As a preparation for establishing a distributed virtualized environment based on OpenVZ, I had to create a new VE from the precreated Debian Lenny x86 minimal OS template. Once the new VE had Internet access I updated it, removed some unnecessary packages, reconfigured debconf to ask all questions and then installed a basic LDAP environment:
dpkg-reconfigure debconf
apt-get install slapd ldapscripts libapache2-mod-php5 php5-ldap cpu wbritish
The configuration values were mostly left at their defaults; I only set the admin password and the base DN (dc=example,dc=com).
Then I modified /etc/nsswitch.conf to contain:
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns ldap
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis
I downloaded and configured phpLDAPadmin:
wget "http://switch.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz"
Then I wrote a shell script to migrate user accounts (uid >= 1000) and groups (1000 <= gid <= 80000) from the hardware node into the LDAP database inside my VE (CTID 100). It runs on the hardware node and pushes the entries into the VE with vzctl exec. Modify this script to match your own settings.
#!/bin/bash
# Emit LDIF for every /etc/passwd user with uid >= 1000 and every /etc/group
# group with 1000 <= gid <= 80000. Run on the hardware node as root.
generate() {
    passwd=`cat /etc/passwd`
    shadow=`cat /etc/shadow`
    group=`cat /etc/group`

    echo "$passwd" | while read line; do
        name=`echo "$line" | cut -f 1 -d:`
        uid=`echo "$line" | cut -f 3 -d:`
        gid=`echo "$line" | cut -f 4 -d:`
        # LDAP gecos is IA5String (ASCII): transliterate the Latin-1 field
        gecos=`echo "$line" | cut -f 5 -d: | recode l1..bs | tr -d "\b"`
        home=`echo "$line" | cut -f 6 -d:`
        shell=`echo "$line" | cut -f 7 -d:`
        if [ "$uid" -lt 1000 ]; then continue; fi
        # the hash from /etc/shadow is reused verbatim through the {crypt} scheme
        hash=`echo "$shadow" | egrep "^$name:" | cut -f2 -d:`
        # the blank line after gecos terminates the entry in LDIF
        cat <<EOF
dn: cn=$name,ou=Users,dc=example,dc=com
cn: $name
objectClass: account
objectClass: posixAccount
objectClass: top
uid: $name
uidNumber: $uid
gidNumber: $gid
userPassword: {crypt}$hash
homeDirectory: $home
loginShell: $shell
gecos: $gecos

EOF
    done

    # no "echo -n" here: without the trailing newline "read" drops the final
    # line, so the last group (and, below, the last member) would be skipped
    echo "$group" | while read line; do
        name=`echo "$line" | cut -f 1 -d:`
        gid=`echo "$line" | cut -f 3 -d:`
        members=`echo "$line" | cut -f 4 -d:`
        if [ "$gid" -lt 1000 -o "$gid" -gt 80000 ]; then continue; fi
        cat <<EOF
dn: cn=$name,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: $name
gidNumber: $gid
EOF
        echo "$members" | tr ',' "\n" | while read member; do
            # a group without members must not produce an empty memberUid
            [ -n "$member" ] || continue
            echo "memberUid: $member"
        done
        echo ""
    done
}

# the temp files are created below the VE root, so the VE sees them as /tmp/...
file=`mktemp -p /vz/root/100/tmp/`
basefile=`basename "$file"`
dnfile=`mktemp -p /vz/root/100/tmp/`
basednfile=`basename "$dnfile"`

generate > "$file"
# list of DNs, used to delete stale copies of the entries before re-adding them
egrep "^dn:" "$file" | cut -f2 -d' ' > "$dnfile"

# ******** stands for the LDAP admin password; note that a password passed
# with -w is visible in the process list, -y <file> reads it from a file instead
vzctl exec 100 ldapdelete -c -x -D "cn=admin,dc=example,dc=com" -w ******** -H ldap://127.0.0.1 -f /tmp/$basednfile
vzctl exec 100 ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w ******** -H ldap://127.0.0.1 -f /tmp/$basefile

rm -f "$file" "$dnfile"
To create the home directories inside the new VE, the following small script can be run within the VE:
#!/bin/bash
# Run inside the VE: create a home directory for every LDAP user whose
# homeDirectory lies below /home, owned by the user's uid/gid from LDAP.
ldapsearch -x -b "ou=Users,dc=example,dc=com" "objectClass=posixAccount" dn \
  | grep "^dn:" | cut -f2 -d' ' | while read dn; do
    data=`ldapsearch -x -b "$dn"`
    home=`echo "$data" | grep "^homeDirectory:" | cut -f2 -d' '`
    uid=`echo "$data" | grep "^uidNumber:" | cut -f2 -d' '`
    gid=`echo "$data" | grep "^gidNumber:" | cut -f2 -d' '`
    # skip incomplete entries rather than chown with an empty owner
    [ -n "$uid" -a -n "$gid" ] || continue
    # only touch directories below /home; -q keeps grep's match off the terminal
    if echo "$home" | grep -q "^/home/"; then
        mkdir -p "$home"
        chown "$uid:$gid" "$home"
        chmod ug=rwX,o-rwx "$home"
    fi
done
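Before the generated LDIF is handed to ldapadd, and before the home-directory script acts on the result, it pays to audit the entries: an account carried over with an empty {crypt} hash (passwordless on the host), a locked hash (! or *), a uid below 1000 or a group outside the gid window (the migration filter did not do its job), or a home directory outside /home (which the script above silently skips) all deserve a look before they land in the directory. The following POSIX shell script is an added example and not part of the original post; it reads LDIF in exactly the shape the migration script emits, the uid/gid limits are the ones from that script, the finding names are my own, and the sample entries embedded in it are constructed test data, not real accounts.

```shell
#!/bin/sh
# Added example (not from the original post): audit migration LDIF before ldapadd.
# SAMPLE_LDIF is constructed test data in the shape the migration script emits.
SAMPLE_LDIF='dn: cn=alice,ou=Users,dc=example,dc=com
cn: alice
objectClass: account
objectClass: posixAccount
objectClass: top
uid: alice
uidNumber: 1001
gidNumber: 1001
userPassword: {crypt}$1$saltsalt$constructedhashvalue
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example

dn: cn=svc,ou=Users,dc=example,dc=com
cn: svc
objectClass: account
objectClass: posixAccount
objectClass: top
uid: svc
uidNumber: 1002
gidNumber: 1002
userPassword: {crypt}
homeDirectory: /var/lib/svc
loginShell: /bin/sh
gecos: Service account

dn: cn=bob,ou=Users,dc=example,dc=com
cn: bob
objectClass: account
objectClass: posixAccount
objectClass: top
uid: bob
uidNumber: 1003
gidNumber: 1001
userPassword: {crypt}!$1$saltsalt$constructedhashvalue
homeDirectory: /home/bob
loginShell: /bin/bash
gecos: Bob Example

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: alice
memberUid: bob

dn: cn=users,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: users
gidNumber: 100
'

# audit_ldif LDIF-TEXT
# Prints one "FINDING dn" line per problem; returns 1 if there was any, 0 if clean.
#   SYSTEM-UID    posixAccount with uidNumber below 1000 (migration filter failed)
#   EMPTY-HASH    userPassword is {crypt} with nothing behind it (passwordless on the host)
#   LOCKED        hash starts with ! or * (account was locked on the host)
#   HOME-OUTSIDE  homeDirectory not below /home/ (the home-directory script skips it)
#   GID-RANGE     posixGroup with gidNumber outside 1000..80000
audit_ldif() {
    printf '%s\n\n' "$1" | awk '
    function flush() {
        if (dn == "") return
        if (isuser) {
            if (uidn + 0 < 1000)      { print "SYSTEM-UID " dn;   n++ }
            if (haspw && hash == "")  { print "EMPTY-HASH " dn;   n++ }
            else if (hash ~ /^[!*]/)  { print "LOCKED " dn;       n++ }
            if (home !~ /^\/home\//)  { print "HOME-OUTSIDE " dn; n++ }
        }
        if (isgroup && (gidn + 0 < 1000 || gidn + 0 > 80000)) {
            print "GID-RANGE " dn; n++
        }
        dn = ""; isuser = 0; isgroup = 0; uidn = ""; gidn = ""
        haspw = 0; hash = ""; home = ""
    }
    # a blank line ends an entry, a "dn:" line starts the next one
    /^$/                   { flush(); next }
    /^dn: /                { flush(); dn = substr($0, 5); next }
    $1 == "objectClass:" && $2 == "posixAccount" { isuser = 1 }
    $1 == "objectClass:" && $2 == "posixGroup"   { isgroup = 1 }
    $1 == "uidNumber:"     { uidn = $2 }
    $1 == "gidNumber:"     { gidn = $2 }
    $1 == "homeDirectory:" { home = $2 }
    # "userPassword: {crypt}" is 21 characters; the hash starts right after it
    index($0, "userPassword: {crypt}") == 1 { haspw = 1; hash = substr($0, 22) }
    END { flush(); exit (n > 0) }
    '
}

# finding_count LDIF-TEXT: number of findings, 0 when the LDIF is clean
finding_count() {
    audit_ldif "$1" | wc -l | tr -d ' '
}

# usage: on the hardware node, audit_ldif "$(cat "$file")" before the ldapadd step
if audit_ldif "$SAMPLE_LDIF"; then
    echo "LDIF clean, safe to pass to ldapadd"
else
    echo "review the findings above before running ldapadd"
fi
```

The audit is deliberately read-only and works on the LDIF text alone, so it can run on the hardware node before anything touches slapd; the sample above yields four findings (svc: EMPTY-HASH and HOME-OUTSIDE, bob: LOCKED, users: GID-RANGE) and the script exits non-zero, which makes it easy to chain in front of the ldapadd call.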
The last thing that needs to be done is to modify the PAM configuration in the following files. Note that with pam_ldap.so marked required in the password stack, a password change only succeeds when the LDAP update succeeds, so accounts that exist only in the local files can no longer change their password through this stack; use sufficient for pam_ldap.so there if you need both.
/etc/pam.d/common-account:

account sufficient pam_ldap.so
account required pam_unix.so

/etc/pam.d/common-auth:

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass

/etc/pam.d/common-password:

password required pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass