Saturday, January 24, 2009

Add user in LDAP Database using Script

Adding the user in LDAP database using the script
 
#!/bin/bash
# Usage: ./addldapuser.sh <username>
# Creates the user locally, then copies its passwd entry into the LDAP database.
set -e
[ -n "$1" ] || { echo "usage: $0 <username>" >&2; exit 1; }

adduser "$1"
passwd "$1"

# Anchor on "^name:" so that "test" does not also match "test2" or "attest".
grep "^$1:" /etc/passwd > /tmp/changeldappasswd.tmp

/usr/share/openldap/migration/migrate_passwd.pl /tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp

# migrate_common.ph defaults to the padl suffix; rename it to ours.
sed s/padl/mydomain/ /tmp/changeldappasswd.ldif.tmp > /tmp/changeldappasswd.ldif

# -w puts the Manager password on the command line (visible in ps); -W prompts for it instead.
ldapadd -f /tmp/changeldappasswd.ldif -x -D "cn=Manager,dc=mydomain,dc=com" -w secret

rm -f /tmp/changeldappasswd.*

OUTPUT:
# ldapadd -f changeldappasswd.ldif -x -D "cn=Manager,dc=mydomain,dc=com" -w secret
adding new entry "uid=test,ou=People,dc=mydomain,dc=com"
 
The intermediate LDIF produced by this script looks like this (if you inspect the temporary files before the script removes them):
 
# cat /tmp/changeldappasswd.ldif
dn: uid=test,ou=People,dc=mydomain,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$RilVIlhw$yUZNJ8VpXDxr9xzsOQ6pi1
shadowLastChange: 14268
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/test
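As an added example, not the blog's script, here is the passwd-to-LDIF step done in plain POSIX shell from constructed passwd and shadow records, so the LDIF above can be reproduced without migrate_passwd.pl and with an anchored user lookup; the entry_for, field and user_to_ldif names and the sample records are my own.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd and /etc/shadow.
# "test2" is there to show why the grep must be anchored.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test2:x:504:504::/home/test2:/bin/sh
test:x:503:503:Test User,,,:/home/test:/bin/bash'
SAMPLE_SHADOW='root:*:14268:0:99999:7:::
test2:!!:14268:0:99999:7:::
test:$1$RilVIlhw$yUZNJ8VpXDxr9xzsOQ6pi1:14268:0:99999:7:::'

# Print the record for exactly user $2 from the colon-separated data in $1.
# Anchoring on "^name:" is what an unanchored "grep $1" lacks: grepping for
# "test" would also pull in test2 (and any line containing "test").
entry_for() {
    printf '%s\n' "$1" | grep "^$2:"
}

# Field $2 (1-based) of the colon-separated record $1.
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Emit the account/posixAccount/shadowAccount LDIF for user $3 under base
# DN $4, built from passwd data $1 and shadow data $2 (what migrate_passwd.pl
# does for one user). Returns 1 and prints nothing if the user is absent.
user_to_ldif() {
    pw=$(entry_for "$1" "$3") || return 1
    shd=$(entry_for "$2" "$3") || return 1
    name=$(field "$pw" 1); uid=$(field "$pw" 3); gid=$(field "$pw" 4)
    gecos=$(field "$pw" 5); home=$(field "$pw" 6); shell=$(field "$pw" 7)
    pwhash=$(field "$shd" 2); lastchg=$(field "$shd" 3)
    max=$(field "$shd" 5); warn=$(field "$shd" 6)
    cn=${gecos%%,*}           # full name is the GECOS part before the first comma
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$4"
    printf 'uid: %s\ncn: %s\n' "$name" "${cn:-$name}"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    printf 'userPassword: {crypt}%s\n' "$pwhash"   # crypt(3) hash copied verbatim from shadow
    printf 'shadowLastChange: %s\nshadowMax: %s\nshadowWarning: %s\n' "$lastchg" "$max" "$warn"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\n' "$shell" "$uid" "$gid"
    printf 'homeDirectory: %s\n' "$home"
}

# Produce the LDIF for "test"; in real use pipe it straight into
#   ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W
# so no temporary file holds the hash and no password appears in argv.
user_to_ldif "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" test "dc=mydomain,dc=com"
```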

Configuring The LDAP Client

When we have configured our LDAP server properly, we can configure and test the client.

Edit the ldap.conf configuration file

LDAP clients are configured using the /etc/openldap/ldap.conf file. We need to make sure that the file refers to the LDAP server's IP address for the mydomain.com domain. The file should look like this:

HOST x.x.x.x
BASE dc=mydomain,dc=com

Edit the /etc/nsswitch.conf file

The /etc/nsswitch.conf file defines the order in which the Linux operating system searches login databases for login information.

Here we want to configure it to search its /etc/passwd file first. If it doesn't find the user's password information there, it goes to the LDAP server. The easiest way to set this up is to use the /usr/bin/authconfig-tui command, or to run the setup command and select Authentication Configuration:

  1. Select use LDAP.
  2. Give the LDAP server's IP address, which is x.x.x.x.
  3. Give the base DN as dc=mydomain,dc=com
  4. Do not select TLS.
  5. Use MD5 and shadow passwords.

After finishing, check the /etc/nsswitch.conf file once more and make sure it has references to LDAP.
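As an added check, not from the original post, this shell function verifies that the passwd, shadow and group lines of nsswitch.conf each list files before ldap, which is the lookup order described above; the sample file contents and the nss_sources and check_nsswitch names are constructed.

```shell
#!/bin/sh
# Constructed nsswitch.conf contents: one as authconfig writes it, and one
# where shadow still reads only "files", so LDAP passwords would never be used.
GOOD_NSSWITCH='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns'
BAD_NSSWITCH='passwd:     files ldap
shadow:     files
group:      ldap files'

# Print the sources listed for database $2 in nsswitch data $1, e.g. "files ldap".
nss_sources() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# Succeed only if passwd, shadow and group each consult local files first
# and then ldap; anything else (missing ldap, or ldap before files) fails.
check_nsswitch() {
    for db in passwd shadow group; do
        case "$(nss_sources "$1" "$db")" in
            "files ldap"|"files ldap "*) ;;     # files first, ldap second: OK
            *) echo "nsswitch: $db does not read 'files ldap'" >&2; return 1 ;;
        esac
    done
}

check_nsswitch "$GOOD_NSSWITCH" && echo "nsswitch.conf: OK"
```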

Create Home Directories On The LDAP Client

Check if ldapuser is Missing From the /etc/passwd file

We can look for ldapuser by searching the /etc/passwd file with the grep command. There should be no response.

# grep ldapuser /etc/passwd
 
Create The Home Directory For ldapuser On The LDAP Client

# mkdir /home/ldapuser
# chmod 700 /home/ldapuser/
 

HOW TO CONFIGURE LDAP SERVER

First we need to make sure that the required LDAP server RPMs, such as openldap-2.3.27-5, are installed on our LDAP server.

Other required LDAP Server RPMS

openldap-clients-2.3.27-5
openldap-devel-2.3.27-5
nss_ldap-253-3
openldap-servers-2.3.27-5
compat-openldap-2.3.27_2.2.29-5

Required LDAP RPMS for Client Machine

We will have to make sure that the following packages are installed on our LDAP client.

openldap-2.3.27-5
openldap-devel-2.3.27-5
openldap-clients-2.3.27-5
nss_ldap-253-3

Configuring The LDAP Server

To configure the LDAP server we must create an LDAP database into which we can import the /etc/passwd file.

Here is the step-by-step procedure:

1. Create a Database Directory

In Red Hat Enterprise Linux, LDAP by default uses the /var/lib/ldap directory for all its databases. For this example, create a dedicated mydomain.com directory owned by the user ldap. There is no need to create the ldap user, because it is always created during the RPM installation.

# mkdir /var/lib/ldap/mydomain.com
# chown ldap:ldap /var/lib/ldap/mydomain.com

2. Create an LDAP "root" password

Only the LDAP root user can create an LDAP database and import data into or export data from it. The root user needs a hashed (encrypted) password. We can create it with the slappasswd command and paste the result into the LDAP configuration file.

# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

3. Create a Test Account Named ldapuser

Here we create an ldapuser account for testing purposes with these commands.

# useradd -g users ldapuser
# passwd ldapuser
Changing password for user ldapuser.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

4. Edit the slapd.conf file

The LDAP server's daemon is named slapd and its configuration file is named /etc/openldap/slapd.conf. Update it with:

  • A database of the default type bdb using the domain suffix mydomain.com made up of domain components (DCs) mydomain and com.
  • The root user with a common name (CN), or nickname, of Manager who, as expected, is part of the mydomain and com DCs.
  • The encrypted version of the LDAP root password as well as the location of the LDAP database.

The configuration file syntax to configure LDAP is:

database        bdb
suffix          "dc=mydomain,dc=com"
rootdn          "cn=Manager,dc=mydomain,dc=com"
# rootpw may be given in clear text (rootpw secret), but use the hash
# produced by slappasswd in step 2 instead; only one rootpw line is needed:
rootpw          {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory       /var/lib/ldap/mydomain.com

5. Create Your LDAP Database

This process involves migrating our system’s authentication files to the LDAP database which we will need to create. Here’s what we need to do:

1. Update our file location database with the updatedb command.

# updatedb

2. Locate migrate_common.ph file. Here we can see it is located in the /usr/share/openldap/migration/ directory.

# locate migrate_common.ph
/usr/share/openldap/migration/migrate_common.ph

3. We have to edit this file and replace all instances of the string “padl” with the string “mydomain”. Padl is the website used by some of the LDAP development team. We need our domain to be “mydomain” instead so it matches our /etc/openldap/slapd.conf file. The migrate_common.ph file will be used later by the migration script.

4. Copy the DB_CONFIG.example starter file to our ldap database directory of /var/lib/ldap/mydomain.com.

# cp /etc/openldap/DB_CONFIG.example  /var/lib/ldap/mydomain.com/DB_CONFIG

5. Now we have to migrate our system authentication files using the migrate_all_offline.sh script that should reside in the same directory as the migrate_common.ph file.

# /usr/share/openldap/migration/migrate_all_offline.sh
Creating naming context entries...
Migrating groups...
Migrating hosts...
...
...
...
Preparing LDAP database...
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="cn=raid-am,ou=Services,dc=mydomain,dc=com" (line=16432): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
Migration failed: saving failed LDIF to /tmp/nis.ldif.E14499

6. LDAP will not start unless the files in the database directory are owned by the ldap user. Use the chown command to fix the ownership.

# chown -R ldap:ldap /var/lib/ldap/mydomain.com

7. Start LDAP and make sure it starts on reboot.

# service ldap start
Starting slapd: [  OK  ]
# chkconfig ldap on

Our database has been created, so now we are ready to go forward.

Test the LDAP database

For testing, we can view all the LDAP database entries at once with the ldapsearch command against our own base DN; this is a good test to make sure that everything works.

# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)'

OUTPUT should be like this:
# echo, Services, mydomain.com
dn: cn=echo,ou=Services,dc=mydomain,dc=com
objectClass: ipService
objectClass: top
ipServicePort: 4
ipServiceProtocol: ddp
cn: echo
 
# rje, Services, mydomain.com
dn: cn=rje,ou=Services,dc=mydomain,dc=com
objectClass: ipService
objectClass: top
ipServicePort: 5
ipServiceProtocol: udp
ipServiceProtocol: tcp
cn: rje
 
 
# test, People, mydomain.com
dn: uid=test,ou=People,dc=mydomain,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFJpbFZJbGh3JHlVWk5KOFZwWER4cjl4enNPUTZwaTE=
shadowLastChange: 14268
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/test
 
# search result
search: 2
result: 0 Success
 
# numResponses: 323
# numEntries: 322

THIS IS NOT THE COMPLETE OUTPUT, ONLY A PART OF IT