Difference between revisions of "LDAP Ramblings"
Jump to navigation
Jump to search
m (Protected "LDAP Ramblings" ([edit=comp] (indefinite) [move=comp] (indefinite) [read=comp] (indefinite))) |
|||
| (37 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Intro== | ==Intro== | ||
| − | On the IAC's user accessable Linux servers (Brems, web, Inca) there is a need for centralized user authentication. With the addition of email | + | On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy. |
| + | |||
| + | ==Adding users manually== | ||
| + | # Create ldap entry, either by web form or manually | ||
| + | # Create home directory: '''mkdir /home/user''' | ||
| + | # Copy skel files: '''cp /etc/skel/.* /home/user/''' | ||
| + | # Change permissions: '''chown -R user:email /home/user/''' | ||
| + | |||
| + | ==Converting mail from Athena== | ||
| + | On athena, create .forward with the following contents: | ||
| + | user@iac.isu.edu, \user | ||
| + | And make sure the permissions are fine: | ||
| + | chmod a+x . | ||
| + | chown user:group .forward | ||
| + | chmod a+r .forward | ||
| + | |||
| + | Then on IAC mail: | ||
| + | mkdir oldmail | ||
| + | chmod go-rwx ./oldmail | ||
| + | cd oldmail | ||
| + | rsync -rzP root@athena.physics.isu.edu:/var/spool/mail/user ./mbox | ||
| + | rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/mail ./ | ||
| + | rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/Sent ./ | ||
| + | ---and so on for all mail folders<br/> | ||
| + | Translate the old mbox files to Maildir | ||
| + | mb2md -s oldmail/ | ||
| + | mv Maildir/.mbox/cur/* Maildir/cur ##this glob man fail for huge numbers of messages | ||
| + | ''Maildir/.mbox/new/, Maildir/.mbox/tmp/ should be empty''<br/> | ||
| + | This should be it, but maybe Sent needs to be copied somewhere else? | ||
==Clients== | ==Clients== | ||
| Line 13: | Line 41: | ||
Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data aquisition etc.) would retain generic iacuser access. | Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data aquisition etc.) would retain generic iacuser access. | ||
| − | ==LDAP | + | ==Datatypes== |
| + | ====Users==== | ||
| + | The standard LDIF: | ||
| + | version: 1 | ||
| + | |||
| + | dn: uid=oborn,ou=People,dc=iac,dc=isu,dc=edu | ||
| + | cn: Brian Oborn | ||
| + | sn: Brian Oborn | ||
| + | uid: oborn | ||
| + | loginShell: /bin/bash | ||
| + | mail: oborn@iac.isu.edu | ||
| + | gidNumber: 5001 | ||
| + | homeDirectory: /home/oborn | ||
| + | uidNumber: 20XX | ||
| + | objectClass: person | ||
| + | objectClass: organizationalPerson | ||
| + | objectClass: IACperson | ||
| + | objectClass: posixAccount | ||
| + | objectClass: CourierMailAccount | ||
| + | objectClass: shadowAccount | ||
| + | userPassword:: e0N... | ||
| + | IACpermission: iacmail | ||
| + | |||
| + | '''Note that sn breaks the standard (should be last name), but it's easier to create as-is''' | ||
| + | |||
| + | For samba authentication add the following classes: | ||
| + | *sambaSamAccount | ||
| + | *sambaGroupMapping | ||
| + | *These are in samba.schema, but require nis.schema, inetorgperson.schema, and cosine.schema first | ||
| + | *Check ACL's as explained on page 126 of "Using Samba" | ||
| + | |||
| + | ====Mail Aliases==== | ||
| + | Mail Aliases are routed by Postfix, and follow the RFC822 standard. | ||
| + | The CourierMailAlias class is used for the ''maildrop'' attribute. | ||
| + | |||
