====== Migrating user database to LDAP on Debian Lenny and OpenVZ ======

As a preparation for establishing a distributed virtualized environment based on [[http://www.openvz.org|OpenVZ]] I had to create a new VE based on a [[http://wiki.openvz.org/Download/template/precreated|precreated]] [[http://download.openvz.org/template/precreated/contrib/debian-5.0-amd64-minimal.tar.gz|Debian Lenny x86 minimal OS template]]. Once the new VE had Internet access I took the time to update it and remove some unnecessary packages, reconfigure debconf to ask all questions, then installed a basic LDAP environment:

<code bash>
dpkg-reconfigure debconf
apt-get install slapd ldapscripts libapache2-mod-php5 php5-ldap cpu wbritish
</code>

The configuration values are mostly left intact; I've only set the password and the base DN (//dc=example,dc=com//). Then I've modified ''/etc/nsswitch.conf'' to contain:

<code>
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</code>

I've downloaded and configured [[http://phpldapadmin.sourceforge.net|PHP LDAP Admin]]:

<code bash>
wget "http://switch.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz"
</code>

Then I've created a shell script to migrate user accounts (UIDs of 1000 and above) from the host into the LDAP directory running in the VE:

<code bash>
#!/bin/bash
# Runs on the OpenVZ host: dumps local accounts with UID >= 1000 as LDIF and loads
# them into the slapd of VE 100; existing entries are deleted first so the script
# can be re-run. The LDIF template between "cat <<EOF" and "EOF" was lost when this
# page was extracted; the one below is a standard posixAccount reconstruction that
# matches the attributes the home-directory script further down reads.
ADMIN_PW='********'     # LDAP admin password, masked on the original page

generate() {
    passwd=`cat /etc/passwd`
    shadow=`cat /etc/shadow`    # needs root: the password hashes are copied verbatim
    group=`cat /etc/group`
    echo -e "$passwd" | while read line; do
        name=`echo "$line" | cut -f 1 -d:`
        uid=`echo "$line" | cut -f 3 -d:`
        gid=`echo "$line" | cut -f 4 -d:`
        gecos=`echo "$line" | cut -f 5 -d: | recode l1..bs | tr -d "\b"`   # accents -> ASCII
        home=`echo "$line" | cut -f 6 -d:`
        shell=`echo "$line" | cut -f 7 -d:`
        if [ $uid -lt 1000 ]; then continue; fi    # system accounts stay in the local files
        passwd=`echo -e "$shadow" | egrep "^$name:" | cut -f2 -d:`
        cat <<EOF
dn: uid=$name,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: $name
cn: ${gecos:-$name}
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
loginShell: $shell
userPassword: {crypt}$passwd

EOF
    done
}

# Host-side path of VE 100's /tmp (assumed: VE private area under /var/lib/vz), so
# that ldapadd inside the VE can read the file as /tmp/$basefile.
file=/var/lib/vz/private/100/tmp/users.ldif
basefile=`basename $file`
dnfile=$file.dn
basednfile=`basename $dnfile`

generate > $file
cat $file | egrep "^dn:" | cut -f2 -d' ' > $dnfile
# -w exposes the password in the process list; -y <file> avoids that
vzctl exec 100 ldapdelete -c -x -D "cn=admin,dc=example,dc=com" -w "$ADMIN_PW" -H ldap://127.0.0.1 -f /tmp/$basednfile
vzctl exec 100 ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w "$ADMIN_PW" -H ldap://127.0.0.1 -f /tmp/$basefile
rm -f $file      # the LDIF contains the password hashes, so remove both files right away
rm -f $dnfile
</code>

To create home directories within the new VE the following small script can be used:

<code bash>
#!/bin/bash
# Runs inside the VE: creates a home directory for every posixAccount in LDAP
# whose homeDirectory lies under /home, owned by the account's uid/gid.
ldapsearch -x -b "ou=Users,dc=example,dc=com" "objectClass=posixAccount" dn |
grep "^dn" | cut -f2 -d' ' | while read dn; do
    data=`ldapsearch -x -b "$dn"`
    home=`echo -e "$data" | grep "^homeDirectory:" | cut -f2 -d' '`
    uid=`echo -e "$data" | grep "^uidNumber:" | cut -f2 -d' '`
    gid=`echo -e "$data" | grep "^gidNumber:" | cut -f2 -d' '`
    # only touch paths that start with /home/; -q keeps grep from printing the match
    if echo "$home" | grep -q "^/home/"; then
        mkdir -p "$home"
        chown "$uid:$gid" "$home"
        chmod ug=rwX,o-rwx "$home"     # owner and group only, nothing for others
    fi
done
</code>

The last thing that needs to be done is to modify the PAM configuration in the following files. With ''pam_ldap.so'' marked //sufficient//, an LDAP account is accepted as soon as the directory confirms it, while local accounts such as root fall through to ''pam_unix.so''.

''/etc/pam.d/common-account'':
<code>
account sufficient pam_ldap.so
account required   pam_unix.so
</code>

''/etc/pam.d/common-auth'':
<code>
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok_secure try_first_pass
</code>

''/etc/pam.d/common-password'':
<code>
password required pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
</code>

{{tag>bash ldap lenny debian openvz migration}}

~~LINKBACK~~
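A pre-flight check to run before the ldapadd step of the migration script above (an added example, not part of the original page): it compares the generated LDIF with the VE's local ''/etc/passwd'', because with ''passwd: files ldap'' in nsswitch.conf a local entry of the same name silently takes precedence over the LDAP one, and a duplicated uidNumber makes the chown in the home-directory script ambiguous. The function name, file paths and sample data are constructed.

```bash
#!/bin/bash
# Added example (not from the original page): before ldapadd loads the generated
# LDIF, find entries that collide with accounts already in the VE's local
# /etc/passwd. With "passwd: files ldap" a local entry of the same name silently
# wins over the LDAP one, and a duplicated uidNumber makes the chown done by the
# home-directory script ambiguous. The sample files below are constructed.

# check_ldif_collisions <ldif> <passwd>: prints each collision, returns 1 if any
check_ldif_collisions() {
    local ldif=$1 passwd=$2
    awk '
        BEGIN { bad = 0 }
        # first file (passwd): remember local login names and numeric uids
        NR == FNR { split($0, f, ":"); lname[f[1]] = 1; luid[f[3]] = f[1]; next }
        # second file (LDIF): check the attributes the migration script emits
        /^uid: /       { name = $2
                         if (name in lname) { print "name collision: " name; bad = 1 } }
        /^uidNumber: / { if ($2 in luid) {
                             print "uidNumber collision: " $2 " (" name " vs local " luid[$2] ")"
                             bad = 1 } }
        END { exit bad }
    ' "$passwd" "$ldif"
}

SAMPLE_DIR=$(mktemp -d)
# constructed local passwd of the VE: root plus one account created by hand
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'web:x:1001:1001:Web Admin:/home/web:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$SAMPLE_DIR/passwd_clean"
# constructed LDIF in the shape the migration script produces (attributes trimmed)
cat > "$SAMPLE_DIR/users.ldif" <<'EOF'
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
homeDirectory: /home/alice

dn: uid=web,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: web
uidNumber: 1002
homeDirectory: /home/web
EOF

# stand-alone run: both entries collide with the constructed VE passwd
if check_ldif_collisions "$SAMPLE_DIR/users.ldif" "$SAMPLE_DIR/passwd"; then
    echo "no collisions, safe to ldapadd"
fi
```

Against the real VE, point the second argument at its ''/etc/passwd'' (on the host that is the VE's private area) and only run ldapadd when the function returns 0.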