4. Configuration of LDAP Server
4.1. Overview
Migrated services, including authentication, from flat files to the OpenLDAP
server, and tested the result.
Problems:
- migration failed because the migration script rejected the "tp++ ..." line
in /etc/protocols and the "whois++ ..." line in /etc/services.
- having got data in, could not get data out: a permissions problem on the
database files.
4.2. What I Did
Followed the Red Hat reference guide instructions:
- Used the migration tools in /usr/share/openldap/migration. First,
edited migrate_common.ph (see
/usr/share/openldap/migrate/README):
$DEFAULT_BASE = "o=talbycsuumist,c=gb";
$DEFAULT_MAIL_DOMAIN = "umist.ac.uk";
$DEFAULT_MAIL_HOST = "mailrouter.umist.ac.uk";
and then ran migrate_all_offline.pl:
Problems:
The script did not like the lines tp++... in /etc/protocols
and whois++... in /etc/services, so I commented them out (I
don't really need them). After that, the script worked.
N.B. The script migrates the contents of, e.g., /etc/passwd
and /etc/shadow into the LDAP database, but leaves those files intact.
Since nsswitch.conf consults files before ldap, a user who is still listed
in the flat files is resolved from them and the LDAP path is never exercised;
to ensure that LDAP-based authentication is actually taking place,
one needs to remove users' entries from these files.
- Used /usr/sbin/authconfig to sort out PAM --- selected LDAP in
addition to flat files (checked "LDAP" and entered
o=talbycsuumist,c=gb where asked).
- Edited /etc/nsswitch.conf to introduce LDAP (instead of NIS):
passwd: files ldap
shadow: files ldap
group: files ldap
4.3. Testing and Debugging; Problems
Having made the appropriate changes on boiler.csu.umist.ac.uk, a Solaris 2.8
machine, authentication from boiler to pinback failed. First question:
could pinback use its own LDAP server? No...
It could not authenticate or finger users except via the flat files.
Running
/usr/sbin/slapcat
showed that data was in the LDAP database;
ldapsearch -h 127.0.0.1 -p 389 -x -s sub "o=talbycsuumist,c=gb" \
"uid=simonh"
found nothing! Running slapd in the foreground with debug level 256
showed a permission problem with the database files,
/var/lib/ldap/*gdbm --- they had been installed with root-only access,
not readable by the user ldap (the user slapd runs as).
Changing their owner and group to ldap solved this.
Deleting simonh from the flat files with slapd running caused no problems ---
could still log in and finger ok.
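The three checks these notes arrive at (the "+" names the migration script rejected, the ownership of the slapd database files, and the ldap source in nsswitch.conf), as an added POSIX shell example that is not part of the original notes; the file paths and the user name ldap are assumptions passed in as arguments.

```shell
# Added example, not part of the original notes. Pre-flight checks for the
# three problems the notes describe. Paths and the slapd user name (ldap)
# are assumptions passed in as arguments, so this runs against any files.
# POSIX sh; needs only ls and awk.

# 1. Service/protocol names containing '+', such as the tp++ and whois++
#    lines the migration script rejected. Prints one name per line.
find_plus_names() {
    # $1 = file in /etc/protocols or /etc/services format
    awk 'NF > 0 && $1 !~ /^#/ && $1 ~ /[+]/ { print $1 }' "$1"
}

# 2. Every file in the LDAP data directory must be owned by the user slapd
#    runs as; the notes found *gdbm files left owned by root. Lists each
#    offender and returns 1 if there is any, 0 if all owners match.
check_db_owner() {
    # $1 = data directory (e.g. /var/lib/ldap), $2 = expected owner
    _dir=$1; _want=$2; _rc=0
    for _f in "$_dir"/*; do
        [ -e "$_f" ] || continue
        _owner=$(ls -ld "$_f" | awk '{ print $3 }')
        if [ "$_owner" != "$_want" ]; then
            echo "wrong owner $_owner on $_f (want $_want)"
            _rc=1
        fi
    done
    return $_rc
}

# 3. passwd, shadow and group in nsswitch.conf must list ldap as a source,
#    otherwise lookups never reach the directory. Returns 1 on any miss.
check_nsswitch() {
    # $1 = path to an nsswitch.conf
    _rc=0
    for _db in passwd shadow group; do
        if ! awk -v db="$_db:" '$1 == db { for (i = 2; i <= NF; i++)
                if ($i == "ldap") ok = 1 } END { exit !ok }' "$1"
        then
            echo "$_db: ldap not listed in $1"
            _rc=1
        fi
    done
    return $_rc
}

# Typical use against a live system (paths are the ones from the notes):
#   find_plus_names /etc/protocols; find_plus_names /etc/services
#   check_db_owner /var/lib/ldap ldap
#   check_nsswitch /etc/nsswitch.conf
```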
About this document:
Produced from the SGML: /home/isd/public_html/_ldap_authentication/_reml_grp/index.reml
On: 5/7/2004 at 13:33:51
Options: reml2 -i noindex -l long -o html -p multiple