Hi, I have previously used openLDAP and read many of their howto documents for establishing an LDAP server. RH and CentOS provide <brand>-ds-base and related rpms and I like what I see and read about the product. I found the wiki article on installing the rpms and getting it running on a server - so far so good. Then I fall into a big hole. What are the key items that need to be put in place to actually make it useful for my domain? Is there a document somewhere for those of us that want to bridge from openLDAP to the RH based product?

I have read many hundreds of pages, have purchased O'Reilly's LDAP System Administration but cannot seem to get my dirsrv based LDAP to function. I do understand that ds uses LDIF files to store and set things up, but seem unable to grasp the arcane entries that need to exist so I can access it with a basic LDAP client to load my users etc. Also I guess there are certain schemas that need to be used to allow basic functions to work.

My wish list:
- Linux user authentication and authorization
- Windows user authentication and authorization (via samba?)
- customer contact list (name, address, company, phone numbers, email addresses) - this last one to be used by Thunderbird and my SIP phone system - both of which profess to speak LDAP

I'm sure there are many small business folk that would like something like this, however I cannot find a template with all my searches, so for those of you with better LDAP and or google skills - please point me in the right direction.

Thanks Rob
On Jul 30, 2009, at 1:03 PM, Rob Kampen wrote:
Hi, I have previously used openLDAP and read many of their howto documents for establishing an LDAP server. RH and CentOS provide <brand>-ds-base and related rpms and I like what I see and read about the product. I found the wiki article on installing the rpms and getting it running on a server - so far so good. Then I fall into a big hole. What are the key items that need to be put in place to actually make it useful for my domain? Is there a document somewhere for those of us that want to bridge from openLDAP to the RH based product?

I have read many hundreds of pages, have purchased O'Reilly's LDAP System Administration but cannot seem to get my dirsrv based LDAP to function. I do understand that ds uses LDIF files to store and set things up, but seem unable to grasp the arcane entries that need to exist so I can access it with a basic LDAP client to load my users etc. Also I guess there are certain schemas that need to be used to allow basic functions to work.

My wish list:
- Linux user authentication and authorization
- Windows user authentication and authorization (via samba?)
- customer contact list (name, address, company, phone numbers, email addresses) - this last one to be used by Thunderbird and my SIP phone system - both of which profess to speak LDAP

I'm sure there are many small business folk that would like something like this, however I cannot find a template with all my searches, so for those of you with better LDAP and or google skills - please point me in the right direction.

Thanks Rob
Hi Rob,
The documentation for the 389 Directory Server (née Fedora Directory Server) may answer a lot of your questions. Since Red Hat Directory Server (and therefore CentOS Directory Server) is based on its code, I think you'll find much of its documentation applicable.
http://directory.fedoraproject.org/wiki/Documentation
Among other things, you should find pages on the linked site which talk about authentication, migration from OpenLDAP, Samba, etc.
Regards,
James
On Thu, Jul 30, 2009 at 1:03 PM, Rob Kampen <rkampen@kampensonline.com> wrote: [snip]
I have read many hundreds of pages, have purchased O'Reilly's LDAP System Administration but cannot seem to get my dirsrv based LDAP to function. I do understand that ds uses LDIF files to store and set things up, but seem unable to grasp the arcane entries that need to exist so I can access it with a basic LDAP client to load my users etc. Also I guess there are certain schemas that need to be used to allow basic functions to work.

My wish list:
- Linux user authentication and authorization
- Windows user authentication and authorization (via samba?)
- customer contact list (name, address, company, phone numbers, email addresses) - this last one to be used by Thunderbird and my SIP phone system - both of which profess to speak LDAP

I'm sure there are many small business folk that would like something like this, however I cannot find a template with all my searches, so for those of you with better LDAP and or google skills - please point me in the right direction.
There's a pretty straightforward guide at HowToForge.com (search for "CentOS LDAP"). It's a little dated, but works as advertised. In a nutshell the installation requires installing the centos-ds packages (about 4), installing a Sun Java, and then populating the database. The client side is even simpler.
Linux and Windows user authentication is straightforward, with GUI based setup and editing.
The default schema I use doesn't include address, company, etc., but these are very easily added. I tested with kaddressbook and a couple other LDAP browsers without any glitches.
On Thursday 30 July 2009 19:23:24 Kwan Lowe wrote:
On Thu, Jul 30, 2009 at 1:03 PM, Rob Kampen <rkampen@kampensonline.com> wrote: [snip]
I have read many hundreds of pages, have purchased O'Reilly's LDAP System Administration but cannot seem to get my dirsrv based LDAP to function. I do understand that ds uses LDIF files to store and set things up, but seem unable to grasp the arcane entries that need to exist so I can access it with a basic LDAP client to load my users etc. Also I guess there are certain schemas that need to be used to allow basic functions to work.

My wish list:
- Linux user authentication and authorization
- Windows user authentication and authorization (via samba?)
- customer contact list (name, address, company, phone numbers, email addresses) - this last one to be used by Thunderbird and my SIP phone system - both of which profess to speak LDAP

I'm sure there are many small business folk that would like something like this, however I cannot find a template with all my searches, so for those of you with better LDAP and or google skills - please point me in the right direction.
I'm going through the same process as Rob (the OP) at the moment. I want to set up centos-directory server. Initially I want it to replace a NIS and Samba system with about 1200 existing users.
There's a pretty straightforward guide at HowToForge.com (search for "CentOS LDAP"). It's a little dated, but works as advertised. In a nutshell the installation requires installing the centos-ds packages (about 4), installing a Sun Java, and then populating the database. The client side is even simpler.
Installing centos-ds is not a problem. It's what you do after it. Especially for people like me who have no experience with OpenLDAP.
Linux and Windows user authentication is straightforward, with GUI based setup and editing.
With 1200 existing users to be migrated then GUI based setup and editing is not very useful.
The default schema I use doesn't include address, company, etc., but these are very easily added. I tested with kaddressbook and a couple other LDAP browsers without any glitches.
I'm going through the Howto:Samba from <directory.fedoraproject.org> at the moment and hopefully that will get me started.
But what would be nice is:
1. Howto:migrate existing NIS to CentosDS
2. Howto:migrate existing Samba to CentosDS
Regards,
Tony
On Fri, 2009-07-31 at 08:20 +0100, Tony Molloy wrote:
On Thursday 30 July 2009 19:23:24 Kwan Lowe wrote:
On Thu, Jul 30, 2009 at 1:03 PM, Rob Kampen <rkampen@kampensonline.com> wrote: [snip]
I have read many hundreds of pages, have purchased O'Reilly's LDAP System Administration but cannot seem to get my dirsrv based LDAP to function. I do understand that ds uses LDIF files to store and set things up, but seem unable to grasp the arcane entries that need to exist so I can access it with a basic LDAP client to load my users etc. Also I guess there are certain schemas that need to be used to allow basic functions to work.

My wish list:
- Linux user authentication and authorization
- Windows user authentication and authorization (via samba?)
- customer contact list (name, address, company, phone numbers, email addresses) - this last one to be used by Thunderbird and my SIP phone system - both of which profess to speak LDAP

I'm sure there are many small business folk that would like something like this, however I cannot find a template with all my searches, so for those of you with better LDAP and or google skills - please point me in the right direction.
I'm going through the same process as Rob (the OP) at the moment. I want to set up centos-directory server. Initially I want it to replace a NIS and Samba system with about 1200 existing users.
There's a pretty straightforward guide at HowToForge.com (search for "CentOS LDAP"). It's a little dated, but works as advertised. In a nutshell the installation requires installing the centos-ds packages (about 4), installing a Sun Java, and then populating the database. The client side is even simpler.
Installing centos-ds is not a problem. It's what you do after it. Especially for people like me who have no experience with OpenLDAP.
Linux and Windows user authentication is straightforward, with GUI based setup and editing.
With 1200 existing users to be migrated then GUI based setup and editing is not very useful.
The default schema I use doesn't include address, company, etc., but these are very easily added. I tested with kaddressbook and a couple other LDAP browsers without any glitches.
I'm going through the Howto:Samba from <directory.fedoraproject.org> at the moment and hopefully that will get me started.
But what would be nice is:
- Howto:migrate existing NIS to CentosDS
- Howto:migrate existing Samba to CentosDS
---- seriously...I don't think you are ever going to find such a beast.
There are some really good tools from padl to migrate nis to ldap (on Redhat/CentOS installed as part of openldap-servers package). This may require some amount of script-fu (perl, sed, awk, etc.) but not too much. Then to add the samba attributes/passwords/machine accounts will require a larger dose of script-fu.
But this all would be virtually impossible without a decent knowledge of how LDAP works and that is regardless of whether you use CentOS-DS or OpenLDAP.
Craig
On Friday 31 July 2009 15:05:29 Craig White wrote:
<snip>
I'm going through the Howto:Samba from <directory.fedoraproject.org> at the moment and hopefully that will get me started.
But what would be nice is:
- Howto:migrate existing NIS to CentosDS
- Howto:migrate existing Samba to CentosDS
seriously...I don't think you are ever going to find such a beast.
True, it was a wish list after all ;-)
There are some really good tools from padl to migrate nis to ldap (on Redhat/CentOS installed as part of openldap-servers package). This may require some amount of script-fu (perl, sed, awk, etc.) but not too much. Then to add the samba attributes/passwords/machine accounts will require a larger dose of script-fu.
I've got them and they are useful. As I said I'm going through the Howto:Samba now.
But this all would be virtually impossible without a decent knowledge of how LDAP works and that is regardless of whether you use CentOS-DS or OpenLDAP.
Craig
After reading Carter's book I think I've got some idea of how LDAP works. Just a pity that most books/documentation seem to be about OpenLDAP so it takes a while to convert to Centos-DS.
regards, Tony
On Fri, 2009-07-31 at 16:00 +0100, Tony Molloy wrote:
But this all would be virtually impossible without a decent knowledge of how LDAP works and that is regardless of whether you use CentOS-DS or OpenLDAP.
Craig
After reading Carter's book I think I've got some idea of how LDAP works. Just a pity that most books/documentation seem to be about OpenLDAP so it takes a while to convert to Centos-DS.
---- I agree that Gerald Carter's book makes LDAP understandable.
The reality is that the LDAP API is pretty much the same and you actually use openldap-client and nss-ldap tools even with CentOS-DS. I haven't used CentOS-DS but I have used Fedora-DS and it is built from Fedora-DS. The difference between them is setup of schema, certificates, ACLs/ACIs and I found once I understood OpenLDAP, that Fedora-DS was easy enough to use with only a few questions.
I think you might want to subscribe to https://www.redhat.com/mailman/listinfo/fedora-directory-users
Craig
On Friday 31 July 2009 16:12:12 Craig White wrote:
On Fri, 2009-07-31 at 16:00 +0100, Tony Molloy wrote:
But this all would be virtually impossible without a decent knowledge of how LDAP works and that is regardless of whether you use CentOS-DS or OpenLDAP.
Craig
After reading Carter's book I think I've got some idea of how LDAP works. Just a pity that most books/documentation seem to be about OpenLDAP so it takes a while to convert to Centos-DS.
I agree that Gerald Carter's book makes LDAP understandable.
The reality is that the LDAP API is pretty much the same and you actually use openldap-client and nss-ldap tools even with CentOS-DS. I haven't used CentOS-DS but I have used Fedora-DS and it is built from Fedora-DS. The difference between them is setup of schema, certificates, ACLs/ACIs and I found once I understood OpenLDAP, that Fedora-DS was easy enough to use with only a few questions.
I think you might want to subscribe to https://www.redhat.com/mailman/listinfo/fedora-directory-users
Craig
Already subscribed!!
Tony
On Fri, Jul 31, 2009 at 3:20 AM, Tony Molloy <tony.molloy@ul.ie> wrote:
Installing centos-ds is not a problem. It's what you do after it. Especially for people like me who have no experience with OpenLDAP.
Linux and Windows user authentication is straightforward, with GUI based setup and editing.
With 1200 existing users to be migrated then GUI based setup and editing is not very useful.
I had to move about 200 Unix users from OpenLDAP to RHDS. For a brief moment I considered just manually doing it, but reason got the better of me. The approach I took:
1) Exported the database from OpenLDAP. Actually, just used an ldapsearch and pulled over all the users and groups and dropped it into an LDIF.
2) Created a few test users on Fedora DS then ran a similar export process. This gave me an LDIF that I could compare.
3) Next was a matter of writing a bunch of awk scripts to convert the OpenLDAP to Fedora LDIF format. The biggest problem I had was the password format. I don't recall much of the details exactly, but there were some issues with the crypt method. In the end I wrote another script that wrapped mkpasswd and then just did an update. It emailed the users with the new password. For those without an email address (maybe 30 or so), it set a default password based on the username.
The default schema I use doesn't include address, company, etc., but these are very easily added. I tested with kaddressbook and a couple other LDAP browsers without any glitches.
I'm going through the Howto:Samba from <directory.fedoraproject.org> at the moment and hopefully that will get me started.
But what would be nice is:
- Howto:migrate existing NIS to CentosDS
- Howto:migrate existing Samba to CentosDS
For the LDAP information itself, you could probably do a similar thing. E.g., parse the relevant passwd, group, shadow and login files then create an LDIF to import. OpenLDAP has a bunch of scripts to migrate from NIS/local files also, so they would be my first step.
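As an added example (not code from anyone in this thread), here is the kind of converter the previous paragraph and Kwan's step 3 describe: it turns passwd, group and shadow lines into posixAccount/posixGroup LDIF ready for import, carries the shadow hash over as a {CRYPT} userPassword, skips locked accounts, and base64-encodes values LDIF cannot carry plainly. The suffix dc=example,dc=com and the sample records are assumptions.

```python
import base64

BASE_DN = "dc=example,dc=com"  # assumption: your directory suffix

# Constructed sample records, not real accounts.
PASSWD = ("alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
          "bob:x:1002:1002:Bob Example:/home/bob:/bin/sh\n")
SHADOW = ("alice:$6$saltsalt$fakehashvalue:18000:0:99999:7:::\n"
          "bob:!:18000:0:99999:7:::\n")
GROUP = "users:x:1001:alice,bob\nadmins:x:1003:alice\n"

def attr(name, value):
    """One LDIF attribute line; base64-encode values LDIF cannot carry plainly (RFC 2849)."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"

def people_ldif(passwd, shadow):
    """posixAccount entries under ou=People, carrying the shadow hash as {CRYPT}."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines()}
    blocks = []
    for line in passwd.splitlines():
        uid, _, uidnum, gidnum, gecos, home, shell = line.split(":")
        lines = [f"dn: uid={uid},ou=People,{BASE_DN}", "objectClass: top",
                 "objectClass: account", "objectClass: posixAccount",
                 attr("uid", uid), attr("cn", gecos.split(",")[0] or uid),
                 attr("uidNumber", uidnum), attr("gidNumber", gidnum),
                 attr("homeDirectory", home), attr("loginShell", shell)]
        pw = hashes.get(uid, "")
        # Locked ("!") or disabled ("*") accounts get no password; a hash in a crypt
        # variant the target server does not support needs a reset, not an import.
        if pw and pw[0] not in "!*":
            lines.append(attr("userPassword", "{CRYPT}" + pw))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def groups_ldif(group):
    """posixGroup entries under ou=Groups with one memberUid per member."""
    blocks = []
    for line in group.splitlines():
        name, _, gidnum, members = line.split(":")
        lines = [f"dn: cn={name},ou=Groups,{BASE_DN}", "objectClass: top",
                 "objectClass: posixGroup", attr("cn", name), attr("gidNumber", gidnum)]
        lines += [attr("memberUid", m) for m in members.split(",") if m]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

The concatenated output of people_ldif and groups_ldif is what you would hand to ldapadd against the new server, after diffing it against an export of a hand-made test user as Kwan's step 2 suggests.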