dpkg-reconfigure slapd will let you reconfigure the LDAP database with more details:
			falcot.com”.
					dpkg-reconfigure slapd right after the initial installation.
```
$ ldapsearch -x -b dc=falcot,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=falcot,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# falcot.com
dn: dc=falcot,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Falcot Corp
dc: falcot

# admin, falcot.com
dn: cn=admin,dc=falcot,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
/etc/passwd, /etc/group, /etc/services, /etc/hosts and so on), convert this data, and inject it into the LDAP database.
			/etc/migrationtools/migrate_common.ph must be edited; the IGNORE_UID_BELOW and IGNORE_GID_BELOW options need to be enabled (uncommenting them is enough), and DEFAULT_MAIL_DOMAIN/DEFAULT_BASE need to be updated.
			migrate_all_online.sh command, as follows:
```
# cd /usr/share/migrationtools
# PERL5LIB="${PERL5LIB}:/etc/migrationtools" LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh
```
migrate_all_online.sh asks a few questions about the LDAP database into which the data is to be migrated. Table 11.1 summarizes the answers given in the Falcot use-case.
			Table 11.1. Answers to questions asked by the migrate_all_online.sh script
| Question | Answer | 
|---|---|
| X.500 naming context | dc=falcot,dc=com | 
| LDAP server hostname | localhost | 
| Manager DN | cn=admin,dc=falcot,dc=com | 
| Bind credentials | the administrative password | 
| Create DUAConfigProfile | no | 
PERL5LIB variable. This is due to Debian bug report #982666. 
			/etc/aliases file, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should we want to integrate this data into the directory, the /etc/ldap/schema/misc.schema file should be added to the standard schema.
			-c option to the ldapadd command; this option requests that processing doesn't stop in case of error. Using this option is required because converting the /etc/services often generates a few errors that can safely be ignored.
			Table 11.2. Configuring the libnss-ldap package:
| Question | Answer | 
|---|---|
| LDAP server URI (Uniform Resource Identifier) | ldapi://ldap.falcot.com | 
| Distinguished name of the search base | dc=falcot,dc=com | 
| LDAP version to use | 3 | 
| LDAP account for root | cn=admin,dc=falcot,dc=com | 
| LDAP root account password | the administrative password | 
| Allow LDAP admin account to behave like local root? | yes | 
| Does the LDAP database require login? | no | 
/etc/nsswitch.conf file then needs to be modified, so as to configure NSS to use the freshly-installed ldap module. You can use the example provided in /usr/share/doc/libnss-ldap/examples/nsswitch.ldap or edit your existing configuration.
				Example 11.23. The /etc/nsswitch.conf file
```
#ident $Id: nsswitch.ldap,v 2.4 2003/10/02 02:36:25 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:         files ldap
shadow:         files ldap
group:          files ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          dns ldap

# LDAP is nominally authoritative for the following maps.
services:       ldap [NOTFOUND=return] files
networks:       ldap [NOTFOUND=return] files
protocols:      ldap [NOTFOUND=return] files
rpc:            ldap [NOTFOUND=return] files
ethers:         ldap [NOTFOUND=return] files

# no support for netmasks, bootparams, publickey yet.
netmasks:       files
bootparams:     files
publickey:      files
automount:      files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases:        files
sendmailvars:   files

# Note: there is no support for netgroups on Solaris (yet)
netgroup:       ldap [NOTFOUND=return] files
```
ldap module is usually inserted before others, and it will therefore be queried first. The notable exception is the hosts service since contacting the LDAP server requires consulting DNS first (to resolve ldap.falcot.com). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop.
				files module disregarded), services can be configured with the following syntax:
				service: ldap [NOTFOUND=return] files.
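The ordering rules above (files before ldap, dns before ldap for hosts, and [NOTFOUND=return] in front of files) are easier to reason about with a small model of how glibc walks the sources. The following is an added example for this section, not code from the handbook: it parses a constructed nsswitch.conf fragment that uses the same orderings and replays lookups against in-memory backends, so the effect of each ordering, including an unreachable LDAP server, can be checked offline. The database contents and the backend callables are constructed for the demonstration.

```python
"""Model of how glibc walks the sources listed in nsswitch.conf."""
import re

# Constructed fragment using the same orderings as the example file above.
NSSWITCH_SAMPLE = """
# local users first, then the directory
passwd:   files ldap
hosts:    dns ldap
services: ldap [NOTFOUND=return] files
"""

# Actions glibc applies when a line says nothing about a status.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# A source name, or a bracketed action list such as [NOTFOUND=return].
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}.

    A bracket applies to the source just before it; '!STATUS=action' means
    every status except STATUS, as in glibc.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, rest = line.partition(":")
        entries = []
        for token in TOKEN_RE.findall(rest):
            if not token.startswith("["):
                entries.append((token, {}))
                continue
            if not entries:
                raise ValueError(f"{database}: action list before any source")
            actions = entries[-1][1]
            for pair in token[1:-1].split():
                status, _, action = pair.partition("=")
                status, action = status.upper(), action.lower()
                if status.startswith("!"):
                    for other in DEFAULT_ACTIONS:
                        if other != status[1:]:
                            actions[other] = action
                else:
                    actions[status] = action
        config[database.strip()] = entries
    return config


def lookup(config, database, key, backends):
    """Walk the sources for `database` as glibc would.

    `backends` maps a source name to a callable(key) -> (status, value) with
    status one of SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN. Returns
    (status, value, source) for the source whose action was 'return', or the
    last source tried when every source said 'continue'.
    """
    result = ("NOTFOUND", None, None)
    for source, actions in config[database]:
        status, value = backends[source](key)
        result = (status, value, source)
        if {**DEFAULT_ACTIONS, **actions}[status] == "return":
            break
    return result


def _table(rows):
    """Backend answering from a dict (constructed data); NOTFOUND otherwise."""
    return lambda k: ("SUCCESS", rows[k]) if k in rows else ("NOTFOUND", None)


def _down(_key):
    """Backend standing in for an LDAP server that cannot be reached."""
    return ("UNAVAIL", None)


def demo():
    """Replay the orderings above against constructed data."""
    cfg = parse_nsswitch(NSSWITCH_SAMPLE)
    users = {"files": _table({"root": "root:x:0:0"}),
             "ldap": _table({"rhertzog": "rhertzog:x:1000:1000"})}
    local_services = _table({"ssh": "ssh 22/tcp"})
    return {
        # files answers first, so the directory is never asked about root
        "passwd root": lookup(cfg, "passwd", "root", users),
        # files says NOTFOUND and continues, so ldap is asked and answers
        "passwd rhertzog": lookup(cfg, "passwd", "rhertzog", users),
        # ldap is up but has no 'ssh': NOTFOUND=return stops before files
        "services ssh, ldap up": lookup(cfg, "services", "ssh",
                                        {"ldap": _table({}), "files": local_services}),
        # ldap is down: UNAVAIL is not covered by the bracket, so files is tried
        "services ssh, ldap down": lookup(cfg, "services", "ssh",
                                          {"ldap": _down, "files": local_services}),
    }


if __name__ == "__main__":
    for case, (status, value, source) in demo().items():
        print(f"{case:26} -> {status} from {source}: {value}")
```

The two services cases show what [NOTFOUND=return] actually buys: a reachable LDAP server that lacks an entry is authoritative and the local file is skipped, whereas an unreachable server (UNAVAIL) still falls through to the local file, so a directory outage does not take the local service table with it.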
				/etc/environment and /etc/default/locale) that will allow applications to perform the required authentications against the LDAP database.
				Table 11.3. Configuration of libpam-ldap
| Question | Answer | 
|---|---|
| Allow LDAP admin account to behave like local root? | Yes. This allows using the usual passwd command for changing passwords stored in the LDAP database. | 
| Does the LDAP database require logging in? | no | 
| LDAP account for root: | cn=admin,dc=falcot,dc=com | 
| LDAP administrative password: | the LDAP database administrative password | 
| Local encryption algorithm to use for passwords: | crypt | 
| PAM profiles to enable: | LDAP Authentication is among the enabled profiles | 
/etc/pam.d/common-auth, /etc/pam.d/common-password and /etc/pam.d/common-account files. This mechanism uses the dedicated pam-auth-update tool (provided by the libpam-runtime package). This tool can also be run by the administrator should they wish to enable or disable PAM modules.
				./easyrsa build-server-full ldap.falcot.com nopass will ask you about the “common name”. The answer to that question must be the fully-qualified hostname for the LDAP server; in our case, ldap.falcot.com.
					pki/issued/ldap.falcot.com.crt file; the corresponding private key is stored in pki/private/ldap.falcot.com.key.
					openldap user identity:
```
# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
# mv pki/private/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key
# chown root.ssl-cert /etc/ssl/private/ldap.falcot.com.key
# chmod 0640 /etc/ssl/private/ldap.falcot.com.key
# mv pki/issued/ldap.falcot.com.crt /etc/ssl/certs/ldap.falcot.com.pem
# chown root.root /etc/ssl/certs/ldap.falcot.com.pem
# chmod 0644 /etc/ssl/certs/ldap.falcot.com.pem
```
slapd daemon also needs to be told to use these keys for encryption. The LDAP server configuration is managed dynamically: the configuration can be updated with normal LDAP operations on the cn=config object hierarchy, and the server updates /etc/ldap/slapd.d in real time to make the configuration persistent. ldapmodify is thus the right tool to update the configuration:
					Example 11.24. Configuring slapd for encryption
```
# cat >ssl.ldif <<END
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
END
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

# systemctl restart slapd.service
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base | grep TLS
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
olcTLSCertificateKeyFile: /etc/ssl/certs/ldap.falcot.com.key
```
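Because cn=config changes take effect immediately and are persisted by slapd itself, the ldapsearch read-back is the only proof of what the server now holds, and it is worth comparing mechanically against what was submitted rather than by eye. The following is an added example, not code from the handbook: it parses the modify LDIF and the ldapsearch output from the transcript above (both embedded here as constructed strings copied from that example) and lists every attribute whose reported value differs from the submitted one. Run on that transcript it reports olcTLSCertificateKeyFile, whose path differs between the two.

```python
"""Cross-check a cn=config change against what slapd reports back."""
import base64

# Copied from the transcript above: the LDIF submitted with ldapmodify ...
SUBMITTED_LDIF = """\
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
"""

# ... and the lines ldapsearch printed for cn=config afterwards.
REPORTED_OUTPUT = """\
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
olcTLSCertificateKeyFile: /etc/ssl/certs/ldap.falcot.com.key
"""


def _unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line):
    """Split 'attr: value' or 'attr:: base64' into (attr, decoded value)."""
    attr, _, value = line.partition(":")
    value = value.strip()
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode()
    return attr.strip(), value


def parse_modify_ldif(text):
    """Return {attribute: [values]} that a modify LDIF adds or replaces."""
    expected = {}
    current = None
    for line in _unfold(text):
        if not line or line == "-" or line.startswith("#"):
            current = None          # '-' ends one change within the record
            continue
        attr, value = _split_attr(line)
        if attr in ("add", "replace"):
            current = value
            expected.setdefault(current, [])
        elif attr == "delete":
            expected.pop(value, None)
            current = None
        elif attr == current:
            expected[current].append(value)
    return expected


def parse_search_output(text):
    """Return {attribute: [values]} from ldapsearch output, skipping SASL chatter."""
    found = {}
    for line in _unfold(text):
        if not line or line.startswith("#") or line.startswith("SASL") or ":" not in line:
            continue
        attr, value = _split_attr(line)
        found.setdefault(attr, []).append(value)
    return found


def find_mismatches(submitted_ldif, reported_output):
    """Return {attribute: (submitted, reported)} for every attribute that differs."""
    expected = parse_modify_ldif(submitted_ldif)
    found = parse_search_output(reported_output)
    return {attr: (values, found.get(attr, []))
            for attr, values in expected.items()
            if sorted(values) != sorted(found.get(attr, []))}


if __name__ == "__main__":
    for attr, (want, got) in find_mismatches(SUBMITTED_LDIF, REPORTED_OUTPUT).items():
        print(f"{attr}: submitted {want}, server reports {got}")
```

In practice the second input would come from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base` piped into the script; the parser also copes with folded lines and base64-encoded (`::`) values, which ldapsearch emits for attributes containing non-printable characters.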
SLAPD_SERVICES variable in the /etc/default/slapd file. We'll play it safe and disable unsecured LDAP altogether.
					Example 11.25. The /etc/default/slapd file
```
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldaps:/// ldapi:///"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS=""
```
ldaps:// URI.
					/usr/local/share/ca-certificates and running update-ca-certificates.
```
# cp pki/ca.crt /usr/local/share/ca-certificates/falcot.crt
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:falcot.pem
done.
done.
```
/etc/ldap/ldap.conf. This will save quite some typing.
					Example 11.26. The /etc/ldap/ldap.conf file
```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
```