Daouda LO wrote:
> Buchan Milne <[EMAIL PROTECTED]> writes:
>
>
>>FACORAT Fabrice wrote:
>>
>>
>>>Just a question : could userdrake allow to switch auth system ( files
>>><-> NIS <-> LDAP ) easily after installation ?
>>>
>>
>>No, but openldap-migration should help you to do most of it. I had hoped
>>to have time to work on a GUI for openldap, but I don't think I will.
>
>
> It's on my todo and i need your help for this as i don't know ldap
> enough.
Attached is a script that could be seen as a simple prototype for
setting up a single LDAP server. Instead of (or in addition to)
prompting for min/max UIDs, a dual-user-list approach (as in say the kcm
module for samba in ksambaplugin contrib package) may be better.
The samba import mechanism may change for samba3, but I haven't imported
for samba3 yet since some aspects of LDAP support are still broken at
present.
For more info (a complete tool for this would need to support adding
LDAP slaves etc) see the updated articles on mandrakesecure.net:
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
http://www.mandrakesecure.net/en/docs/samba-pdc.php
http://www.mandrakesecure.net/en/docs/ldap-auth2.php
Note that for the client side, some changes need to be made in drakx for
LDAP support to make it work better out-the-box:
- use objectclass posixaccount instead of objectclass account (deprecated
in openldap-2.1.x, many tools don't add it anyway) in pam_filter in
/etc/ldap.conf
- put pam_pwdb before pam_ldap in /etc/pam.d/system-auth
- add "ldap" to the automount line of /etc/nsswitch.conf
- If NIS or LDAP are used for auth, and NFS is installed, install
autofs also
(last two changes mean that automount maps that are stored in ldap will
be used without any further configuration on the client machine, and
users will be able to log in to an NFS-mounted home directory and have all
other NFS shares mounted on access - extremely low maintenance solution
rivalling Active Directory-based folder redirection - just missing
per-OU support or similar).
(Pixel, do you rather want a bugzilla bug?)
I will be happy to test import to LDAP from system accounts if it can be
done on 9.1 (my cooker box has no local accounts, all are in LDAP already).
Regards,
Buchan
--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
#!/bin/bash
# Prototype for populating a single LDAP server with the local accounts,
# groups and (optionally) Samba users, using the migration scripts from the
# openldap-migration package.
# Needs perl-ldap and perl-Convert-ASN1 to import samba passwords.

# /etc/shadow is only readable by root, and temporary files are written to /etc.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

echo "Before continuing, please check that your local LDAP server is running"

# Default UID/GID ranges to import; can be overridden from the environment.
PASSWD_MIN=${PASSWD_MIN:-500}
PASSWD_MAX=${PASSWD_MAX:-65000}
GROUP_MIN=${GROUP_MIN:-500}
GROUP_MAX=${GROUP_MAX:-65000}
LDAP_MIGRATION=/usr/share/openldap/migration

# Example site values; if exported they become the defaults offered by the
# prompts below (an empty answer keeps the default).
#export LDAP_BASEDN="dc=home,dc=control,dc=co,dc=za"
#export LDAP_DEFAULT_MAIL_DOMAIN="control.co.za"
#export LDAP_DEFAULT_MAIL_HOST="mail.home.control.co.za"
#export LDAP_ROOTDN="cn=root,dc=home,dc=control,dc=co,dc=za"

BASE_CONFIRMED=0
while [ $BASE_CONFIRMED -eq 0 ]
do
    read -p "Enter your LDAP BaseDN [$LDAP_BASEDN]: " ANSWER
    [ -n "$ANSWER" ] && export LDAP_BASEDN="$ANSWER"
    read -p "Enter your default mail domain [$LDAP_DEFAULT_MAIL_DOMAIN]: " ANSWER
    [ -n "$ANSWER" ] && export LDAP_DEFAULT_MAIL_DOMAIN="$ANSWER"
    read -p "Enter your default mail host [$LDAP_DEFAULT_MAIL_HOST]: " ANSWER
    [ -n "$ANSWER" ] && export LDAP_DEFAULT_MAIL_HOST="$ANSWER"
    read -p "Enter your LDAP Root DN [$LDAP_ROOTDN]: " ANSWER
    [ -n "$ANSWER" ] && export LDAP_ROOTDN="$ANSWER"
    read -p "Did you enter the correct values? [(y)/n]: " ANSWER
    [ "$ANSWER" = "n" ] || BASE_CONFIRMED=1
done
# The migrate_*.pl scripts pick these variables up from the environment.
export LDAP_EXTENDED_SCHEMA=1

read -s -p "Enter LDAP Root DN Password: " LDAP_BINDPW
echo

# -c: keep going after errors (e.g. entries that already exist).
# Note: -w places the password on the ldapadd command line, where other
# local users can see it in the process list while ldapadd runs.
ldap_add() {
    ldapadd -x -H ldap://localhost -D "$LDAP_ROOTDN" -w "$LDAP_BINDPW" -c
}

# These scripts need to be run from inside LDAP_MIGRATION to "use" the
# config file
pushd "$LDAP_MIGRATION" >/dev/null || exit 1

echo -e "\n\nImporting base entries:\n"
$LDAP_MIGRATION/migrate_base.pl | ldap_add

echo -e "\nEntering user import section\n"
PASSWD_CONFIRMED=0
while [ $PASSWD_CONFIRMED -eq 0 ]; do
    read -p "Enter the lowest UID you would like to import [$PASSWD_MIN]: " PASSWD_MIN1
    read -p "Enter the highest UID you would like to import [$PASSWD_MAX]: " PASSWD_MAX1
    [ -n "$PASSWD_MIN1" ] && PASSWD_MIN=$PASSWD_MIN1
    [ -n "$PASSWD_MAX1" ] && PASSWD_MAX=$PASSWD_MAX1
    echo "The range you entered was $PASSWD_MIN - $PASSWD_MAX"
    read -p "Is this correct [(y)/n]: " ANSWER
    [ "$ANSWER" = "n" ] || PASSWD_CONFIRMED=1
done
# Skip entries containing '$' (Samba machine trust accounts, e.g. host$)
# and keep only UIDs inside the chosen range (both ends inclusive).
awk -F: -v min="$PASSWD_MIN" -v max="$PASSWD_MAX" \
    '/\$/ {next}; $3 >= min && $3 <= max' /etc/passwd > /etc/passwd.ldap
echo "Importing users:"
# ETC_SHADOW tells migrate_passwd.pl where to read the password hashes from.
ETC_SHADOW=/etc/shadow $LDAP_MIGRATION/migrate_passwd.pl /etc/passwd.ldap | ldap_add
rm -f /etc/passwd.ldap

echo -e "\nEntering group import section\n"
GROUP_CONFIRMED=0
while [ $GROUP_CONFIRMED -eq 0 ]; do
    read -p "Enter the lowest GID you would like to import [$GROUP_MIN]: " GROUP_MIN1
    read -p "Enter the highest GID you would like to import [$GROUP_MAX]: " GROUP_MAX1
    [ -n "$GROUP_MIN1" ] && GROUP_MIN=$GROUP_MIN1
    [ -n "$GROUP_MAX1" ] && GROUP_MAX=$GROUP_MAX1
    echo "The range you entered was $GROUP_MIN - $GROUP_MAX"
    read -p "Is this correct [(y)/n]: " ANSWER
    [ "$ANSWER" = "n" ] || GROUP_CONFIRMED=1
done
# Same filter as for users: skip machine accounts, keep GIDs in range.
awk -F: -v min="$GROUP_MIN" -v max="$GROUP_MAX" \
    '/\$/ {next}; $3 >= min && $3 <= max' /etc/group > /etc/group.ldap
echo "Importing groups:"
$LDAP_MIGRATION/migrate_group.pl /etc/group.ldap | ldap_add
rm -f /etc/group.ldap
popd >/dev/null

if [ -e /etc/samba/smbpasswd ]
then
    echo "Importing existing samba users requires preparation, by editing"
    echo "/usr/share/samba/scripts/import_smbpasswd.pl"
    read -p "Do you want to try and import Samba users [(y)/n]: " IMPORT_SAMBA
    [ "$IMPORT_SAMBA" = "n" ] || /usr/share/samba/scripts/import_smbpasswd.pl < /etc/samba/smbpasswd
fi
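The four client-side changes listed in the mail (pam_filter objectclass, pam_pwdb before pam_ldap, ldap on the automount line, autofs when NIS/LDAP auth is in use) can be verified on a client with the following added check script; it is not part of the original mail or of the Mandrake tools, and it assumes the default paths /etc/ldap.conf, /etc/pam.d/system-auth and /etc/nsswitch.conf named there, plus an automount binary in PATH.

```shell
#!/bin/sh
# Checks for the four client-side settings listed in the mail (added example,
# not from the original message). Each check takes the path of the file to
# inspect and returns 0 when the setting is in place.

# 1. /etc/ldap.conf: pam_filter uses objectclass=posixAccount, not the
#    deprecated objectclass=account (commented-out lines are ignored).
check_pam_filter() {
    grep -Eiq '^[[:space:]]*pam_filter[[:space:]]+objectclass=posixaccount([[:space:]]|$)' \
        "$1" 2>/dev/null
}

# 2. /etc/pam.d/system-auth: the first local auth module (pam_pwdb, or
#    pam_unix on later systems) must come before pam_ldap.
check_pam_order() {
    pwdb_line=$(grep -En '^auth.*pam_(pwdb|unix)\.so' "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    ldap_line=$(grep -En '^auth.*pam_ldap\.so' "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pwdb_line" ] && [ -n "$ldap_line" ] && [ "$pwdb_line" -lt "$ldap_line" ]
}

# 3. /etc/nsswitch.conf: the automount source list includes ldap.
check_nss_automount() {
    grep -Eq '^automount:[[:space:]]*([^#]*[[:space:]])?ldap([[:space:]]|$)' "$1" 2>/dev/null
}

# 4. passwd lookups via nis or ldap mean autofs is needed so that maps stored
#    in LDAP are mounted on access; the optional argument names the binary.
needs_autofs() {
    grep -Eq '^passwd:.*[[:space:]](nis|ldap)([[:space:]]|$)' "$1" 2>/dev/null
}
check_autofs_installed() {
    command -v "${1:-automount}" >/dev/null 2>&1
}

# Run against the live system; paths are the Mandrake defaults from the mail
# and can be overridden through the environment.
LDAP_CONF=${LDAP_CONF:-/etc/ldap.conf}
PAM_AUTH=${PAM_AUTH:-/etc/pam.d/system-auth}
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
check_pam_filter "$LDAP_CONF" && echo "ok:  pam_filter uses objectclass=posixAccount" \
    || echo "FIX: set 'pam_filter objectclass=posixAccount' in $LDAP_CONF"
check_pam_order "$PAM_AUTH" && echo "ok:  pam_pwdb/pam_unix precedes pam_ldap" \
    || echo "FIX: put the pam_pwdb auth line before pam_ldap in $PAM_AUTH"
check_nss_automount "$NSSWITCH" && echo "ok:  automount maps are looked up in ldap" \
    || echo "FIX: add ldap to the automount line of $NSSWITCH"
if needs_autofs "$NSSWITCH" && ! check_autofs_installed; then
    echo "FIX: passwd uses nis/ldap but automount (autofs) is not installed"
fi
```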