# Install/upgrade the OpenLDAP 2.0 server side in one transaction, so rpm can
# resolve the inter-package dependencies itself. openldap12 is presumably the
# compatibility library for binaries still linked against OpenLDAP 1.2.
pkgs=(
  openldap12-1.2.13-2h2.0.i386.rpm
  openldap-2.0.21-0h2.0.i386.rpm
  openldap-clients-2.0.21-0h2.0.i386.rpm
  openldap-servers-2.0.21-0h2.0.i386.rpm
)
rpm -Uvh "${pkgs[@]}"
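#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=mydomain,dc=co,dc=jp"
#suffix "o=MyCompany,c=JP"
rootdn "cn=Manager,dc=mydomain,dc=co,dc=jp"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The rootdn is not subject to any access rule, so its secret is the one
# value in this file that must not sit here in the clear. Generate the hash
# with `slappasswd -h '{SSHA}' -s <password>` and paste the output below;
# hashing the same password keeps the later `-w`/`-W` bind steps working.
# (The original line was `rootpw secret`.)
rootpw {SSHA}<PASTE-SLAPPASSWD-OUTPUT-HERE>
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.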
# Start slapd through the SysV init script so it picks up the slapd.conf
# database definition above (the ldbm directory must already exist).
/etc/rc.d/init.d/ldap start
# Client-side install: the OpenLDAP libraries and tools plus nss_ldap, which
# lets the NSS databases in nsswitch.conf be served from the directory.
pkgs=(
  openldap12-1.2.13-2h2.0.i386.rpm
  openldap-2.0.21-0h2.0.i386.rpm
  openldap-clients-2.0.21-0h2.0.i386.rpm
  nss_ldap-189-4.i386.rpm
)
rpm -Uvh "${pkgs[@]}"
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# Site defaults for the OpenLDAP command-line tools and libraries: which
# server to talk to and the default search base. No credentials belong in
# this file, which is exactly why it may stay world readable.
HOST ldap.mydomain.co.jp
BASE dc=mydomain,dc=co,dc=jp
# Your LDAP server. Must be resolvable without using LDAP.
host ldap.mydomain.co.jp
# The distinguished name of the search base.
base dc=mydomain,dc=co,dc=jp
# The LDAP version to use (defaults to 2)
#ldap_version 2
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# NOTE(review): this is the directory rootdn (slapd.conf rootdn
# "cn=Manager,dc=mydomain,dc=co,dc=jp"). /etc/ldap.conf is read by every
# nss_ldap-using process, so it has to be world readable, which makes the
# rootdn password below readable by every local account. The reason a bind
# is needed at all is the userPassword ACL (only Manager/self may read it,
# which "shadow: ... ldap" lookups require). A dedicated, least-privilege
# bind DN granted read on userPassword is the narrower fix; alternatively
# keep the credentials out of this file via nss_ldap's rootbinddn /
# /etc/ldap.secret (root-only, mode 0600) if this nss_ldap build supports it.
binddn cn=manager,dc=mydomain,dc=co,dc=jp
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
# The PADL migration scripts are invoked relative to this directory below
# (./migrate_passwd.pl, ./migrate_group.pl, ./migrate_all_nis_online.sh).
cd /usr/share/openldap/migration
# Site settings for the PADL migration tools (migrate_common.ph).
# $DEFAULT_BASE has to match the slapd.conf suffix or the generated LDIF
# will not fit under the directory's naming context.

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "mydomain.co.jp";

# Default base
$DEFAULT_BASE = "dc=mydomain,dc=co,dc=jp";

# Turn this on for inetLocalMailReceipient
# sendmail support; add the following to
# sendmail.mc (thanks to Petr@Kristof.CZ):
##### CUT HERE #####
#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.mydomain.co.jp"')dnl
#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
#FEATURE(ldap_routing)dnl
##### CUT HERE #####
# where /etc/mail/ldapdomains contains names of ldap_routed
# domains (similar to MASQUERADE_DOMAIN_FILE).
$DEFAULT_MAIL_HOST = "mail.mydomain.co.jp";
# Naming contexts. Key is $PROGRAM with migrate_ and .pl
# stripped off. RFC2307BIS denotes support for rfc2307bis/
# Solaris 8 hierarchy.
# 0 keeps the flat layout (one ou per map under $DEFAULT_BASE). The
# %NAMINGCONTEXT table this comment introduces lies outside this excerpt;
# its ou names must agree with the containers created by base.ldif.
$RFC2307BIS = 0;
# base.ldif: the naming context and the two containers the migrated
# accounts and groups are placed in. LDIF entries are separated by a blank line.
# NOTE(review): dcObject is an AUXILIARY class. slapd 2.1 and later reject an
# entry that has no STRUCTURAL class (e.g. "objectClass: organization" with an
# "o:" attribute); 2.0.21 accepts this as written, so confirm before upgrading.
dn: dc=mydomain,dc=co,dc=jp
objectClass: dcObject
dc: mydomain

dn: ou=People,dc=mydomain,dc=co,dc=jp
objectClass: organizationalUnit
ou: People

# NOTE(review): the migration scripts take the group container name from
# %NAMINGCONTEXT in migrate_common.ph; make sure it is "ou=Groups" as here,
# otherwise group.ldif will point at a parent entry that does not exist.
dn: ou=Groups,dc=mydomain,dc=co,dc=jp
objectClass: organizationalUnit
ou: Groups
# Load the base entries as the Manager DN. -x selects a simple bind (given
# once; the original repeated it), -W prompts for the password so it never
# appears on the command line, -v reports each entry as it is added.
ldapadd -x -W -v \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -f base.ldif
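# Convert the local accounts to LDIF for ldapadd.
# Run as root, migrate_passwd.pl presumably also pulls the password hashes
# from /etc/shadow into the userPassword attributes (confirm in the script),
# so the output file must not be readable by other users. The umask is set
# in a subshell so it only applies to this one file; remove passwd.ldif
# once the import has succeeded.
( umask 077 && ./migrate_passwd.pl /etc/passwd > passwd.ldif )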
# Import the migrated accounts under ou=People as the Manager DN; -W prompts
# for the password, -v echoes progress. (-x appeared twice in the original.)
ldapadd -x -W -v \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -f passwd.ldif
# Export the local groups to LDIF, then load them under ou=Groups as the
# Manager DN (-W prompts for the password; -x is given once).
./migrate_group.pl /etc/group > group.ldif
ldapadd -x -W -v \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -f group.ldif
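# Dump each NIS map into the flat file the migrate_* scripts read next.
# $DOMFLAG and the $ETC_* paths are set earlier in the migration script.
#
# Arguments: $1 - NIS map name, $2 - destination file
# Outputs:   writes the sorted, de-duplicated map to $2
# $DOMFLAG is deliberately unquoted: it is either empty or carries
# "-d <domain>" as two words, so word splitting is wanted there.
# shellcheck disable=SC2086
nis_dump() {
  local map=$1
  local dest=$2
  ypcat $DOMFLAG "$map" | sort | uniq > "$dest"
}

nis_dump passwd     "$ETC_PASSWD"
nis_dump group      "$ETC_GROUP"
nis_dump services   "$ETC_SERVICES"
nis_dump protocols  "$ETC_PROTOCOLS"
# No NIS source for fstab: an empty file keeps the later scripts happy.
touch "$ETC_FSTAB"
nis_dump rpc.byname "$ETC_RPC"
nis_dump hosts      "$ETC_HOSTS"
nis_dump networks   "$ETC_NETWORKS"
# Aliases are keyed (-k); left disabled as in the original.
#ypcat $DOMFLAG -k aliases | sort | uniq > "$ETC_ALIASES"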
./migrate_all_nis_online.sh [root@server migration]# ./migrate_all_nis_online.sh Enter the NIS domain to import from (optional): nis-domain Enter the X.500 naming context you wish to import into: [dc=mydomain,dc=co,dc=jp] Enter the name of your LDAP server [ldap]:ldap.mydomain.co.jp (※ldapサーバーのホスト名) Enter the manager DN: [cn=manager,dc=mydomain,dc=co,dc=jp]: Enter the credentials to bind with: <slapd.confのrootpwで設定した値を入力> Do you wish to generate a DUAConfigProfile [yes|no]? ....... /usr/bin/ldapadd: succeeded |
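# Verify that the migrated account is visible as a posixAccount.
# -C chases referrals, -x is a simple bind as the Manager DN.
# -W prompts for the bind password; the original `-w secret` put it on the
# command line, where it is visible to every local user through ps(1) and
# is kept in the shell history.
ldapsearch -C -x -W \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -b "dc=mydomain,dc=co,dc=jp" \
  "(&(uid=hoge)(objectclass=posixAccount))"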
# /etc/nsswitch.conf: consult local files first, then NIS+, then LDAP.
# "shadow ... ldap" means nss_ldap must read userPassword from the
# directory, which the slapd ACL grants only to the entry itself and the
# Manager DN — that is what forces a bind DN into /etc/ldap.conf.
passwd: files nisplus ldap
shadow: files nisplus ldap
group:  files nisplus ldap
# slapd.conf access control for the ldbm database.
# userPassword: the entry itself and the Manager may read/change it, anyone
# else may only present it for authentication (needed for simple binds).
access to attribute=userPassword
  by dn="cn=Manager,dc=mydomain,dc=co,dc=jp" write
  by self write
  by anonymous auth
  by * none
# NOTE(review): "by self write" on "*" lets any authenticated user change
# every attribute of their own entry, including uidNumber, gidNumber,
# homeDirectory and loginShell, which the nss_ldap clients trust. That is
# more than password self-service; consider limiting self write to the
# attributes users should manage. The explicit Manager clause is redundant:
# the rootdn is never subject to access rules.
access to *
  by dn="cn=Manager,dc=mydomain,dc=co,dc=jp" write
  by self write
  by users read
  by anonymous auth
# Copy the Samba schema shipped with the samba-ldap examples next to the
# other schemas so slapd.conf can include it (preserving mode/ownership).
cp -a /usr/share/doc/samba-ldap-2.2.5/examples/LDAP/samba.schema \
  /etc/openldap/schema/
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# samba.schema (copied from the samba-ldap examples) supplies the
# sambaAccount class that import_smbpasswd.pl and the smbldap tools
# populate; slapd has to be restarted after adding an include.
include /etc/openldap/schema/samba.schema
# Restart slapd so the newly included samba.schema is loaded.
/etc/rc.d/init.d/ldap restart
# LDAP
# NOTE(review): every other step of this setup uses ldap.mydomain.co.jp;
# the ".com" host below looks like a typo — confirm, or Samba binds elsewhere.
ldap server = ldap.mydomain.com
ldap port = 389
ldap suffix = "dc=mydomain,dc=co,dc=jp"
ldap admin dn = "cn=manager,dc=mydomain,dc=co,dc=jp"
# "no" sends the admin dn's password (stored with smbpasswd -w) in the clear
# on every bind; unless slapd runs on this same host, enable TLS here (see
# the "ldap ssl" values in smb.conf(5) for this release) once the server
# has a certificate.
ldap ssl = no
# Store the "ldap admin dn" password in secrets.tdb (root-only) so smbd can
# bind to the directory.
# NOTE(review): the password is given as an argument, so it is visible in
# ps(1) while the command runs and stays in the shell history afterwards;
# remove the history entry or run it from a root-only script.
smbpasswd -w secret
# output: Setting stored password for "cn=Manager,dc=mydomain,dc=co,dc=jp" in secrets.tdb
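# Install the IDEALX smbldap tools: the scripts and the .pm modules they load
# go to /usr/local/sbin. The steps are chained with && so a failed cd can no
# longer make the copies run from whatever the current directory happens to be.
# NOTE(review): smbldap_conf.pm carries the LDAP bind password in cleartext;
# since only root runs these tools, keep the copied files unreadable by other
# users (e.g. chmod 0640 after the copy).
cd /usr/doc/samba-ldap-2.2.5/examples/LDAP/smbldap-tools \
  && mkdir -p /usr/local/sbin \
  && cp -a smbldap-*.pl smbldap_*.pm /usr/local/sbin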
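# Build and install mkntpwd (computes the LM/NT password hashes the smbldap
# scripts store). cd and make are checked: in the original a failed build
# would still try to install a stale or missing binary. Mode 555 keeps the
# installed helper non-writable.
cd /usr/doc/samba-ldap-2.2.5/examples/LDAP/smbldap-tools/mkntpwd \
  && make \
  && install -m 555 mkntpwd /usr/local/sbin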
# Put the copied smbldap_*.pm modules on Perl's default @INC so the scripts in
# /usr/local/sbin find them. The glob is intentionally unquoted.
# Symlinks do not change who may read the target: the mode of the .pm file
# (which holds the bind password) still decides its exposure.
ln -s /usr/local/sbin/smbldap_*.pm /usr/lib/perl5/site_perl/
# smbldap_conf.pm: site settings for the IDEALX smbldap tools.
# Notes: to use two LDAP servers as the backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
#
# Slave LDAP : needed for read operations
#
# Ex: $slaveLDAP = "127.0.0.1";
$slaveLDAP = "ldap.mydomain.co.jp";

#
# Master LDAP : needed for write operations
#
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "ldap.mydomain.co.jp";

#
# LDAP Suffix
#
# Ex: $suffix = "dc=IDEALX,dc=ORG";
$suffix = "dc=mydomain,dc=co,dc=jp";

#
# Where Users are stored (must match the ou=People container from base.ldif)
#
# Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG
$usersou = q(People);
$usersdn = "ou=$usersou,$suffix";

#
# Where Computers are stored
#
# NOTE(review): no ou=Computers entry is created by the base.ldif in this
# guide; add that container before creating machine accounts.
# Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG
$computersou = q(Computers);
$computersdn = "ou=$computersou,$suffix";

#
# Where Groups are stored (must match the ou=Groups container from base.ldif)
#
# Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG
$groupsou = q(Groups);
$groupsdn = "ou=$groupsou,$suffix";

#
# Default scope used
#
$scope = "sub";

#
# Credential Configuration
#
# Bind DN used
# Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org
$binddn = "cn=Manager,$suffix";

#
# Bind DN passwd used
# NOTE(review): this is the directory rootdn password in cleartext. The
# module is copied to /usr/local/sbin and symlinked into site_perl, so its
# file mode alone decides who can read it; keep it root-owned and 0600/0640.
# Ex: $bindpasswd = 'secret'; for 'secret'
$bindpasswd = "secret";
_LOGINSHELL_ | /bin/bash |
_USERHOMEPREFIX_ | /home/ |
_PDCNAME_ | PDC-SRV |
_HOMEDRIVE_ | D: |
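# Import the existing smbpasswd entries into the directory (sambaAccount
# objects). The file is redirected in directly instead of through cat, and
# the cd is checked so the script is never searched for in the wrong place.
# /etc/samba/smbpasswd holds the LM/NT hashes, which presumably end up in the
# directory entries — run as root only, and on a host where the ACL already
# protects them.
cd /usr/share/doc/samba-2.2.5/examples/LDAP \
  && ./import_smbpasswd.pl < /etc/samba/smbpasswd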
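# Verify that the imported entry now also carries the sambaAccount class.
# -W prompts for the Manager password instead of the original `-w secret`,
# which exposed it to ps(1) and the shell history.
ldapsearch -C -x -W \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -b "dc=mydomain,dc=co,dc=jp" \
  "(&(uid=hoge)(objectclass=sambaAccount))"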
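#######################################################################
# ldbm database definitions (subdomain server)
#######################################################################
database ldbm
# The suffix must be a valid DN: the original had a "." instead of "," between
# dc=subdomain and dc=mydomain, which does not match the rootdn below or the
# referral entry in the parent directory.
suffix "dc=subdomain,dc=mydomain,dc=co,dc=jp"
#suffix "o=MyCompany,c=JP"
rootdn "cn=Manager,dc=subdomain,dc=mydomain,dc=co,dc=jp"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Generate the hash with `slappasswd -h '{SSHA}' -s <password>` and paste it
# below; hashing the same password keeps the later bind steps unchanged.
# (The original line was `rootpw secret`.)
rootpw {SSHA}<PASTE-SLAPPASSWD-OUTPUT-HERE>
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.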
# Glue entry added to the parent directory: clients asking for anything under
# dc=subdomain are referred to the subdomain's own slapd. The ref uses plain
# ldap://, so chased referrals travel unencrypted unless TLS is added later.
dn: dc=subdomain,dc=mydomain,dc=co,dc=jp
objectClass: referral
objectClass: extensibleObject
dc: subdomain
ref: ldap://ldap.subdomain.mydomain.co.jp/dc=subdomain,dc=mydomain,dc=co,dc=jp
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# Superior referral for the subdomain slapd: requests for DNs outside its
# own suffix are answered with a referral to the parent server.
referral ldap://ldap.mydomain.co.jp/
# Restart the subdomain slapd so the referral directive takes effect.
/etc/rc.d/init.d/ldap restart
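# From the parent server: look up an account that lives in the parent tree.
# -W replaces the original `-w secret`, which exposed the Manager password
# in ps(1) and the shell history.
ldapsearch -x -C -W \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -b "dc=mydomain,dc=co,dc=jp" \
  -h ldap.mydomain.co.jp -p 389 \
  "(uid=tophoge)"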
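# From the parent server: look up an account that lives in the subdomain;
# -C makes the client follow the referral entry to the subdomain slapd.
# -W replaces the original `-w secret` (password otherwise visible in ps(1)
# and the shell history).
ldapsearch -x -C -W \
  -D "cn=manager,dc=mydomain,dc=co,dc=jp" \
  -b "dc=mydomain,dc=co,dc=jp" \
  -h ldap.mydomain.co.jp -p 389 \
  "(uid=subhoge)"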
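# Against the subdomain server, searching from the parent base: the superior
# referral sends the client up to the parent, -C follows it.
# -W replaces the original `-w secret` (password otherwise visible in ps(1)
# and the shell history).
ldapsearch -x -C -W \
  -D "cn=manager,dc=subdomain,dc=mydomain,dc=co,dc=jp" \
  -b "dc=mydomain,dc=co,dc=jp" \
  -h ldap.subdomain.mydomain.co.jp -p 389 \
  "(uid=subhoge)"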
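# Against the subdomain server: look up an account that only exists in the
# parent tree, proving the superior referral is chased (-C).
# -W replaces the original `-w secret` (password otherwise visible in ps(1)
# and the shell history).
ldapsearch -x -C -W \
  -D "cn=manager,dc=subdomain,dc=mydomain,dc=co,dc=jp" \
  -b "dc=mydomain,dc=co,dc=jp" \
  -h ldap.subdomain.mydomain.co.jp -p 389 \
  "(uid=tophoge)"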
# Your LDAP server. Must be resolvable without using LDAP.
host ldap.subdomain.mydomain.co.jp
# The distinguished name of the search base.
# The parent's base is kept so lookups that miss locally are referred upward.
base dc=mydomain,dc=co,dc=jp
# The LDAP version to use (defaults to 2)
#ldap_version 2
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# NOTE(review): this is the subdomain slapd's rootdn, placed in a file that
# must be world readable for nss_ldap to work, so every local account can read
# the credentials below. Prefer a dedicated bind DN with read access only, or
# nss_ldap's rootbinddn / /etc/ldap.secret (root-only, 0600) if supported by
# this build, and leave binddn/bindpw unset.
binddn cn=manager,dc=subdomain,dc=mydomain,dc=co,dc=jp
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
# LDAP
ldap server = ldap.subdomain.mydomain.co.jp
ldap port = 389
# The parent's suffix is used, presumably so the subdomain server refers
# searches upward via its superior referral — confirm against smbd's logs.
ldap suffix = "dc=mydomain,dc=co,dc=jp"
ldap admin dn = "cn=manager,dc=subdomain,dc=mydomain,dc=co,dc=jp"
# Cleartext bind of the admin dn; enable TLS via "ldap ssl" (see smb.conf(5)
# for this release) unless slapd runs on this same host.
ldap ssl = no
# Follow referral entries into the parent directory; verify with testparm that
# this samba-ldap build accepts the option.
ldap referrals = yes
# Restart smbd/nmbd so the new LDAP settings in smb.conf are read.
/etc/rc.d/init.d/smb restart
# slapd.conf access control with an extra rule for the naming context itself.
# NOTE(review): "dc=holonsoft,dc=co,dc=jp" does not match the
# dc=mydomain,dc=co,dc=jp suffix used everywhere else in this setup; if it is
# a leftover from another site the rule matches nothing useful. Its purpose
# appears to be letting anyone read the base entry (needed when clients
# chase referrals) — confirm the intended DN.
access to dn="dc=holonsoft,dc=co,dc=jp"
  by * read
# userPassword: readable/changeable by the entry itself and the Manager,
# usable only for authentication by everyone else.
access to attribute=userPassword
  by dn="cn=Manager,dc=mydomain,dc=co,dc=jp" write
  by self write
  by anonymous auth
  by * none
# NOTE(review): "by self write" on "*" lets authenticated users change their
# own uidNumber/gidNumber/homeDirectory/loginShell, which nss_ldap clients
# trust; consider restricting self write to the attributes users should
# manage. The explicit Manager clause is redundant (the rootdn bypasses ACLs).
access to *
  by dn="cn=Manager,dc=mydomain,dc=co,dc=jp" write
  by self write
  by users read
  by anonymous auth