There have been a score of such schemes, and it is unlikely that this is the last. We had kerberos, Yellow Pages, NIS, and so forth, now LDAP. There is no denying that if you have a fair sized user community and many machines, such a scheme will make your life simpler. Maybe. It also puts all your eggs in one basket and when something goes wrong, lots of machines are affected.
useradd -u 555 -c "John Doe" jdoe passwd jdoe ldapusermigrate jdoe
The ldapusermigrate script (csh) is as follows:
set username = jdoe setenv LDAP_BASEDN dc=myserver,dc=mydomain grep "^${username}:" /etc/passwd > /tmp/${username}.passwd /usr/share/migrationtools/migrate_passwd.pl /tmp/${username}.passwd | ldapadd -ZZ -D "cn=Directory Manager" -y /etc/ldap.secret -x /bin/rm /tmp/${username}.passwd grep "^${username}:" /etc/group > /tmp/${username}.group /usr/share/migrationtools/migrate_group.pl /tmp/${username}.group | ldapadd -ZZ -D "cn=Directory Manager" -y /etc/ldap.secret -x /bin/rm /tmp/${username}.group userdel ${username}
set newshell = tcsh set username = jdoe if (`grep $newshell /etc/shells` != $newshell) then echo $newshell not in /etc/shells exit endif /bin/echo -e "dn: uid=$username,ou=People,dc=myserver,dc=mydomain\nchangetype: modify\nreplace: loginShell\nloginShell: $newshell\n" | ldapmodify -D "cn=Directory Manager" -y /etc/ldap.secret -ZZ -x
ldapdelete -ZZ -D "cn=Directory Manager" -y /etc/ldap.secret -x uid=jdoe,ou=People,dc=myserver,dc=mydomain ldapdelete -ZZ -D "cn=Directory Manager" -y /etc/ldap.secret -x cn=jdoe,ou=Group,dc=myserver,dc=mydomainAfter this, manually remove the home directory, mail inbox, and crontabs on all machines.
groupadd idiots ldapgroupmigrate idiotsThe groupmigrate script (csh) is as follows:
set groupname = idiots setenv LDAP_BASEDN dc=myserver,dc=mydomain grep "^${groupname}:" /etc/group > /tmp/${groupname}.group /usr/share/migrationtools/migrate_group.pl /tmp/${groupname}.group | ldapadd -ZZ -D "cn=Directory Manager" -y /etc/ldap.secret -x /bin/rm /tmp/${groupname}.group groupdel ${groupname}
When I do try to use the ldappasswd command as root, I get:
SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available:It turns out this is because ldappasswd defaults to trying to use SASL authentication, which is the wrong thing when you have an OpenLDAP server. There is a "-x" switch to tell it not to use SASL, but never mind all of this.
The story is that the good old passwd command is LDAP aware and can be used in the same way it always has been, both by individual users on any machine, and by root also, but with some limitations.
When root tries to change a users password on an LDAP client machine, root must have that users existing login password. So, if root has no clue what the users password is (the usual case is that a user has forgotten his password and root never knew it in the first place), root must change the password on the LDAP server machine.
A number of LDAP related things have assigned ports:
The standard LDAP port is 389. The secure (SSL) LDAPS port is 636. The Administration Server port is 9830.
TLS is another acronym that pops up right away in this LDAP business. TLS stands for "Transmission Layer Security". It is apparently a standardized form of SSL.
SSL was initially a Netscape protocol, then it went through a standardization process and now is called TLS (Transmission Layer Security). It is commonly referred as SSL/TLS.
As near as I an tell, the name for the LDAP service currently in vogue is "dirsrv" (even in the "389" scheme of things. Therefore, if you want to start (or restart) the LDAP service, you do:
service dirsrv restartNote that you only do this on an LDAP server. This runs the executable /usr/sbin/ns-slapd, but anyone would have known that.
There is also something called dirsrv-admin, but I don't have a clue what it is, you might also want to start it (or maybe you wouldn't):
service dirsrv-admin restart
I first tried working with LDAP under Fedora 11, and was immediately bitten by an "issue" (a policy change actually). Apparently as of Fedora 11, the root user is not allowed to login from the console if X is running. Root login via ssh or from a text console is fine (use a virtual console or telinit 3 if you are desperate). I guess there are too many X based security issues and it was felt that the root password was too sensitive or some logic like that. I am pretty sure this was straightened out to my liking by hacking on some file in the /etc/pam.d directory, but I cannot remember.
The file /etc/nsswitch.conf governs whether LDAP or files or who knows what gets used. The relevant lines are:
#passwd: files ldap #shadow: files ldap #passwd: files ldap passwd: files shadow: files group: filesThe first group of lines, if enabled, would first try to find a user in the passwd/shadow files, and if that failed use ldap. The second group of lines are the "good old way" using passwd and shadow files only.
The actual user and group information is kept in a database. You use the ldapadd, ldapdelete, and ldapmodify commands to make changes. There are nice long intricate man pages for all of these, with more options than you can shake a stick at. I am told that these commands are really useful for non-priveleged users to make changes to things that they are allowed to change.
Apparently under ldap, there is an "identity" refered to as the "directory manager" which is allowed to do any kind of fiddling with LDAP entries, and which/who has its/his/her own password.
Note that ssh authentication using key encryption is not affected. Even though I am one of these low numbered users, I never get hit by the problem because my desktop is not part of the PAM/LDAP world, and I jump from there to other systems using ssh keys. This means that I don't get tripped up by this issue until I am sitting at one of these machines and trying to log in at the console.
What is happening is that system updates are wrongly overwriting files in the /etc/pam.d directory. PAM is the "pluggable authentication module" system, which is a generic "tap" to insert whatever flavor of authentication you might presently be enamoured with. The files that usually get screwed up are:
Adventures in Computing / tom@mmto.org