Migrating to LDAP
What is LDAP?
Fedora Directory Server
LdapImport
LDAP Tools
What is LDAP?
Lightweight Directory Access Protocol.
Common on-wire protocol, encoded with ASN.1.
Common export format: LDIF.
Common replication format: LDUP.
Objects are arranged in a tree and addressed via “DNs”.
DN: “Distinguished Name”
Each level of the tree adds one component to the left of its parent's DN:
dc=babel,dc=com,dc=au
ou=People,dc=babel,dc=com,dc=au
uid=del,ou=People,dc=babel,dc=com,dc=au
LDAP Protocols
LDAP: the common protocol on the wire.
LDIF: the common object and schema management format.
Different implementations have varying degrees of compliance.
LDAP vs DBMS
A directory has one schema and one “row” type (the “object”); an RDBMS has many tables.
A directory is optimised for reads and slow for writes.
A directory has an adaptable, mutable schema format, which suits storing information about “people”.
Access protocol: LDAP vs SQL.
Replication
One or more LDAP servers can participate.
Single-master or multi-master implementations (OpenLDAP vs FDS).
Common on-wire replication protocol: LDUP.
Replication between different directory types can be problematic.
LDAP Schema
Common format for specifying schemas: LDIF (implementations vary).
Fixed vs in-directory schema.
IANA assignments (OIDs for schema extensions).
Schema Replication
Schema replication may or may not be supported.
FDS replicates 99user.ldif schema changes only if they are entered via LDAP.
OpenLDAP: no schema replication.
LDAP Applications
Authentication: PAM, Samba.
Name space services: NSS, Samba.
PAM
PAM: Pluggable Authentication Modules.
PAM handles authentication only.
A PAM authentication is an LDAP “bind”.
NSS
NSS: Name Service Switch.
NSS handles “name” services, including user names, home directories, etc.
LDAP supports NSS and PAM via modules.
Ensure the module load order is correct and valid.
Think of it as “network-aware” passwd and group files.
LDAP and NSS
Human accounts under ou=People,...
Groups under ou=Groups,...
Configured via authconfig, /etc/nsswitch.conf and /etc/ldap.conf.
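As an added example (not from the slides or from authconfig), a small Python check of the lookup order that /etc/nsswitch.conf ends up with once LDAP is enabled: for passwd, shadow and group it requires the ldap source to be present and files to be consulted first, so root and other local accounts keep resolving if the directory server is unreachable. The sample nsswitch.conf content is constructed.

```python
# Added example, not from the slides or from authconfig: before switching
# PAM/NSS to LDAP, verify the lookup order in /etc/nsswitch.conf. For passwd,
# shadow and group the 'ldap' source must be present and 'files' must come
# first, so local accounts such as root still resolve when the directory is down.
ACCOUNT_DBS = ("passwd", "shadow", "group")

# Constructed sample: 'shadow' lacks ldap and 'group' consults ldap before files.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files
group:      ldap [NOTFOUND=return] files
hosts:      files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments, blank lines and action
    specifiers such as [NOTFOUND=return] are ignored."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        order[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return order


def check_ldap_order(text, dbs=ACCOUNT_DBS):
    """Return a list of problems; an empty list means the order is sane."""
    order = parse_nsswitch(text)
    problems = []
    for db in dbs:
        sources = order.get(db)
        if sources is None:
            problems.append(f"{db}: no entry in nsswitch.conf")
        elif "ldap" not in sources:
            problems.append(f"{db}: ldap source missing")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            problems.append(f"{db}: files should precede ldap (got: {' '.join(sources)})")
    return problems


if __name__ == "__main__":
    for msg in check_ldap_order(SAMPLE_NSSWITCH) or ["nsswitch.conf order OK"]:
        print(msg)
```

Run it against the real file with `check_ldap_order(open("/etc/nsswitch.conf").read())` after authconfig has written it.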
FDS
http://directory.fedoraproject.org/
4-way multi-master replication.
Scalable.
Extensive documentation.
In-directory management (schema etc.): no restart needed to change schema or ACIs.
Components
LDAP: Fedora Directory Server
LdapImport
Installing FDS
Installation instructions: http://www.redhat.com/docs/manuals/dir-server/install/7.1/
Performance tuning notes: http://directory.fedoraproject.org/wiki/Performance_Tuning
Installation scripts: http://wiki.babel.com.au/edit.php?area=Linux_Projects&page=FedoraDirectoryServer
Post-installation setup: /opt/fedora-ds/setup/setup
Verification: ldapsearch -x -s base -b "" "objectclass=*"
Indexes
The server does not ship with an index on uidNumber by default; you should create one.
Open the console, select the directory server and click the Open Configuration tab.
Open the Data -> (your base DN) -> Database part of the tree.
Go to the Indexes tab.
Under Additional indexes, click Add attribute....
Add the indexes you need; a good place to start is uidNumber and gidNumber.
Click Save.
This can take a bit of time, and the database is locked (read-only) while the indexes are built.
Search Result Limit
By default a query returns at most 2000 entries. This needs to be increased in a few places in the directory manager part of the console.
Open the console, select the directory server, click the Open Configuration tab and select the server object itself. On the Performance tab, change the limit from 2000 to a higher value. Click Save.
Open the Data -> Database Link Settings part of the tree. Go to the Default Creation Parameters tab and change the size limit from 2000 to a higher value. Click Save.
Open the Data -> Database Settings part of the tree. Go to the LDBM Plug-in Settings tab and change the Look-through limit from 5000 entries to a higher value. Click Save.
Connect to LDAP
FC4 and earlier: authconfig
FC5+: authconfig-tui
LdapImport
http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport
Originally designed as a tool to assist migration from OpenLDAP to Fedora Directory Server, it has since developed into a general-purpose LDAP migration tool.
LdapImport.pl imports data into a destination LDAP server from one of two sources: another (source) LDAP server, or the /etc/passwd, /etc/shadow and /etc/group files.
Schema Mapping
Some attempt at schema checking and/or mapping is done.
LdapImport will also overwrite existing entries in the destination LDAP server if required.
GUI Mode
There is none.
Anyone familiar with Perl GTK/Qt toolkits? Glade?
Perl requirements
A reasonably recent version of Perl (http://www.perl.org/), including at least the Carp and Data::Dumper modules.
perl-LDAP (Net::LDAP CPAN module), available from http://ldap.perl.org/ or as an RPM shipped with Fedora Core 3 or 4. You may need to install it with yum -y install perl-LDAP.
perl-Time-HiRes (Time::HiRes CPAN module), also shipped with Fedora Core 3 or later. You may need to install it with yum -y install perl-Time-HiRes.
perl-Log-Log4perl (Log::Log4perl CPAN module), shipped with Fedora Core 3 or later. You may need to install it with yum -y install perl-Log-Log4perl.
LdapImport in action
Logging
Log file name [LdapImport.log] ?
Destination Server
Destination LDAP Server Name [localhost] ?
I am guessing that this is a FEDORA server.
Root DN to bind to localhost [cn=Directory Manager] ?
Password for cn=Directory Manager [] ? ENTERyourPASSWORDhere
OU to contain users in localhost [ou=People, dc=babel,dc=office] ?
OU to contain groups in localhost [ou=Groups, dc=babel,dc=office] ?
email domain [babel.office] ?
Source
Source type -- Files/Winbind/Server [f/w/s] [s] ? f
Should I migrate user accounts (y/n) [y] ?
/etc/passwd file location [/etc/passwd] ?
/etc/shadow file location [/etc/shadow] ?
Should I migrate groups (y/n) [y] ?
/etc/group file location [/etc/group] ?
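The file-source migration just walked through, as an added Python example rather than LdapImport.pl itself: it turns constructed /etc/passwd, /etc/shadow and /etc/group records into LDIF entries under the People and Groups OUs named in the prompts above (dc=babel,dc=office, mail domain babel.office), and in doing so shows how each entry's DN extends the OU's DN from the DN slide. The 500 UID/GID cutoff and the sample records are assumptions, not part of the original.

```python
# Added example (not LdapImport.pl): the Files-source migration the slides
# describe, producing posixAccount entries under the People OU and posixGroup
# entries under the Groups OU, with shadow hashes carried over as {crypt} values.
MIN_ID = 500  # constructed cutoff: accounts/groups below it stay in local files
PEOPLE_OU = "ou=People,dc=babel,dc=office"
GROUPS_OU = "ou=Groups,dc=babel,dc=office"
MAIL_DOMAIN = "babel.office"

# Constructed sample records in /etc/passwd, /etc/shadow and /etc/group format.
PASSWD = ["root:x:0:0:root:/root:/bin/bash",
          "del:x:1001:1001:Del Elson:/home/del:/bin/bash"]
SHADOW = ["root:$1$CONSTRUCTED$hash0:13000:0:99999:7:::",
          "del:$1$CONSTRUCTED$hash1:13000:0:99999:7:::"]
GROUP = ["wheel:x:10:del", "staff:x:1001:del,ann"]

def user_entries(passwd, shadow, min_uid=MIN_ID):
    """Yield one entry dict per migratable user (dn plus attribute value lists)."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow}
    for line in passwd:
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < min_uid:
            continue  # system account: leave it in the local files
        entry = {"dn": f"uid={name},{PEOPLE_OU}",
                 "objectClass": ["top", "person", "posixAccount", "shadowAccount"],
                 "uid": [name], "cn": [gecos or name],
                 "sn": [gecos.split()[-1] if gecos else name],
                 "uidNumber": [uid], "gidNumber": [gid],
                 "homeDirectory": [home], "loginShell": [shell],
                 "mail": [f"{name}@{MAIL_DOMAIN}"]}
        h = hashes.get(name, "")
        if h and not h.startswith(("!", "*")):  # skip locked or empty passwords
            entry["userPassword"] = ["{crypt}" + h]  # hash moves over unchanged
        yield entry

def group_entries(group, min_gid=MIN_ID):
    """Yield posixGroup entries; membership is kept as memberUid values."""
    for line in group:
        name, _, gid, members = line.split(":")
        if int(gid) >= min_gid:
            yield {"dn": f"cn={name},{GROUPS_OU}", "objectClass": ["top", "posixGroup"],
                   "cn": [name], "gidNumber": [gid],
                   "memberUid": [m for m in members.split(",") if m]}

def to_ldif(entry):
    """Serialise one entry dict as an LDIF record: dn line, then attr: value lines."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"
```

Printing `to_ldif(e)` for every entry from `user_entries(PASSWD, SHADOW)` and `group_entries(GROUP)` gives records that ldapadd, bound as cn=Directory Manager, will load; the {crypt} values let migrated users keep their existing passwords.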
Other LDAP Tools
Fedora Console
LAM
GQ
Fedora Console
Web based or Java based; each has different functionality.
The web-based console acts as a “gateway” service.
It can be customised; see the Gateway Customisation Manual.
LAM
LDAP Account Manager.
Web based.
Useful for managing Samba and LDAP account information.
High-level schema views.
GQ
Useful for LDAP browsing and debugging.
Low-level tree browser.
Schema browser.
Not currently maintained.