Command disabled: backlink

Migrating user database to LDAP on Debian Lenny and OpenVZ

As a preparation for for establishing a distributed virtualized environment based on OpenVZ I had to create a new VE based on a precreated Debian Lenny x86 minimal OS template. Once the new VE had Internet access I took the time to update it and remove some unnecessary packages, reconfigure debconf to ask all questions then installed a basic LDAP environment:

dpkg-reconfigure debconf
apt-get install slapd ldapscripts libapache2-mod-php5 php5-ldap cpu wbritish

The configuration values are mostly left intact. I've set the default password and DN (dc=example,dc=com) per se.

Then I've modified /etc/nsswitch.conf to contain:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

I've downloaded and configured PHP LDAP Admin:

wget "http://switch.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz"

Then I've created a shell script to migrate user accounts (1000<uid) and groups (1000<gid<80000) to the LDAP database inside my VE (id:100). Modify this script to match your own settings.

#!/bin/bash
 
generate() {
 
passwd=`cat /etc/passwd`
shadow=`cat /etc/shadow`
group=`cat /etc/group`
 
echo -e "$passwd" | while read line; do
 
    name=`echo "$line" | cut -f 1 -d:`
    uid=`echo "$line" | cut -f 3 -d:`
    gid=`echo "$line" | cut -f 4 -d:`
    gecos=`echo "$line" | cut -f 5 -d: | recode l1..bs | tr -d "\b"`
    home=`echo "$line" | cut -f 6 -d:`
    shell=`echo "$line" | cut -f 7 -d:`
 
    if [ $uid -lt 1000 ]; then
        continue;
    fi
 
    passwd=`echo -e "$shadow" | egrep "^$name:" | cut -f2 -d:`
 
cat <<EOF
dn: cn=$name,ou=Users,dc=example,dc=com
cn: $name
objectClass: account
objectClass: posixAccount
objectClass: top
uid: $name
uidNumber: $uid
gidNumber: $gid
userPassword: {crypt}$passwd
homeDirectory: $home
loginShell: $shell
gecos: $gecos
 
EOF
 
done
 
echo -n "$group" | while read line; do
 
    name=`echo "$line" | cut -f 1 -d:`
    gid=`echo "$line" | cut -f 3 -d:`
    members=`echo "$line" | cut -f 4 -d:`
 
 
    if [ $gid -lt 1000 -o $gid -gt 80000 ]; then
        continue;
    fi
 
 
cat <<EOF
dn: cn=$name,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: $name
gidNumber: $gid
EOF
    memuid=""
    echo -n "$members" | tr ',' "\n" | while read member; do
        echo "memberUid: $member"
    done
echo ""
 
done
 
}
 
file=`mktemp -p /vz/root/100/tmp/`
basefile=`basename "$file"`
 
dnfile=`mktemp -p /vz/root/100/tmp/`
basednfile=`basename "$dnfile"`
 
generate > $file
 
cat $file | egrep "^dn:" | cut -f2 -d' ' > $dnfile
 
vzctl exec 100 ldapdelete -c -x -D "cn=admin,dc=example,dc=com" -w ******** -H ldap://127.0.0.1 -f /tmp/$basednfile
vzctl exec 100 ldapadd -c -x -D "cn=admin,dc=example,dc=com" -w ******** -H ldap://127.0.0.1 -f /tmp/$basefile
 
rm -f $file
rm -f $dnfile

To create home directories within the new VE the following small script can be used:

#!/bin/bash
ldapsearch -x -b "ou=Users,dc=example,dc=com" "objectClass=PosixAccount" "dn" | grep "^dn" | cut -f2 -d' ' | while read dn; do
 
    data=`ldapsearch -x -b "$dn"`
    home=`echo -e "$data" | grep "homeDirectory" | cut -f2 -d' '`
    uid=`echo -e "$data" | grep "uidNumber" | cut -f2 -d' '`
    gid=`echo -e "$data" | grep "gidNumber" | cut -f2 -d' '`
 
    if echo "$home" | grep "/home/"; then
 
        mkdir -p $home
        chown $uid:$gid $home
        chmod ug=rwX,o-rwx $home
 
    fi
done

The last thing that needs to be done is to modify the PAM configuration in the following files.

/etc/pam.d/common-account

account	sufficient	pam_ldap.so
account	required	pam_unix.so

/etc/pam.d/common-auth

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass

/etc/pam.d/common-password

password   required   pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

Linkbacks

Use the following URL for manually sending trackbacks: http://rigo.info/lib/plugins/linkback/exe/trackback.php/en:blog:migrating_user_database_to_ldap_on_debian_lenny_and_openvz
en/blog/migrating_user_database_to_ldap_on_debian_lenny_and_openvz.txt · Utolsó módosítás: 2009-05-13 00:00 (külső szerkesztés)
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0