LDAP Resources

  



Introduction

This guide demonstrates how to extract the local OS user accounts and groups on a Linux machine and export them to a readable LDIF file that can be modified (if necessary) and imported into an LDAP directory. This provides a convenient shortcut for setting up users and groups in a newly initialized directory that will be used for LDAP authentication.

The Linux machine used in this example is running the latest version of Oracle, which at the time of this writing is Oracle Database 11g Release 2 (11.2.0.3.0). The database server, racnode1.idevelopment.info, contains the user accounts and groups that best define the conventions I would want to centralize for all Oracle database servers. Those local user accounts and groups will be exported from the database server and imported into an LDAP directory on ldapsrv.idevelopment.info.

The example used in this tutorial is based on a clean installation of OpenLDAP Software on the CentOS 5 platform. This tutorial will also work for Red Hat Enterprise Linux 5 and Oracle Linux 5. The LDAP directory used in this guide has been initialized with a base DN of dc=idevelopment,dc=info and the organizational units People, Group, and Hosts. Obviously, the name of your LDAP server and the base DN will differ, and the examples presented in this guide will need to be modified accordingly for your environment.

Refer to the following two tutorials on how to install OpenLDAP Software and initialize the LDAP directory on the server (ldapsrv.idevelopment.info in this guide) on the CentOS 5 platform.

Oracle Users and Groups

The users and groups being migrated to LDAP are reflective of a typical Oracle RAC 11g Release 2 configuration that includes Oracle Grid Infrastructure and Oracle Database software.

Groups

  Group Name   gidNumber
  oinstall     1000
  asmadmin     1200
  asmdba       1201
  asmoper      1202
  dba          1300
  oper         1301

Users

  Username   uidNumber   gidNumber   Groups                                                       loginShell   homeDirectory
  grid       1100        1000        1000(oinstall),1200(asmadmin),1201(asmdba),1202(asmoper)    /bin/bash    /home/grid
  oracle     1101        1000        1000(oinstall),1201(asmdba),1300(dba),1301(oper)            /bin/bash    /home/oracle
  jhunter    500         500         500(jhunter),1300(dba),1301(oper)                           /bin/bash    /home/jhunter

In the end, we will also be able to create additional LDAP users based on a template LDIF record for a user and group developed in the migration phase of this guide.

Install OpenLDAP Server Package

The first step is to install the OpenLDAP server package on the database server. The LDAP server package comes with a set of shell and Perl migration scripts for converting existing users, along with their UIDs, GIDs, home directories, passwords, etc., into LDIF records.


[root@racnode1 ~]# yum -y install openldap-servers

Migrate Users and Groups

This section contains instructions on how to use the migration scripts provided by OpenLDAP Software to migrate local user accounts and groups to an LDAP directory for authentication purposes.

Perl must be installed on the system to use the scripts described in this section.

Migration Scripts

The OpenLDAP server package installed in the previous step includes a set of shell and Perl scripts that can be used to migrate user data and authentication information on the local system into an LDAP format. Those scripts can be found in the /usr/share/openldap/migration directory.


[root@racnode1 ~]# ls -l /usr/share/openldap/migration
total 140
-rwxr-xr-x 1 root root  2656 Jul 12 04:07 migrate_aliases.pl
-rwxr-xr-x 1 root root  2954 Jul 12 04:07 migrate_all_netinfo_offline.sh
-rwxr-xr-x 1 root root  2950 Jul 12 04:07 migrate_all_netinfo_online.sh
-rwxr-xr-x 1 root root  3008 Jul 12 04:07 migrate_all_nis_offline.sh
-rwxr-xr-x 1 root root  3003 Jul 12 04:07 migrate_all_nis_online.sh
-rwxr-xr-x 1 root root  3168 Jul 12 04:07 migrate_all_nisplus_offline.sh
-rwxr-xr-x 1 root root  3150 Jul 12 04:07 migrate_all_nisplus_online.sh
-rwxr-xr-x 1 root root  5274 Jul 12 04:07 migrate_all_offline.sh
-rwxr-xr-x 1 root root  7472 Jul 12 04:07 migrate_all_online.sh
-rwxr-xr-x 1 root root  3224 Jul 12 04:07 migrate_automount.pl
-rwxr-xr-x 1 root root  2612 Jul 12 04:07 migrate_base.pl
-rw-r--r-- 1 root root  8880 Jul 12 04:07 migrate_common.ph
-rwxr-xr-x 1 root root  2956 Jul 12 04:07 migrate_fstab.pl
-rwxr-xr-x 1 root root  2718 Jul 12 04:07 migrate_group.pl
-rwxr-xr-x 1 root root  2755 Jul 12 04:07 migrate_hosts.pl
-rwxr-xr-x 1 root root  2860 Jul 12 04:07 migrate_netgroup_byhost.pl
-rwxr-xr-x 1 root root  2860 Jul 12 04:07 migrate_netgroup_byuser.pl
-rwxr-xr-x 1 root root  3883 Jul 12 04:07 migrate_netgroup.pl
-rwxr-xr-x 1 root root  2844 Jul 12 04:07 migrate_networks.pl
-rwxr-xr-x 1 root root  5639 Jul 12 04:07 migrate_passwd.pl
-rwxr-xr-x 1 root root  2432 Jul 12 04:07 migrate_profile.pl
-rwxr-xr-x 1 root root  2877 Jul 12 04:07 migrate_protocols.pl
-rwxr-xr-x 1 root root  2858 Jul 12 04:07 migrate_rpc.pl
-rwxr-xr-x 1 root root 10020 Jul 12 04:07 migrate_services.pl
-rwxr-xr-x 1 root root  3423 Jul 12 04:07 migrate_slapd_conf.pl
-rw-r--r-- 1 root root  8060 Jul 12 04:07 migration-tools.txt
-rw-r--r-- 1 root root  1855 Jul 12 04:07 README

The "Migrate All" Scripts

There are two versions of the migrate_all_* shell scripts in the migration directory: online and offline. I don't use the migrate_all_* scripts to identify users, since they actually attempt to perform the import into the LDAP directory. The difference between online and offline is whether the script assumes the LDAP server is online (uses ldapadd) or offline (uses slapadd). Either way, each script attempts to update the LDAP directory immediately during execution. Since I want to modify the generated LDIF records to import only certain users and groups, I will not be covering the "migrate all" scripts in this guide.

The README and the migration-tools.txt files in the /usr/share/openldap/migration directory provide more details on how to use the LDAP migration scripts.

Common Defines for MigrationTools

Modify the /usr/share/openldap/migration/migrate_common.ph file so that it reflects the correct domain. You should only need to modify the $DEFAULT_MAIL_DOMAIN, $DEFAULT_BASE, and $EXTENDED_SCHEMA variables.


[root@racnode1 ~]# vi /usr/share/openldap/migration/migrate_common.ph
...
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "idevelopment.info";

# Default base
$DEFAULT_BASE = "dc=idevelopment,dc=info";
...
# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;
...

Export Base

Exporting the LDIF entries for the base DN from the machine whose local users and groups are being extracted is not necessary in this guide. This optional step can be performed to view which organizationalUnit definitions and other objects the script would generate for the local system. I run it mostly out of interest, to see what type of entries it would try to create and import into the LDAP directory.


[root@racnode1 ~]# cd /usr/share/openldap/migration
[root@racnode1 migration]# ./migrate_base.pl > base.ldif

Exporting the base configuration is optional, and the resulting base.ldif will not be imported into the LDAP directory in this section.

Export Users and Groups

Export the local user and group information into LDIF, the format the LDAP server imports. This is done by running the appropriate migration script in the /usr/share/openldap/migration directory; which script applies depends on the existing name service (local files in this guide).

Users

First, we need to tell the script where to find password information. We do this by setting the shell variable ETC_SHADOW to be /etc/shadow.


[root@racnode1 migration]# export ETC_SHADOW=/etc/shadow

Next, export all local users to an LDIF file named people.ldif.


[root@racnode1 migration]# ./migrate_passwd.pl /etc/passwd people.ldif

Remove extraneous people by editing the people.ldif file so that it contains only those users you want to import into the LDAP directory. Note that every record carries the account's userPassword hash copied from /etc/shadow, so keep the file readable by root only and remove it once the import is complete.


[root@racnode1 migration]# vi people.ldif
dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
uid: jhunter
cn: Jeffrey Hunter
givenName: Jeffrey
sn: Hunter
mail: jhunter@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$ZxO.cXOx$tiZQStYEF2sYN0TFtQFZx0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/jhunter
gecos: Jeffrey Hunter

dn: uid=grid,ou=People,dc=idevelopment,dc=info
uid: grid
cn: Grid Infrastructure Owner
givenName: Grid Infrastructure
sn: Owner
mail: grid@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$prDmL5Ft$R3myzLbAjxzXO/7ycR6HU0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1100
gidNumber: 1000
homeDirectory: /home/grid
gecos: Grid Infrastructure Owner

dn: uid=oracle,ou=People,dc=idevelopment,dc=info
uid: oracle
cn: Oracle Software Owner
givenName: Oracle Software
sn: Owner
mail: oracle@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$FWY0gU.9$aJMPBkM/JsvdMTwa3ZO2N0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1101
gidNumber: 1000
homeDirectory: /home/oracle
gecos: Oracle Software Owner

Groups

Export all local groups to an LDIF file named group.ldif.


[root@racnode1 migration]# ./migrate_group.pl /etc/group group.ldif

Again, remove extraneous entries by editing the group.ldif file so that it contains only those groups you want to import into the LDAP directory.


[root@racnode1 migration]# vi group.ldif
dn: cn=jhunter,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: jhunter
userPassword: {crypt}x
gidNumber: 500

dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: oinstall
userPassword: {crypt}x
gidNumber: 1000

dn: cn=asmadmin,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmadmin
userPassword: {crypt}x
gidNumber: 1200
memberUid: grid

dn: cn=asmdba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmdba
userPassword: {crypt}x
gidNumber: 1201
memberUid: grid
memberUid: oracle

dn: cn=asmoper,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmoper
userPassword: {crypt}x
gidNumber: 1202
memberUid: grid

dn: cn=dba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: dba
userPassword: {crypt}x
gidNumber: 1300
memberUid: jhunter
memberUid: oracle

dn: cn=oper,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: oper
userPassword: {crypt}x
gidNumber: 1301
memberUid: jhunter
memberUid: oracle
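The two hand-editing steps above (trimming people.ldif by uid and group.ldif by cn in vi) can be scripted. The following POSIX shell/awk function is an added example, not code from the original guide or from the OpenLDAP migration tools: ldif_filter keeps only the blank-line-separated LDIF records whose named attribute has a value in a comma-separated keep list, and matching is exact, so keeping dba does not also keep asmdba. The sample_people_ldif and sample_group_ldif functions emit constructed, abbreviated records for the demo (the ftp entry and the trimmed attribute sets are inventions; real migrate_passwd.pl output also carries the userPassword hash and shadow attributes shown above).

```shell
#!/bin/sh
# Added example: keep only the LDIF records whose attribute ATTR has a value in
# the comma-separated KEEP list. Records are separated by blank lines (awk
# paragraph mode, RS=""), which is how migrate_passwd.pl and migrate_group.pl
# emit them.
#   ldif_filter ATTR KEEP < in.ldif > out.ldif
ldif_filter() {
    awk -v attr="$1" -v keep="$2" '
        BEGIN {
            RS = ""; ORS = "\n\n"
            n = split(keep, k, ",")
            for (i = 1; i <= n; i++) want[k[i]] = 1
        }
        {
            # Find the "attr: value" line of this record; exact-match the value.
            val = ""
            n = split($0, line, "\n")
            for (i = 1; i <= n; i++)
                if (index(line[i], attr ": ") == 1) { val = substr(line[i], length(attr) + 3); break }
            if (val in want) print
        }'
}

# Constructed, abbreviated stand-in for people.ldif (the ftp record plays the
# role of a system account that should not be imported).
sample_people_ldif() {
    cat <<'EOF'
dn: uid=ftp,ou=People,dc=idevelopment,dc=info
uid: ftp
cn: FTP User
objectClass: posixAccount
uidNumber: 14
gidNumber: 50

dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
uid: jhunter
cn: Jeffrey Hunter
objectClass: posixAccount
uidNumber: 500
gidNumber: 500

dn: uid=grid,ou=People,dc=idevelopment,dc=info
uid: grid
cn: Grid Infrastructure Owner
objectClass: posixAccount
uidNumber: 1100
gidNumber: 1000

dn: uid=oracle,ou=People,dc=idevelopment,dc=info
uid: oracle
cn: Oracle Software Owner
objectClass: posixAccount
uidNumber: 1101
gidNumber: 1000
EOF
}

# Constructed, abbreviated stand-in for group.ldif.
sample_group_ldif() {
    cat <<'EOF'
dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
cn: oinstall
gidNumber: 1000

dn: cn=asmdba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
cn: asmdba
gidNumber: 1201
memberUid: grid
memberUid: oracle

dn: cn=dba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
cn: dba
gidNumber: 1300
memberUid: jhunter
memberUid: oracle
EOF
}

# Demo: keep the two Oracle software owners, and only the dba group (not asmdba).
sample_people_ldif | ldif_filter uid grid,oracle
sample_group_ldif | ldif_filter cn dba
```

Against the real files, run `ldif_filter uid grid,oracle < people.ldif > people-trimmed.ldif` and `ldif_filter cn oinstall,asmadmin,asmdba,asmoper,dba,oper < group.ldif > group-trimmed.ldif`, then confirm the record count with `grep -c '^dn: '` before importing.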

Import Users and Groups

Use ldapadd to import the people.ldif and group.ldif files to the LDAP directory.


[root@racnode1 migration]# ldapadd -x -W -h ldapsrv -D "cn=Manager,dc=idevelopment,dc=info" -f people.ldif
Enter LDAP Password: *********
adding new entry "uid=jhunter,ou=People,dc=idevelopment,dc=info"
adding new entry "uid=grid,ou=People,dc=idevelopment,dc=info"
adding new entry "uid=oracle,ou=People,dc=idevelopment,dc=info"


[root@racnode1 migration]# ldapadd -x -W -h ldapsrv -D "cn=Manager,dc=idevelopment,dc=info" -f group.ldif
Enter LDAP Password: *********
adding new entry "cn=jhunter,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=oinstall,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=asmadmin,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=asmdba,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=asmoper,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=dba,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=oper,ou=Group,dc=idevelopment,dc=info"

Verify Users and Groups

Verify the users and groups imported into the LDAP directory using ldapsearch.


[root@racnode1 ~]# ldapsearch -x -W -h 'ldapsrv' -D 'cn=Manager,dc=idevelopment,dc=info' -b 'ou=People,dc=idevelopment,dc=info' dn cn
Enter LDAP Password: *********
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=idevelopment,dc=info> with scope subtree
# filter: (objectclass=*)
# requesting: dn cn
#

# People, idevelopment.info
dn: ou=People,dc=idevelopment,dc=info

# jhunter, People, idevelopment.info
dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
cn: Jeffrey Hunter

# grid, People, idevelopment.info
dn: uid=grid,ou=People,dc=idevelopment,dc=info
cn: Grid Infrastructure Owner

# oracle, People, idevelopment.info
dn: uid=oracle,ou=People,dc=idevelopment,dc=info
cn: Oracle Software Owner

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4


[root@racnode1 ~]# ldapsearch -x -W -h 'ldapsrv' -D 'cn=Manager,dc=idevelopment,dc=info' -b 'ou=Group,dc=idevelopment,dc=info' dn cn
Enter LDAP Password: *********
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=idevelopment,dc=info> with scope subtree
# filter: (objectclass=*)
# requesting: dn cn
#

# Group, idevelopment.info
dn: ou=Group,dc=idevelopment,dc=info

# jhunter, Group, idevelopment.info
dn: cn=jhunter,ou=Group,dc=idevelopment,dc=info
cn: jhunter

# oinstall, Group, idevelopment.info
dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
cn: oinstall

# asmadmin, Group, idevelopment.info
dn: cn=asmadmin,ou=Group,dc=idevelopment,dc=info
cn: asmadmin

# asmdba, Group, idevelopment.info
dn: cn=asmdba,ou=Group,dc=idevelopment,dc=info
cn: asmdba

# asmoper, Group, idevelopment.info
dn: cn=asmoper,ou=Group,dc=idevelopment,dc=info
cn: asmoper

# dba, Group, idevelopment.info
dn: cn=dba,ou=Group,dc=idevelopment,dc=info
cn: dba

# oper, Group, idevelopment.info
dn: cn=oper,ou=Group,dc=idevelopment,dc=info
cn: oper

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

Test User Authentication Through LDAP

Log in as one of the new directory users to a client machine that can authenticate through the LDAP server. The client machine should not have any local user accounts or groups defined with the same name as those being authenticated through the LDAP directory.


[root@racnode1 ~]# ssh oracle@ldaptest
The authenticity of host 'ldaptest (192.168.1.104)' can't be established.
RSA key fingerprint is f8:76:8c:98:62:b0:f0:29:21:19:18:ea:f6:24:23:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ldaptest,192.168.1.104' (RSA) to the list of known hosts.
oracle@ldaptest's password:
Creating directory '/home/oracle'.
Creating directory '/home/oracle/.mozilla'.
Creating directory '/home/oracle/.mozilla/plugins'.
Creating directory '/home/oracle/.mozilla/extensions'.
[oracle@ldaptest ~]$ id
uid=1101(oracle) gid=1000(oinstall) groups=1000(oinstall),1201(asmdba),1300(dba),1301(oper)
[oracle@ldaptest ~]$ cat /etc/passwd | grep oracle
[oracle@ldaptest ~]$ cat /etc/group | grep oinstall

Notice that oracle was able to authenticate through LDAP and log in to the machine. Since this was the first time logging in as oracle, the home directory was created automatically. Also notice that the oracle user account and its associated groups are not listed in /etc/passwd or /etc/group on the local system: the account was authenticated through LDAP, and the uid, gid and supplementary groups reported by id come from the LDAP server.

Please refer to the following guide on how to configure authentication for a Linux client through LDAP on the CentOS 5 platform.
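Two checks bracket the procedure above, and the following POSIX shell script is an added example (not part of the original guide) that automates both. check_ldif runs over the edited people.ldif and group.ldif before the ldapadd import and reports duplicate uidNumber or gidNumber values, memberUid entries that name no exported user, and primary gidNumber values with no matching posixGroup. check_local_collisions compares the same files against a client's /etc/passwd and /etc/group to find the name and numeric-ID overlaps that the login test above requires to be absent. make_sample_files writes constructed sample data into a temporary directory; the appuser account, the backup memberUid and the client account files are inventions seeded with deliberate defects so that each check has something to report.

```shell
#!/bin/sh
# Added example (not from the guide): consistency checks for the migrated LDIF
# files, plus name/ID collision checks against a client's local account files.

# Print every value of attribute ATTR in FILE, one per line. Base64 "attr::"
# lines are not handled; the migration scripts do not emit them for these attributes.
ldif_values() { sed -n "s/^$1: //p" "$2"; }

# Print values that occur more than once on stdin.
dups() { sort | uniq -d; }

# check_ldif PEOPLE.ldif GROUP.ldif -- one problem per line; returns 1 if any.
check_ldif() {
    people=$1 group=$2 problems=0
    for v in $(ldif_values uidNumber "$people" | dups); do
        echo "duplicate uidNumber $v in $people"; problems=1
    done
    for v in $(ldif_values gidNumber "$group" | dups); do
        echo "duplicate gidNumber $v in $group"; problems=1
    done
    # Every memberUid must name a user that is actually being exported.
    for m in $(ldif_values memberUid "$group" | sort -u); do
        ldif_values uid "$people" | grep -qx "$m" ||
            { echo "memberUid $m in $group has no entry in $people"; problems=1; }
    done
    # Every user's primary gidNumber must exist as a posixGroup.
    for g in $(ldif_values gidNumber "$people" | sort -u); do
        ldif_values gidNumber "$group" | grep -qx "$g" ||
            { echo "primary gidNumber $g has no posixGroup in $group"; problems=1; }
    done
    return $problems
}

# check_local_collisions PEOPLE.ldif GROUP.ldif PASSWD_FILE GROUP_FILE
# Flags directory users/groups whose name or numeric ID is also defined in the
# client's local files (the situation the login test says must not exist).
check_local_collisions() {
    people=$1 group=$2 passwd=$3 grp=$4 problems=0
    for u in $(ldif_values uid "$people" | sort -u); do
        cut -d: -f1 "$passwd" | grep -qx "$u" &&
            { echo "user $u is also defined locally in $passwd"; problems=1; }
    done
    for n in $(ldif_values uidNumber "$people" | sort -u); do
        cut -d: -f3 "$passwd" | grep -qx "$n" &&
            { echo "uidNumber $n is also used locally in $passwd"; problems=1; }
    done
    for g in $(ldif_values cn "$group" | sort -u); do
        cut -d: -f1 "$grp" | grep -qx "$g" &&
            { echo "group $g is also defined locally in $grp"; problems=1; }
    done
    for n in $(ldif_values gidNumber "$group" | sort -u); do
        cut -d: -f3 "$grp" | grep -qx "$n" &&
            { echo "gidNumber $n is also used locally in $grp"; problems=1; }
    done
    return $problems
}

# Constructed sample data with deliberate defects, written to a temp directory
# whose path is printed: appuser (invented) reuses oracle's uidNumber and has a
# primary group that does not exist; dba lists a memberUid with no user entry;
# the invented "client" passwd/group files define oracle and oinstall locally.
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/people.ldif" <<'EOF'
dn: uid=grid,ou=People,dc=idevelopment,dc=info
uid: grid
uidNumber: 1100
gidNumber: 1000

dn: uid=oracle,ou=People,dc=idevelopment,dc=info
uid: oracle
uidNumber: 1101
gidNumber: 1000

dn: uid=appuser,ou=People,dc=idevelopment,dc=info
uid: appuser
uidNumber: 1101
gidNumber: 2000
EOF
    cat > "$d/group.ldif" <<'EOF'
dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
cn: oinstall
gidNumber: 1000

dn: cn=dba,ou=Group,dc=idevelopment,dc=info
cn: dba
gidNumber: 1300
memberUid: oracle
memberUid: backup
EOF
    printf 'root:x:0:0:root:/root:/bin/bash\noracle:x:1101:1000::/home/oracle:/bin/bash\n' > "$d/passwd"
    printf 'root:x:0:\noinstall:x:1000:oracle\n' > "$d/group"
    echo "$d"
}

# Demo on the constructed sample: expect 3 LDIF problems and 4 local collisions.
demo=$(make_sample_files)
check_ldif "$demo/people.ldif" "$demo/group.ldif" || echo "fix the LDIF before importing"
check_local_collisions "$demo/people.ldif" "$demo/group.ldif" "$demo/passwd" "$demo/group" || echo "remove or renumber the local accounts"
rm -rf "$demo"
```

On a real system, run check_ldif on the database server against the edited files before the ldapadd step, and check_local_collisions on each client with its own /etc/passwd and /etc/group; a non-zero exit from either means the directory entries would be shadowed or would shadow local ones.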

Configure System Authentication Using OpenLDAP

About the Author

Jeffrey Hunter is an Oracle Certified Professional, Java Development Certified Professional, Author, and an Oracle ACE. Jeff currently works as a Senior Database Administrator for The DBA Zone, Inc. located in Pittsburgh, Pennsylvania. His work includes advanced performance tuning, Java and PL/SQL programming, developing high availability solutions, capacity planning, database security, and physical / logical database design in a UNIX / Linux server environment. Jeff's other interests include mathematical encryption theory, tutoring advanced mathematics, programming language processors (compilers and interpreters) in Java and C, LDAP, writing web-based database administration tools, and of course Linux. He has been a Sr. Database Administrator and Software Engineer for over 20 years and maintains his own website at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science and Mathematics.



Copyright (c) 1998-2017 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on Tuesday, 04-Sep-2012 00:29:27 EDT