The latest version of this document can be found at
http://pobox.com/~bcwhite/ldap-upgrade.txt

Last Updated: 2006-05-23

I just upgraded our company's network from a system created 6 years ago (NIS
and SMBPASSWD) to an up-to-date one (for 2006, at least) including a central
LDAP server.  It was a far from painless experience, so I thought I'd write up
the experience in the hope that it may help others.  If I've left anything
out, please let me know.  mailto:bcwhite@precidia.com (or if I've left there,
mailto:bcwhite@pobox.com).

I used my own "cfile" utility (http://sf.net/projects/cfile) to manage all the
configuration files across multiple machines.  I hope to package it up for
Debian soon.

Here's what I did...  Note that I'm using Debian 3.1 as my installed system.


Create an LDAP Server (apt-get install slapd)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ref:  http://www.metaconsultancy.com/whitepapers/ldap.htm
      http://www.tldp.org/HOWTO/LDAP-HOWTO/
      http://www.grennan.com/ldap-HOWTO.html

SLAPD has to be one of the most difficult things to wrap your head around
I've ever come across.  Perhaps if you spoke LDAP in your sleep, it would all
be obvious, but I've smoothed out the brick wall next to me banging my head
against it these past few days.

Getting SLAPD (v2.2.23) started wasn't much trouble.  I set my suffix (aka
"base") to "dc=precidia".  This would typically be "dc=precidia,dc=com", but
I'm lazy.  I also set my default password style to SSHA (salted-SHA) and set
an administrator access point.  Since I planned on disabling this access
point later, I just used a basic "crypt" to store the password.
    # "secret" is password, "XX" is salt (use any two letters or numbers)
    perl -e 'print crypt("secret","XX"),"\n"'
    XXIABNgk3eFuw

    password-hash   SSHA
    rootdn          cn=root,dc=precidia
    rootpw          {crypt}XXIABNgk3eFuw

Also, create all the appropriate indices for speed:

    index   objectClass             eq
    index   cn                      pres,sub,eq
    index   sn                      pres,sub,eq
    index   uid                     pres,sub,eq
    index   displayName             pres,sub,eq
    index   uidNumber               eq
    index   gidNumber               eq
    index   memberUid               eq
    index   sambaSID                eq
    #index  sambaPrimaryGroups      eq
    index   sambaDomainName         eq
    index   default                 sub

Push these changes with:

    /etc/init.d/slapd force-reload

In brief, LDAP is an object storage system where objects are grouped
(typically) by an "organizationalUnit", or "ou" for short.  Of course, you
can't simply store an object specifying a new "ou=something"; you first have
to create an object that describes it.  Thus, before you can store objects in
"ou=Domains" you first have to store the object:

    dn: ou=Domains,dc=precidia
    ou: Domains
    objectClass: top
    objectClass: organizationalUnit

The first line is the "distinguished name" and is the unique identifier for
this object.  Every object has one and it details the hierarchy under which
the object is stored.  In this case, my "base" (the root of my tree) is
"dc=precidia" and the sub-tree is "Domains".  Despite the fact that I said you
cannot store an object in a "ou=Domains" without first creating it, it is
possible to create it and store it there at the same time.

Enabling secure LDAP ("ldaps") is left as an exercise to the reader!  (That
means I haven't yet done it at the time this was written.)

Luckily, the LDAP Account Manager will do much of that for you...


Migrate Existing UNIX Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ref:  http://www.linuxjournal.com/article/6266
      http://www.gurulabs.com/goodies/downloads.php
      http://www.gurulabs.com/downloads/ldapmigrate

For this, I used the "ldapmigrate" perl script described above.  For this to
run, you'll have to install "libnet-ldap-perl" and maybe a few others.
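A quick way to see what the "password-hash SSHA" setting above actually
produces: the Python below is an added example (mine, not part of this HOWTO
and not OpenLDAP code) that builds and verifies userPassword values in
slapd's {SSHA} format, i.e. base64( SHA1(password + salt) + salt ).  The
4-byte salt length is an assumption that matches slapd's default; the verify
side reads back whatever salt length is stored, so values written by
ldappasswd or the LDAP Account Manager check the same way.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style userPassword value:
    "{SSHA}" + base64( SHA1(password || salt) || salt ).

    When no salt is given, 4 random bytes are drawn (the size slapd uses by
    default; an assumption, not something stated in the HOWTO).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def _decode(stored: str) -> bytes:
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    return base64.b64decode(stored[len(SSHA_PREFIX):])


def ssha_salt(stored: str) -> bytes:
    """Return the salt embedded in a stored {SSHA} value."""
    return _decode(stored)[SHA1_LEN:]


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is recovered from the value itself, the candidate is hashed
    with it, and the two digests are compared in constant time.
    """
    raw = _decode(stored)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Two hashes of the same password differ because the salts differ; that
    # is the reason to prefer SSHA over an unsalted digest.
    first, second = ssha_hash("secret"), ssha_hash("secret")
    print(first)
    print(second)
    print("salts differ:", first != second)
    print("verify right:", ssha_verify(first, "secret"))
    print("verify wrong:", ssha_verify(first, "Secret"))
```

Running it prints two different values for the same password, which is what
separates SSHA from a single unsalted SHA or from the two-character (12-bit)
DES crypt salt used for the temporary rootpw above.  The same verify routine
is handy for auditing a directory dump: any userPassword that does not start
with {SSHA} is not what the server was told to produce.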
Then, on your ldap server, do:

    cd /var/data/ldap
    /etc/init.d/slapd stop
    rm -f *
    /etc/init.d/slapd start

This will give you a clean database to start from.  I restarted from this
point many, many times.

Create an "admin" account for LDAP administration.  It will need a valid
password but should have an invalid shell to prevent unix login (because it
will eventually have root access -- see Samba section).  A valid home
directory may be useful, though.

Before doing the migration, I edited the "ldapmigrate" script and changed all
occurrences of "Group" to "Groups" for naming consistency and to match the
defaults of the LDAP Account Manager.

Then do the migration...

    LDAPBIND="cn=root,dc=precidia"
    LDAPPASS="secret"
    LDAPBASE="dc=precidia"
    LDAPHOST="localhost"

    ldapmigrate -D $LDAPBIND -w $LDAPPASS -b $LDAPBASE -h $LDAPHOST \
        --extschema --extconts --prepdb
    ldapmigrate -D $LDAPBIND -w $LDAPPASS -b $LDAPBASE -h $LDAPHOST \
        --extschema --minuid=1001 --mingid=1000 -f /etc/passwd passwd
    ldapmigrate -D $LDAPBIND -w $LDAPPASS -b $LDAPBASE -h $LDAPHOST \
        --extschema --minuid=1001 --mingid=1000 -f /etc/group group

It's important to use the "--extschema" so that the objects will be ready to
accept Samba information.  Your minuid/maxuid and mingid/maxgid may be
different than mine.


Add Additional Information
~~~~~~~~~~~~~~~~~~~~~~~~~~

At this point, I wrote my own Perl script using Net::LDAP to add additional
information (phone number, fax number, email, etc.) from an internal database
of that information.  I also generated samba SID information from the
/etc/smbpasswd file.  I'll try to make it available for reference, but it's
not likely to be directly usable by anyone.  The LDAP Account Manager should
allow you to add the samba information by hand.


Install LDAP Account Manager (apt-get install ldap-account-manager)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ref:  http://lam.sourceforge.net/

Before you can use this for editing, you have to get it installed.
Version 0.4.9 goes into "apache" automatically (I think) but to use it with
"apache2" you need to do something like:

    cd /etc/apache2/sites-available
    ln -s /etc/ldap-account-manager/apache.conf ldap-account-manager
    cd ../sites-enabled
    ln -s ../sites-available/ldap-account-manager 010-lam
    /etc/init.d/apache2 restart

Then you should be able to log in with http://hostname/lam/ and get a login
page.  Additional Apache configuration is left as an exercise to the reader.

Once you do get a login page...

Select the "configuration login" from the upper right corner.  The default
password is "lam".  You'll need to change all the suffix parameters to match
the suffix you chose when you configured slapd.  I use:

    UserSuffix:     ou=people,dc=precidia
    GroupSuffix:    ou=groups,dc=precidia
    HostSuffix:     ou=hosts,dc=precidia
    DomainSuffix:   ou=domains,dc=precidia
    PasswordHash:   SSHA

Set the "ranges" fields to match what you want for your site.

Set the list of valid users to whatever is appropriate.  I set it to:

    uid=admin,ou=People,dc=precidia

Finally, create a new configuration password (it's grouped with the "list of
valid users" under "security settings" but it only applies to getting to this
configuration screen) and submit the changes.

Go back to the login screen and login as "admin" with the password for that
account (_not_ the configuration password you just changed).  It should tell
you that some LDAP parts are missing and offer to create them for you.  Let
it do so.

Create a new domain.  To get the SID for a domain you're migrating from a
legacy system, go to your legacy system and run:

    net getlocalsid precidia

Don't change the "algorithmic RID base" unless you've changed it previously.
I haven't yet discovered exactly what the "next ... rid" options do so I
haven't played with them, yet.  I believe they allow you to specify starting
RIDs that increment normally rather than being generated by some function of
your userid/groupid.
Note: There is also a "phpldapadmin" package that provides more detailed
control of the LDAP directory, but because it's a generic interface you have
to know much more to do account management.


Configure Linux Authentication (apt-get install libnss-ldap libpam-ldap libpam-passwdqc)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ref:  http://www.metaconsultancy.com/whitepapers/ldap-linux.htm
      http://www.openwall.com/passwdqc/README.shtml

In brief, this involved editing several configuration files...

/etc/nsswitch.conf:

    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap

/etc/pam_ldap.conf:

    host            admin1.ott.precidia.com
    base            dc=precidia
    ldap_version    3
    rootbinddn      uid=admin,ou=People,dc=precidia
    pam_filter      &(objectclass=posixAccount)(!(uidNumber=0))
    pam_password    exop

/etc/libnss-ldap.conf:

    uri     ldap://admin1.ott.precidia.com ldap://admin2.ott.precidia.com
    base    dc=precidia

/etc/pam.d/common-account:

    account sufficient  pam_unix.so
    account sufficient  pam_ldap.so
    account required    pam_deny.so

/etc/pam.d/common-auth:

    auth    sufficient  pam_ldap.so
    auth    sufficient  pam_unix.so shadow use_first_pass
    auth    required    pam_deny.so

/etc/pam.d/common-session:

    session sufficient  pam_ldap.so
    session required    pam_unix.so

/etc/pam.d/common-password:

    password requisite  pam_passwdqc.so min=12,10,10,8,6 random=25 retry=3 passphrase=2
    password sufficient pam_ldap.so type=network use_authtok first_pass
    password sufficient pam_unix.so type=machine use_authtok md5
    password required   pam_deny.so

Once all of this is done, you should be able to "su - user" and become that
user.  Whew!
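To see why each of the common-* stacks above ends in pam_deny.so and what the
sufficient/requisite ordering buys you, here is an added example (mine, not
from the HOWTO or from Linux-PAM) that reads the common-auth and
common-password lines into (control, module) pairs and evaluates them under
the classic required/requisite/sufficient/optional rules.  Module outcomes
are supplied as a dict, so "LDAP server down" or "weak new password" can be
played out without touching a real box.

```python
from typing import Dict, List, Tuple

# The common-auth and common-password stacks from the HOWTO, embedded here as
# constructed sample input (same lines as above).
COMMON_AUTH = """
auth    sufficient  pam_ldap.so
auth    sufficient  pam_unix.so shadow use_first_pass
auth    required    pam_deny.so
"""

COMMON_PASSWORD = """
password requisite  pam_passwdqc.so min=12,10,10,8,6 random=25 retry=3 passphrase=2
password sufficient pam_ldap.so type=network use_authtok first_pass
password sufficient pam_unix.so type=machine use_authtok md5
password required   pam_deny.so
"""

Stack = List[Tuple[str, str]]  # (control flag, module name)


def parse_pam_lines(text: str) -> Stack:
    """Reduce a pam.d file to (control, module) pairs, dropping comments and
    the per-module arguments."""
    stack: Stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _mtype, control, module = line.split()[:3]
        stack.append((control, module))
    return stack


def pam_stack_result(stack: Stack, outcomes: Dict[str, bool]) -> bool:
    """Evaluate a stack under the classic Linux-PAM control flags.

    outcomes maps module name -> True (PAM_SUCCESS) / False (any failure).
    pam_deny.so always fails and pam_permit.so always succeeds; any other
    module missing from outcomes is treated as failing (e.g. pam_ldap.so
    when the LDAP server cannot be reached).

      required   failure is remembered but the stack keeps running
      requisite  failure ends the stack immediately
      sufficient success ends the stack with success unless a required
                 module already failed; its failure is ignored
      optional   ignored unless it is the only module in the stack

    As in Linux-PAM, a stack in which no counted module ever succeeded fails
    even without a required failure; the trailing "required pam_deny.so"
    turns that implicit outcome into an explicit one.
    """
    failed = False   # some 'required' module failed
    passed = False   # some counted module succeeded
    for control, module in stack:
        if module == "pam_deny.so":
            ok = False
        elif module == "pam_permit.so":
            ok = True
        else:
            ok = outcomes.get(module, False)

        if control == "requisite":
            if not ok:
                return False
            passed = True
        elif control == "required":
            if ok:
                passed = True
            else:
                failed = True
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError("unsupported control flag: " + control)
    return passed and not failed


if __name__ == "__main__":
    auth = parse_pam_lines(COMMON_AUTH)
    print("ldap ok:            ", pam_stack_result(auth, {"pam_ldap.so": True}))
    print("ldap down, unix ok: ", pam_stack_result(auth, {"pam_unix.so": True}))
    print("both fail:          ", pam_stack_result(auth, {}))
    pw = parse_pam_lines(COMMON_PASSWORD)
    print("weak new password:  ",
          pam_stack_result(pw, {"pam_passwdqc.so": False, "pam_ldap.so": True}))
```

With pam_ldap listed first as sufficient, a user whose LDAP bind succeeds
never reaches pam_unix, and a user with no LDAP entry falls through to the
local shadow file; swapping the two lines changes which source wins when both
know the account.  The requisite pam_passwdqc line stops a weak password
before either backend is asked to store it.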
Configure Samba Authentication (apt-get install samba)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ref:  http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
      http://www.coe.tamu.edu/cs/Manuals/Samba/Samba-LDAP-HOWTO.html
      http://research.imb.uq.edu.au/~l.rathbone/ldap/samba.shtml
      http://www.mami.net/univr/tng-ldap/howto/
      http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html
      man smb.conf

Congratulations on getting this far!  The following was done with Samba
v3.0.14a.

You'll need to import the samba schema into slapd.conf by adding this line.
If the file is not in /etc/ldap/schema, you'll probably find a gzipped
version here: /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz

    include /etc/ldap/schema/samba.schema

Then add the following to your working smb.conf configuration file:

    passdb backend = ldapsam:ldap://admin1.ott.precidia.com
    ldap admin dn = uid=samba,ou=Services,dc=precidia
    ldap suffix = dc=precidia
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Hosts
    ldap replication sleep = 1000
    ldap password sync = true
    ldapsam:trusted = true

A few notes: The man pages for version 3.0.14a indicate that the specific
suffix directives replace the default "ldap suffix".  In fact, they simply
prepend to it.  Also, don't put quote marks around the values!

This configuration assumes a user "samba" created in the "Services" unit of
the directory.  You'll have to do that manually with a command like:

    ldapadd -D cn=root,dc=precidia -w secret -b dc=precidia -h 10.0.1.5
    dn: uid=samba,ou=Services,dc=precidia
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    cn: Samba Server
    uid: samba
    uidNumber: 3000
    gidNumber: 3000
    homeDirectory: /tmp
    ^D

    ldappasswd -x -D cn=root,dc=precidia -w secret -h 10.0.1.5 -s SOMETHING \
        uid=samba,ou=Services,dc=precidia

The last command sets the password for the "uid=samba,ou=Services,dc=precidia"
account to "SOMETHING".
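The uid=samba entry above only loads if "ou=Services,dc=precidia" already
exists, for the same reason given earlier for ou=Domains; otherwise ldapadd
stops with "ldap_add: No such object".  The Python below is an added example
(mine, not from the HOWTO) that reads an LDIF file, puts its entries in
parent-first order, and reports the entries whose parent is neither the base
nor another entry in the file.  The LDIF reader is deliberately minimal (no
base64 "::" or URL ":<" values) and DN comparison lower-cases every RDN,
which is an adequate approximation for ou/dc/cn/uid; both are assumptions of
this example.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute -> values; "dn" has one value

# Constructed sample: the samba service account from the HOWTO listed
# *before* the ou=Services container it must live under.
SAMPLE_LDIF = """
dn: uid=samba,ou=Services,dc=precidia
objectClass: top
objectClass: account
objectClass: posixAccount
cn: Samba Server
uid: samba
uidNumber: 3000
gidNumber: 3000
homeDirectory: /tmp

dn: ou=Services,dc=precidia
ou: Services
objectClass: top
objectClass: organizationalUnit
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated records, "attr: value"
    lines, folded continuation lines that start with one space."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # continuation of previous value
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn: str) -> str:
    return ",".join(p.lower() for p in split_dn(dn))


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])


def order_entries(entries: List[Entry], base: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (entries in an order slapd will accept, entries whose parent
    is neither the base nor any entry in the set)."""
    known = {normalize_dn(base)}
    pending = list(entries)
    ordered: List[Entry] = []
    progress = True
    while pending and progress:      # each pass admits entries whose parent is now known
        progress = False
        remaining = []
        for entry in pending:
            dn = normalize_dn(entry["dn"][0])
            if dn in known or normalize_dn(parent_dn(dn)) in known:
                ordered.append(entry)
                known.add(dn)
                progress = True
            else:
                remaining.append(entry)
        pending = remaining
    return ordered, pending


if __name__ == "__main__":
    ordered, missing = order_entries(parse_ldif(SAMPLE_LDIF), "dc=precidia")
    print("load in this order:", [e["dn"][0] for e in ordered])
    print("no parent for:     ", [e["dn"][0] for e in missing])
```

Feeding the reordered entries to ldapadd in one batch avoids the restart-and-
retry cycle the migration section describes; the "missing" list is what to
look at when the error names an object that is not the one you were adding.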
Obviously, choose something other than SOMETHING.

Now you need to tell samba what it is.  The reason for creating a special
service account with these permissions is because it's stored on disk by
samba.  As such, it's not good to use an ordinary user account which may
require its password changed if an employee leaves or something.

    smbpasswd -w SOMETHING

Finally, you have to give that account special permission in the
"slapd.conf" file so it can update records in the directory as it runs.  To
do that, change the admin rule to something like:

    access to *
        by dn="uid=admin,ou=People,dc=precidia" write
        by dn="uid=samba,ou=Services,dc=precidia" write
        by * read

At the same time, add the following so that the samba passwords are
protected.  (These encrypted passwords are actually "plain text equivalents"
which means that knowing them allows access just as though one knew the
original password from which they were derived -- thank you, Microsoft
security experts.)

    access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=samba,ou=Services,dc=precidia" write
        by * none

Doing /etc/init.d/samba restart should start quickly.  If it appears to hang
while starting "smbd" then there are probably problems accessing the ldap
server.  The /var/log/syslog file on the LDAP server may have useful
information as to what was being accessed.  If your log level is set to zero,
the "smbd" process will exit quietly on an LDAP failure.  The LDAP activity
found in /var/log/syslog can be quite helpful but don't expect it to be easy.

At this point, you should be able to use Windows Explorer to browse the samba
host and access shared drives using usernames and passwords that were
imported into the LDAP directory.  Connecting to the domain still needs more
work, though.

Connecting to a domain needs a privileged account.  I used the same "admin"
account that had its information originally imported from a unix account.
For this to work in samba, though, it _MUST_ be user-id 0 (yes, ZERO).
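Back to the two slapd.conf access directives above: slapd evaluates them
first-match.  The first "access to" whose <what> matches the attribute is the
only one consulted, and inside it the first matching "by" clause sets the
level.  So the attrs=sambaLMPassword,sambaNTPassword directive has to appear
before the "access to *" one, or "by * read" hands the NT hashes to any
anonymous bind.  The Python below is an added example (mine, not OpenLDAP
code) that parses the two directives in both orders and reports the access
level each bind identity ends up with; the rootdn, which bypasses ACLs, is
not modelled.

```python
import shlex
from typing import List, Optional, Tuple

# Access levels in slapd's order of increasing privilege.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

Rule = Tuple[str, List[Tuple[str, str]]]   # (<what>, [(<who>, <level>), ...])

# Constructed sample: the two directives from the HOWTO, attribute rule first.
ACL_HARDENED = """
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="uid=samba,ou=Services,dc=precidia" write
    by * none

access to *
    by dn="uid=admin,ou=People,dc=precidia" write
    by dn="uid=samba,ou=Services,dc=precidia" write
    by * read
"""

# The same two directives with the catch-all first.
ACL_MISORDERED = """
access to *
    by dn="uid=admin,ou=People,dc=precidia" write
    by dn="uid=samba,ou=Services,dc=precidia" write
    by * read

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="uid=samba,ou=Services,dc=precidia" write
    by * none
"""


def parse_acl(text: str) -> List[Rule]:
    """Read slapd.conf access directives (the subset used here: <what> is
    "*" or attrs=..., <who> is "*", anonymous, users or dn="...")."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)          # also strips the quotes in dn="..."
        if tokens[:2] == ["access", "to"]:
            rules.append((tokens[2], []))
            tokens = tokens[3:]
        while tokens:
            if tokens[0] != "by" or len(tokens) < 3 or not rules:
                raise ValueError("cannot parse ACL line: " + line)
            rules[-1][1].append((tokens[1], tokens[2]))
            tokens = tokens[3:]
    return rules


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def what_matches(what: str, attr: Optional[str]) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    raise ValueError("unsupported <what>: " + what)


def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn="):
        return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(who[3:])
    raise ValueError("unsupported <who>: " + who)


def access_level(rules: List[Rule], bind_dn: Optional[str], attr: Optional[str] = None) -> str:
    """First directive whose <what> matches is the only one consulted; within
    it the first matching <who> wins.  Every directive ends with an implicit
    "by * none", and once any directive exists the list ends with an implicit
    "access to * by * none"; with no directives at all slapd behaves as
    "access to * by * read"."""
    for what, clauses in rules:
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"
    return "none" if rules else "read"


def allows(rules: List[Rule], bind_dn: Optional[str], attr: Optional[str], needed: str) -> bool:
    return LEVELS.index(access_level(rules, bind_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    samba = "uid=samba,ou=Services,dc=precidia"
    admin = "uid=admin,ou=People,dc=precidia"
    for name, text in (("hardened", ACL_HARDENED), ("misordered", ACL_MISORDERED)):
        rules = parse_acl(text)
        for who in (None, samba, admin):
            print(name, who or "anonymous", "sambaNTPassword ->",
                  access_level(rules, who, "sambaNTPassword"))
```

Two things the model makes visible.  In the hardened order uid=admin gets
"none" on the Samba hash attributes, so any account that is expected to set
Samba passwords (the LDAP Account Manager logs in as admin) has to be named
in that directive as well.  And userPassword is still only covered by
"access to * ... by * read", so the usual companion is an
"access to attrs=userPassword by self write by anonymous auth by * none"
directive placed ahead of the catch-all, with "auth" kept for anonymous so
that simple binds continue to work.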
I understood this requirement when samba had to create new local accounts,
but it seems to still be the case for LDAP directories.  This is unfortunate
as it means you have a root account in your ldap directory, but we'll
mitigate this risk as much as possible.

Log out of the LDAP Account Manager and do a "configuration login".  Set the
minimum UID number to "0" (zero), submit, and login normally.  Edit the
"admin" user and set the UID number to 0.  Previously it was stated to not
have a valid login password for this account during the initial migration,
but set the login shell to /bin/false, too.  When done change the minimum UID
back to what you want.

Lastly, you have to choose between manual or automatic addition of new hosts.
You can use the LDAP Account Manager to manually add all new hosts before
connecting them to the domain, or you can have samba create those accounts
during the first join attempt.  For now, I'm just sticking with the manual
addition.  There appears to be no easy way to get samba to do it
automatically.  You can find instructions on how this can be done here
http://www.nomis52.net/?section=docs&page=samldap but configuration is
complex and I was unable to get the tools to work properly.  That's annoying!
This should be a built-in feature of Samba!


==============================================================================

And that's it.  Wasn't that easy!

You know, I love the power and flexibility of the GNU/Linux operating system,
but it took me two weeks to figure out all of the above.  There were many
times I yearned for a simple graphical setup program under Windoze.  I'm
trying to help out some by writing this, but I'm afraid it will become just
one more HOWTO in the huge mess of them, none of them complete.  Writing this
after the fact instead of during the process wasn't so smart, either; I'm sure
there are things I have forgotten to mention.
I have this idea of duplicating the Wikipedia site (http://www.wikipedia.org)
but making it Linux documentation.  Maybe it's already out there...

One of the drawbacks of the "bazaar" model is that developers concentrate on
getting the software to do the things they want it to do and not on making
easy installation.  After all, installation only has to be done once, they
know how to do it, and a set installation program would only limit easy
expansion of the software itself.  There is something to be said for the czar
of the cathedral decreeing, "you people over there -- go and make a good
install interface so our software will get chosen in the first place".

Brian
( bcwhite@precidia.com )

-------------------------------------------------------------------------------
Until we are first independent, we cannot be interdependent.