rw 0 0 | ||
+ | </nowiki></pre> | ||
+ | # You may optionally test that the NFS mount is working | ||
+ | <pre><nowiki> | ||
+ | #mkdir test | ||
+ | #mount 10.1.31.4:/nfs test | ||
+ | #umount 10.1.31.4:/nfs | ||
+ | </nowiki></pre> | ||
+ | 1.#2 If errors occured make sure that on the NFS server ''/etc/exports'' has the right IP Address range for your client's IP. | ||
+ | ---- | ||
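Review bot: `10.1.31.4:/nfs /nfs nfs rw 0 0` mounts a share writable by every directory user with neither `nosuid` nor `nodev`, so a setuid binary or device node placed on the export from one client is honoured on all the others and lets one user act as another; use `rw,nosuid,nodev` (and `noexec` if the share holds only data). The "1.#2" error advice and the mkdir/mount/umount test repeat the server section verbatim, and the "Add this to the end of the fstab file under each column" wording should say that the entry is one line with the six fields shown in the comment above it.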
+ | {|border="1" cellspacing="0" | ||
+ | | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=stop.png '''Restart Computer''' | ||
+ | |} | ||
+ | == 4. Windows Client Setup == | ||
+ | No Configuration files are needed for Windows Clients, just follow these steps: | ||
+ | # Log in to a Local Administrator account | ||
+ | # Click Start | Control Center | System | Network Identification | Change | ||
+ | # Click on the Radial Button for Domain and enter the Ldap Samba Domain Name. | ||
+ | {|border="1" cellspacing="0" | ||
+ | | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png ''You can find this in your to http://localhost/phpldapadmin under SambaDomainName.'' | ||
+ | |} | ||
+ | # If everything succeded you will be promted for an authorized user and password (Usually ldap root and ldap password) | ||
+ | # Windows will welcome you to the new domain. | ||
+ | {|border="1" cellspacing="0" | ||
+ | | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=stop.png '''Restart Computer''' | ||
+ | |} | ||
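Review bot: step 2 of the Windows client section says "Control Center | System | Network Identification", but on Windows XP SP2, the version the introduction says was tested, the path is Control Panel, System, then the "Computer Name" tab and its "Change" button; "Network Identification" is the Windows 2000 wording. Step 4 has readers join the domain with "ldap root and ldap password", i.e. the directory manager credential typed on each workstation; the text should at least note that a dedicated domain-join account is the normal practice and that the workstation's machine account is what ends up in ou=Computers.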
+ | == F.A.Q. == | ||
+ | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconFAQ.png | ||
+ | You can Ask Questions in this Section by Editing this part of the Page. We will try to answer them promptly. | ||
+ | {|border="1" cellspacing="0" | ||
+ | | Q: Do You have to use NFS for user Data? || A: No, You may use any other type of storage, even local storage on each client if you wish, but "roaming profiles" for Linux won't work. | ||
+ | |- | ||
+ | | Q: Having trouble importing the passwd.ldif. I get "ldap_add: Invalid syntax (21) additional info: objectClass: value #5 invalid per syntax" after every single user it attempts to add. When viewing phpLDAPadmin, there are no entries in ou=People. EDIT: yes, i am using -vxc, no root is added, groups are migrated properly. Could this be a problem with my passwd using crypt and your setup using MD5? Also another thing I noticed is that it seems to be tripping up on the 5th value per user (value #5?) which is sn. sn, cn and givenName all seem to be encrypted (cn:: QmFyYiBCZWxsaWdpbw== givenName:: QmFyYg== sn:: QmVsbGlnaW8= is an example) Finally I noticed (as you can see from that paste) that cn, sn, and givenName all have :: after them instead of : on every user.. is this correct? I have a feeling this could get out of hand, maybe it is better transfered to email? Let me know, and thanks for the help. I want to contribute to this page once I get past this bump.. we are going to be deploying ubuntu+openldap+samba at work. || A: The documentation is still not complete, but when doing "ldap_add" are you passing "-vxc" as arguments? At the very least you should have "root" as an entry. You may also manually add users, migration_tools is not required. Do the entries in group get migrated?. I can try to see what could be wrong as soon as I go back to my office to have a machine to play with. | ||
+ | |- | ||
+ | | ||Also worth mentioning that the "#5" refers to the fifth value for the particular attribute (counting the first one as "#0", by the way) -- <code><nowiki>objectClass</nowiki></code> in this case -- not to the fifth line of the overall entry. | ||
+ | |- | ||
+ | | Q: Me too, value #5 invalid... I have objectclass entry #6 like: <objectClass: krb5Principal> and an entry like <krb5PrincipalName: root@MYDOMAIN.NET> . If i delete this 2 entries the import goes well. Is it ok to delete them? After this, all work|| A: Same answer for previous question, install package heimdal-kdc to get the kerberos schemas installed in /etc/ldap/schema, otherwise ldap_add doesn't know about krb5Principal or krb5PrincipalName. If you have already add the items, use the same command line with ldap_modify instead. | ||
+ | |- | ||
+ | | Q: The link to LDAPServer.tar.gz doesn't seem to be working. Is it still available somewhere? | ||
+ | |- | ||
+ | | Q: I had problems installing the heimdal-kdc package. Investigation showed that the problem was a lack of a dnsdomainname: on my system, <code><nowiki>hostname -d</nowiki></code> gives <code><nowiki>hostname: Unknown host</nowiki></code>. I "fixed" this by temporarily setting a domainname (<code><nowiki>hostname <hostname>.somedomain</nowiki></code>) before running <code><nowiki>apt-get install heimdal-kdc</nowiki></code>. Not sure what the wider implications of this are, or whether this was a good fix. Certainly one side effect is the inability to open any new windows on the X system until you put the name back to its previous state. I also had to manually add the <code><nowiki>include /etc/ldap/schema/hdb.schema</nowiki></code> line into slapd.conf. Not sure if this is related to my installation problems, or to the inability to download <code><nowiki>LDAPServer.tar.gz</nowiki></code>, or just the way the installs work... | ||
+ | |- | ||
+ | |To use the migrationtools, I needed this schema: http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema. It did _NOT_ get installed when installing heimdal-kdc. I needed to install it by hand (copy it onto the server and put it into /etc/ldap/slapd.conf). | ||
+ | |} | ||
+ | == Links == | ||
+ | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconGlobe.png | ||
+ | [http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS] | ||
+ | [http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC] | ||
+ | [http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC] | ||
+ | [http://www.gentoo.org/doc/en/ldap-howto.xml] | ||
+ | [http://people.debian.org/~torsten/ldapnss.html] | ||
+ | ---- | ||
+ | [[category:CategoryDocumentation]] [[category:CategoryCleanup]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
Latest revision as of 19:11, 3 December 2007 (Monday)
Please do not edit the translation on this page directly; it is synchronized periodically with its source.
DO NOT USE THESE INSTRUCTIONS. THEY ARE DANGEROUS AND UNTESTED
目录
1. Introduction
This Howto discusses how to setup a Linux authentication and file server for both Linux and Windows clients. The OS's that we tested on are Ubuntu v6.06 and Windows XP SP2. LDAP and Samba Primary Domain Controller (PDC) are used to manage both Linux and Windows accounts. When an account is created on the server, the user can log into the account from either a Linux or a Windows client.
1.1. Overview
After countless hours of searching, we were unable to find a straightforward Howto for setting up a Linux authentication and file server for both Linux and Windows clients. We were only able to find bits of information scattered throughout many different howtos and websites. What we have done here is to combine these various howtos into one simple to use howto. This howto does not give much detail explanation as to why things are done the way they are, but just give simple step by step instructions to get the server and clients working.
1.2. End results
After this Howto is finished, you should be able to:
- Setup a Linux authentication and file server
- Connect a client to the server
- Authenticate users from Linux clients
- Authenticate users from Windows clients
- Have working user roaming profiles
- Provide mapped drives
- Ability to use the same files from both Linux and Windows clients
1.3. Software needed
List of software to install:
1.3.1. Server
- gvim (optional)
- heimdal-kdc
- ldap-utils
- libnss-ldap
- libpam-cracklib
- libpam-foreground
- libpam-ldap
- libpam-modules
- migrationtools
- nfs-common
- nfs-kernel-server
- phpldapadmin
- samba
- samba-common
- samba-doc (optional)
- slapd
- smbclient
- smbldap-tools
- ssh (optional)
- ssh-askpass-gnome (optional)
- ssl-cert (optional)
1.3.2. Unix client
- libnss-ldap
- libpam-cracklib
- libpam-ldap
- nfs-common
1.3.3. Windows client
- Windows XP
1.4. Configuration file list
List of configuration files that will be modified:
1.4.1. Server
- /etc/exports
- /etc/ldap.conf
- /etc/libnss-ldap.conf
- /etc/nsswitch.conf
- /etc/pam.conf
- /etc/pam_ldap.conf
- /etc/pam_ldap.secret
- /etc/ldap/ldap.conf
- /etc/ldap/slapd.conf
- /etc/ldap/schema/samba.schema
- /etc/pam.d/common-account
- /etc/pam.d/common-auth
- /etc/pam.d/common-password
- /etc/pam.d/common-session
- /etc/phpldapadmin/config.php
- /usr/share/migrationtools/migrate_common.ph
- /etc/samba/smb.conf
- /etc/smbldap-tools/smbldap.conf
- /etc/smbldap-tools/smbldap_bind.conf
- /etc/network/interfaces
1.4.2. Unix client
- /etc/ldap.conf
- /etc/libnss-ldap.conf
- /etc/nsswitch.conf
- /etc/pam_ldap.conf
- /etc/ldap/ldap.conf
- /etc/fstab
- /etc/pam_ldap.secret
- /etc/pam.d/common-account
- /etc/pam.d/common-auth
- /etc/pam.d/common-password
- /etc/pam.d/common-session
1.4.3. Windows client
- None
2. Server Setup
This section provides the step by step instructions to set up the Linux server.
2.1. Base system
Install Ubuntu on the server machine if you have not yet done so. You can download Ubuntu here. Download the Desktop version if you like to work with a graphical user interface, or the Server version if you want to work in a command oriented mode. I suggest using the Desktop version if you are a novice. The downloaded file is an ISO disk image. You will need a special program to write this image file onto a CD. Click here for instruction on how to burn an ISO disk image to CD.
2.2. Installing the server software
We will now install the server software listed in Section 1.3.1.
- Log into your server using an account with administrative privileges.
- From the menu at the top, click on System | Administration | Synaptic Package Manager.
- From the Synaptic Package Manager menu, click on Settings | Repositories.
- Select all of the entries with the letters LTS.
- Click on Close.
- Back in the Synaptic Package Manager window, click on All in the left pane. All of the available packages will be listed alphabetically in the right pane.
- Click on any item in the right pane.
Tip: If the list in the right pane is too small, drag the bottom border down to make the window larger.
- Mark all of the packages listed in Section 1.3.1 for installation:
  - Type the first few letters of the package that you want. The list jumps to the first package starting with those letters.
  - Click on the square box to the left of the package that you want to mark.
  - In the drop-down menu, click on Mark for Installation. If the package is already installed, or is already marked for installation, you do not need to do anything.
- After you have marked all of the packages, click on Apply.
- In the Summary window, click on Apply again.
- Watch the progress bar as the packages are being installed. Some of the package installations will require user intervention:
  - Configuring slapd: type in the admin password, and click Forward.
- Once the installation is completed, you can close the Synaptic Package Manager.
2.3. Editing the server configuration files
OpenLdap
- Download all of the server configuration files from https://help.ubuntu.com/community/LDAP-Samba PDC (for Linux and Windows)?action=AttachFile&do=get&target=LDAPServer.tar.gz to a temporary directory if you have not already done so.
- Open a terminal window to edit the configuration files.
- Start a root shell (sudo asks for your own password; Ubuntu has no separate root password by default) and change to the ldap directory.
$ sudo bash
Password: <enter your password>
# cd /etc/ldap
- Copy all of the downloaded files from the temporary directory to /etc. You can use either the GUI or the command below. This overwrites existing files of the same name under /etc, so back up /etc/ldap and /etc/pam.d first.
# cp -r <temporary directory>/. /etc
- Edit the /etc/ldap/slapd.conf file using the gvim editor (or whatever text editor you prefer).
# gvim slapd.conf
- Replace all occurrences of the string dc=yourdomain,dc=edu with your actual domain name. For example, ldap.lasierra.edu becomes dc=ldap,dc=lasierra,dc=edu.
The LDAP domain structure is arbitrary; it can be anything you wish, even dc=example,dc=com. Just make sure you keep it consistent across every file in this Howto. The rootdn in slapd.conf must be cn=root,<your suffix>, because that is the DN that the ldapadd, ldapsearch and client steps below bind as.
- Get the hashed root password from slappasswd. The original instructions use -h {MD5}; that scheme is unsalted, so every directory with the same root password has the same rootpw string and the hash can be attacked with a precomputed table. slappasswd's default scheme, {SSHA}, is salted and slapd accepts it in exactly the same place, so prefer it:
# slappasswd -h {SSHA}
New password: <enter LDAP root password>
Re-enter new password: <enter LDAP root password>
<hashed password string>
- Copy the hashed password string into slapd.conf with the echo command below, replacing the placeholder with the string you obtained in the previous step (single quotes keep the shell from touching any special characters in it). rootpw is a database directive, so appending it to the end of the file is correct as long as the file defines a single database, which the supplied slapd.conf does. The file then holds the hash of the directory administrator's password: leave it unreadable to ordinary users.
# echo 'rootpw <hashed password string>' >> /etc/ldap/slapd.conf
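The rootpw string that slappasswd prints is just a labelled, base64-encoded digest, and the same format is what slapd stores in userPassword when clients set passwords. The following added example (written for this page; not part of the Howto or of OpenLDAP) reproduces the {MD5} and {SSHA} formats and verifies a candidate password against either, so you can see what the string contains and why the salted scheme is the better choice for rootpw. The password "secret" is only an illustration value.

```python
"""Generate and verify OpenLDAP password hashes without slappasswd.

Added example (not from the original Howto or from OpenLDAP): it reproduces
the {MD5} and {SSHA} formats that slappasswd prints, which slapd accepts for
both rootpw in slapd.conf and userPassword in entries, so you can check what
a hash string actually contains and why the salted scheme is the better pick.
"""
import base64
import hashlib
import hmac
import os


def make_md5(password):
    """{MD5}: base64(md5(password)). Unsalted, so equal passwords hash equally."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt). slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, candidate):
    """True if candidate matches a stored {MD5} or {SSHA} string.

    Comparison is constant-time; for {SSHA} the salt is whatever follows the
    20-byte SHA-1 digest inside the decoded value.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{MD5}"):
        raw = base64.b64decode(stored[len("{MD5}"):])
        expected = hashlib.md5(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    raise ValueError("unsupported password scheme in: " + stored[:6])


def rootpw_line(password):
    """The line to append to slapd.conf for the given LDAP root password."""
    return "rootpw " + make_ssha(password)


if __name__ == "__main__":
    # Two {MD5} hashes of one password are identical (precomputed-table bait);
    # two {SSHA} hashes of the same password differ because each has its own salt.
    print(make_md5("secret"), make_md5("secret"))
    print(make_ssha("secret"), make_ssha("secret"))
    print(rootpw_line("secret"))
```

Run it and compare the {MD5} line with the output of slappasswd -h {MD5} for the same password: they are identical, which is exactly the property you do not want in a stored credential. The {SSHA} lines differ on every run yet both verify, and slapd will accept either one as rootpw.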
- Edit the /etc/ldap.conf file (NOTE: there are two different ldap.conf files, one in /etc and one in /etc/ldap).
- Once again replace all occurrences of dc=yourdomain,dc=edu with your domain name. The keyword that nss_ldap and pam_ldap read for the search base is base; suffix is a slapd.conf directive that these libraries do not understand.
# /etc/ldap.conf
base dc=yourdomain,dc=edu
uri ldap://localhost/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=yourdomain,dc=edu
nss_base_passwd ou=People,dc=yourdomain,dc=edu
nss_base_shadow ou=People,dc=yourdomain,dc=edu
nss_base_group ou=Group,dc=yourdomain,dc=edu
nss_base_hosts ou=Hosts,dc=yourdomain,dc=edu
bind_policy soft
- Edit the /etc/ldap/ldap.conf file. Enter your own BASE, HOST and URI.
# /etc/ldap/ldap.conf
BASE dc=yourdomain,dc=edu
HOST 127.0.0.1
URI ldap://localhost/
- You should now test your LDAP configuration with slaptest. It prints "config file testing succeeded" if everything went correctly.
- Restart slapd.
- Check that you can search the LDAP database and make sure there are no errors. The search binds as the rootdn and prompts for the password you hashed above; with no -b option it searches from the BASE set in /etc/ldap/ldap.conf.
# slaptest
# /etc/init.d/slapd restart
# ldapsearch -x -D "cn=root,dc=yourdomain,dc=edu" -W
Migrating Data
- Migrate the existing user and group data.
- Set ETC_SHADOW so the migration scripts can find the shadow file, then edit /usr/share/migrationtools/migrate_common.ph:
# export ETC_SHADOW=/etc/shadow
# gvim /usr/share/migrationtools/migrate_common.ph
- Change the following two lines to look like this (with your corresponding domain):
$DEFAULT_BASE = "dc=yourdomain,dc=edu";
$EXTENDED_SCHEMA = 1;
- Change directory to /usr/share/migrationtools and run the following commands. Be aware that migrate_passwd.pl copies every account in /etc/passwd, root and the system accounts included, together with their password hashes from /etc/shadow (as {crypt} userPassword values), into the directory. Review /tmp/passwd.ldif and remove the entries you do not want in LDAP before running ldapadd. The -c flag makes ldapadd continue past entries that fail, so read its output instead of assuming every entry was added.
# cd /usr/share/migrationtools
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
# ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/group.ldif
# ldapadd -vxc -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/hosts.ldif
- Restart LDAP or the server.
# /etc/init.d/slapd restart
OR
# reboot
- Check the LDAP install and database by browsing to http://localhost/phpldapadmin
- Log in with user cn=root,dc=yourdomain,dc=edu and the LDAP root password. Do this from the server itself, as the URL says: over plain HTTP from another machine the root password crosses the network in clear text.
- If after you log in there is a "dc=no domain" entry, you must configure phpldapadmin:
# gvim /etc/phpldapadmin/config.php
- Look for "dc=no domain", replace it with "dc=yourdomain,dc=edu" and log in again. (You need to make sure PHP is set up on the server for this to work: sudo a2enmod php5 followed by sudo /etc/init.d/apache2 restart.)
NFS (Network File System)
- Now we can configure NFS (Network File System) on the server.
- Edit /etc/exports:
# gvim /etc/exports
- NFS uses the following format for exported directories:
directory machineA(option,option) machineB(option,option)
Where:
- directory = directory to export (e.g. /mnt/hdb1)
- machine(A|B) = machines allowed to mount this exported directory (see below)
- option = options for the export (see below)
By IP address:
/opt/media 192.168.0.100(async,no_subtree_check,rw) 192.168.0.101(async,no_subtree_check,rw)
By DNS name:
/opt/media spunkster(async,no_subtree_check,rw) nivvy(async,no_subtree_check,rw)
Or by IP range:
/opt/media 192.168.0.0/255.255.255.0(async,no_subtree_check,rw)
Two things to watch in this file. There must be no space between the machine and its option list: "machine (rw)" gives machine the default options and exports the directory read-write to everyone, and exportfs does not stop you. And async lets the server acknowledge writes before they reach disk, which is faster but loses data if the server crashes, so use sync for home directories. root_squash is the default and should stay that way for any export that holds users' files.
- You may find more information about the other options with the following command:
# man exports
Static IP
- You should also give your server a static IP address.
- Edit /etc/network/interfaces and change dhcp to static for your working interface, usually eth0. The addresses below are the example values used throughout this Howto; substitute your own.
# gvim /etc/network/interfaces
iface eth0 inet static
address 10.1.31.4
netmask 255.255.255.0
network 10.1.31.0
broadcast 10.1.31.255
gateway 10.1.31.1
- Restart your network interfaces:
# /etc/init.d/networking restart
- Test NFS from a Linux client. This assumes the server exports a directory called /nfs to the client's address; add it to /etc/exports as shown in the previous section and run exportfs -ra on the server if it is not there yet.
# mkdir test
# mount 10.1.31.4:/nfs test
# umount test
- If errors occurred, make sure that /etc/exports on the NFS server has the right IP address range for your client's IP.
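The last troubleshooting step, checking that /etc/exports really covers the client's address, is easy to get wrong by eye once a file mixes addresses, hostnames and netmask forms. The following added example (written for this page, not part of the Howto or of nfs-utils) parses the exports format described in the NFS section, answers "which exports admit this client?" and flags the entries a reviewer would question. SAMPLE_EXPORTS is a constructed file built from the Howto's own example lines plus two extra entries that show the classic mistakes; the hostnames and addresses carry no meaning beyond the example.

```python
"""Check which /etc/exports entries admit a given client, and flag risky ones.

Added example, not from the Howto or from nfs-utils. A machine specification
may be an IP address, a hostname or hostname wildcard, a CIDR prefix or an
IP/netmask pair. SAMPLE_EXPORTS is constructed for the example.
"""
import fnmatch
import ipaddress
import re

SAMPLE_EXPORTS = """\
# constructed sample exports file
/opt/media 192.168.0.100(async,no_subtree_check,rw) 192.168.0.101(async,no_subtree_check,rw)
/opt/media spunkster(async,no_subtree_check,rw) nivvy(async,no_subtree_check,rw)
/nfs 10.1.31.0/255.255.255.0(rw,sync,no_subtree_check)
/home 10.1.31.0/24(rw,sync,no_subtree_check,no_root_squash)
/pub *(ro)
/scratch 10.1.31.4 (rw)
"""

_CLIENT_RE = re.compile(r"([^(]+)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(directory, [(client_spec, [options])])] for every export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *tokens = line.split()
        clients = []
        for tok in tokens:
            if tok.startswith("("):
                # "host (opts)": the space means host gets the default options
                # and the option list applies to the world. exports(5) warns about it.
                clients.append(("*", tok.strip("()").split(",")))
                continue
            spec, opts = _CLIENT_RE.fullmatch(tok).groups()
            clients.append((spec, opts.split(",") if opts else []))
        exports.append((directory, clients))
    return exports


def client_matches(spec, client_ip, client_name=None):
    """Does one machine specification admit this client?"""
    if spec == "*":
        return True
    try:  # single address, a.b.c.d/prefix or a.b.c.d/netmask
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address form, so it is a hostname or hostname pattern
    if client_name is None:
        return False
    return fnmatch.fnmatchcase(client_name, spec)


def allowed(exports_text, client_ip, client_name=None):
    """All (directory, spec, options) entries that admit the client."""
    return [(directory, spec, opts)
            for directory, clients in parse_exports(exports_text)
            for spec, opts in clients
            if client_matches(spec, client_ip, client_name)]


def audit(exports_text):
    """Findings a reviewer would raise on this exports file."""
    findings = []
    for directory, clients in parse_exports(exports_text):
        for spec, opts in clients:
            if spec == "*":
                findings.append(f"{directory}: exported to everyone with {','.join(opts) or 'default options'}")
            if "no_root_squash" in opts:
                findings.append(f"{directory}: no_root_squash for {spec}; client root is root on the server")
            if "async" in opts:
                findings.append(f"{directory}: async for {spec}; acknowledged writes can be lost on a crash")
    return findings


if __name__ == "__main__":
    for hit in allowed(SAMPLE_EXPORTS, "10.1.31.20"):
        print("10.1.31.20 may mount", hit)
    for finding in audit(SAMPLE_EXPORTS):
        print("finding:", finding)
```

Feed it the real file with allowed(open("/etc/exports").read(), "<client ip>", "<client hostname>") on the server; an empty result for /nfs is the "wrong IP address range" case from the step above. The /scratch line in the sample shows why the audit matters: a single stray space turns a one-host export into a world-writable one.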
Not finished.
3. Linux Client Setup
This section provides the step by step instructions to set up the Linux client(s).
3.1. Base system
Install Ubuntu on the client machine(s) if you have not yet done so. The base system for the client(s) is identical to the base system for the server. Refer to Section 2.1 for installing the base system.
3.2. Installing the client software
We will now install the client software listed in Section 1.3.2. The procedure for installing it is identical to that for the server; the only difference is which packages are installed. Start up the Synaptic Package Manager and install the packages listed in Section 1.3.2.
3.3. Editing the client configuration files
- Download all of the client configuration files from https://help.ubuntu.com/community/LDAP-Samba PDC (for Linux and Windows)?action=AttachFile&do=get&target=LDAPClient.tar.gz to a temporary directory if you have not already done so.
- Open a terminal window to edit the configuration files.
- Start a root shell (sudo asks for your own password) and change to the ldap directory.
$ sudo bash
Password: <enter your password>
# cd /etc/ldap
- Copy all of the downloaded files from the temporary directory to /etc. You can use either the GUI or the command below. It overwrites existing files of the same name, so back up /etc/ldap and /etc/pam.d first.
# cp -r <temporary directory>/. /etc
- Edit the ldap.conf file in this directory using the gvim editor (or whatever text editor you prefer).
# gvim /etc/ldap/ldap.conf
- Enter your own BASE, HOST and URI for LDAP. dc=mcsauth,dc=edu and 10.1.31.4 are the example suffix and server address used in this Howto; use the suffix you chose on the server and the server's static IP address.
# /etc/ldap/ldap.conf
BASE dc=mcsauth,dc=edu
HOST 10.1.31.4
URI ldap://10.1.31.4/
- Now change directory to /etc.
- Edit ldap.conf (NOTE: there are two different ldap.conf files, one in /etc and one in /etc/ldap). As on the server, the search-base keyword nss_ldap and pam_ldap read is base.
# cd /etc
# gvim ldap.conf
# /etc/ldap.conf
base dc=mcsauth,dc=edu
uri ldap://10.1.31.4/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=mcsauth,dc=edu
nss_base_shadow ou=People,dc=mcsauth,dc=edu
nss_base_group ou=Group,dc=mcsauth,dc=edu
nss_base_hosts ou=Hosts,dc=mcsauth,dc=edu
bind_policy soft
- Now edit libnss-ldap.conf and enter your host, base and LDAP version:
# gvim libnss-ldap.conf
# /etc/libnss-ldap.conf
host 10.1.31.4
base dc=mcsauth,dc=edu
ldap_version 3
- Now edit pam_ldap.conf and enter your host, base, LDAP version and root account:
# gvim pam_ldap.conf
# /etc/pam_ldap.conf
host 10.1.31.4
base dc=mcsauth,dc=edu
ldap_version 3
rootbinddn cn=root,dc=mcsauth,dc=edu
pam_password crypt
- You now need to enter your LDAP root password into pam_ldap.secret.
- This file contains the directory administrator's password in clear text, so it is very important that you change its permissions so that only root can read it. Understand what this setup means: every client configured this way holds the credential that can change anything in the directory, so a compromised or stolen client is a compromised directory. pam_ldap only uses rootbinddn when root runs an operation on the client (typically passwd to reset another user's password); if you do not need that, leave rootbinddn out and do not create pam_ldap.secret at all.
# gvim pam_ldap.secret
# /etc/pam_ldap.secret
<YOUR LDAP ROOT PASSWORD HERE>
# chmod 600 /etc/pam_ldap.secret
- Now edit nsswitch.conf. glibc honours only the first line given for each database, so the stock compat lines for passwd, shadow and group must be commented out or the ldap source is never consulted. The file should look like this:
# gvim nsswitch.conf
# /etc/nsswitch.conf
#passwd: compat
#shadow: compat
#group: compat
passwd: db files ldap
shadow: db files ldap
group: db files ldap
hosts: files wins dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files nis
bootparams: files
automount: files
aliases: files
- Now change directory to /etc/pam.d.
- This directory contains several files, but we only need to concentrate on four of them:
- common-account
- common-auth
- common-password
- common-session
- Now edit common-account:
# /etc/pam.d/common-account
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so
- Now edit common-auth. The order matters: pam_unix checks the local password first; pam_ldap then gets the same password (use_first_pass) for users that exist only in the directory; and the final pam_deny line is what turns "no module accepted the password" into a failure, because without it the success of the required pam_env line would let a wrong password through. nullok lets accounts with an empty password field log in; drop it unless you really need that.
# /etc/pam.d/common-auth
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok shadow
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
- Now edit common-password:
# /etc/pam.d/common-password
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
- Now edit common-session (pam_mkhomedir creates the home directory on first login, so an LDAP user needs no pre-created directory on the client):
# /etc/pam.d/common-session
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027
session optional pam_ldap.so
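Whether a login succeeds with these files depends entirely on how Linux-PAM combines the required, requisite, sufficient and optional flags, and that is where stacks copied from a Howto usually go wrong. The following added example (written for this page; it is not part of the Howto or of Linux-PAM) models the documented simple-control semantics and runs the common-auth and common-account stacks above through them. Module verdicts are supplied as a table instead of calling real modules; the rules that combine them are the real ones.

```python
"""Model of how Linux-PAM combines the control flags used in the stacks above.

Added example, not from the Howto or from Linux-PAM itself. Module results
are supplied as a table (a real PAM run would call the modules); the
combination rules are Linux-PAM's documented simple-control semantics, which
is what decides whether a local, an LDAP-only or an unknown user gets in.
"""
SUCCESS, FAIL = "success", "fail"

# The two stacks from the Howto, as (control, module) pairs. Arguments such as
# use_first_pass do not change the control flow, so they are omitted here.
COMMON_AUTH = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
COMMON_ACCOUNT = [
    ("requisite",  "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("required",   "pam_ldap.so"),
]


def run_stack(stack, results):
    """Evaluate a stack; results maps module -> SUCCESS/FAIL (missing = FAIL).

    required   failure is remembered, but later modules still run
    requisite  failure ends the stack immediately with a failure
    sufficient success ends the stack with success, unless a required module
               already failed; its failure is ignored
    optional   result is ignored (it only counts if it is the sole module)
    Returns (final_result, modules_actually_called).
    """
    failed = False
    called = []
    for control, module in stack:
        called.append(module)
        res = results.get(module, FAIL)
        if control == "requisite" and res == FAIL:
            return FAIL, called
        if control == "required" and res == FAIL:
            failed = True
        if control == "sufficient" and res == SUCCESS and not failed:
            return SUCCESS, called
    return (FAIL if failed else SUCCESS), called


def login(stack, local_ok, ldap_ok, env_ok=True):
    """Outcome of an auth run for a user whose local/LDAP checks go as given."""
    results = {"pam_env.so": SUCCESS if env_ok else FAIL,
               "pam_unix.so": SUCCESS if local_ok else FAIL,
               "pam_ldap.so": SUCCESS if ldap_ok else FAIL}
    # pam_deny.so is deliberately absent from the table: it always fails.
    return run_stack(stack, results)


if __name__ == "__main__":
    print("local user, right password:   ", login(COMMON_AUTH, True, False))
    print("LDAP-only user, right password:", login(COMMON_AUTH, False, True))
    print("wrong password everywhere:    ", login(COMMON_AUTH, False, False))
    # Drop pam_deny and the same wrong password is accepted, carried by pam_env's success.
    print("same, without pam_deny:       ", login(COMMON_AUTH[:-1], False, False))
```

The second element of each result shows which modules were consulted: a local user never reaches pam_ldap, an LDAP-only user falls through to it, and in common-account a user that pam_unix rejects is refused before pam_localuser or pam_ldap are asked at all.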
- Lastly, edit the fstab file in /etc so that the NFS export is mounted at boot.
- Add this line to the end of the fstab file, one value under each column (remember to change the IP address to that of your NFS server):
# /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
10.1.31.4:/nfs /nfs nfs rw 0 0
- You may optionally test that the NFS mount is working:
# mkdir test
# mount 10.1.31.4:/nfs test
# umount test
- If errors occurred, make sure that /etc/exports on the NFS server has the right IP address range for your client's IP.
Restart the computer.
4. Windows Client Setup
No configuration files are needed for Windows clients; just follow these steps:
- Log in to a local Administrator account.
- Click Start | Control Panel | System, then the Computer Name tab (called Network Identification on Windows 2000) | Change.
- Click the radio button for Domain and enter the Samba domain name.
You can find this in http://localhost/phpldapadmin on the server, under sambaDomainName.
- If everything succeeded, you will be prompted for an authorized user and password (usually root and the LDAP root password).
- Windows will welcome you to the new domain.
Restart the computer.
F.A.Q.
You can Ask Questions in this Section by Editing this part of the Page. We will try to answer them promptly.
Q: Do you have to use NFS for user data?
A: No, you may use any other type of storage, even local storage on each client if you wish, but "roaming profiles" for Linux won't work.
Q: Having trouble importing the passwd.ldif. I get "ldap_add: Invalid syntax (21) additional info: objectClass: value #5 invalid per syntax" after every single user it attempts to add. When viewing phpLDAPadmin, there are no entries in ou=People. EDIT: yes, I am using -vxc, no root is added, groups are migrated properly. Could this be a problem with my passwd using crypt and your setup using MD5? Also another thing I noticed is that it seems to be tripping up on the 5th value per user (value #5?) which is sn. sn, cn and givenName all seem to be encrypted (cn:: QmFyYiBCZWxsaWdpbw== givenName:: QmFyYg== sn:: QmVsbGlnaW8= is an example). Finally I noticed (as you can see from that paste) that cn, sn, and givenName all have :: after them instead of : on every user. Is this correct? I have a feeling this could get out of hand; maybe it is better transferred to email? Let me know, and thanks for the help. I want to contribute to this page once I get past this bump. We are going to be deploying ubuntu+openldap+samba at work.
A: The documentation is still not complete, but when doing "ldap_add" are you passing "-vxc" as arguments? At the very least you should have "root" as an entry. You may also manually add users; migration_tools is not required. Do the entries in group get migrated? I can try to see what could be wrong as soon as I go back to my office to have a machine to play with.
Also worth mentioning that the "#5" refers to the fifth value for the particular attribute (counting the first one as "#0", by the way) -- objectClass in this case -- not to the fifth line of the overall entry.
Q: Me too, value #5 invalid... I have objectClass entry #6 like <objectClass: krb5Principal> and an entry like <krb5PrincipalName: root@MYDOMAIN.NET>. If I delete these 2 entries the import goes well. Is it OK to delete them? After this, all works.
A: Same answer as for the previous question: install the package heimdal-kdc to get the Kerberos schemas installed in /etc/ldap/schema, otherwise ldap_add doesn't know about krb5Principal or krb5PrincipalName. If you have already added the items, use the same command line with ldap_modify instead.
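The migration step in section 2.3 and the two questions above all come down to reading the LDIF that migrate_passwd.pl produced before handing it to ldapadd. The following added example (written for this page; it is not part of the Howto, of migrationtools or of the answers above) parses that LDIF and shows three things: an "attr:: value" line is base64 as defined by RFC 2849 (LDIF uses it for any value that is not plain printable ASCII or that has leading or trailing space) and decodes to ordinary text; ldapadd's "value #N invalid per syntax" counts the values of that attribute from 0, as the addendum above says; and root or system accounts, and an objectClass the server has no schema for, can be dropped from the import rather than edited out by hand. SAMPLE_LDIF is constructed to resemble migrate_passwd.pl output; its names, DNs, uid numbers and hash are made up.

```python
"""Inspect and filter the LDIF from migrate_passwd.pl before feeding it to ldapadd.

Added example; not part of the Howto or of the migrationtools package.
SAMPLE_LDIF is constructed and every value in it is invented.
"""
import base64

SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$madeup$notARealHash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
cn:: Sm9obiBEb2U=
givenName:: Sm9obg==
sn:: RG9l
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: krb5Principal
objectClass: top
objectClass: shadowAccount
krb5PrincipalName: jdoe@EXAMPLE.COM
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
"""


def parse_ldif(text):
    """Return entries as lists of (attribute, value) pairs, dn first.

    Folded lines (leading space) are joined and "attr:: b64" values decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((attr, value))
    return entries


def values(entry, attr):
    """All values of one attribute in an entry (attribute names are case-insensitive)."""
    return [v for a, v in entry if a.lower() == attr.lower()]


def objectclass_table(entry):
    """(index, objectClass) pairs numbered the way ldapadd's 'value #N' does."""
    return list(enumerate(values(entry, "objectClass")))


def keep_regular_users(entries, min_uid=1000):
    """Drop root and system accounts, and with them their password hashes."""
    return [e for e in entries
            if values(e, "uidNumber") and int(values(e, "uidNumber")[0]) >= min_uid]


def drop_objectclass(entries, objectclass, attrs=()):
    """Remove an objectClass the server lacks a schema for, plus its attributes."""
    gone = {a.lower() for a in attrs}
    return [[(a, v) for a, v in e
             if not (a.lower() == "objectclass" and v.lower() == objectclass.lower())
             and a.lower() not in gone]
            for e in entries]


def to_ldif(entries):
    """Serialise back to LDIF, base64-encoding values LDIF cannot carry as-is."""
    blocks = []
    for e in entries:
        out = []
        for a, v in e:
            plain = v.isascii() and v == v.strip() and not v.startswith((":", "<"))
            out.append(f"{a}: {v}" if plain else f"{a}:: {base64.b64encode(v.encode()).decode()}")
        blocks.append("\n".join(out))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for index, oc in objectclass_table(entries[1]):
        print(f"value #{index}: {oc}")
    cleaned = drop_objectclass(keep_regular_users(entries), "krb5Principal", ("krb5PrincipalName",))
    print(to_ldif(cleaned))
```

Run against the real file with parse_ldif(open("/tmp/passwd.ldif").read()): the objectclass_table of a failing entry tells you which value ldapadd's message points at, and writing to_ldif(cleaned) back to a new file gives an import that no longer carries root's password hash or a class the server cannot validate.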
Q: The link to LDAPServer.tar.gz doesn't seem to be working. Is it still available somewhere?
Q: I had problems installing the heimdal-kdc package. Investigation showed that the problem was a lack of a dnsdomainname: on my system, hostname -d gives "hostname: Unknown host". I "fixed" this by temporarily setting a domain name (hostname <hostname>.somedomain) before running apt-get install heimdal-kdc. Not sure what the wider implications of this are, or whether this was a good fix. Certainly one side effect is the inability to open any new windows on the X system until you put the name back to its previous state. I also had to manually add the include /etc/ldap/schema/hdb.schema line into slapd.conf. Not sure if this is related to my installation problems, or to the inability to download LDAPServer.tar.gz, or just the way the installs work...
To use the migrationtools, I needed this schema: http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema. It did _NOT_ get installed when installing heimdal-kdc. I needed to install it by hand (copy it onto the server and put it into /etc/ldap/slapd.conf).