Samba – Manual Migration from OpenLDAP to eDirectory on SLES

Author Info

25 August 2009 - 1:26pm
Submitted by: palaniappan1


This AppNote describes how to migrate Samba from OpenLDAP to eDirectory so that LDAP-based applications keep working. OES offers eDirectory as an alternative to OpenLDAP, but applications already using LDAP on SLES would break unless the existing data is migrated from OpenLDAP to eDirectory.

Contents:

Topics: Migrating schema, data and applications from OpenLDAP to eDirectory
Prerequisite Skills: Familiarity with LDAP, Samba, SLES
Operating System: SLES
Tools: yast2, ldapconfig, ice, iManager

Introduction

SLES ships OpenLDAP as its default directory. Novell's OES offering makes eDirectory available to customers, so with OES the administrator has the option of using eDirectory as the default directory. Because some SLES applications use an LDAP directory, the existing data in OpenLDAP has to be migrated to eDirectory. Refer to the existing OES documentation for information on installing eDirectory in the various scenarios. Once the data is migrated to eDirectory, minor configuration changes might be needed to make the directory-enabled SLES applications work with eDirectory.

Wherever this document mentions "SLES applications" or "targeted applications", it refers to Samba, the only application covered here.

Scope of this document

An install or upgrade to OES can take place in various scenarios. This document focuses only on those where the OpenLDAP server holds data that needs to be migrated to eDirectory. The migration is needed to prevent LDAP-based applications from breaking as part of the upgrade to eDirectory/OES.

Scenarios not covered in this scope

Scenarios requiring migration from a "Do not use LDAP" configuration to "Use LDAP" with eDirectory are not in the scope of this document.

Scenarios in which applications other than the ones mentioned above are installed, use LDAP, and have had the OpenLDAP schema extended for them are also not covered.

Though not every issue arising in such scenarios is addressed here, this document may serve as a set of broader guidelines on how to go about the migration and how to troubleshoot the issues.

Migrating from OpenLDAP to eDirectory

Migration from one directory to another usually involves two steps: first the schema is migrated, then the data conforming to that schema. Both steps may require some troubleshooting, which we describe in detail.

The targeted SLES applications do not have to use LDAP; they can be configured not to use LDAP at all. Hence, this step is performed only for those applications for which the OpenLDAP schema has been extended.

The OpenLDAP schema gets extended when an application is configured for the first time to use LDAP. This extension is not reverted if the application's configuration later changes from "Use LDAP" to "Do not use LDAP".

Though there are multiple options to do the full migration, we take the following approach:

  1. Extend eDirectory schema with posixAccount schema
  2. Extend eDirectory schema with samba schema

For this approach to work, eDirectory must be running. We also do this over SSL/TLS, which we recommend. Before starting, we need the trusted root certificate (say, TrustedRootCertificate.der, which can be obtained through iManager or ConsoleOne) of the server we are going to connect to.

The default LDAP configuration for eDirectory includes "Require TLS for Simple Binds with Password=yes". In order to execute the following commands successfully, this setting needs to be changed to "no" temporarily, that is, for the duration of the imports. It can be done using the following command:

ldapconfig -w <password> -a <admin fdn in eDirectory format> -s "Require TLS for Simple Binds with Password=<yes/no>"

Example:

ldapconfig -w secret -a admin.acme -s "Require TLS for Simple Binds with Password=no"

Extending eDirectory schema with posixAccount schema

To extend the eDirectory schema with the posixAccount schema, which provides the fields necessary for POSIX-compliant user accounts (user ID (uidNumber), primary group (gidNumber), login shell, home directory, etc.), import the schema file into eDirectory by executing the following command:

ice -v -e <name of ldif file for errors> -S SCH -f <the nds schema file> -c -D LDAP -p <destination ldap port> -d <fdn of admin for destination in LDAP format> -w <password> -L <the trusted root certificate of the eDirectory server>

Example:

ice -v -e errorlog.ldif -S SCH -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-usergroup.sch -c -D LDAP -p 636 -d cn=admin,dc=acme -w secret -L /home/export/TrustedRootCertificate.der

On successful completion of the above command, the following output is shown.

Getting source schema...done.
Schema Entry No 1:Parsed an attribute with entryname:uidNumber
Schema Entry No 2:Parsed an attribute with entryname:gidNumber
Schema Entry No 3:Parsed an attribute with entryname:gecos
Schema Entry No 4:Parsed an attribute with entryname:homeDirectory
Schema Entry No 5:Parsed an attribute with entryname:loginShell
Schema Entry No 6:Parsed an attribute with entryname:shadowLastChange
Schema Entry No 7:Parsed an attribute with entryname:shadowMin
Schema Entry No 8:Parsed an attribute with entryname:shadowMax
Schema Entry No 9:Parsed an attribute with entryname:shadowWarning
Schema Entry No 10:Parsed an attribute with entryname:shadowInactive
Schema Entry No 11:Parsed an attribute with entryname:shadowExpire
Schema Entry No 12:Parsed an attribute with entryname:shadowFlag
Schema Entry No 13:Parsed an attribute with entryname:memberUid
Schema Entry No 14:Parsed an objectclass with entryname:posixAccount
Schema Entry No 15:Parsed an objectclass with entryname:shadowAccount
Schema Entry No 16:Parsed an objectclass with entryname:posixGroup

Summary :
        Total Records Parsed    = 16
        Attributes Parsed       = 13
        ObjectClasses Parsed    = 3

Getting destination schema...done.
Starting schema update...
Done.

Extending eDirectory schema with samba schema

To extend the eDirectory schema with the Samba schema, which creates the attributes Samba needs such as the SID and hashed passwords, import the Samba schema file by executing the following command.

ice -v -e <name of ldif file for errors> -S LDIF -f <the samba nds schema file> -c -D LDAP -p <destination ldap port> -d <fdn of admin for destination in LDAP format> -w <password> -L <the trusted root certificate of the eDirectory server>

Example:

ice -v -e errorlog.ldif -S LDIF -f /usr/share/doc/packages/samba/examples/LDAP/samba-nds.schema -c -D LDAP -p 636 -d cn=admin,dc=acme -w secret -L /home/export/TrustedRootCertificate.der
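The two imports above as one script, added here as an example that is not part of the AppNote: it relaxes "Require TLS for Simple Binds with Password" only for the duration of the imports and puts it back to "yes" even when an import fails, then treats a non-empty error LDIF (the file given to ice with -e) as a failed import. ldapconfig and ice are the article's tools with the article's options; the paths, port and DNs default to the article's examples; ADMIN_PW, RUN_MIGRATION and the errors-*.ldif file names are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the AppNote: run the two schema imports from
# above as one step, relaxing "Require TLS for Simple Binds with Password"
# only for the duration of the imports and restoring it even if an import
# fails. Paths, ports and DNs default to the article's examples; the admin
# password is read from ADMIN_PW (a variable of this script, not of ice).

set -u

ADMIN_NDS="${ADMIN_NDS:-admin.acme}"           # admin in eDirectory (dotted) format
ADMIN_LDAP="${ADMIN_LDAP:-cn=admin,dc=acme}"   # same admin in LDAP format
PORT="${PORT:-636}"
CERT="${CERT:-/home/export/TrustedRootCertificate.der}"
POSIX_SCH="${POSIX_SCH:-/opt/novell/eDirectory/lib/nds-schema/rfc2307-usergroup.sch}"
SAMBA_SCH="${SAMBA_SCH:-/usr/share/doc/packages/samba/examples/LDAP/samba-nds.schema}"

# Set the TLS-for-simple-bind requirement to $1 ("yes" or "no").
set_require_tls() {
    ldapconfig -w "$ADMIN_PW" -a "$ADMIN_NDS" \
        -s "Require TLS for Simple Binds with Password=$1"
}

# Import one schema file with ice. $1 = source handler (SCH or LDIF, as in
# the article), $2 = schema file, $3 = error LDIF that ice writes with -e.
import_schema() {
    ice -v -e "$3" -S "$1" -f "$2" -c -D LDAP -p "$PORT" \
        -d "$ADMIN_LDAP" -w "$ADMIN_PW" -L "$CERT"
}

# 0 when the error LDIF is absent or empty, i.e. nothing was rejected.
error_log_clean() {
    [ ! -s "$1" ]
}

# Both imports in the article's order; the requirement is put back to "yes"
# before the result is evaluated, so a failed import cannot leave it relaxed.
migrate_schema() {
    rc=0
    set_require_tls no || return 1
    import_schema SCH  "$POSIX_SCH" errors-posix.ldif || rc=1
    import_schema LDIF "$SAMBA_SCH" errors-samba.ldif || rc=1
    set_require_tls yes || rc=1
    for log in errors-posix.ldif errors-samba.ldif; do
        error_log_clean "$log" || { echo "$log: rejected entries, see file" >&2; rc=1; }
    done
    return $rc
}

# Runs only when invoked as RUN_MIGRATION=1 ADMIN_PW=... sh thisscript.sh,
# so the functions can also be sourced and exercised without a live server.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    : "${ADMIN_PW:?set ADMIN_PW to the eDirectory admin password}"
    migrate_schema
fi
```

The restore step is the reason for the wrapper: the article only says the setting is changed "temporarily", and a server left with the requirement at "no" accepts cleartext simple binds from every LDAP client, not just from ice.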

Once you see no errors, the applications can be validated, first against OpenLDAP itself.

Validating the applications

Before stopping OpenLDAP and configuring the applications for eDirectory, it is recommended to test the individual SLES LDAP applications. This may require some generic configuration changes and some application-specific ones. This section describes the generic modifications in the LDAP Client.

  1. Start yast2 and click on "Network Services" in the left pane.
  2. Click on "LDAP Client" to launch the LDAP Client Configuration window.
  3. For the field "Address of LDAP Servers", enter the correct IP address and the port separated by a colon. For example, if it is the local machine and eDirectory is listening on port 1389, enter "127.0.0.1:1389" in this field.
  4. Click on the button "Advanced Configuration..." in LDAP Client Configuration window.
  5. In the "Advanced Configuration" window, configure appropriate value for "Administrator DN" field. For our example, this value would be "cn=admin,dc=acme".
  6. Click on the button "Next" to come back to the "LDAP Client Configuration" window.
  7. Click on button "Finish" in "LDAP Client Configuration" window.

In the following sections we describe how to ensure that the SLES applications that used OpenLDAP before the migration continue to work with eDirectory. Naturally, this applies only to those applications that were using OpenLDAP before the migration.

Ensuring that Samba works properly with eDirectory

Open iManager and log in to the eDirectory server to be connected.

Create users and add needed extensions

  1. First create an OU in the tree (say, Users)
  2. Within this OU, create a group (say, eDirectoryUsers)
  3. Under the Schema section, click "Object Extensions"
  4. Select the group you created above and click OK
  5. Click Add, select posixGroup and click OK
  6. In the pop-up window, enter a group number that is not in use on the Linux server, then click OK, and OK again
  7. You should now see posixGroup listed as an extension

  8. Create a user (say, testuser) in the OU you created earlier and set a password (no need to enter a simple password)
  9. Click OK to save the user
  10. Click on "Object Extensions"
  11. Choose the user you have just created and add the posixAccount extension
  12. Enter /home/username (/home/testuser here) in the 'homeDirectory' field
  13. Enter the group number you used above in 'gidNumber', enter a unique user ID number in the 'uidNumber' field, then click OK, and OK again

You should now see posixAccount listed as an extension

We will create the home folder later.
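The same three objects (OU, posixGroup-extended group, posixAccount-extended user) written as LDIF for import from the command line, as an added example that is not part of the AppNote. It goes a little beyond the iManager steps: the "group number not in use on the Linux server" check from step 6 is done by reading the local group and passwd files, and the same check is applied to the uid. Assumptions: eDirectory presents its Group and User classes as groupOfNames and inetOrgPerson over LDAP, which is how the posixGroup and posixAccount auxiliary classes are attached here; /bin/bash as the login shell; the base DN dc=acme and the names and ids are the article's examples; GROUP_FILE and PASSWD_FILE are variables of this script.

```shell
#!/bin/sh
# Added example, not part of the AppNote: build the OU, posixGroup-extended
# group and posixAccount-extended user from the iManager steps as LDIF, after
# checking that the chosen gid/uid are not already used on the Linux server.
# Assumed: eDirectory's Group and User classes appear as groupOfNames and
# inetOrgPerson over LDAP; /bin/bash as login shell; the article's example names.

set -u

GROUP_FILE="${GROUP_FILE:-/etc/group}"     # local files used for the id check
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# 0 if numeric id $1 appears in the id column (field 3) of group/passwd file $2.
id_in_use() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$2"
}

# Smallest id >= $1 that is not present in file $2.
first_free_id() {
    awk -F: -v start="$1" '
        { used[$3] = 1 }
        END { id = start + 0; while (id in used) id++; print id }' "$2"
}

# Emit LDIF for the OU, the group and the user.
# $1 base DN, $2 OU, $3 group, $4 gid, $5 user, $6 uid, $7 initial password.
make_user_ldif() {
    cat <<EOF
dn: ou=$2,$1
changetype: add
objectClass: organizationalUnit
ou: $2

dn: cn=$3,ou=$2,$1
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
cn: $3
gidNumber: $4
memberUid: $5

dn: cn=$5,ou=$2,$1
changetype: add
objectClass: inetOrgPerson
objectClass: posixAccount
cn: $5
sn: $5
uid: $5
uidNumber: $6
gidNumber: $4
homeDirectory: /home/$5
loginShell: /bin/bash
userPassword: $7
EOF
}

# Refuse ids that collide with local accounts, then write the LDIF to $8
# with mode 0600 because it contains the password.
prepare_user() {
    if id_in_use "$4" "$GROUP_FILE"; then
        echo "gid $4 is already used in $GROUP_FILE" >&2; return 1
    fi
    if id_in_use "$6" "$PASSWD_FILE"; then
        echo "uid $6 is already used in $PASSWD_FILE" >&2; return 1
    fi
    (umask 077; make_user_ldif "$1" "$2" "$3" "$4" "$5" "$6" "$7" > "$8")
}

# Example: prepare_user dc=acme Users eDirectoryUsers 1001 testuser 1001 'S3cret!' users.ldif
# then import the file with the article's tool, e.g.
#   ice -v -e errorlog.ldif -S LDIF -f users.ldif -c -D LDAP -p 636 \
#       -d cn=admin,dc=acme -w secret -L /home/export/TrustedRootCertificate.der
```

The LDIF carries the user's initial password, so the script writes it with mode 0600; remove the file once the import has succeeded. first_free_id is there for picking a gid when the server already has many local groups.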

Configure Linux services for LDAP authentication

  1. Start yast2 and click on "Network Services" in the left pane.
  2. Click on "LDAP Client" to launch the LDAP Client Configuration window.
  3. For the field "Address of LDAP Servers", enter the correct IP Address and the port separated by colon.
  4. Enter the OU created earlier in the 'LDAP Base DN' field
  5. Select 'LDAP TLS/SSL'
  6. Click on the button "Advanced Configuration..." in LDAP Client Configuration window.
  7. In the "Advanced Configuration" window, configure appropriate value for "Administrator DN" field. For our example, this value would be "cn=admin,dc=acme".
  8. Ensure "File Server" and "Enable LDAP Users to Log In" fields are selected
  9. Click on the button "Next" to come back to the "LDAP Client Configuration" window.
  10. Click on button "Finish" in "LDAP Client Configuration" window.
  11. As root, edit the file /etc/ldap.conf and check that the host and base statements match your eDirectory server
  12. Uncomment the rootbinddn section and change the username to your administrator. Save the file and quit
  13. Create a file called /etc/ldap.secret and put your admin password in it. Change the permissions of the file to root read only, chmod 600 /etc/ldap.secret

SLES should now authenticate to eDirectory.

Test Linux authentication

Now we will create a home directory for the user we created above (testuser). Copy the skeleton home directory for the user using

cp -r /etc/skel /home/testuser

Change the ownership of it using

chown -R testuser.eDirectoryUsers /home/testuser

If no error messages are displayed, LDAP authentication is working: chown could only resolve the user and group names because they were looked up in eDirectory.

Try logging in as the new user at a console prompt, or via ssh. Check that the user can create files and folders in their home directory.

Configure samba, including LDAP authentication

Edit the file /etc/samba/smb.conf and change/add the following lines:

ldap admin dn = cn=admin,dc=acme
ldap suffix = ou=Users,dc=acme
passdb backend = ldapsam:ldaps://127.0.0.1:636 smbpasswd
encrypt passwords = yes
security = user

Make sure that there is a [homes] section such as

[homes]
     comment = Home Directories
     valid users = %S
     browseable = No
     read only = No
     guest ok = No

Save and quit, then restart Samba (rcsmb restart).
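A read-only audit of the three hand-edited client files (/etc/ldap.conf and /etc/ldap.secret from steps 11 to 13 of the LDAP authentication setup, and the smb.conf settings above), added here as an example that is not part of the AppNote. It checks the points that matter for security: the secret file is mode 600 and owned by root, rootbinddn is really uncommented and names the admin DN, "passdb backend" uses ldapsam over ldaps:// rather than plain ldap://, and the [homes] share keeps guest ok = No. Assumptions: the "ldap admin dn" and "passdb backend" lines live in smb.conf's [global] section, GNU stat is available for the mode and owner lookup, and the function and file names are this script's own.

```shell
#!/bin/sh
# Added example, not part of the AppNote: audit the hand-edited client files
# from the steps above (/etc/ldap.conf, /etc/ldap.secret, /etc/samba/smb.conf).
# Only reads files; assumes GNU stat for the mode/owner lookup and that the
# "ldap admin dn" and "passdb backend" lines live in smb.conf's [global] section.

set -u

# Print the value of an uncommented "key value" line from ldap.conf
# ($1 = file, $2 = key). A commented "#rootbinddn" line does not match.
ldap_conf_value() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Print the value of "key = value" from section $2 of smb.conf $1
# (section and key matched case-insensitively, ; and # comments skipped).
smb_conf_value() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        tolower(sec) == tolower(want_sec) && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want_key)) { print val; exit }
        }' "$1"
}

# 0 if $1 exists with mode 600 (or 400) and is owned by $2 (default root);
# the file holds the directory administrator's password in clear text.
secret_is_locked_down() {
    f="$1"; want_owner="${2:-root}"; bad=0
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f")
    case "$mode" in 600|400) ;; *) echo "$f: mode $mode, expected 600" >&2; bad=1 ;; esac
    [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, expected $want_owner" >&2; bad=1; }
    return $bad
}

# Run every check; returns the number of findings (0 means the setup matches
# the article). $1 ldap.conf, $2 ldap.secret, $3 smb.conf, $4 admin DN,
# $5 expected owner of the secret file (default root).
audit_ldap_client() {
    n=0
    secret_is_locked_down "$2" "${5:-root}" || n=$((n + 1))
    [ "$(ldap_conf_value "$1" rootbinddn)" = "$4" ] \
        || { echo "ldap.conf: rootbinddn is not $4 (commented out?)" >&2; n=$((n + 1)); }
    [ -n "$(ldap_conf_value "$1" host)" ] && [ -n "$(ldap_conf_value "$1" base)" ] \
        || { echo "ldap.conf: host or base missing" >&2; n=$((n + 1)); }
    [ "$(smb_conf_value "$3" global "ldap admin dn")" = "$4" ] \
        || { echo "smb.conf: ldap admin dn is not $4" >&2; n=$((n + 1)); }
    case "$(smb_conf_value "$3" global "passdb backend")" in
        ldapsam:ldaps://*) ;;
        *) echo "smb.conf: passdb backend should be ldapsam over ldaps://" >&2; n=$((n + 1)) ;;
    esac
    [ "$(smb_conf_value "$3" homes "guest ok" | tr 'A-Z' 'a-z')" = no ] \
        || { echo "smb.conf: [homes] should have guest ok = No" >&2; n=$((n + 1)); }
    return $n
}

# Example: audit_ldap_client /etc/ldap.conf /etc/ldap.secret /etc/samba/smb.conf cn=admin,dc=acme
```

Run it as root after the restart; a non-zero exit status is the number of findings, each of which is printed on stderr.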

Add samba users

Apply the admin password to Samba using the command

smbpasswd -w secret 

where secret is the password for the account set in smb.conf.

You should now see the line

"Setting stored password for 'cn=admin,dc=acme' in secrets.tdb".

That gives Samba access via LDAP, so we can now add user accounts.

Try

smbpasswd -a testuser

and enter the password twice when prompted.

You should see a line that says

"Added user testuser". 

If you get error messages complaining about ldapsam_search_one_group you can safely ignore them!

The user is now able to log in via Samba.

Test samba connectivity

This can also be tested from a Windows machine. However, the smbclient command lets you test Samba without leaving the command line.

Try

smbclient //127.0.0.1/testuser -W USERS -U testuser

and enter your password when prompted. You should get a prompt like

 smb: \>

Try typing ls and you should see the contents of the user's home directory.

Type exit to leave the smbclient, and change to /home/testuser.

Conclusion

Thus we can migrate Samba from OpenLDAP to eDirectory while making sure that LDAP-based applications do not break. Though OES offers eDirectory as an alternative to OpenLDAP, applications like Samba that use LDAP on SLES would break unless the existing data is migrated from OpenLDAP to eDirectory; this document provides that procedure.

