Copyright IBM Corporation 2008. Trademarks.
LPI exam 301 prep: Topic 305: Integration and migration (Page 1 of 34)

LPI exam 301 prep: Topic 305: Integration and migration
Senior Level Linux Professional (LPIC-3)
Sean Walberg
April 08, 2008

In this tutorial, Sean Walberg helps you prepare to take the Linux Professional Institute Senior Level Linux Professional (LPIC-3) exam. In this fifth in a series of six tutorials, Sean walks you through integrating LDAP with your system's logins and applications. He also details the procedure to integrate your server into a foreign Microsoft Active Directory.

Before you start

Learn what these tutorials can teach you and how you can get the most from them.

About this series

The Linux Professional Institute (LPI) certifies Linux system administrators at three levels: junior level (also called "certification level 1"), advanced level (also called "certification level 2"), and senior level (also called "certification level 3"). To attain certification level 1, you must pass exams 101 and 102. To attain certification level 2, you must pass exams 201 and 202. To attain certification level 3, you must have an active advanced-level certification and pass exam 301 ("core"). You may also pass additional specialty exams at the senior level.

developerWorks offers tutorials to help you prepare for the five junior, advanced, and senior certification exams. Each exam covers several topics, and each topic has a corresponding self-study tutorial on developerWorks. Table 1 lists the six topics and corresponding developerWorks tutorials for LPI exam 301.
Table 1. LPI exam 301: Tutorials and topics

LPI exam 301 topic | developerWorks tutorial | Tutorial summary
Topic 301 | LPI exam 301 prep: Concepts, architecture, and design | Learn about LDAP concepts and architecture, how to design and implement an LDAP directory, and about schemas.
Topic 302 | LPI exam 301 prep: Installation and development | Learn how to install, configure, and use the OpenLDAP software.
Topic 303 | LPI exam 301 prep: Configuration | Learn how to configure the OpenLDAP software in detail.
Topic 304 | LPI exam 301 prep: Usage | Learn how to search the directory and use the OpenLDAP tools.
Topic 305 | LPI exam 301 prep: Integration and migration (This tutorial) | Learn how to use LDAP as the source of data for your systems and applications. See the detailed objectives.
Topic 306 | LPI exam 301 prep: Capacity planning | Coming soon.
To pass exam 301 (and attain certification level 3), the following should be true:

- You should have several years of experience with installing and maintaining Linux on a number of computers for various purposes.
- You should have integration experience with diverse technologies and operating systems.
- You should have professional experience as, or training to be, an enterprise-level Linux professional (including having experience as a part of another role).
- You should know advanced and enterprise levels of Linux administration including installation, management, security, troubleshooting, and maintenance.
- You should be able to use open source tools to measure capacity planning and troubleshoot resource problems.
- You should have professional experience using LDAP to integrate with UNIX services and Microsoft Windows services, including Samba, Pluggable Authentication Modules (PAM), e-mail, and Active Directory.
- You should be able to plan, architect, design, build, and implement a full environment using Samba and LDAP as well as measure the capacity planning and security of the services.
- You should be able to create scripts in Bash or Perl or have knowledge of at least one system programming language (such as C).

To continue preparing for certification level 3, see the series of developerWorks tutorials for LPI exam 301, as well as the entire set of developerWorks LPI tutorials.

The Linux Professional Institute doesn't endorse any third-party exam preparation material or techniques in particular.
About this tutorial

Welcome to "Integration and migration," the fifth of six tutorials designed to prepare you for LPI exam 301. In this tutorial, you'll learn all about integration of LDAP with authentication and other UNIX services.

This tutorial is organized according to the LPI objectives for this topic. Very roughly, expect more questions on the exam for objectives with higher weights.

Objectives

Table 2 provides the detailed objectives for this tutorial.
Table 2. Integration and migration: Exam objectives covered in this tutorial

LPI exam objective | Objective weight | Objective summary
305.1 LDAP integration with PAM and NSS | 2 | Integrate the core system authentication with LDAP.
305.2 NIS to LDAP migration | 1 | Plan and implement a NIS migration strategy, including the deployment of a NIS to LDAP gateway.
305.3 Integrating LDAP with UNIX services | 1 | Use your LDAP server as the source of data for SSH, FTP, HTTP, and other services.
305.4 Integrating LDAP with Samba | 1 | Use your LDAP server as the source of data for Samba.
305.5 Integrating LDAP with Active Directory | 2 | Use your LDAP server alongside an Active Directory service.
305.6 Integrating LDAP with e-mail services | 1 | Integrate your e-mail services with your LDAP directory.
Prerequisites

To get the most from this tutorial, you should have advanced knowledge of Linux and a working Linux system on which to practice the commands covered. If your fundamental Linux skills are a bit rusty, you may want to first review the tutorials for the LPIC-1 and LPIC-2 exams.

Different versions of a program may format output differently, so your results may not look exactly like the listings and figures in this tutorial.

System requirements

To follow along with the examples in these tutorials, you'll need a Linux workstation with the OpenLDAP package and support for PAM. Most modern distributions meet these requirements.
LDAP integration with PAM and NSS

This section covers material for topic 305.1 for the Senior Level Linux Professional (LPIC-3) exam 301. This topic has a weight of 2.

In this section, learn how to:

- Configure NSS to retrieve information from LDAP
- Configure PAM to use LDAP for authentication
- Configure PAM modules in various UNIX environments

In traditional UNIX fashion, PAM and the Name Service Switch (NSS) facilities abstract various components of authentication and lookup from their implementation, which allows the administrator to change backend data stores without recompiling any applications. For instance, moving from traditional /etc/passwd-based authentication to the Network Information Service (NIS) is transparent because NSS is implemented as part of the C library. Applications make use of the standard library calls such as getpwent(3) to look up users, but through some configuration magic, the data is redirected to another store like NIS.

PAM is a slightly different animal, because applications must be written specifically with PAM in mind. Administrators can use a rich set of libraries to customize the behavior of a PAM-aware application, such as requiring specific group membership and a login time in order to successfully authenticate.

PAM and NSS can work in tandem for user authentication. PAM-aware applications instruct PAM to check the user's credentials. The administrator can configure PAM to check the password through the NSS facility in addition to any other restrictions. PAM is used only for the password and shadow databases, not others like groups and hosts.

LDAP support for both PAM and NSS is provided by an open source package from PADL software.
Configure NSS to use LDAP

The NSS facility is implemented in the C library as a hook to traditional library calls to get information. The C library provides functions like getpwent to get user information and gethostbyname(3) for host information, which traditionally were implemented as lookups to /etc/passwd and /etc/hosts, respectively. The administrator can force hostname lookups to also use the Domain Name Service (DNS) by configuring NSS, meaning the application is unaware of the change.

Understand NSS

Table 3 outlines the databases that are handled by NSS. Most databases have a corresponding file in /etc, where the data is traditionally stored.
Table 3. NSS databases

Database name | Description
aliases | Mail aliases for sendmail, used to forward (alias) one local address to another address.
ethers | Maps ethernet addresses to IP addresses. Rarely seen anymore because of the availability of the Address Resolution Protocol (ARP).
group | Contains a list of groups and the users that belong to them.
hosts | Maps IP addresses to hostnames.
netgroup | Used to group servers together. Most often used for NIS and Network File System (NFS) security.
networks | A map of network names to numbers. Not often used because knowing the name of the network provides little value.
passwd | Stores user account information such as name, user id, description, primary group, home directory, and sometimes a password.
protocols | Maps IP protocols to their name.
publickey | Used to distribute keys for NFS and NIS+.
rpc | Maps Remote Procedure Call (RPC) function names to numbers.
services | Maps TCP and UDP service names to the port number.
shadow | A protected, encrypted, password file. Usually the password field from /etc/passwd is stored in this file to keep it safe.
NSS is configured in /etc/nsswitch.conf and contains one line per database from Table 3. Listing 1 shows a sample nsswitch.conf.

Listing 1. Sample nsswitch.conf

    passwd: files nis
    shadow: files nis
    group:  files nis
    hosts:  files nis dns

Listing 1 configures four maps: passwd, shadow, group, and hosts. The name of the map is followed by a colon (:) and then an ordered list of ways to access the data. The first three lines in Listing 1 are all the same: they first check the files for the requested information and then the NIS, sometimes known as the Yellow Pages. NIS is checked only if nothing is found in the files. The final line of the example checks the files (/etc/hosts), NIS, and then DNS for any hosts requests.

The methods available to be used in nsswitch.conf have a corresponding library in /lib that begins with libnss_. The functionality for files, for example, is found in /lib/libnss_files-2.5.so (the version number isn't important because it's resolved by the dynamic linker, ld-linux.so).
Introducing LDAP to NSS

After the previous discussion about dynamic libraries and the format of nsswitch.conf, it should come as no great surprise that LDAP integration with NSS is handled through a shared library called libnss_ldap and is referenced through the ldap keyword in /etc/nsswitch.conf. This shared library takes its configuration from /etc/ldap.conf (not to be confused with the OpenLDAP configuration file for the command-line clients, /etc/openldap/ldap.conf). Listing 2 shows a sample ldap.conf.

Listing 2. A sample ldap.conf to configure libnss_ldap

    # Server IP address (or space-separated addresses)
    host 192.168.1.138
    # Search base
    base dc=ertw,dc=com
    # optional: bind credentials
    binddn cn=nssldap,dc=ertw,dc=com
    bindpw letmein
    # If root is making the request, use this dn instead
    # The password is stored in /etc/ldap.secret and only readable by root
    rootbinddn cn=root,dc=ertw,dc=com
    # Point the passwd, shadow, and group databases at a DN
    # the "one" after the question mark defines the search scope
    nss_base_passwd ou=People,dc=ertw,dc=com?one
    nss_base_shadow ou=People,dc=ertw,dc=com?one
    nss_base_group  ou=Group,dc=ertw,dc=com?one
    # Don't look for secondary groups for any of these users
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd

In addition to the content of /etc/ldap.conf shown in Listing 2, you also need to add the keyword ldap to the passwd, shadow, and group lines in /etc/nsswitch.conf. Always make sure to have files as the first entry; otherwise, you may find yourself waiting for downed servers to time out, or you may even be locked out of your system. (If you're locked out because of a problem with nsswitch.conf, boot to single-user mode, reset nsswitch.conf back to files, and then reboot.)

It's possible to use LDAP for all the databases, but the three listed here are the ones that are useful. The other maps rarely change and should be managed separately. The exception is the hosts database, which can use LDAP, although DNS is a much better choice.
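To turn the two rules above (files first on every line that uses ldap; ldap only for passwd, shadow, group, and perhaps hosts) into a repeatable check, here is an added Python example that is not part of the original tutorial. It parses a constructed nsswitch.conf and reports the lines that break either rule.

```python
"""Check an nsswitch.conf the way this section recommends (added example,
not part of the original tutorial): every database that uses the ldap
source must list files first, and only passwd, shadow, group and hosts
should use ldap at all."""

# Databases the tutorial considers worth serving from LDAP.
LDAP_DATABASES = {"passwd", "shadow", "group", "hosts"}


def parse_nsswitch(text):
    """Return {database: [source, ...]} for an nsswitch.conf body.

    Comments (#...) and blank lines are skipped; action specifiers such
    as [NOTFOUND=return] are dropped because only the source order
    matters for this check.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = [
            tok for tok in sources.split() if not tok.startswith("[")
        ]
    return databases


def check_ldap_ordering(databases):
    """Return (database, problem) tuples for lines that use the ldap source."""
    problems = []
    for name, sources in databases.items():
        if "ldap" not in sources:
            continue
        # files must come first: otherwise a downed LDAP server delays
        # every lookup and can lock you out of the box.
        if not sources or sources[0] != "files":
            problems.append((name, "files is not the first source"))
        if name not in LDAP_DATABASES:
            problems.append((name, "database is better managed outside LDAP"))
    return problems


# Constructed sample: Listing 1 with ldap added, plus one line that breaks
# both recommendations (ldap before files, and ldap used for services).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   files ldap
shadow:   files ldap
group:    files ldap
hosts:    files dns ldap
services: ldap files      # wrong: a downed LDAP server would block lookups
"""

if __name__ == "__main__":
    for db, why in check_ldap_ordering(parse_nsswitch(SAMPLE_NSSWITCH)):
        print(f"{db}: {why}")
```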
Test it out

If you've got nsswitch.conf and ldap.conf configured properly, then you should be able to log in with an LDAP user, as long as the following attributes are available:

- uid: The login name
- uidNumber: The numeric user id
- gidNumber: The numeric primary group id
- homeDirectory: The user's home directory
- userPassword: The user's password, encrypted with the {crypt} routine (use slappasswd to generate this)

These attributes and more are added through the posixAccount objectClass.

To test, try to log in as a user who is in your LDAP tree but not in the local password files. You can also use the getent passwd command to look at all the user entries NSS knows about. If getent works but the login doesn't, your userPassword attribute is likely incorrect.

If you've verified your configuration on the client, and NSS and LDAP still don't work together, enable stats-level logging on the OpenLDAP server and see if your queries are being seen by the server, and if they're being allowed.
Configure PAM to use LDAP

PAM is much like NSS in that it abstracts a set of library calls from the actual implementation. Unlike NSS, PAM doesn't replace existing UNIX calls; instead, it provides a set of new calls that applications can use.

Understand PAM

PAM is implemented as a library that applications use. Applications call this library to use the PAM management functions of checking authentication, account management, session management, and password management.

Checking authentication is the prime purpose of PAM. The application asks the PAM libraries whether the user is authenticated. The PAM libraries, in turn, follow the rules laid out by the systems administrator to prompt the user for a password or perform any number of other checks.

Account management is run after a user provides valid credentials and is responsible for checking to see if the login is allowed. A login may not be allowed at certain times or to certain applications.

Session management gives the application an opportunity to set up the environment after a successful login. It's often desirable to give the user logged in to the console some extra permissions, such as the use of the local CDROM or other devices; this is done at the session-management level.

Finally, password management provides a flexible way to change passwords. As you'll soon see, this functionality lets users change their LDAP passwords through the familiar passwd(1) program. PAM password management also allows you to specify password-strength policies that operate independently of the password backend.
To configure PAM for a service, you must create a file named after the service in /etc/pam.d, such as /etc/pam.d/sshd for the sshd service. This isn't a hard-and-fast rule, because the application specifies its own PAM service name. When in doubt, use the name of the binary, and check the logs for errors.

Each configuration file in /etc/pam.d specifies an ordered list of instructions for each of the PAM management functions. Each line in the file is of the form function control module arguments. The function is the management function, using keywords auth, account, session, and password. The control specifies how the return value of the instruction being evaluated is to be used, and is one of the following keywords:

- required -- This check must succeed if the function is to succeed. If this check fails, then PAM will continue to check the rest of the instructions for the given function, but the results are meaningless.
- requisite -- This check must succeed if the function is to succeed. If this check fails, then PAM will stop checking the rest of the instructions and return a failure.
- sufficient -- If this check succeeds, processing stops and the function returns successfully, assuming no previous "required" elements have failed. If this check fails, the failure is ignored and processing continues.
- optional -- The results of the check are ignored.

The module and the arguments implement the check itself. The same module can implement one or more of the functions described, so you may see the same module listed several times. One module you'll see used often is pam_stack, which lets you call instruction stacks from other files. Listing 3 shows a PAM file that uses pam_stack.
Listing 3. Using pam_stack to call other instruction stacks

    auth     required pam_nologin.so
    auth     required pam_stack.so service=system-auth
    account  required pam_stack.so service=system-auth
    session  required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth

Listing 3 shows the format of a PAM file. The auth function has two lines, both of which are required and therefore must succeed in order for a successful authentication to happen. The first auth line calls pam_nologin, whose job is to fail if a non-root user tries to log in when the /etc/nologin file exists. The next auth line calls the pam_stack module and passes it service=system-auth. pam_stack.so then reads the contents of /etc/pam.d/system-auth and checks all the instructions under the auth function. If that returns a success, pam_stack returns a successful result back to the file in Listing 3. The other three functions (account, session, and password) make reference only to pam_stack and the system-auth service. If the respective functions from system-auth return successfully, then the result is considered a success.

Many systems have a common set of routines for authentication, so pam_stack is used in most files, with the system-auth (or equivalent) containing all the interesting parts. For the rest of this section, the system-auth file will be the one used to inject LDAP into the PAM process.
Introducing LDAP to PAM

Both the NSS and PAM modules use /etc/ldap.conf for configuration, so if you're following along, you're halfway to having a working PAM-LDAP system. It's possible to use NSS and PAM together so that both PAM-aware and legacy applications can authenticate to LDAP. PAM provides some new features on top of NSS, including the following:

- Password changes by users
- More granular configuration of authentication requirements
- Support for more password encryption types
- Centralized administration of user accounts

Ensure that pam_password md5 is in /etc/ldap.conf, and remove any other pam_password lines if they exist. This tells the pam_ldap library to hash the password with Message Digest 5 (MD5) locally before sending it to the LDAP server when changing passwords.

Edit your /etc/pam.d/system-auth (or equivalent) to add the references to pam_ldap, as shown in Listing 4. The line should go after any references to pam_unix (so that local accounts take precedence over LDAP accounts) but before any references to pam_allow and pam_deny (which provide a default allow or deny).

Listing 4. New system-auth that uses pam_ldap

    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_ldap.so
    account     required      pam_permit.so
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    session     required      pam_limits.so
    session     required      pam_unix.so
    session     optional      pam_ldap.so

The lines that reference pam_ldap.so (shown in bold in the original listing) are the additions to the PAM configuration file. Note the addition of broken_shadow in the account function of pam_unix. This ensures that pam_unix.so doesn't return a failure if the user doesn't have a shadow entry (which it doesn't, because the account is in LDAP). The use_first_pass option to the auth module of pam_ldap forces pam_ldap.so to use the password obtained from pam_unix.so rather than ask for a new password. use_authtok does a similar thing for the password function.

For the auth function, the new configuration makes both UNIX passwords and LDAP passwords sufficient to log in: that is, the first one to succeed allows the user to log in. If neither returns success (either a failure, or "no such user"), then pam_deny causes a failure.
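The following Python simulation is added here and is neither part of the tutorial nor code from Linux-PAM: it walks the auth, account, and password stacks of Listing 4 with the control-keyword rules described under "Configure PAM to use LDAP", so you can trace what a local user, an LDAP user, and an unknown user each get back. Module outcomes are supplied by hand instead of by real modules.

```python
"""Simulate how PAM walks one management function's stack using the
control keywords explained above (added example; not code from the
tutorial or from Linux-PAM). Module outcomes are supplied as a dict so
the stacks of Listing 4 can be traced for local, LDAP and unknown users."""

# Listing 4's auth, account and password stacks as (control, module)
# pairs; module arguments are omitted because they don't affect control flow.
AUTH_STACK = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
ACCOUNT_STACK = [
    ("required", "pam_unix.so"),      # broken_shadow: no shadow entry is OK
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]
PASSWORD_STACK = [
    ("requisite", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, outcomes):
    """Evaluate one stack.

    outcomes maps a module name to True (success) or False (failure);
    modules not listed fail, which is what "no such user" amounts to.
    pam_deny.so always fails and pam_permit.so always succeeds.
    Returns (result, consulted): result is "success" or "failure" and
    consulted lists the modules that were actually run, in order.
    """
    consulted = []
    required_failed = False   # a required module failed earlier in the walk
    saw_success = False       # some module contributed a success
    for control, module in stack:
        consulted.append(module)
        if module == "pam_deny.so":
            ok = False
        elif module == "pam_permit.so":
            ok = True
        else:
            ok = outcomes.get(module, False)
        if control == "required":
            if ok:
                saw_success = True
            else:
                required_failed = True       # keep walking, result is doomed
        elif control == "requisite":
            if not ok:
                return "failure", consulted  # stop at once
            saw_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", consulted  # short-circuit success
            # a failing sufficient module is ignored
        elif control == "optional":
            pass                             # result ignored
        else:
            raise ValueError(f"unknown control keyword {control!r}")
    if required_failed or not saw_success:
        return "failure", consulted
    return "success", consulted


def auth_result(unix_ok, ldap_ok):
    """Outcome of Listing 4's auth stack for a user known to pam_unix
    and/or pam_ldap."""
    return run_stack(AUTH_STACK, {"pam_unix.so": unix_ok, "pam_ldap.so": ldap_ok})


if __name__ == "__main__":
    print("local user:  ", auth_result(True, False))
    print("LDAP user:   ", auth_result(False, True))
    print("unknown user:", auth_result(False, False))
    # An LDAP user passes account checks: pam_unix succeeds thanks to
    # broken_shadow, then the sufficient pam_ldap line ends the walk.
    print("LDAP account:", run_stack(ACCOUNT_STACK,
                                     {"pam_unix.so": True, "pam_ldap.so": True}))
    # A weak new password is refused by the requisite pam_cracklib line
    # before pam_unix or pam_ldap is even consulted.
    print("weak passwd: ", run_stack(PASSWORD_STACK, {"pam_cracklib.so": False}))
```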
Test it out

Try to change a user's password through the passwd command, and then verify that the password was changed in the LDAP directory. Finally, ensure the user can still log in.

If you were able to get NSS working, PAM should also work. The biggest opportunity for error is mistyping the entries in the PAM configuration, putting the entries in the wrong file, or putting them in the wrong place in the file.
NIS to LDAP migration

This section covers material for topic 305.2 for the Senior Level Linux Professional (LPIC-3) exam 301. This topic has a weight of 1.

In this section, learn how to:

- Analyze NIS structure prior to migration to LDAP
- Analyze NIS structure prior to integration with LDAP
- Automate NIS-to-LDAP migration
- Create a NIS-to-LDAP gateway

NIS is the traditional method of central authentication for UNIX machines. NIS is simple to set up and works well. Despite being more complex, LDAP authentication is superior to NIS in several ways:

- LDAP is more secure than NIS because you can encrypt the traffic and lock down the database.
- LDAP can store more than just authentication data, whereas NIS is limited.
- LDAP is accessible by more clients than is NIS.

You can choose to replace NIS with LDAP or use both simultaneously. When you use them together, LDAP is the canonical data source, and the NIS server uses data from LDAP instead of local files. This is a good approach for a longer-term migration or for supporting legacy operating systems that won't work with LDAP.
Approach 1: Migrate to LDAP

The general approach to migrating from NIS to LDAP is as follows:

1. Determine which NIS databases need to be replaced.
2. Load the NIS data into LDAP.
3. Reconfigure the clients to use LDAP instead of NIS.

For the time between the start of step 2 and the end of step 3, you have two active databases with no connections. Any changes, such as adding a user or changing a user's password, must be done on both databases; otherwise, your data may become inconsistent. You may elect to put a freeze on all changes or go with an integration strategy as shown in the next section.
Analyze your existing NIS structure

Before performing any migration, you must determine which databases are being hosted by NIS. Log in to the NIS master server, and look in the database directory. On most systems, the files are stored in /var/yp/, in a directory named after the domain name. Listing 5 shows the files in a typical NIS server's database directory.

Listing 5. Determining which databases are served by NIS

    # ls /var/yp/`domainname`
    group.bygid    group.byname   hosts.byaddr     hosts.byname        mail.aliases
    netid.byname   passwd.byname  passwd.byuid     protocols.byname    protocols.bynumber
    rpc.byname     rpc.bynumber   services.byname  services.byservicename  ypservers

Listing 5 uses the domainname command to display the domain name. When placed inside backticks (`), the result of this command is inserted in the command line. With the exception of the ypservers file, all the other files in this directory represent a NIS database. Gather the list of unique database names to determine which databases need to be moved to LDAP. NIS stores the same data with different lookup keys, such as by name and UID in the case of the password file; in this case, they both represent the password database. Some aren't obvious: for example, mail.aliases is the aliases table. If in doubt, look in /var/yp/Makefile to determine the source of the database.

After looking at the server, you may wish to examine some of your NIS clients to determine which maps they're using. To do so, look for the nis keyword in /etc/nsswitch.conf. You'll probably find that your server is storing more maps than are being used.
Use the migration tools

The most popular tools to migrate NIS data to LDAP are provided by PADL software, the makers of pam_ldap, nss_ldap, and the NIS-LDAP gateway discussed later. Chances are, your distribution includes the files; otherwise, you can find links to the tools in the Related topics section. The PADL migration tools can take data from local files, NIS, or NIS+ and dump them into your LDAP server.

Before using the PADL tools, you must have your LDAP server up and running with no data. The tools will generate all the entries necessary, and you want to avoid duplication.

The migration tools consist of a set of shell and perl scripts. On Red Hat systems, the scripts are part of the openldap-servers package and are found in the /usr/share/openldap/migration directory. Debian users will want the migrationtools package. Look for a file called migrate_base.pl, or download the latest version from PADL.

These scripts take data from a variety of sources, convert it to LDIF, and then add it to your server. Data is added with the ldapadd command in online mode and through slapadd in offline mode, so you'll need administrative credentials for the former, and you'll need to have your LDAP process stopped for the latter.

Before getting started, you'll find it helpful to set some environment variables to set up the base DN of the tree and your root DN. Listing 6 shows the bash commands to prepare for migration of the ertw.com domain.
Listing 6. Setting environment variables in preparation for an LDAP migration

    export LDAP_BASEDN="dc=ertw,dc=com"
    export LDAP_BINDDN="cn=root,dc=ertw,dc=com"
    export LDAP_DEFAULT_MAIL_DOMAIN=ertw.com

The first line in Listing 6 is the base DN of the LDAP tree, which will be used to generate all the DNs later. The second line is your root DN. You need the password only if you're using online mode. The final line of Listing 6 sets the default domain name for e-mail addresses. Some of the tools won't prompt you for this information, so setting it now will prevent aggravation later on.

The tools are split into two categories. The files in the first category have names starting with migrate_all_. The second category includes the remaining files, which have names beginning with migrate_ followed by the name of a file or database. The scripts in the first category are used to gather the data together; the second category is used to convert the native format into LDIF.

You now have two options. You can use one of the migrate_all_ scripts, which will automatically grab all the common databases from your chosen location (NIS, files, NIS+, and so on); or you can grab only the relevant data yourself and use the individual migration scripts to convert the data into LDIF. The first approach, when it works, is easier. Listing 7 shows the use of migrate_all_nis_online.sh to migrate all the data from NIS into LDAP in online mode.
Listing 7. Migrating data from NIS to LDAP using the migrate_all_nis_online.sh script

    [root@server1 migration]# ./migrate_all_nis_online.sh
    Enter the NIS domain to import from (optional):
    No such map networks.byaddr. Reason: Internal NIS error
    Enter the hostname of your LDAP server [ldap]: localhost
    Enter the credentials to bind with: mypassword
    Do you wish to generate a DUAConfigProfile [yes|no] no
    Importing into dc=ertw,dc=com...
    Creating naming context entries...
    Migrating groups...
    Migrating hosts...
    Migrating networks...
    Migrating users...
    Migrating protocols...
    Migrating rpcs...
    Migrating services...
    Migrating netgroups...
    Migrating netgroups (by user)...
    sh: /etc/netgroup: No such file or directory
    Migrating netgroups (by host)...
    sh: /etc/netgroup: No such file or directory
    adding new entry "dc=ertw,dc=com"
    Importing into LDAP...
    adding new entry "ou=Hosts,dc=ertw,dc=com"
    ..... output omitted ...
    adding new entry "cn=rquotad,ou=Rpc,dc=ertw,dc=com"
    adding new entry "cn=rquotad,ou=Rpc,dc=ertw,dc=com"
    ldap_add: Already exists (68)
    /usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.X17515

Listing 7 starts by running the migrate_all_nis_online.sh script, which grabs data from NIS, converts it to LDIF, and then uses ldapadd to import the data. The first query from the script is the NIS domain; you can press Enter for the default NIS domain on the system. The script then imports the NIS data (on this system, a nonfatal error is printed because the networks map isn't used). The script prompts for information on the LDAP server, such as the hostname and the password (the bind DN and base DN were learned through the environment variables you entered in Listing 6). You should choose not to import a DUAConfigProfile unless you have a schema that supports it, which is unlikely.

If, at this point, you start getting errors about invalid DN syntax, be sure you've imported the nis.schema file inside slapd.conf. If your schema is correct, the script will import data into your LDAP tree. It's likely that the script may die with an error such as the one seen at the end of Listing 7. Because of the way data is stored in NIS, you may have duplicate entries in some databases. This is fine in NIS but not in LDAP.
There are a few solutions to this problem, depending on your needs:

- Edit the LDIF file (/tmp/nis.ldif.X17515 in this case) to remove the duplicates, and then delete your LDAP database and import the file.
- Tell ldapadd to ignore errors with the -c option. export LDAPADD="/usr/bin/ldapadd -c" will do this. (Note that the script will still report an error, but the data will have been imported.)
- Edit migrate_all_nis_online.sh to set the value of ETC_SERVICES, ETC_PROTOCOLS, and ETC_RPC to /dev/null instead of a temporary file. Doing so skips processing the database. (Note that some of the migrate_all_ scripts can be overridden by environment variables, but not the NIS variant.)
- Skip migrate_all_nis_online.sh, and migrate by hand.

The first three options are self-explanatory and effective as long as you're comfortable with the results (such as not having protocols, RPC, and services in LDAP for the third option). The fourth option needs some explanation. If all you want to do is move groups and users over to LDAP, you can just as easily copy the files yourself and generate the LDIF using the other scripts provided, and using ypcat to get the data out of NIS. Listing 8 shows the process.
Listing 8. Migrating groups and users by hand

    [root@server1 migration]# ypcat passwd > /tmp/passwd.tmp
    [root@server1 migration]# ypcat group > /tmp/group.tmp
    [root@server1 migration]# ./migrate_base.pl > /tmp/ldif
    [root@server1 migration]# ./migrate_passwd.pl /tmp/passwd.tmp >> /tmp/ldif
    [root@server1 migration]# ./migrate_group.pl /tmp/group.tmp >> /tmp/ldif
    [root@server1 migration]# ldapadd -x -D "cn=root,dc=ertw,dc=com" \
        -w "mypassword" -f /tmp/ldif
    adding new entry "dc=ertw,dc=com"
    adding new entry "ou=Hosts,dc=ertw,dc=com"
    ..... output omitted ...

The first two lines of Listing 8 use ypcat to get the data from NIS into a file in /tmp. The next three lines generate LDIF. migrate_base generates some basic entries in the tree, and the next two lines convert the password and group files to LDIF. Note the use of the append operator (>>), so the resulting file will contain the output of all three migration scripts. Finally, you call ldapadd to import the data.

Whichever way you go, perform some basic searches to make sure you can see the data. Be sure you can see the password hashes (use the root DN for this, because it's possible you have an access control list preventing passwords from being seen).

At this point, you have your NIS data in LDAP. Until all your NIS clients are moved over, all changes to NIS must be replicated to LDAP and vice versa.
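As an added example (not PADL's migrate_passwd.pl and not part of the tutorial), the Python script below does the passwd half of Listing 8: it turns constructed ypcat passwd output into posixAccount LDIF carrying the attributes listed under "Test it out", and reports duplicate uids up front rather than letting ldapadd abort with "Already exists (68)" as at the end of Listing 7. The base DN and the ou=People container are taken from Listings 2 and 6; the password hashes in the sample are made-up placeholders.

```python
"""Convert ypcat passwd output to posixAccount LDIF, the job that
migrate_passwd.pl does in Listing 8 (added example, not PADL's code).
It also detects the duplicate entries that make ldapadd stop with
"Already exists (68)", as seen at the end of Listing 7."""

import base64

BASE_DN = "dc=ertw,dc=com"      # LDAP_BASEDN from Listing 6
PEOPLE_OU = "ou=People"         # nss_base_passwd container from Listing 2

# Constructed sample of `ypcat passwd` output. The hashes are placeholders,
# and "bob" appears twice, which NIS tolerates but LDAP does not.
SAMPLE_YPCAT_PASSWD = """\
alice:$1$PLACEHOLDER$aaaaaaaaaaaaaaaaaaaaaa:1001:100:Alice Example:/home/alice:/bin/bash
bob:$1$PLACEHOLDER$bbbbbbbbbbbbbbbbbbbbbb:1002:100:Bob Example:/home/bob:/bin/bash
bob:$1$PLACEHOLDER$cccccccccccccccccccccc:1003:100:Bob Duplicate:/home/bob2:/bin/sh
"""


def parse_passwd(text):
    """Yield a dict per 7-field passwd line, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"uid": name, "hash": pw, "uidNumber": int(uid),
               "gidNumber": int(gid), "gecos": gecos,
               "homeDirectory": home, "loginShell": shell}


def ldif_value(attr, value):
    """Render 'attr: value', switching to base64 ('attr:: ...') when LDIF
    requires it: non-ASCII or unprintable text, or a leading space/colon/'<'."""
    if value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def account_to_ldif(acct):
    """One posixAccount entry with the attributes NSS needs; the password
    hash is stored with the {crypt} prefix, as the tutorial describes."""
    lines = [
        ldif_value("dn", f"uid={acct['uid']},{PEOPLE_OU},{BASE_DN}"),
        ldif_value("uid", acct["uid"]),
        ldif_value("cn", acct["gecos"] or acct["uid"]),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        ldif_value("userPassword", "{crypt}" + acct["hash"]),
        f"loginShell: {acct['loginShell']}",
        f"uidNumber: {acct['uidNumber']}",
        f"gidNumber: {acct['gidNumber']}",
        ldif_value("homeDirectory", acct["homeDirectory"]),
    ]
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text):
    """Return (ldif, duplicates). Only the first entry for a uid is emitted;
    later ones are reported so they can be resolved before ldapadd runs,
    instead of surfacing as error 68 half-way through the import."""
    seen = set()
    duplicates = []
    chunks = []
    for acct in parse_passwd(text):
        if acct["uid"] in seen:
            duplicates.append(acct["uid"])
            continue
        seen.add(acct["uid"])
        chunks.append(account_to_ldif(acct))
    return "\n".join(chunks), duplicates


if __name__ == "__main__":
    ldif, dups = passwd_to_ldif(SAMPLE_YPCAT_PASSWD)
    print(ldif)
    if dups:
        print("# duplicate uids skipped:", ", ".join(dups))
```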
Move the clients and verify results

Moving the clients is a simple matter of setting up NSS and PAM on the client. The previous section covered this in detail. In brief, you populate /etc/ldap.conf with your server information and edit /etc/nsswitch.conf to replace nis with ldap. If you're setting up PAM, then you need to edit the relevant files in /etc/pam.d to add references to pam_ldap.so.

Test your clients by logging in to them as a regular user and running the getent commands on the databases you moved to LDAP.
Approach 2: Integrate with LDAP

The second approach calls for the coexistence of NIS and LDAP. This can be helpful if you have clients that don't speak LDAP (either by not having a native LDAP module or by not supporting PAM), or if you want to spread out your transition over a longer period of time.

The approach for a NIS/LDAP coexistence is similar to the first strategy:

1. Determine which NIS databases are in use.
2. Load the NIS data into LDAP.
3. Replace your NIS servers with ypldapd.
4. Reconfigure the clients that will be using LDAP.

The clients that will continue to use NIS need no changes because ypldapd is a fully functional NIS server. The only difference between it and the standard ypserv that comes with your operating system is that ypldapd gets its data from LDAP instead of local files.

The first two steps are the same as the first approach, so you begin at step 3.
Replace your NIS servers with ypldapd

ypldapd is a NIS server daemon that gets its information from LDAP instead of the database files in /var/yp. It's commercial software from PADL, but you can get a 30-day trial license by e-mailing PADL (see the Related topics).

Installation of ypldapd is a simple process:

1. Untar the software to /opt/ypldapd.
2. Copy the license to /opt/ypldapd/etc/padlock.ldif.
3. Edit the configuration file, /opt/ypldapd/etc/ypldapd.conf.
4. Stop your existing NIS server.
5. Start up ypldapd.

First, run mkdir -p /opt/ypldapd as root to make the ypldapd directory (and /opt, if it doesn't already exist). Change into this directory (cd /opt/ypldapd), and untar the ypldapd distribution with tar -xzf /tmp/ypldapd_linux-i386.tar.gz. This places the ypldapd files in the proper directory.

You'll have been given a license file, which you'll place in /opt/ypldapd/etc/padlock.ldif. If you're copying it from an e-mail, then make sure your e-mail client didn't wrap long lines: the key should be four lines long with a series of attribute: value pairs.

ypldapd's configuration file is in /opt/ypldapd/etc/ypldapd.conf. There is a file called ypldapd.conf.sample that you can copy to start with. As with the other utilities you've seen so far, you need to provide information about your LDAP server. Listing 9 shows a simple ypldapd.conf.

Listing 9. Sample ypldapd.conf

    # The NIS domain name
    ypdomain ertw
    # The LDAP server and base DN
    ldaphost localhost
    basedn dc=ertw,dc=com
    # Credentials... The user must be able to read the userPassword attribute
    binddn cn=ypldapd,dc=ertw,dc=com
    bindcred mypassword
    # The map of NIS databases to DNs (relative to basedn)
    # If you used the migration tools then you shouldn't have to change anything
    namingcontexts namingcontexts.conf
    # Should ypldapd cache data
    caching on
    # Cache lifetime, in minutes
    cache_dump_interval 15
    # Should passwords be hidden
    hide_passwords off
    # How many ypldapd servers can be running at a given time
    maxchildren 5

With ypldapd.conf in place, you can shut down all instances of ypserv and then run sbin/ypldapd, which starts ypldapd in the background.
Move the clients and verify results

To test your new NIS server, run ypwhich, which tells you which NIS server you're bound to. If you get an error, make sure that no other instances of ypserv are running and that only one ypldapd is running. Then, try to fetch a map by typing ypcat passwd (this assumes your server was also running a client).

Clients that will be staying with NIS should also be able to run ypwhich and ypcat against the new server. For clients that will be moving to LDAP, see the previous set of instructions for the migration.
Integrate LDAP with UNIX services

This section covers material for topic 305.3 for the Senior Level Linux Professional (LPIC-3) exam 301. This topic has a weight of 1.

In this section, learn how to:
- Integrate SSH with LDAP
- Integrate FTP with LDAP
- Integrate HTTP with LDAP
- Integrate FreeRADIUS with LDAP
- Integrate print services with LDAP

Most applications will work correctly with LDAP if you've configured NSS and PAM. Some applications need to be told to use PAM, or provide additional functionality by accessing LDAP directly. This section focuses on the common UNIX daemons and how they support LDAP integration.

Integrate SSH with LDAP

The OpenSSH distribution integrates with LDAP through PAM, as long as the functionality was compiled in. To check, run ldd /usr/sbin/sshd | grep pam to see if the PAM shared libraries are linked. If not, you must recompile sshd with --with-pam.

To use PAM, be sure you have a PAM configuration file named /etc/pam.d/sshd, creating one if it doesn't exist already. Listing 10 shows a sample file that makes use of the system-auth stack.

Listing 10. A sample /etc/pam.d/sshd

auth     required pam_stack.so service=system-auth
account  required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth

pam_stack.so is the older Red Hat mechanism for pulling in a shared stack; on current Linux-PAM releases the same four lines are written with the include control, for example auth include system-auth. With the PAM configuration file in place, you can configure sshd to work with PAM. In /etc/ssh/sshd_config, add UsePAM yes, and restart sshd. Note that with UsePAM yes the PAM auth stack is consulted only for password logins; public-key logins bypass it, although the account and session stacks still run. If you allow key-based logins, disable departed LDAP users in the account phase, not just the auth phase.
Integrate FTP with LDAP

Many FTP daemons are available, and it isn't clear which ones apply to the LPIC-3 exam. The easiest integration method is to rely on NSS integration: when the FTP server performs a password lookup, the NSS facility uses LDAP. In modern times, though, FTP servers are likely to be built with PAM support. In these cases, you create your PAM configuration file in /etc/pam.d. This file is usually called ftp, but the name can be overridden depending on the software and distribution. For example, Red Hat packages the vsftpd daemon to use /etc/pam.d/vsftpd instead of the default /etc/pam.d/ftp.

Once the FTP daemon has found its PAM configuration file, it processes it just like any other PAM client. The configuration in Listing 10 is enough to get started. You may also consider using pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed and pam_shells in the auth phase to limit the users who can log in and the valid shells, like the legacy FTP servers did. Be aware that onerr=succeed makes pam_listfile fail open: if /etc/ftpusers is missing or unreadable, nobody is denied. Use onerr=fail if you would rather fail closed.
Integrate HTTP with LDAP

The Apache Web server has modules that handle basic HTTP authentication with an LDAP backend instead of the traditional htpasswd file-based backend. This is provided through the mod_authnz_ldap and mod_ldap modules. The first module provides the mechanisms to use LDAP information to authenticate a Web user, whereas mod_ldap provides an interface for mod_authnz_ldap (or any future LDAP-based module) to access LDAP, including connection pooling and caching.

The instructions in this section refer to Apache 2.2. If you're using Apache 2.0, the mod_auth_ldap module is used instead of mod_authnz_ldap. Configuration of these two modules is similar.

Both mod_ldap and mod_authnz_ldap are part of the Apache distribution. If you compile your Web server by hand, you need to add --enable-authnz-ldap --enable-ldap to your configure command. If you use your distribution's version of Apache, then install the appropriate module (for Red Hat distributions, the modules are part of the core httpd package).

When a user makes a request to a protected resource, Apache returns an error code 401 (Unauthorized). At this point, the Web browser should prompt the user for a username and password. The Web browser then reissues the request with this information encoded in an Authorization header. If the username and password are accepted by the Web server, the page is served to the client; otherwise, the server returns another 401. Because Basic authentication only base64-encodes the credentials, the user's LDAP password crosses the network in the clear on every request unless the site is served over HTTPS.

Apache, when configured to check passwords against LDAP, first binds to the server as a predefined user and performs a lookup on the user to find the DN. The server then rebinds as the user with the provided password. If the server can successfully bind as this user, the authentication is considered successful. After a successful authentication, the server can be configured to perform additional authorization tasks, such as checking against the DN or an attribute, or testing to see if the user passes a search filter. If any of these tests are configured, then the test must pass for the authorization to pass.

Configuration of mod_authnz_ldap is similar to the standard authentication method using text files. Listing 11 shows the simplest case of LDAP authentication with no authorization.

Listing 11. Apache configuration for LDAP authentication

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location /protected>
    AuthType basic
    AuthName ProtectedByLDAP
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://192.168.1.138/ou=People,dc=ertw,dc=com?uid
    # Anon bind for first phase
    #AuthLDAPBindDN
    #AuthLDAPBindPassword
    AuthzLDAPAuthoritative off
    require valid-user
</Location>

The first two lines of Listing 11 load the required modules into the Web server. The rest of the configuration is enclosed in a Location container, meaning it applies only to requests beginning with /protected. The configuration first declares Basic authentication and a name of ProtectedByLDAP. The Web browser shows the name to the user. The AuthBasicProvider line tells Apache that authentication is provided through LDAP.

Listing 11 continues with AuthLDAPUrl, which points Apache to the LDAP server. The form of the parameter is ldap://host:port/basedn?attribute?scope?filter. host and port define the LDAP server, and basedn is the base DN from which the initial search is performed. attribute refers to the attribute that will be searched along with the username during the initial search (the default is uid). scope is either one or sub to correspond with one level or all children. filter is an optional filter that will be logically ANDed with the search for the given user/attribute combination.

The example in Listing 11 has AuthLDAPBindDN and AuthLDAPBindPassword commented out, which results in an anonymous bind. If you want to specify a user here, you may. Either way, the user performing the initial bind must be able to search on the attribute provided in the AuthLDAPUrl command. If you do configure a bind DN, use a read-only account that can search the login attribute but cannot read userPassword, because its password sits in cleartext in the Apache configuration.

The final two lines disable authorization by allowing any validated user. AuthzLDAPAuthoritative off means that a later module can allow the access even if LDAP denies authorization (but not authentication). require valid-user is satisfied by Apache's generic authorization module rather than by the LDAP module, so this deferral is required. Instead of these two lines, you can use LDAP-related ones, such as checking for group membership or an LDAP attribute. Listing 12 shows part of the configuration from Listing 11, but it restricts access to people with the ou=Engineering attribute and value.

Listing 12. Restricting access to a particular OU

AuthzLDAPAuthoritative on
require ldap-filter ou=engineering

Two things are notable in Listing 12. First, AuthzLDAPAuthoritative is now on (this is the default) because your requirement can be handled by the LDAP module. Second, the ldap-filter doesn't include parentheses. Apache uses the given LDAP filter and also performs a logical AND with the uid (or whichever attribute you specified in the AuthLDAPUrl command) and builds the search filter with a simple string insertion. If you have extra quotes or parentheses in your filter, the resulting query becomes invalid. The authentication fails, and a log message is printed to the server's error_log.
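The following Python is an added example; it is not part of the tutorial or of Apache. It builds the combined search filter the way the text describes (the administrator's ldap-filter and the user's login name pasted in by string insertion) and contrasts that with a builder that escapes the username per RFC 4515 and validates the result before it would be sent. The tutorial does not say how Apache itself treats special characters in the username, so the escaping is this example's own hardening, and the usernames and filters below are constructed inputs.

```python
"""Compose and validate the LDAP search filter an Apache-style lookup sends."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
# (The RFC also requires escaping non-ASCII bytes; omitted here for brevity.)
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# One filter item: attribute, comparison operator, then a value made of ordinary
# characters or \xx escapes.  Bare '(' ')' '\' are not allowed inside a value.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)(?:[^()\\]|\\[0-9a-fA-F]{2})*")


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_user_filter(attribute: str, username: str, extra_filter: str = "") -> str:
    """The 'simple string insertion' the text describes: the ldap-filter argument
    (if any) and the username are pasted in verbatim."""
    if extra_filter:
        return f"(&({extra_filter})({attribute}={username}))"
    return f"({attribute}={username})"


def safe_user_filter(attribute: str, username: str, extra_filter: str = "") -> str:
    """Same composition, but the username can no longer contribute filter syntax."""
    return naive_user_filter(attribute, escape_filter_value(username), extra_filter)


def filter_is_valid(flt: str) -> bool:
    """Recursive-descent check of RFC 4515 syntax: (&...), (|...), (!...) and items.
    Run it over a composed filter at configuration time, so a stray parenthesis
    in an ldap-filter line is caught before it shows up as failed logins."""

    def parse(i: int) -> int:
        if i >= len(flt) or flt[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(flt) and flt[i] in "&|":
            i += 1
            count = 0
            while i < len(flt) and flt[i] == "(":
                i = parse(i)
                count += 1
            if count == 0:
                raise ValueError("empty filter list")
        elif i < len(flt) and flt[i] == "!":
            i = parse(i + 1)
        else:
            j = i
            while j < len(flt) and flt[j] not in "()":
                j += 1
            if not _ITEM.fullmatch(flt[i:j]):
                raise ValueError(f"bad filter item {flt[i:j]!r}")
            i = j
        if i >= len(flt) or flt[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1

    try:
        return parse(0) == len(flt)
    except ValueError:
        return False
```

With the parenthesised ldap-filter (ou=engineering), naive_user_filter produces (&((ou=engineering))(uid=jjoe)), which filter_is_valid rejects, exactly the failure the text describes. The more interesting case is a login name such as *)(uid=* : pasted in unescaped it yields a syntactically valid filter that matches every engineering entry, so the first-phase search returns somebody else's DN; escaped, it becomes a literal string that matches nothing.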
Integrate FreeRADIUS with LDAP

FreeRADIUS is an open source Remote Authentication Dial In User Service (RADIUS) server that is often used for authentication of dial-up or other network devices. Clients use RADIUS to authenticate users, and the RADIUS server in turn uses LDAP to find its information.

You can integrate LDAP and FreeRADIUS two ways: by using PAM, or by enabling native LDAP support through the rlm_ldap module. The choice depends on how you plan to use RADIUS. If all you need is authentication, or you don't wish to modify your LDAP schema, then use PAM. If you need to use RADIUS attributes, then it's easier to configure the LDAP module and store the attributes in LDAP (RADIUS allows the server to send configuration details to the device asking for authentication, which lets you provide different services to different users).

For PAM mode, ensure that you have PAM set up for LDAP like the other systems. The PAM configuration file for FreeRADIUS is /etc/pam.d/radiusd. Starting from the default configuration files that come with FreeRADIUS, uncomment the pam keyword in the authenticate section of radiusd.conf. Next, edit the users file and look for DEFAULT Auth-Type = System. Change the System keyword to PAM. Restart radiusd, and you're done. Note that PAM mode, like the bind-as-user check described below, only works for request types that carry the user's password (PAP); challenge methods such as CHAP and MS-CHAP require the server to read a stored cleartext password or NT hash from the directory instead.

The native LDAP module, rlm_ldap, is more complex. First, you must have FreeRADIUS installed on your system, built with the rlm_ldap module (--enable-ldap). FreeRADIUS is built like most other packages and so won't be covered here. Your Linux distribution, if it includes FreeRADIUS, likely includes the LDAP module.

FreeRADIUS includes an LDAP schema in a file called openldap.schema. Copy this to /etc/openldap/schema/freeradius.schema, and import it into OpenLDAP through the include directive in slapd.conf. The schema provides several attributes and two objectClasses. One of the objectClasses is radiusprofile; it's used for any users who will be authenticated with RADIUS. radiusprofile is an auxiliary objectClass and therefore can go on any entry. radiusObjectProfile is a structural objectClass used to create containers of radiusprofiles; it isn't necessary for operation.

Next, edit the default users file as in the PAM example, but instead of changing the default method to PAM, comment out that entire section. This file controls how users are authenticated and authorized. Removing the default method is enough to allow the LDAP module to take over and handle user authentication and authorization.

radiusd.conf needs more work. In both the authenticate and authorize sections, uncomment the ldap keyword that enables LDAP authentication and authorization. You must also find a section that looks like Auth-Type LDAP { ldap } and uncomment that. Finally, uncomment the ldap { ... } section, and enter your server's address, base DN, and optional authentication information.

Like other software you've seen, the initial bind performs the lookup of the user's DN; then, a second bind is made as that user to confirm the password and retrieve the attributes. Therefore, the user you initially bind as (or anonymous if you have no configured user) must be able to perform searches on the uid attribute, and users must be able to read their own attributes.

Users who need to be authenticated by LDAP must use the radiusProfile objectClass and have a dialupAccess attribute with some value in it, such as "yes". With more advanced configurations, you can use the value to apply different settings, but for basic purposes, the attribute can take any value.

FreeRADIUS is an extremely robust RADIUS server, and a great deal of configuration can be required to get it to do what you need. The two configurations shown here focus only on what is needed to get LDAP working.
Integrate CUPS with LDAP

The Common UNIX Printing System (CUPS) is the currently favored printing daemon because of its ease of configuration, support for the Internet Printing Protocol (IPP), and backward compatibility with the traditional lpr tools.

CUPS supports PAM, but it must be told how and when to authenticate. First edit /etc/pam.d/cups so that it supports LDAP. Next, in /etc/cups/cupsd.conf, create for your printers a container that requires authentication, such as in Listing 13.

Listing 13. A printers container that requires authentication

<Location /printers>
    AuthType Basic
</Location>

Listing 13 shows a configuration that requires Basic authentication for any URL beginning with /printers. The CUPS configuration is almost identical to that of Apache, so this configuration should remind you of Listing 11. However, CUPS is using PAM instead of a native LDAP module, so no LDAP configuration is necessary in cupsd.conf: CUPS hands the username and password it receives to PAM, and /etc/pam.d/cups decides how they are checked.

Now, when you try to browse a URL under /printers, which includes printing to a printer, you're prompted for a password. Listing 14 shows such a prompt.

Listing 14. Verifying that CUPS is working with LDAP

[sean@bob LPIC-III_5]$ lpr index.xml
Password for sean on localhost? mypassword
[sean@bob LPIC-III_5]$

If the password were incorrect or PAM wasn't working, then Listing 14 would have reprompted for a password. PAM was successful, though, so the document was printed and the user was returned to the shell prompt. (The password is shown here for illustration; the real prompt does not echo it.)
Integrate LDAP with Samba

This section covers material for topic 305.4 for the Senior Level Linux Professional (LPIC-3) exam 301. This topic has a weight of 1.

In this section, learn how to:
- Migrate from smbpasswd to LDAP
- Understand the OpenLDAP Samba schema
- Understand LDAP as a Samba password backend

Samba is the UNIX community's way of integrating with Microsoft Windows networks. With this software, you can share files with Microsoft networks (both client and server) and make your UNIX computer appear as a Windows computer to the other Windows clients.

Understand Samba authentication

Samba's goal is integration with Windows networks, so it must use the authentication mechanisms that Windows uses. If you're authenticating against a Windows server, this is fine, but often the Samba server is the repository for the credentials. Thus, two copies of password hashes are needed: one for the traditional UNIX passwords and another for the Microsoft hashes.

Microsoft passwords are similar to UNIX passwords in that they're hashes of the real password. A hash function is a one-way function that accepts a variable-length input (such as a password) and outputs a fixed-length hash (string). It's infeasible to take the hash and recover the original password directly, although an attacker can try billions of different inputs in hopes that the resulting hash will match.

Two different password hashes are stored for Microsoft passwords: the LAN Manager hash and the Windows NT hash. The first isn't as secure as the second because several things are done to the password before hashing that reduce the number of possible outputs: the password is uppercased, truncated to 14 characters, and split into two 7-character halves, each of which is hashed independently. The Windows NT hash was designed to overcome these limitations, but unlike a UNIX crypt hash it has no salt, so a given password always produces the same NT hash. Even though both hashes are stored, you can choose to disable the LAN Manager support if all your clients support NT hashes (available on Windows NT SP3 and above). Because both hashes are password-equivalent (a client proves knowledge of the hash, not of the password), the sambaLMPassword and sambaNTPassword attributes must be protected by your LDAP access controls exactly as userPassword is: anyone who can read them can authenticate as the user without cracking anything.

Samba has traditionally stored the password hashes in the smbpasswd file and uses tools like smbpasswd to manage the password file by the same name. This can easily be moved to LDAP so that multiple Samba servers can authenticate without needing to use Primary Domain Controllers or other Microsoft infrastructure. Storing the data in LDAP also reduces duplication of information across your network.

Understand the Samba schema

NT passwords are different from UNIX passwords and can't be stored in the userPassword attribute. Therefore, the LDAP schema must be extended to store the password hashes and other pieces of information that a Microsoft device expects to be available. The schema file is distributed with the Samba suite as samba.schema. Copy this file to /etc/openldap/schema, and use the include directive in slapd.conf to make it a part of your server's schema. samba.schema introduces several new objectClasses, which are explained in Table 4.

Table 4. objectClasses in samba.schema

objectClass          Description
sambaSamAccount      Provides the information needed for an account (computer, user, and so on) in an NT environment.
sambaGroupMapping    Maps a UNIX group to a Windows group.
sambaTrustPassword   Provides authentication information about trust relationships between domains.
sambaDomain          Stores information about the domain in the LDAP tree. You'll find one of these added automatically to your LDAP tree after you set up Samba/LDAP.

Configure Samba for LDAP

Configuring Samba for LDAP involves editing smb.conf to set up the LDAP data source and then manipulating your users' LDAP entries to make them aware of the new Samba attributes. In your smb.conf, you'll find a line like passdb backend = tdbsam, which represents the smbpasswd file storage mechanism. Replace this with the code in Listing 15, modified for your environment.

Listing 15. Using the ldapsam password storage

# ldapsam requires the uri to the LDAP server
passdb backend = ldapsam:ldap://192.168.1.138/
# A user in your LDAP server that can read and write the new attributes
# The password will be entered later
ldap admin dn = cn=root,dc=ertw,dc=com
# Same as search base
ldap suffix = dc=ertw,dc=com
# OUs for users/computers/groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Group

Once you've set up smb.conf, restart Samba and execute smbpasswd -W. You're prompted for the password for the LDAP admin DN you entered in smb.conf; Samba keeps it in its secrets.tdb file rather than in smb.conf. At this point, Samba will use LDAP data to authenticate users. Listing 15 uses a plain ldap:// URI, so the admin DN's password and every hash Samba reads or writes cross the network unencrypted unless the directory runs on the same host; for a remote directory use an ldaps:// URI or the ldap ssl option.

Manage Samba users in LDAP

Users must be set up with the sambaSamAccount objectClass before they can use Samba, which includes setting the password hashes and assigning a security identifier (SID) to the user. This is easily handled by the smbpasswd utility, which traditionally added users to the smbpasswd file. smbpasswd will manage an LDAP user if smb.conf is configured to use LDAP, such as in Listing 15.

To set up a new user, first be sure the user's account is set up with the posixAccount objectClass and a uid attribute, which should already be there if the user logs in through LDAP and PAM or NSS. Next, run smbpasswd -a username to modify the user's LDAP entry, which includes setting the Samba password. Listing 16 shows a typical user's entry after being set up for Samba.

Listing 16. A Samba user's entry

dn: cn=Jim Joe,ou=people,dc=ertw,dc=com
givenName: Jim
sn: Joe
cn: Jim Joe
uid: jjoe
uidNumber: 1000
sambaSID: S-1-5-21-2287037134-1443008385-640796334-
userPassword:: e01ENX1yTDBZMjB6QytGenQ3MlZQek1TazJBPT0=
sambaLMPassword: 5BFAFBEBFB6A0942AAD3B435B51404EE
sambaNTPassword: AC8E657F83DF82BEEA5D43BDAF7800CC
loginShell: /bin/bash
gidNumber: 4
homeDirectory: /home/a
sambaAcctFlags: [U]
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top

The sambaSID, sambaLMPassword, sambaNTPassword, sambaAcctFlags, and objectClass: sambaSamAccount lines in Listing 16 were added by smbpasswd. Starting from the top, a SID is added to the account. Using smbpasswd frees you from needing to calculate this, because smbpasswd figures out what SID to use. Next, the LAN Manager and NT password hashes are stored. The sambaAcctFlags attribute is used to store some attributes of the entry. Possible values of this flag are as follows:

- N: No password required
- D: Account disabled
- H: Home directory required
- T: Temporary duplicate of other account
- U: Regular user account
- M: MNS (Majority Node Set cluster) logon user account
- W: Workstation Trust Account
- S: Server Trust Account
- L: Automatic locking
- X: Password doesn't expire
- I: Domain Trust Account

Finally, the sambaSamAccount objectClass enables all these attributes. In addition to those described here, you can set many other options to carry more Windows-specific information. Consult the pdbedit man page to learn about reading and modifying Samba user information from the command line. Samba can act as a Windows Primary Domain Controller (PDC), and the extra information is necessary for Windows clients to function correctly.
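The following Python is an added example, not code from Samba or from the tutorial. Because the NT hash is an unsalted MD4 over the UTF-16LE password and the two halves of the LM hash are computed independently, an export of sambaLMPassword, sambaNTPassword, and sambaAcctFlags attributes can be audited offline without cracking anything. The block implements MD4 itself (hashlib's md4 lives in OpenSSL's legacy provider and is often absent), computes an NT hash, decodes the sambaAcctFlags letters listed above, and flags LM hashes whose second half is the well-known hash of an empty 7-byte block, AAD3B435B51404EE. Applied to the sambaLMPassword in Listing 16, that check shows the password there is seven characters or shorter. The password "password" and the flag strings are constructed inputs.

```python
"""NT/LM hash hygiene checks for entries exported from an ldapsam directory."""
import struct

_MASK = 0xFFFFFFFF
# LM hash of a 7-byte block containing only padding, i.e. "no characters here".
LM_EMPTY_HALF = "AAD3B435B51404EE"
ACCT_FLAG_NAMES = {
    "N": "no password required", "D": "account disabled", "H": "home directory required",
    "T": "temporary duplicate", "U": "regular user", "M": "MNS logon account",
    "W": "workstation trust", "S": "server trust", "L": "auto-locked",
    "X": "password never expires", "I": "domain trust",
}


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is frequently unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                # Each step rewrites one register; rotating the tuple visits a, d, c, b in turn.
                a = _rotl((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4(UTF-16LE(password)) as upper-case hex. No salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


def lm_hash_is_empty(lm_hex: str) -> bool:
    """True for the LM hash of the empty password (also what Samba stores when LM is off)."""
    return lm_hex.upper() == LM_EMPTY_HALF * 2


def lm_password_is_short(lm_hex: str) -> bool:
    """True when the second 7-byte half was all padding: the password had at most
    seven characters, so an attacker only has to crack the first half."""
    return lm_hex[16:].upper() == LM_EMPTY_HALF and not lm_hash_is_empty(lm_hex)


def decode_acct_flags(flags: str) -> set:
    """'[U          ]' -> {'regular user'}; unknown letters are returned as-is."""
    letters = flags.strip("[]").replace(" ", "")
    return {ACCT_FLAG_NAMES.get(ch, ch) for ch in letters}


def audit_entry(entry: dict) -> list:
    """Report the weaknesses visible in one ldapsam entry, without cracking."""
    findings = []
    lm = entry.get("sambaLMPassword", "")
    flags = decode_acct_flags(entry.get("sambaAcctFlags", "[]"))
    if lm and not lm_hash_is_empty(lm):
        findings.append("LM hash present: disable LM authentication with 'lanman auth = no'")
    if lm_password_is_short(lm):
        findings.append("LM hash shows password <= 7 characters")
    if "no password required" in flags:
        findings.append("account flagged N: no password required")
    if "password never expires" in flags:
        findings.append("account flagged X: password never expires")
    return findings
```

Run audit_entry over each sambaSamAccount entry from an ldapsearch export (parsed into a dict) to get a list of findings per user; the two findings it produces for the Listing 16 entry are that an LM hash is stored at all and that the password is at most seven characters long.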
Password synchronization

Now that two sets of passwords exist (userPassword and the two Samba hashes), you must find a way to keep the passwords in sync with each other. If a user changes his or her Samba password, either from the command line or from a Windows client, the UNIX password should change. Likewise, if a user changes the UNIX password, the Samba password should change.

The first case is the easiest. Add ldap password sync = yes to the [global] section of smb.conf, and restart Samba. Any further password changes will change both the Samba and userPassword hashes.

Getting the Samba passwords changed when a user changes his or her password through the UNIX passwd command requires PAM. Samba comes with pam_smbpass, which is used to authenticate and change passwords through the Samba system. For now, there is no need to authenticate passwords, so only the password function will be used. Listing 17 shows part of a PAM configuration file that, when used, changes both UNIX and Samba passwords in LDAP.

Listing 17. A PAM password stack to change both UNIX and Samba passwords

password requisite  pam_cracklib.so try_first_pass retry=3
password optional   pam_smbpass.so use_authtok use_first_pass
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required   pam_deny.so

In Listing 17, the added line is the pam_smbpass.so entry. The pam_smbpass module is listed as optional so that if a user isn't configured as a Samba user, that step will fall through. The Samba password change is placed before the UNIX and LDAP password changes because those two are marked as sufficient, meaning the first one to succeed stops processing; a pam_smbpass line placed after them would never run. With Listing 17 in place, a user changing his or her password from the command line will also change the Samba password.

Migrate existing users to LDAP

When you move to an LDAP backend, you're likely to have existing users in a file-based password mechanism that you need to migrate. The pdbedit utility can copy accounts from one place to another to make this job easy. Listing 18 shows the use of pdbedit to migrate users. The -i parameter sets the source of the data, and the -e parameter sets the destination. Before running the pdbedit command, you should have the ldapsam database set up in smb.conf.

Listing 18. Migrating users from tdbsam to ldapsam

[root@server1 ~]# pdbedit -e ldapsam -i tdbsam
Importing account for fred...ok
Importing account for jsmith...ok

If you're using the older smbpasswd password backend, use smbpasswd instead of tdbsam.
Integrate LDAP with Active Directory

This section covers material for topic 305.5 for the Senior Level Linux Professional (LPIC-3) exam 301. This topic has a weight of 2.

In this section, learn about:
- Kerberos integration with LDAP
- Cross-platform authentication
- Single sign-on concepts
- Integration and compatibility limitations between OpenLDAP and Active Directory

Microsoft Windows can be found in almost every company; there's a good chance that your environment already makes use of Active Directory, Microsoft's enterprise directory service. Active Directory is based on two open protocols: LDAP and Kerberos. By understanding these protocols and configuring the Linux system appropriately, your Linux box can authenticate against the enterprise directory and facilitate single sign-on (SSO). This means you log in to your machine once, and your credentials are good throughout the network.

Understand Kerberos

Kerberos, named after the three-headed dog that guards Hades in Greek mythology, is a protocol that allows users and servers to prove their identity to each other over an untrusted network. It was developed at the Massachusetts Institute of Technology (MIT) for use on their network and has since found its place in many other networks. Microsoft chose to use Kerberos as part of Windows 2000's Active Directory. Kerberos V is the currently developed stream, although you may run into Kerberos IV at times. Kerberos V provides backward compatibility for systems still using Kerberos IV.

The Kerberos protocol

Kerberos is a protocol that allows a service to authenticate the identity of a user without needing to see a password. This is achieved by having a mutually trusted server, called the Authentication Service (AS). The AS shares a secret with each user and service. The secret is used to protect information between the AS and the other end of the conversation; it even lets the AS give the user a message (called a ticket) destined for someone else. In this latter case, users can't read the ticket because they don't have the shared secret.

All clients and servers form a Kerberos realm, which is much like an NIS domain or, in some respects, the base DN of an LDAP tree. The realm defines all the devices and people that authenticate to a common set of Kerberos servers. Generally, the realm is the DNS zone of the organization written in uppercase, such as ERTW.COM.

For the purposes of Kerberos, the clients are the computers that get tickets from a Kerberos server. The servers are the devices that provide the Kerberos services of granting tickets. Everything that is authenticated in the Kerberos realm has a corresponding Kerberos principal that identifies it and is associated with the password or shared secret. When a user connects to a server, they're really connecting to a service running on the server. Each service is treated separately and must be registered as a principal with the Kerberos server. A service's principal is of the form servicename/servername@REALM, whereas a user's principal is of the form user@REALM.

The Kerberos protocol is shown in Figure 1.

Figure 1. The Kerberos protocol

The Kerberos protocol can be viewed as having two distinct phases: the initial login of the user to the realm, and the authenticating of the user to the service. The magic of Kerberos is that the initial login happens only once; the subsequent service authentication can happen many times to many servers.

The first phase of Kerberos starts with the user asking the Kerberos server (specifically, a component called the Key Distribution Center [KDC]) for a Ticket Granting Ticket (TGT), which will be used later to request service. The KDC generates a TGT, encrypts it with the ticket-granting service's own key, and sends it back to the user together with a session key encrypted under a key derived from the user's password. Only a client that knows the password can recover the session key, and without the session key the TGT is useless. The TGT has been likened to a visitor pass in a company. You show your identification to the security guard (KDC) and are granted a visitor pass that's valid for one day. This process allows you to keep your own ID secure and also limits the company's exposure to a stolen visitor pass. The TGT expires in a short period of time, usually around 8 hours.

In the second phase, the user decides he or she needs access to a service. The user sends a request to the Kerberos server's Ticket Granting Service (TGS) component, which includes the TGT and the name of the service (the principal). The TGS checks to see if the TGT is still valid and then issues a ticket that has been encrypted with the shared secret of the service. Finally, the user presents this ticket to the service. If the service can successfully decrypt the ticket, then the service knows the Kerberos system approved the request. No passwords ever crossed the network.

Kerberos thwarts replay attacks, where an attacker captures a ticket and uses it again, by imposing limited lifetimes on tickets and including timestamps in the encrypted ticket. A ticket for a service may be valid for 5 minutes, so the service has to remember just 5 minutes' worth of tickets to know if a ticket was replayed. All clocks must be synchronized for this to succeed; the customary tolerance is 5 minutes of skew, beyond which the KDC and the services reject requests.
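The two phases just described, as an added example that is not part of the tutorial or of any real Kerberos implementation: the Python below plays the KDC (AS and TGS), a service, and a client, and shows the four properties the text relies on. The password never crosses the wire; a wrong password simply cannot open the AS reply; a ticket can be read only by the service it was issued to; and the service's replay cache and clock-skew check reject a reused or stale authenticator. The "cipher" is a SHA-256 keystream with an HMAC tag standing in for Kerberos encryption types, string_to_key is a plain hash standing in for the real string2key function, and the ERTW.COM realm, principals, and password are constructed for the example.

```python
"""Toy model of the three Kerberos exchanges (AS, TGS, AP) with replay checks.
The cipher (SHA-256 keystream plus HMAC) stands in for Kerberos enctypes: it
shows the protocol shape, not production cryptography."""
import hashlib, hmac, json, os

TGT_LIFETIME, TICKET_LIFETIME, MAX_SKEW = 8 * 3600, 300, 300   # seconds, as in the text


def _keystream(key: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(-(-n // 32)))[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC: only a holder of key can read or forge the message."""
    nonce, plain = os.urandom(16), json.dumps(msg, sort_keys=True).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key + nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key + nonce, len(cipher)))))


def string_to_key(password: str) -> bytes:
    """Stand-in for Kerberos string2key; the KDC stores this key, never the password."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Holds each principal's long-term key and runs the AS and the TGS."""

    def __init__(self, realm: str, keys: dict, clock):
        self.keys, self.clock = dict(keys), clock
        self.tgs_key = keys[f"krbtgt/{realm}@{realm}"]

    def as_exchange(self, user: str):
        """AS-REP: the TGT is sealed for the TGS, the session key for the user."""
        session, expires = os.urandom(32).hex(), self.clock() + TGT_LIFETIME
        tgt = seal(self.tgs_key, {"client": user, "session_key": session, "expires": expires})
        return tgt, seal(self.keys[user], {"session_key": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REP: check the TGT and authenticator, issue a ticket sealed for the service."""
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < self.clock():
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["session_key"])
        if unseal(session, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session_key": svc_session,
                                           "expires": self.clock() + TICKET_LIFETIME})
        return ticket, seal(session, {"service": service, "session_key": svc_session})


class Service:
    def __init__(self, key: bytes, clock):
        self.key, self.clock, self.replay_cache = key, clock, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        """AP-REQ: open the ticket with our own key; reject stale or replayed authenticators."""
        t = unseal(self.key, ticket)
        if t["expires"] < self.clock():
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(a["time"] - self.clock()) > MAX_SKEW:
            raise ValueError("clock skew too large")
        if (a["client"], a["time"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["time"]))
        return t["client"]


def client_login(kdc: KDC, user: str, password: str, service: str, clock):
    """The client side: only the password-derived key can open the AS-REP."""
    tgt, enc_part = kdc.as_exchange(user)
    session = bytes.fromhex(unseal(string_to_key(password), enc_part)["session_key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(session, {"client": user, "time": clock()}), service)
    return ticket, bytes.fromhex(unseal(session, enc2)["session_key"])


def demo() -> dict:
    """Happy path plus replay, wrong password and clock skew in a constructed ERTW.COM realm."""
    now = [1_700_000_000]
    clock = lambda: now[0]
    user, svc_name = "sean@ERTW.COM", "host/bob.ertw.com@ERTW.COM"
    keys = {"krbtgt/ERTW.COM@ERTW.COM": os.urandom(32), user: string_to_key("mypassword"),
            svc_name: os.urandom(32)}
    kdc, svc, results = KDC("ERTW.COM", keys, clock), Service(keys[svc_name], clock), {}
    ticket, svc_session = client_login(kdc, user, "mypassword", svc_name, clock)
    auth = seal(svc_session, {"client": user, "time": clock()})
    results["login"] = svc.ap_exchange(ticket, auth)
    for label, action in (
        ("replay", lambda: svc.ap_exchange(ticket, auth)),
        ("wrong password", lambda: client_login(kdc, user, "guess", svc_name, clock)),
        ("skew", lambda: svc.ap_exchange(ticket, seal(svc_session, {"client": user, "time": clock() - 600}))),
    ):
        try:
            action()
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Calling demo() returns the accepted principal for the first AP exchange and the rejection reason for each of the three failure cases. Two simplifications matter if you compare this with a real KDC: the AS here answers anyone who asks (modern KDCs require pre-authentication, so that the encrypted reply is not handed to an attacker for offline guessing), and a real authenticator carries a microsecond field and sequence number rather than a one-second timestamp.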
Where does LDAP fit in

Kerberos provides only an authentication framework, much like the PAM system does. User information isn't stored in the Kerberos database. Kerberos secrets can be stored in the LDAP database or they can be left separate. The choice is up to the implementation of Kerberos. In either case, LDAP is used to store the user information such as home directory and personal information.

You must keep your Kerberos database secure regardless of where it's stored. The Kerberos keys are like passwords: they can be stolen and used to generate TGTs and tickets. Most guides strongly recommend keeping your Kerberos server on its own device and protecting it as much as possible.
Configure Microsoft Active Directory for your Linux guests

Active Directory uses implementations of Kerberos and LDAP that are compatible with those shipped with Linux. Microsoft has extended Kerberos to support Windows-specific attributes, but this doesn't prevent UNIX users from using it (see the Related topics for Microsoft's documentation on the subject).

The Active Directory schema must be extended to support some of the UNIX attributes, which is easily done in Windows 2003 Server. Go to the Control Panel of your Domain Controller, and choose Add or Remove Programs > Add/Remove Windows Components. From the Active Directory Services component, choose the Identity Management for UNIX subcomponent. (If you have an earlier version of Windows, this component is sometimes called the Server for NIS.) Install this software, and the LDAP schema will be extended; your user dialogs will also include a UNIX Attributes tab, which will be used soon.

From the Active Directory Users and Computers application, edit the Domain Users security group. Note the new tab, UNIX Attributes. Assign a group and NIS domain to your Domain Users group, as shown in Figure 2. Doing so allows the group to be seen by the UNIX systems. This group will be the user's primary group.

Figure 2. Assigning UNIX attributes to a group

Still in the Users container, find a user whom you want to use on your UNIX servers. Find the UNIX Attributes tab for this user, and assign the standard UNIX attributes to them. Figure 3 shows a sample user.

Figure 3. The UNIX attributes of a user

The user in Figure 3 has been assigned a primary group, a home directory, a shell, and a user id.

Next, you must create a service account that allows access to your LDAP tree, because anonymous access is disabled by default. Use the following configuration for this user:

- Name: LDAP service account (or your choice)
- User logon name: ldap (or your choice)
- Password: Your choice
- User can't change password: Selected
- Password never expires: Selected
- Primary group: Domain Guests

The service account should only be a member of Domain Guests. From the Member Of tab, add the Domain Guests group to the account, highlight it in the list of groups, then click the Set Primary Group button. With the group changed, you can remove the Domain Users group from the profile. If your security policy prohibits the password options, you'll have to adjust your Linux configuration (described next) each time the password changes. Note that LDAP is used here only for directory information and not passwords, so the requirement to change passwords is lessened. Even so, this account's password ends up in cleartext on every Linux client, so keep its rights limited to read-only directory lookups and nothing more.
Configure Linux

The Linux side of the equation involves three steps. First, you set up directory access through /etc/ldap.conf. Next, you configure PAM for Kerberos authentication. Finally, configure Samba to use Active Directory information for authentication, and join it to the domain.

Before you start, you must ensure that your Linux machine is using your Microsoft server for both DNS and network time. Your Linux server must also have a host record in the Microsoft DNS zone for your domain.

Configure LDAP

LDAP is configured as it was earlier, except that some mapping is required from UNIX attributes to Microsoft attributes. Listing 19 shows /etc/ldap.conf configured to access a Microsoft LDAP directory using the user account set up previously.

Listing 19. Configuring ldap.conf to use a Microsoft directory

# Information about the directory
uri ldap://192.168.1.151
binddn ldap@ertw.com
bindpw ldap
ssl no
base dc=ertw,dc=com
# Map attributes
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

The configuration shown in Listing 19 first points the module to the Microsoft LDAP server using the credentials set up earlier. The attributes are mapped from the UNIX name to the Microsoft name, such as using sAMAccountName for the user id. Two cautions apply to this file. First, bindpw is a cleartext credential in a file that NSS needs to be world-readable; nss_ldap's rootbinddn directive, with the password in /etc/ldap.secret (mode 0600), exists so that a privileged credential never has to sit in ldap.conf itself. Second, ssl no sends the bind password across the network in the clear, and pam_password ad will not work over it at all, because Active Directory accepts password changes only over an SSL/TLS-protected connection.

Finally, add ldap winbind to the passwd, group, and shadow sections of /etc/nsswitch.conf (leave files in there). This lets your system pull directory information from LDAP and Samba (the latter to be configured later). After this step, you can run getent passwd to see the LDAP users. Note that you must set the UNIX attributes for the user in Active Directory for the user to show up in the list.
ConfigureKerberosKerberosisconfiguredthroughPAMandthe/etc/krb5.
conffile.
Ifyou'reusingyourMicrosoftDNSserverforyourDNS,thenyouonlyneedtospecifyyourrealm,becausetheserverwillbelearnedautomaticallyfromDNS.
Listing20showsthecontentsof/etc/krb5.
confListing20.
/etc/krb5.
conffortheERTW.
COMrealm[logging]default=FILE:/var/log/krb5libs.
logkdc=FILE:/var/log/krb5kdc.
logadmin_server=FILE:/var/log/kadmind.
log[libdefaults]default_realm=ERTW.
COMdns_lookup_realm=falsedns_lookup_kdc=trueticket_lifetime=24hforwardable=yes[realms]ERTW.
COM={default_domain=ertw.
com}[domain_realm].
ertw.
com=ERTW.
COMertw.
com=ERTW.
COM[appdefaults]pam={debug=falseticket_lifetime=36000renew_lifetime=36000forwardable=truekrb4_convert=false}krb5.
confisdividedintosections,withthenameofthesectionenclosedinsquarebrackets.
Theloggingsectionspecifiesthepathsofvariouslogfiles.
ThelibdefaultssectionsconfigurethedeveloperWorksibm.
com/developerWorks/LPIexam301prep:Topic305:IntegrationandmigrationPage28of34Kerberoslibraries:inparticular,thedns_lookup_kdctellsthelibrarytolookforserverrecords(SRV)inDNStofindtheKDC.
Therecordlookslike_kerberos.
_tcp.
ERTWCOM.
,andtheresponseisthenameofaserverandtheporttocontact.
TherealmssectiondefinestherealmsandtheassociatedDNSzones.
Thedomain_realmsectiondoesthereverse:itallowsahosttodetermineitsrealmbasedonitsfullyqualifieddomainname(FQDN).
Finally,theappdefaultssectionisfortheapplicationsusingKerberos;inthiscase,PAMhasbeenconfiguredwithsomedefaultoptions.
Inpractice,thereislittletoconfigureinkrb5.
confbecausethedefaultconfigurationfilehasalltherequiredelements.
Allyouhavetodoissubstituteyourrealmanddomainnamewhereappropriate.
Youcanalsouseyoursystem'sKerberosconfigurationutility,suchasauthconfig.
TheconfigurationofPAMisjustlikethepreviousconfigurationsofLDAPandsmbpasswd.
YouinsertacalltotheKerberosPAMlibrarywhereappropriate.
Listing21showspartoftheFedorasystem-authfileafterKerberoshasbeenconfigured.
Listing21.
system-authfileafterconfiguringKerberosauthsufficientpam_unix.
sonulloktry_first_passauthsufficientpam_krb5.
souse_first_passauthrequiredpam_deny.
soaccountrequiredpam_unixsobroken_shadowaccount[default=badsuccess=okuser_unknown=ignore]pam_krb5.
soaccountrequiredpam_permit.
sopasswordsufficientpam_unix.
somd5shadownulloktry_first_passuse_authtokpasswordsufficientpam_krb5.
souse_authtokpasswordrequiredpam_deny.
sosessionrequiredpam_unix.
sosessionoptionalpam_krb5.
soKerberoshasbeenaddeddirectlyaftertheUNIXpasswordcheckintheauthorizationphaseasasufficientitem.
This means that if a UNIX password is found, Kerberos isn't consulted. If no UNIX password is found, then Kerberos is consulted. If Kerberos fails, the stack fails. If no user is found, then control passes to the pam_deny module, which causes a failure.

The account phase uses an alternative syntax to the one you've seen so far. Each PAM module can return different values, such as "success" or "no such user". The square brackets allow the administrator to take a different action based on each possible return code. Listing 21 implements a policy that says if pam_krb5 returns a successful result, then continue processing. If the user is unknown, then ignore the module completely. Anything else is considered a failure. This behavior is close to the required keyword, with the exception that an unknown user doesn't cause a failure. Consult the pam.conf(5) man page for more details on this syntax, including the options.

The password and session phases include the module in the stack with no special options.
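To see how these control flags interact, here is an added example (not from the tutorial) that simulates the auth and account stacks of Listing 21 with stubbed modules; the module names and status strings are simplified stand-ins for the real PAM return codes.

```python
"""Simulate the Linux-PAM control flags used by Listing 21 (added example, not
from the tutorial).  Modules are stubbed as callables returning a status string;
the skip-N, reset and new_authtok_reqd actions are omitted, Listing 21 not using them."""

SUCCESS, AUTH_ERR, USER_UNKNOWN, ACCT_EXPIRED = "success", "auth_err", "user_unknown", "acct_expired"
# Keyword flags written in the long [value=action] form, as pam.conf(5) defines them.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[default=bad success=ok user_unknown=ignore]' to {value: action}."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, modules):
    """Evaluate one phase of [(control, module)]; modules maps names to callables.
    Returns (final status, modules actually called)."""
    result, called = None, []
    for control, name in stack:
        status = modules[name]()
        called.append(name)
        actions = parse_control(control)
        action = actions.get(status, actions.get("default", "bad"))
        if action == "ignore":
            continue                      # module does not contribute to the result
        if result in (None, SUCCESS):     # the first failure sticks for the whole stack
            result = status
        if action in ("done", "die"):     # stop evaluating the rest of the stack
            break
    return (result if result is not None else "perm_denied"), called  # nothing contributed: fail

# Listing 21's auth and account stacks, module arguments left out.
AUTH = [("sufficient", "pam_unix"), ("sufficient", "pam_krb5"), ("required", "pam_deny")]
ACCOUNT = [("required", "pam_unix"),
           ("[default=bad success=ok user_unknown=ignore]", "pam_krb5"),
           ("required", "pam_permit")]

def auth_outcome(unix_status, krb5_status):
    """Run the auth stack for the given pam_unix and pam_krb5 results."""
    return run_stack(AUTH, {"pam_unix": lambda: unix_status,
                            "pam_krb5": lambda: krb5_status,
                            "pam_deny": lambda: AUTH_ERR})

def account_outcome(krb5_status, krb5_control=ACCOUNT[1][0]):
    """Run the account stack; pass krb5_control='required' to compare with the bracket form."""
    stack = [ACCOUNT[0], (krb5_control, "pam_krb5"), ACCOUNT[2]]
    return run_stack(stack, {"pam_unix": lambda: SUCCESS,
                             "pam_krb5": lambda: krb5_status,
                             "pam_permit": lambda: SUCCESS})
```

Swapping the bracket form for plain required in account_outcome shows the one difference the text describes: an unknown Kerberos user then fails the account phase.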
At this point, you should be able to log in to your Linux server using Active Directory credentials. The next step configures Samba and further secures the connection by creating a computer account for the server.
Configure Samba and join the domain

For Samba's configuration, you must first remove your existing password backend from smb.conf, and any of the tdb files in /etc/samba and /var/cache/samba. Listing 22 shows the directives you must add to the [global] section of smb.conf to allow Samba to use AD.
Listing 22. Samba configuration for AD integration

    # Active directory security
    security = ads
    realm = ERTW.COM
    use kerberos keytab = yes
    # Identity mapping
    idmap backend = ad
    ldap idmap suffix = dc=ertw,dc=com
    # LDAP configuration
    ldap admin dn = cn=ldap,cn=users,dc=ertw,dc=com
    ldap suffix = dc=ertw,dc=com
    # Winbind
    winbind use default domain = yes
    winbind nested groups = yes

Listing 22 starts by specifying that ADS security mode is used (remote Active Directory server), along with the Kerberos realm.
The second section configures id mapping, which is a feature that maps remote Microsoft SIDs to local UNIX ids. This configuration specifies that Active Directory is the source of the information. The mapping is taken care of on the Microsoft side, because you've already entered the IDs in the UNIX Attributes tab of the users and groups. Your server just has to pull this information from LDAP.

The LDAP configuration is familiar; it sets the DN for the LDAP connection to the ldap user created earlier. Note that the container is cn=users instead of the ou=people that has been used so far. The password is entered through smbpasswd.

The last two lines enable Winbind, which is an implementation of some of the Microsoft Remote Procedure Calls (see Related topics for more information on Winbind). It lets you get more information out of your Active Directory server, rather than only the groups and users for which you've added UNIX attributes.
After smb.conf is configured, start the Samba and winbind services. The final steps in the Samba configuration are to set the admin dn password and to join your domain. Listing 23 shows the computer joining the domain.
Listing 23. Setting the admin dn password and joining the domain

    [root@server1 ~]# smbpasswd -W
    Setting stored password for "cn=ldap,cn=users,dc=ertw,dc=com" in secrets.tdb
    New SMB password: ldap
    Retype new SMB password: ldap
    [root@server1 ~]# net ads join -U administrator
    administrator's password: mypassword
    Using short domain name -- ERTW0
    Joined 'SERVER1' to realm 'ERTW.COM'
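Before the join, it is worth confirming that smb.conf really carries the Listing 22 directives and no leftover password backend. The following checker is an added example, not part of the tutorial or of Samba; OLD_CONF and AD_CONF are constructed samples, and the list of required directives is an assumption drawn from Listing 22.

```python
"""Check an smb.conf [global] section against the AD directives of Listing 22
(added example, not Samba code).  It flags a leftover passdb backend, which the
text says must be removed, and any Listing 22 directive missing or set differently."""

REQUIRED_GLOBAL = {        # directive -> expected value, or None for "just present"
    "security": "ads",
    "realm": None,
    "use kerberos keytab": "yes",
    "idmap backend": "ad",
    "ldap admin dn": None,
    "winbind use default domain": "yes",
}
FORBIDDEN_GLOBAL = ("passdb backend",)   # the old password backend must go

def parse_smb_conf(text):
    """Return {section: {directive: value}}, names lower-cased as Samba treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def check_ad_config(text):
    """Return a list of problems; [] means [global] carries Listing 22's settings."""
    g = parse_smb_conf(text).get("global", {})
    problems = [f"missing: {k}" for k in REQUIRED_GLOBAL if k not in g]
    problems += [f"{k} = {g[k]} (expected {v})" for k, v in REQUIRED_GLOBAL.items()
                 if v is not None and k in g and g[k].lower() != v]
    problems += [f"remove: {k} = {g[k]}" for k in FORBIDDEN_GLOBAL if k in g]
    return problems

# Constructed samples: a pre-migration file and the [global] directives of Listing 22.
OLD_CONF = """[global]
workgroup = ERTW
security = user
passdb backend = tdbsam
"""
AD_CONF = """[global]
security = ads
realm = ERTW.COM
use kerberos keytab = yes
idmap backend = ad
ldap idmap suffix = dc=ertw,dc=com
ldap admin dn = cn=ldap,cn=users,dc=ertw,dc=com
ldap suffix = dc=ertw,dc=com
winbind use default domain = yes
winbind nested groups = yes
"""
```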
Test it out

You should be able to log in to your server with Active Directory credentials and browse file shares from a remote computer without having to log in. Some helpful commands to test are:

net ads testjoin: Tests the computer account
wbinfo -u: Shows a list of Active Directory users and tests winbind
klist: After you log in through Kerberos, shows your TGT and any service tickets that have been issued
smbclient -k -L '\\SERVERNAME': Shows a list of shares from SERVERNAME, using a Kerberos login

Integrate LDAP with e-mail services

This section covers material for topic 305.6 for the Senior Level Linux Professional (LPIC-3) exam 301. This topic has a weight of 1.
In this section, learn how to:

Plan LDAP schema structure for e-mail services
Create e-mail attributes in LDAP
Integrate Postfix with LDAP
Integrate sendmail with LDAP

sendmail and Postfix are two of the more popular mail transport agents (MTAs) in use. The job of the MTA is to receive messages from the systems and send them to be delivered to the end user or to the next hop MTA. MTAs also take messages from users and find the remote MTA that is capable of delivering the message. Both sendmail and Postfix rely on various maps: key/value pairs that are normally held in flat files or hash databases like BDB. This type of lookup is also a good fit for LDAP. The advantages of LDAP are that many hosts can share the same configuration, and that it's easier to develop tools to manage the data in LDAP rather than in flat files that must then be rebuilt into hash tables. The overhead of LDAP versus disk reads should not be that onerous, especially if the LDAP tree is properly indexed.
Configure sendmail

The sendmail MTA is a complex creature, and adding LDAP to the mix only increases the complexity. You can do just about anything with sendmail because it's almost infinitely configurable. The downside is that things that should be simple tend to be more complicated than necessary. Understand that sendmail is a program that interprets a language often called cf in order to process mail. Cf is a language made for easy parsing by sendmail, not humans. Fortunately, humans can use a language called M4, which has a much simpler syntax, to generate the resulting cf code.
sendmail maps

Many cf operations involve looking up information in maps, which are series of key-value pairs. Each map has a particular purpose, such as the aliases map for mail aliases and the mailertable map for static routing of e-mail. The map is a two-column entity; lookups are performed on the left-hand side (LHS), and the corresponding value from the right-hand side (RHS) is returned.

The concept of a map doesn't translate directly into LDAP. A single-key lookup in a sendmail map may return only one RHS entry (the RHS can have multiple values, but only one instance of the key may exist). sendmail works with this by defining a schema that allows key-value pairs to be stored in LDAP. Furthermore, sendmail translates each map request into an LDAP query filter that is designed to return a set of attributes from a single entry. You can choose to use the sendmail schema, or you can modify the filters to work with the data in your tree.

To get started, add the misc.schema schema (it comes with OpenLDAP) to your server's schema. This implements LDAP-based mail routing. Then, add sendmail.schema from the sendmail distribution, which lets you store maps in LDAP.
Configure LDAP mail routing

Some organizations have multiple mail servers to handle all their users, either because of geographical constraints or for managing capacity on the servers. In this case, a user's mailbox might be on a server called wpg.ertw.com but the user's e-mail address might be sean@ertw.com. LDAP mail routing allows any sendmail server to receive the message, perform an LDAP lookup, and rewrite the address to the internal version. It's then a simple matter to change the destination server by changing LDAP. In any case, the user's e-mail address stays the same.
The misc.schema implements an Internet draft for LDAP routing. This schema provides the inetLocalMailRecipient objectClass with the following attributes:

mailLocalAddress: An attribute that defines someone's e-mail address as it's seen by someone outside the organization
mailRoutingAddress: An attribute that defines the internal address of a user, which usually includes the server that holds the user's mailbox
mailHost: An attribute that defines the server that handles this user's e-mail

The host information for the user can be held in either mailRoutingAddress or mailHost. For example, a mailRoutingAddress of sean@wpg.ertw.com with a mailHost of mx.ertw.com seems like a contradiction. If the host is set, the mail will be delivered there regardless of the routing address. The address will still be rewritten to the routing address if that attribute exists. In the example of sean@wpg.ertw.com, the address in the envelope will be rewritten to sean@wpg.ertw.com, but the message will be delivered to mx.ertw.com.
Listing 24 shows the M4 code that enables LDAP routing. This should go in /etc/mail/sendmail.mc; then, you must rebuild your sendmail.cf. Usually this means going into /etc/mail/ and running make; or it may mean running m4 sendmail.mc > sendmail.cf.

Listing 24. Enabling LDAP routing in sendmail.mc

    define(`confLDAP_DEFAULT_SPEC', `-h localhost -b dc=ertw,dc=com')
    FEATURE(`ldap_routing')
    LDAPROUTE_DOMAIN(`ertw.com')

The first line sets the default arguments for the internal LDAP client: the host and the search base. The second line enables the LDAP routing feature, and the third enables the ertw.com domain for LDAP routing.
The duplication of the mailLocalAddress attribute from inetLocalMailRecipient and the mail attribute from inetOrgPerson is worth looking at. sendmail lets you override the searches it uses internally by passing extra arguments to the ldap_routing feature. The first argument is the filter used to find the mailHost attribute, and the second is used to find mailRoutingAddress. Therefore,

    FEATURE(`ldap_routing',
        `ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient)(mail=%0))',
        `ldap -1 -T<TMPF> -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient)(mail=%0))')

enables sendmail to use the mail attribute instead of mailLocalAddress. The search filter is specified with the -k switch, and the attribute to return with -v. The rest of the arguments are standard for sendmail.
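As an added example (not sendmail's code), the following models the routing decision described above over a constructed in-memory directory: the LDAPROUTE_DOMAIN check, mailHost taking precedence over the routing address, and the choice of mail versus mailLocalAddress as the lookup key. The passthru behaviour for an address with no entry is an assumption.

```python
"""Decide what sendmail's ldap_routing feature does with an address (added
example, not sendmail code).  DIRECTORY is a constructed in-memory stand-in for
the LDAP tree; an address with no matching entry is assumed to pass through
unchanged, the behaviour sendmail applies unless bounce is requested."""

ROUTED_DOMAINS = {"ertw.com"}              # LDAPROUTE_DOMAIN(`ertw.com')

DIRECTORY = [
    {"objectClass": ["inetOrgPerson", "inetLocalMailRecipient"],
     "mail": "sean@ertw.com", "mailLocalAddress": "sean@ertw.com",
     "mailRoutingAddress": "sean@wpg.ertw.com", "mailHost": "mx.ertw.com"},
    {"objectClass": ["inetOrgPerson", "inetLocalMailRecipient"],
     "mail": "fred@ertw.com", "mailLocalAddress": "fred@ertw.com",
     "mailRoutingAddress": "fred@wpg.ertw.com"},          # no mailHost
    {"objectClass": ["inetOrgPerson", "inetLocalMailRecipient"],
     "mail": "ann@ertw.com", "mailHost": "mx2.ertw.com"},  # only the inetOrgPerson mail attribute
]

def find_recipient(address, directory=DIRECTORY, key="mailLocalAddress"):
    """Stand-in for the filter (&(objectClass=inetLocalMailRecipient)(<key>=address)).
    key defaults to mailLocalAddress; "mail" mirrors the overridden filters in the text."""
    for entry in directory:
        if ("inetLocalMailRecipient" in entry["objectClass"]
                and entry.get(key, "").lower() == address.lower()):
            return entry
    return None

def route(address, directory=DIRECTORY, key="mailLocalAddress"):
    """Return (envelope address after rewriting, delivery host); a host of None
    means ordinary delivery for the domain of the returned address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain not in ROUTED_DOMAINS:
        return address, None                # domain not enabled for LDAP routing
    entry = find_recipient(address, directory, key)
    if entry is None:
        return address, None                # no entry: assumed passthru
    new_address = entry.get("mailRoutingAddress", address)
    host = entry.get("mailHost")            # mailHost wins when it is set ...
    if host is None and "mailRoutingAddress" in entry:
        host = new_address.rsplit("@", 1)[-1]   # ... otherwise the routing address names the host
    return new_address, host
```

The ann entry shows why the override matters: with the default mailLocalAddress key she is not found and the message passes through, while the mail key routes her to mx2.ertw.com.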
Configure aliases

sendmail implements LDAP aliases as a series of entries in the LDAP tree, keyed on an attribute called sendmailMTAKey using an objectClass of sendmailMTAAliasObject. You may wish to keep the aliases in their own container. Listing 25 shows the LDIF for a sendmail alias that takes mail for exec@ertw.com and sends it to hair@ertw.com and teeth@ertw.com.
Listing 25. Alias for exec@ertw.com

    dn: sendmailMTAKey=execs,ou=aliases,dc=ertw,dc=com
    objectClass: sendmailMTAAliasObject
    sendmailMTACluster: external
    sendmailMTAAliasGrouping: aliases
    sendmailMTAKey: execs
    sendmailMTAAliasValue: hair@ertw.com
    sendmailMTAAliasValue: teeth@ertw.com

The first attribute, sendmailMTACluster, defines the servers that can use this alias. You must also define the cluster name in the sendmail.mc file, such as define(`confLDAP_CLUSTER', `external'). This cluster is used as part of the search filter, so if you forget to define it, your aliases will never be used. The alternative to defining a cluster is to set sendmailMTAHost, which makes the entry apply only to a particular host. sendmailMTAAliasGrouping must be aliases; this is part of the search filter. The key refers to the name of the alias; finally, you have one or more values that are the targets.

The final step is to configure sendmail to use LDAP for the aliases file with the define(`ALIAS_FILE', `ldap:') M4 directive. In general, anywhere you're asked for a file in sendmail.mc, you can put ldap:, and the map will be referenced in LDAP. The sendmailMTAAliasGrouping then becomes the name of the map.
Configure Postfix

Postfix is designed to be simpler than sendmail but to remain compatible with sendmail. The concept of maps is still around, but instead of fitting the maps into a schema, you must define your own query filters that use your own attributes. For most maps, you specify the target as ldap:/path/to/config.cf, with config.cf being a configuration file that defines the LDAP server, the query, and the attributes that form the response.

For example, the local_recipient_maps directive specifies how Postfix will map e-mail addresses to local accounts. Specify local_recipient_maps = $aliases, ldap:/etc/postfix/localrecipients.cf to first check the aliases database (to come later) and then the regular address attached to a user's entry. Listing 26 shows the contents of localrecipients.cf.
Listing 26. The localrecipients LDAP lookup

    # LDAP server info
    server_host = ldap://localhost
    search_base = ou=people,dc=ertw,dc=com
    # %s is the e-mail address...
    query_filter = mail=%s
    # the uid tells the account that gets the delivery
    result_attribute = uid

Listing 26 specifies the local LDAP server and the People OU. Postfix consults the search filter and replaces the %s with the e-mail address. Thus, an e-mail for fred@ertw.com will result in a search for (mail=fred@ertw.com) in the People OU.
The uid attribute is used to determine the mailbox. To test, you can run postmap -q fred@ertw.com ldap:/etc/postfix/localrecipients.cf, which runs the given e-mail address through the localrecipients.cf configuration file (note that NSS must be configured to return details about the fred account).
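The following added example (not Postfix code) reproduces what postmap -q does with Listing 26 against a constructed directory: it parses the .cf file, quotes the %s value the way ldap_table(5) says Postfix does, and honours search_base. PEOPLE, including the bob entry placed outside the search base, is constructed.

```python
"""Evaluate a Postfix ldap: table like Listing 26 against an in-memory directory
(added example, not Postfix code).  It parses the .cf file, substitutes %s into
query_filter with the RFC 2254 quoting that ldap_table(5) describes, and returns
the result_attribute values as postmap -q would.  Only the attr=%s filter form
used in Listing 26 is evaluated locally; Postfix itself sends the filter to LDAP."""
import re

LOCALRECIPIENTS_CF = """\
# LDAP server info
server_host = ldap://localhost
search_base = ou=people,dc=ertw,dc=com
# %s is the e-mail address...
query_filter = mail=%s
# the uid tells the account that gets the delivery
result_attribute = uid
"""

PEOPLE = [  # constructed entries; bob sits outside the search base on purpose
    {"dn": "uid=fred,ou=people,dc=ertw,dc=com", "uid": ["fred"], "mail": ["fred@ertw.com"]},
    {"dn": "uid=sean,ou=people,dc=ertw,dc=com", "uid": ["sean"],
     "mail": ["sean@ertw.com", "sean.walberg@ertw.com"]},
    {"dn": "uid=bob,ou=staff,dc=ertw,dc=com", "uid": ["bob"], "mail": ["bob@ertw.com"]},
]

def parse_cf(text):
    """Read key = value lines, skipping blank lines and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            table[key.strip()] = value.strip()
    return table

def quote_filter_value(value):
    """RFC 2254/4515 escaping, so a key such as 'x)(uid=*' cannot widen the filter."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def lookup(key, cf_text=LOCALRECIPIENTS_CF, directory=PEOPLE):
    """Return (filter string as sent to LDAP, result_attribute values for key)."""
    cf = parse_cf(cf_text)
    match = re.fullmatch(r"\(?(\w+)=%s\)?", cf["query_filter"])
    if match is None:
        raise ValueError("this example only evaluates the attr=%s filter form")
    attr, wanted = match.group(1), cf["result_attribute"]
    filt = cf["query_filter"].replace("%s", quote_filter_value(key))
    hits = []
    for entry in directory:
        if not entry["dn"].lower().endswith(cf["search_base"].lower()):
            continue                          # entry is outside search_base
        if any(v.lower() == key.lower() for v in entry.get(attr, [])):
            hits.extend(entry.get(wanted, []))
    return filt, hits
```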
Summary

In this tutorial, you learned how to integrate LDAP with your current systems. NSS provides an easy way for core UNIX tools to make use of LDAP by redirecting the standard C library calls to the backend of your choice. PAM is yet another abstraction; it allows you to change the way applications authenticate in a granular fashion as long as the application is PAM aware. PAM also has hooks for account restrictions and password changes. The PAM files live in /etc/pam.d.

Migrating from NIS to LDAP involves planning which databases need to be moved and then running some utilities to extract the data and convert it to LDIF. If you still must support NIS in your environment, PADL has written a NIS server called ypldapd that translates between NIS and LDAP by presenting a NIS interface to applications, and that reads the data from LDAP.

Many applications are PAM aware, which means your migration to LDAP is as simple as changing a few files in /etc/pam.d. Some applications, like Apache, speak LDAP directly. Configuring Apache for LDAP involves using the mod_authnz_ldap module and specifying search filters that help Apache find the users in the tree.

Samba provides Windows services on a UNIX platform. You can configure Samba to use LDAP data or even to use Kerberos data to talk directly to Windows. In the latter case, LDAP is still used for directory information, and Kerberos is used for authentication.

E-mail is a natural fit for LDAP because of its similarity to a phone book. Both sendmail and Postfix allow maps to be served from LDAP.

This concludes the look at directory services for the LPIC 3 exam. The next and final tutorial in the series will focus on monitoring and predicting the performance of your Linux servers.
Related topics

Review the previous tutorial in this 301 series, "LPI exam 301 prep, Topic 304: Usage" (developerWorks, March 2008), or all tutorials in the 301 series.
Review the entire LPI exam prep tutorial series on developerWorks to learn Linux fundamentals and prepare for system administrator certification.
Firewall Builder simplifies the task of typing in iptables rules with a nice GUI and suite of tools to roll out updates to your firewalls.
Download pam_ldap and nss_ldap if your distribution does not include the PADL PAM and NSS LDAP libraries.
Download ypldapd if you're going to follow along with the NIS-LDAP gateway demonstration. The license is good for 30 days.
Download the LDAP migration tools from PADL's site.
New to Kerberos? Start with this explanation in the form of a play.
Read Microsoft's documentation on Kerberos operation and Kerberos troubleshooting.
This article on Winbind shows you an alternative way to integrate Samba and AD without using Kerberos.
mod_authnz_ldap gives you all the details on Apache and LDAP configuration.
How HTTP authentication works is covered in Wikipedia.
Read the FreeRADIUS documentation on the LDAP module. If you're having a hard time finding the schema, try RADIUS-LDAPv3.schema.gz.
Read the Postfix LDAP Howto and the man page for ldap_table(5) before you start with Postfix and LDAP.
The sendmail configuration guide describes all the ways LDAP can be used, including the way the search filters are generated from the configuration file.
This post about an alternative way to build sendmail aliases is enlightening, not only because it's simpler than the normal way, but also because it gives you a peek behind the scenes.
This online LDAP book is an excellent work in progress.
OpenLDAP is a great choice for an LDAP server.
phpLDAPadmin is a Web-based LDAP administration tool.
If the GUI is more your style, Luma is a good one to look at.
In the developerWorks Linux zone, find more resources for Linux developers, and scan our most popular articles and tutorials.
See all Linux tips and Linux tutorials on developerWorks.