| + | # testdrop, MailAlias, iac.isu.edu | ||
| + | dn: mailAcceptingGeneralID=testdrop,ou=MailAlias,dc=iac,dc=isu,dc=edu | ||
| + | mailAcceptingGeneralID: testdrop | ||
| + | rfc822ForwardingMailbox: oborn@iac.isu.edu | ||
| + | rfc822ForwardingMailbox: oborn | ||
| + | objectClass: rfc822Delivery | ||
| + | objectClass: CourierMailAlias | ||
| + | mail: testdrop@iac.isu.edu | ||
| + | maildrop: oborn | ||
| + | maildrop: ashleykswingle | ||
| + | |||
| + | ==Example LDAP Commands== | ||
| + | Create a ssh tunnel from local port 3890 to darwin.iac.isu.edu port 389 | ||
| + | *ssh -L 3890:localhost:389 darwin.iac.isu.edu | ||
| + | |||
| + | Search directory, simple password bind: | ||
| + | *ldapsearch -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W -b dc=iac,dc=isu,dc=edu '*' | ||
| + | |||
| + | Search directory, anonymous bind: | ||
| + | *ldapsearch -h localhost -x -b dc=iac,dc=isu,dc=edu '*' | ||
| − | + | Add an LDIF file: | |
| + | *ldapadd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W < ~brian/oborn.ldif | ||
| − | ==Replication== | + | Delete an LDAP entry: |
| + | *ldapdelete -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W 'uid=oborn,dc=iac,dc=isu,dc=edu' | ||
| + | |||
| + | Change an LDAP password: | ||
| + | *ldappasswd -h localhost -x -D uid=oborn,ou=People,dc=iac,dc=isu,dc=edu -A -W -S | ||
| + | |||
| + | As admin, change someone else's password: | ||
| + | *ldappasswd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -A -W -S uid=oborn,ou=People,dc=iac,dc=isu,dc=edu | ||
| + | |||
| + | ==LDAP Settings== | ||
| + | |||
| + | ==Multimaster Replication== | ||
*Requires ntp time syncronization between replication servers. | *Requires ntp time syncronization between replication servers. | ||
| − | + | *Only works with OpenLDAP 2.4 (not available in current Debian/Ubuntu/SUSE repositories) | |
| + | *Probably not needed with our very infrequent writes | ||
==Resources== | ==Resources== | ||
====Books==== | ====Books==== | ||
| + | *There is a good section on [http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html#id2573279 debugging] LDAP with extra syslogging in '''Samba 3 by Example'''. | ||
*[http://www.amazon.com/Deploying-OpenLDAP-Tom-Jackiewicz/dp/1590594134/ref=sr_11_1?ie=UTF8&qid=1199748798&sr=11-1 Deploying OpenLDAP] | *[http://www.amazon.com/Deploying-OpenLDAP-Tom-Jackiewicz/dp/1590594134/ref=sr_11_1?ie=UTF8&qid=1199748798&sr=11-1 Deploying OpenLDAP] | ||
*[http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=sr_11_1?ie=UTF8&qid=1199748823&sr=11-1 LDAP Directories Explained] | *[http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=sr_11_1?ie=UTF8&qid=1199748823&sr=11-1 LDAP Directories Explained] | ||
====Websites==== | ====Websites==== | ||
| + | *[http://wiki.debian.org/LDAP Debian LDAP Wiki] Maybe be one release behind | ||
| + | *[http://www.openldap.org/doc/admin24/ OpenLDAP Admin Guide] | ||
*[http://www.openldap.org/ OpenLDAP] | *[http://www.openldap.org/ OpenLDAP] | ||
| − | *[http://www.linuxjournal.com/article/5505 LinuxJournal | + | *[http://www.faqs.org/docs/Linux-HOWTO/LDAP-HOWTO.html Linux LDAP Howto] |
| + | *[http://www.linuxjournal.com/article/5505 LinuxJournal] Highly Available LDAP | ||
| + | *[http://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.3/suselinux-adminguide_en/cha.ldap.html SUSE LDAP docs] | ||
Latest revision as of 02:07, 31 December 2010
Intro
On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.
