Section 10.2. Dissection and Discussion

A decision to use LDAP was made even though I knew nothing about LDAP except that I had been reading the book "LDAP System Administration," by Gerald Carter. LDAP seemed to provide some of the functionality of Novell's e-Directory Services and would provide centralized authentication and identity management.

Building the LDAP database took a while and a lot of trial and error. Following the guidance I obtained from "LDAP System Administration," I installed OpenLDAP (from RPM; later I compiled a more current version from source) and built my initial LDAP tree.

10.2.1. Technical Issues

The first challenge was to create a company white pages, followed by manually entering everything from the printed company directory. This used only the inetOrgPerson object class from the OpenLDAP schemas. The next step was to write a shell script that would look at the /etc/passwd and /etc/shadow files on our mail server and create an LDIF file from which the information could be imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, and SMTP.

Because a decision was made to use Courier-IMAP, the schema file "authldap.schema" from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory needs. Where the Courier-IMAP package provided by SUSE is used, this file is named courier.schema.

Looking back, it would have been much easier to populate the LDAP directory from the outset using a convenient tool such as phpLDAPAdmin. An excessive amount of time was spent trying to generate LDIF files that ldapmodify could parse so that the necessary changes could be written to the directory. This was a learning experience!

An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to make them work. Instead, even though it is most inelegant, I wrote a simple script that did what I needed. It is enclosed as a simple example to demonstrate that you do not need to be a guru to make light of otherwise painful repetition. This file is listed in Example 10.2.1.

Example 10.2.1. A Rough Tool to Create an LDIF File from the System Account Files
#!/bin/bash
# Emit one LDIF entry per line of /etc/passwd. Reading /etc/shadow requires root.
# Note: the DN is built from the gecos field, so an empty, duplicated, or
# comma-containing gecos value will produce an invalid or colliding DN.
while IFS= read -r l; do
  uid=$(echo "$l" | cut -d : -f 1)
  uidNumber=$(echo "$l" | cut -d : -f 3)
  gidNumber=$(echo "$l" | cut -d : -f 4)
  gecos=$(echo "$l" | cut -d : -f 5)
  homeDirectory=$(echo "$l" | cut -d : -f 6)
  loginShell=$(echo "$l" | cut -d : -f 7)
  # Anchor the match to the whole user name: a bare "grep $uid" would also
  # match every account whose name merely contains this one (bob vs. bobby).
  userPassword=$(grep "^$uid:" /etc/shadow | cut -d : -f 2)
  echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
  echo "objectClass: account"
  echo "objectClass: posixAccount"
  echo "cn: $gecos"
  echo "uid: $uid"
  echo "uidNumber: $uidNumber"
  echo "gidNumber: $gidNumber"
  echo "homeDirectory: $homeDirectory"
  echo "loginShell: $loginShell"
  # The {CRYPT} prefix tells slapd the value is a crypt(3) hash, not a cleartext
  # password; without it, password binds against the imported entry will fail.
  echo "userPassword: {CRYPT}$userPassword"
  echo                       # a blank line separates LDIF entries
done < /etc/passwd

Note

The PADL MigrationTools are recommended for migration of the UNIX account information into the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from the existing ASCII text files (or from a name service such as NIS). This tool set can be obtained from the PADL Web site[1].

[1] <http://www.padl.com>
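The rough tool in Example 10.2.1 does the job for a one-off migration, but three of its habits bite in practice: matching the shadow line by substring, building the DN from the free-form gecos field, and importing the hash without a scheme prefix. The script below is an added example written for this edit, not code from the book or from the PADL tools. It reads passwd- and shadow-format files given as arguments (so it can be run against copies, and tested on constructed data), joins the two on the exact user name, skips system accounts below a UID threshold, uses uid= as the RDN, tags hashes with {CRYPT}, and omits userPassword for locked or passwordless accounts. The base DN ou=people,dc=example,dc=com, the threshold of 1000, and the sample accounts and hashes are all assumptions made up for the demonstration.

```shell
#!/bin/bash
# Added example: build posixAccount LDIF from passwd/shadow-format files.
# Usage: passwd_to_ldif PASSWD_FILE SHADOW_FILE [BASE_DN] [MIN_UID]

passwd_to_ldif() {
    local passwd_file=$1 shadow_file=$2
    local base_dn=${3:-ou=people,dc=example,dc=com} min_uid=${4:-1000}
    awk -F: -v base="$base_dn" -v min="$min_uid" -v shadow="$shadow_file" '
        # Pass 1 (shadow file): remember user name -> password hash, keyed on
        # the exact name, so "bob" never picks up "bobby".
        FILENAME == shadow { hash[$1] = $2; next }
        # Pass 2 (passwd file): skip system accounts below the UID threshold.
        $3 + 0 < min + 0 { next }
        {
            name = $1; gecos = $5
            sub(/,.*/, "", gecos)              # keep only the full-name part of gecos
            if (gecos == "") gecos = name      # cn is mandatory for posixAccount
            shell = ($7 == "") ? "/bin/sh" : $7
            printf "dn: uid=%s,%s\n", name, base
            print "objectClass: account"
            print "objectClass: posixAccount"
            printf "cn: %s\n", gecos
            printf "uid: %s\n", name
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            printf "loginShell: %s\n", shell
            # Emit a password only for a real crypt(3) hash; "*", "!" or an empty
            # field mean the account cannot authenticate with a password.
            h = (name in hash) ? hash[name] : ""
            if (h != "" && h !~ /^[!*]/) printf "userPassword: {CRYPT}%s\n", h
            print ""                           # blank line separates LDIF entries
        }' "$shadow_file" "$passwd_file"
}

write_samples() {
    # Constructed sample account files (assumed data, not real hashes). The
    # bob/bobby pair shows why the exact-name join matters; carol has an empty
    # gecos and shell; bobby is locked; root and daemon are system accounts.
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:100:Bob Jones,Room 12,555-1234:/home/bob:/bin/bash
bobby:x:1002:100:Bobby Smith:/home/bobby:/bin/zsh
carol:x:1003:100::/home/carol:
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$rootsalt$rootHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:$6$saltsalt$dummyhashbob:19000:0:99999:7:::
bobby:!$6$saltsalt$lockedhash:19000:0:99999:7:::
carol:$1$abcdefgh$dummyhashcarol:19000:0:99999:7:::
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_samples "$SAMPLE_DIR"
passwd_to_ldif "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On real data, run it as root against /etc/passwd and /etc/shadow, redirect the output to a file, inspect it, and load it with ldapadd (for example `ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f accounts.ldif`); entries for root, daemon and bobby's password are deliberately absent, and the output should be protected like /etc/shadow itself because it carries the hashes.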


    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    Year: 2005