Diff: LDAPAuthentication

Differences between version 17 and predecessor to the previous major change of LDAPAuthentication.


Newer page: version 17 Last edited on Saturday, June 19, 2004 3:18:24 pm by GreigMcGill
Older page: version 13 Last edited on Tuesday, January 13, 2004 2:17:55 pm by AlbanBrowaeys
@@ -31,8 +31,9 @@
  MAY rfc822MailMember 
 
  
 Seemed to work for me, or at least, it stopped the migration script from barfing halfway through. 
+  
 Update: /etc/ldap/schema/rfc822.schema is a substract of /etc/ldap/schema/misc.schema . You can either use rfc822.schema as shown above or add: 
  include /etc/ldap/schema/misc.schema 
 atop the /etc/ldap/slapd.conf file. Then restart slapd. 
  
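Review bot: the only change in this hunk is the blank line inserted before "Update:", so the paragraph it separates still carries the typo in its unchanged context, "rfc822.schema is a substract of misc.schema", which should read "subset". Since the edit is already touching this passage, fix the word in the same change and make the consequence of "subset" explicit: the two schema files are offered as alternatives, and including both in slapd.conf would define the same attribute types twice, which the text should tell the reader to avoid.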
@@ -46,9 +47,9 @@
  
  
 __Migrating your Configuration__ 
  
-Once slapd is up and running, after choosing a sensible base dn and so on (this is beyond the scope of this document -- does someone want to wiki setting up slapd? or I'll do it later), it's time to migrate your existing files. This is easiest done by using PADL's excellent MigrationTools. See http://www.padl.com/OSS/MigrationTools.html for them , or simply apt-get install migrationtools if you're lucky enough to be running Debian. 
+Once slapd is up and running, after choosing a sensible base dn and so on (this is beyond the scope of this document -- does someone want to wiki setting up slapd? or I'll do it later), it's time to migrate your existing files. This is easiest done by using PADL's excellent [Migration Tools| http://www.padl.com/OSS/MigrationTools.html] , or simply apt-get install migrationtools if you're lucky enough to be running Debian. 
  
 Edit your migration_common.ph file and enter in the values appropriate for your setup. Under Debian, it'll be in /usr/share/migrationtools. Also, please do not set $EXTENDED_SCHEMA = 1 unless you really have the extended schemas. You'll want to pay attention to any gids/uids you want to ignore. It's probably a good idea to ignore 'system' users and groups. The defaults in Debian are users below 1000 (probably a good idea) and groups below 100. However, I have several groups I would consider 'system' groups (netsaint, etc, among others) at 101, 102... user groups don't start until 1000. So I suggest ignoring groups below 1000. Greig says this is inclusive, so maybe ignore below 999. Another issue I had was that if I tell it to ignore ANY groups, it ignores ALL the groups, so my groups ended up empty on my LDAP server (''This is to do with a bug in the migration script, which I'm surprised didn't leap out at you straight away. It was comparing the higher and lower GID settings with a variable called $uid -- which didn't exist. $gid was the one it was reading from the group file. This has been fixed in unstable, but its not in stable (woody) nor ever will be I think -- DanielLawson'') (''The culprit lines are on lines 55 and 56 of migrate_group.pl and migrate_passwd.pl - change $uid to $gid'' -- TomHibbert). I had to tell it to ignore none and delete the ones I didn't want manually. Greig says this works for him under Woody and RH, but it certainly didn't work for me. [YMMV]. (''Also, you may run into a problem where migrate_all_online.sh barfs because its trying to add the same entry twice. This happens when you have two entries of the same name (in my case news: root) in /etc/aliases''-- TomHibbert) 
  
 After you've configured this, run the script migrate_all_online.sh and let the tools do all the work. I had a few hiccups here, but that was mainly due to slapd being horribly misconfigured. If you have any problems you can't find solutions to, it's probably a good idea to restart slapd several times, or simply stop it for a while, and try again. I don't really know why, but this seemed to fix some of my problems magically. 
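Review bot: the new wiki link on the + line has a space between the pipe and the URL, "[Migration Tools| http://www.padl.com/OSS/MigrationTools.html]", and leaves a stray space before the following comma (" , or simply"); tighten it to "[Migration Tools|http://www.padl.com/OSS/MigrationTools.html], or simply apt-get install migrationtools". The unchanged context below still documents the $uid/$gid comparison bug on lines 55 and 56 of migrate_group.pl and migrate_passwd.pl and the empty groups it produces; since this hunk is where readers are first pointed at the tools, a one-line pointer to that fix next to the install instruction would help readers who only skim.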
@@ -146,13 +147,9 @@
 Configuring clients to authentication off your [LDAP] server is pretty easy. Just run authconfig and select LDAP where nessessary and enter in your server settings. It is advisable to enable TLS as without it passwords are sent over your network in clear text. 
  
 The only "tweak" I made was to edit /etc/pam_ldap.conf to have the "pam_password" attribute set to "exop". In my experiementation I could only get the "clear", "crypt", and "exop" pam_password methods working. MD5 always failed. I think it might have had something to do with the way OpenLDAP & GQ were interacting when setting passwords encoded with MD5 tho. You might have better luck. Anyway when you use "pam_password exop" and then use passwd(1) to set your passwords in the LDAP directory they are stored encrypted using the very secure SSHA algorythm. 
  
-__Note:__ I think I discovered a bug in authconfig. If you run it multiple times it can bugger up you /etc/pam.d/system-auth file. It appears to append lines to the end of existing configurations. So you end up with lines like this:  
-  
- password sufficient /lib/security/pam_ldap.so use_authtokpassword sufficient /lib/security/pam_ldap.so  
-  
- This is bad. You need to make sure your system-auth file is properly setup. It should look like this: 
+__Note:__ I think I discovered a bug in authconfig. If you run it multiple times it can bugger up you /etc/pam.d/system-auth file. It appears to append lines to the end of existing configurations. This is bad. You need to make sure your system-auth file is properly setup. It should look like this: 
  
  auth required /lib/security/pam_env.so 
  auth sufficient /lib/security/pam_unix.so likeauth nullok 
  auth sufficient /lib/security/pam_ldap.so use_first_pass
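Review bot: dropping the sample line "password sufficient /lib/security/pam_ldap.so use_authtokpassword sufficient /lib/security/pam_ldap.so" removes the one concrete symptom that lets a reader recognise the authconfig corruption (two entries run together on a single line); keep that sample, or a short description of it, next to the corrected block. Separately, the retained example still carries "auth sufficient /lib/security/pam_unix.so likeauth nullok"; nullok lets accounts with an empty password field authenticate, so the note on setting up system-auth properly should say whether that option is intended rather than leaving it in the reference configuration without comment.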