Adding users manually
- Create ldap entry, either by web form or manually
- Create home directory: mkdir /home/user
- Copy skel files: cp /etc/skel/.* /home/user/
- Change permissions: chown -R user:email /home/user/
Converting mail from Athena
On athena, create .forward with the following contents:
user@iac.isu.edu, \user
And make sure the permissions are fine:
chmod a+x . chown user:group .forward chmod a+r .forward
Then on IAC mail:
mkdir oldmail chmod go-rwx ./oldmail cd oldmail rsync -rzP root@athena.physics.isu.edu:/var/spool/mail/user ./mbox rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/mail ./ rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/Sent ./
---and so on for all mail folders
Translate the old mbox files to Maildir
mb2md -s oldmail/ mv Maildir/.mbox/cur/* Maildir/cur ##this glob man fail for huge numbers of messages
Maildir/.mbox/new/, Maildir/.mbox/tmp/ should be empty
This should be it, but maybe Sent needs to be copied somewhere else?
Clients
Linux Clients
Administrative users will retain entries in the local /etc/passwd and /etc/shadow files for troubleshooting access. All other users will exist in LDAP and will have individual server permissions.
Email Clients
Ideally email users can be accommodated without having local accounts. If this is not possible, the local shell can be set to disallow logins for security purposes.
Windows Clients
Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data aquisition etc.) would retain generic iacuser access.
Datatypes
Users
The standard LDIF:
version: 1 dn: uid=oborn,ou=People,dc=iac,dc=isu,dc=edu cn: Brian Oborn sn: Brian Oborn uid: oborn loginShell: /bin/bash mail: oborn@iac.isu.edu gidNumber: 5001 homeDirectory: /home/oborn uidNumber: 20XX objectClass: person objectClass: organizationalPerson objectClass: IACperson objectClass: posixAccount objectClass: CourierMailAccount objectClass: shadowAccount userPassword:: e0N... IACpermission: iacmail
Note that sn breaks the standard (should be last name), but it's easier to create as-is
For samba authentication add the following classes:
- sambaSamAccount
- sambaGroupMapping
- These are in samba.schema, but require nis.schema, inetorgperson.schema, and cosine.schema first
- Check ACL's as explained on page 126 of "Using Samba"
Mail Aliases
Mail Aliases are routed by Postfix, and follow the RFC822 standard. The CourierMailAlias class is used for the maildrop attribute.
# testdrop, MailAlias, iac.isu.edu dn: mailAcceptingGeneralID=testdrop,ou=MailAlias,dc=iac,dc=isu,dc=edu mailAcceptingGeneralID: testdrop rfc822ForwardingMailbox: oborn@iac.isu.edu rfc822ForwardingMailbox: oborn objectClass: rfc822Delivery objectClass: CourierMailAlias mail: testdrop@iac.isu.edu maildrop: oborn maildrop: ashleykswingle
Example LDAP Commands
Create a ssh tunnel from local port 3890 to darwin.iac.isu.edu port 389
- ssh -L 3890:localhost:389 darwin.iac.isu.edu
Search directory, simple password bind:
- ldapsearch -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W -b dc=iac,dc=isu,dc=edu '*'
Search directory, anonymous bind:
- ldapsearch -h localhost -x -b dc=iac,dc=isu,dc=edu '*'
Add an LDIF file:
- ldapadd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W < ~brian/oborn.ldif
Delete an LDAP entry:
- ldapdelete -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W 'uid=oborn,dc=iac,dc=isu,dc=edu'
Change an LDAP password:
- ldappasswd -h localhost -x -D uid=oborn,ou=People,dc=iac,dc=isu,dc=edu -A -W -S
As admin, change someone else's password:
- ldappasswd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -A -W -S uid=oborn,ou=People,dc=iac,dc=isu,dc=edu
LDAP Settings
Multimaster Replication
- Requires ntp time syncronization between replication servers.
- Only works with OpenLDAP 2.4 (not available in current Debian/Ubuntu/SUSE repositories)
- Probably not needed with our very infrequent writes
Resources
Books
- There is a good section on debugging LDAP with extra syslogging in Samba 3 by Example.
- Deploying OpenLDAP
- LDAP Directories Explained
Websites
- Debian LDAP Wiki Maybe be one release behind
- OpenLDAP Admin Guide
- OpenLDAP
- Linux LDAP Howto
- LinuxJournal Highly Available LDAP
- SUSE LDAP docs