====== Migrating user database to LDAP on Debian Lenny and OpenVZ ======
As a preparation for establishing a distributed virtualized environment based on [[http://www.openvz.org|OpenVZ]] I had to create a new VE based on a [[http://wiki.openvz.org/Download/template/precreated|precreated]] [[http://download.openvz.org/template/precreated/contrib/debian-5.0-amd64-minimal.tar.gz|Debian Lenny x86 minimal OS template]]. Once the new VE had Internet access I took the time to update it and remove some unnecessary packages, reconfigured debconf to ask all questions, and then installed a basic LDAP environment:
<code bash>
dpkg-reconfigure debconf
apt-get install slapd ldapscripts libapache2-mod-php5 php5-ldap cpu wbritish
</code>
I left most configuration values at their defaults and only set the password and the DN (//dc=example,dc=com//).
Then I've modified ''/etc/nsswitch.conf'' to contain:
<code>
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns ldap
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
</code>
I've downloaded and configured [[http://phpldapadmin.sourceforge.net|PHP LDAP Admin]]:
<code bash>
wget "http://switch.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz"
</code>
Then I've created a shell script to migrate user accounts with UID 1000 or higher. It runs on the OpenVZ host and loads the generated LDIF into VE 100, where slapd lives:
<code bash>
#!/bin/bash
# Runs on the OpenVZ host. slapd lives in VE 100, so the LDIF is written into the
# VE's filesystem and ldapadd/ldapdelete are executed inside it with vzctl exec.
veroot=/var/lib/vz/root/100   # assumption: where the root of VE 100 is mounted on the host
file=$veroot/tmp/users.ldif
dnfile=$veroot/tmp/users.dn
basefile=$(basename "$file")
basednfile=$(basename "$dnfile")

generate() {
  shadow=$(cat /etc/shadow)
  while IFS=: read -r name _ uid gid gecos home shell; do
    # skip system accounts
    if [ "$uid" -lt 1000 ]; then
      continue
    fi
    gecos=$(echo "$gecos" | recode l1..bs | tr -d "\b")
    hash=$(echo "$shadow" | egrep "^$name:" | cut -f2 -d:)
    # one LDIF entry per account; the objectClass set is the standard one for a posixAccount
    cat <<EOF
dn: uid=$name,ou=Users,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $name
cn: $name
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
loginShell: $shell
gecos: $gecos
userPassword: {crypt}$hash

EOF
  done < /etc/passwd
}
generate > "$file"
egrep "^dn:" "$file" | cut -f2 -d' ' > "$dnfile"
# delete any existing entries first (-c continues on "no such object"), then add the new ones
vzctl exec 100 ldapdelete -c -x -D "cn=admin,dc=example,dc=com" -w '********' -H ldap://127.0.0.1 -f /tmp/$basednfile
vzctl exec 100 ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w '********' -H ldap://127.0.0.1 -f /tmp/$basefile
rm -f "$file" "$dnfile"
</code>
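The script above has to pre-process the GECOS field because LDIF carries only plain ASCII verbatim; the LDIF format itself solves this with base64-encoded (''::'') values. The following Python script is an added example, not part of the original page or the author's scripts: it builds the same kind of entries from passwd/shadow data, base64-encodes values that are not LDIF safe-strings, and also carries the shadow ageing fields. The base DN ''ou=Users,dc=example,dc=com'' comes from the page; the objectClass set and the sample account are assumptions.

```python
import base64

BASE_DN = "ou=Users,dc=example,dc=com"  # the subtree the page's home-directory script searches
MIN_UID = 1000                          # the page's migration script skips UIDs below this
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire")

def ldif_attr(name, value):
    """One LDIF line; use base64 ('::') when the value is not an RFC 2849
    SAFE-STRING (non-ASCII byte, leading space/colon/'<', trailing space)."""
    raw = value.encode("utf-8")
    unsafe = any(b > 127 for b in raw) or value[:1] in (" ", ":", "<") or value.endswith(" ")
    if unsafe:
        return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))
    return "%s: %s" % (name, value)

def account_to_ldif(pw_fields, sh_fields):
    """LDIF entry for one passwd line (split on ':') and its shadow line, if any.
    The objectClass set below is an assumption (standard posixAccount/shadowAccount)."""
    name, _, uid, gid, gecos, home, shell = pw_fields[:7]
    lines = ["dn: uid=%s,%s" % (name, BASE_DN), "objectClass: top",
             "objectClass: account", "objectClass: posixAccount", "objectClass: shadowAccount",
             "uid: %s" % name, "cn: %s" % name, "uidNumber: %s" % uid,
             "gidNumber: %s" % gid, "homeDirectory: %s" % home, "loginShell: %s" % shell]
    if gecos:
        lines.append(ldif_attr("gecos", gecos))
    if sh_fields:
        # hash copied verbatim: a leading '!' (locked account) can never equal crypt() output
        lines.append("userPassword: {crypt}%s" % sh_fields[1])
        for attr, val in zip(SHADOW_ATTRS, sh_fields[2:8]):
            if val:
                lines.append("%s: %s" % (attr, val))
    return "\n".join(lines) + "\n"

def passwd_to_ldif(passwd_text, shadow_text, min_uid=MIN_UID):
    # shadow entries keyed by user name
    shadow = {l.split(":")[0]: l.split(":") for l in shadow_text.splitlines() if ":" in l}
    entries = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit() or int(fields[2]) < min_uid:
            continue  # comments, NIS '+' lines and system accounts
        entries.append(account_to_ldif(fields, shadow.get(fields[0])))
    return "\n".join(entries)

# constructed sample input, not taken from a real system
PASSWD = "root:x:0:0:root:/root:/bin/bash\nbob:x:1001:1001:Bob Ödön,,,:/home/bob:/bin/bash\n"
SHADOW = "root:!:14000:0:99999:7:::\nbob:$1$saltsalt$abcdefghijklmnopqrstuv:14600:0:99999:7:::\n"
```

Running ''passwd_to_ldif(PASSWD, SHADOW)'' yields one entry for ''bob'' whose GECOS is emitted as ''gecos:: ...'' instead of being stripped of its non-ASCII characters.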
To create the home directories within the new VE, the following small script can be used (it runs inside the VE):
<code bash>
#!/bin/bash
# Create a home directory for every posixAccount under ou=Users whose home lives below /home
ldapsearch -x -LLL -b "ou=Users,dc=example,dc=com" "(objectClass=posixAccount)" dn | grep "^dn:" | cut -f2- -d' ' | while read -r dn; do
  data=$(ldapsearch -x -LLL -s base -b "$dn")
  home=$(echo "$data" | grep "^homeDirectory:" | cut -f2 -d' ')
  uid=$(echo "$data" | grep "^uidNumber:" | cut -f2 -d' ')
  gid=$(echo "$data" | grep "^gidNumber:" | cut -f2 -d' ')
  if echo "$home" | grep -q "/home/"; then
    mkdir -p "$home"
    chown "$uid:$gid" "$home"
    # owner and group may use the directory, everybody else is kept out
    chmod ug=rwX,o-rwx "$home"
  fi
done
</code>
The last thing that needs to be done is to modify the PAM configuration in the following files (pam_ldap is consulted first, pam_unix still handles the local accounts).

''/etc/pam.d/common-account'':
<code>
account sufficient pam_ldap.so
account required   pam_unix.so
</code>

''/etc/pam.d/common-auth'':
<code>
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok_secure try_first_pass
</code>

''/etc/pam.d/common-password'':
<code>
password required pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
</code>
{{tag>bash ldap lenny debian openvz migration}}