====== Хранение учетных записей UNIX в LDAP ======
===== Сокращения =====
* dn - distinguished name
* dc - domainComponent
* ou - organizationalUnitName
* o - organizationName
===== Импорт данных в каталог =====
==== Описание элементов схемы ====
* [[http://oav.net/mirrors/LDAP-ObjectClasses.html|Common LDAP schemas]]
==== Импорт данных про организацию и структуру ====
!!! Объект dc=corpX,dc=un создается автоматически при инсталляции: из dcObject наследуется атрибут dc, из organization — атрибут o
server# cat organization.ldif
# Base entry dc=corpX,dc=un already exists (created at install time), so it is
# kept commented out and ldapadd does not try to re-create it.
# Note on the ldapadd call below: "-w secret" puts the bind password on the
# command line, where it is visible in the process list and shell history;
# "-W" prompts for it instead.
#dn: dc=corpX,dc=un
#objectClass: dcObject
#objectClass: organization
#o: Corporation X
#dc: corpX
# Containers for user and group entries. In LDIF each entry ends with an
# empty line; keep one between the two entries below.
dn: ou=People,dc=corpX,dc=un
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=corpX,dc=un
objectClass: organizationalUnit
ou: Group
server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f organization.ldif
==== Чтение каталога ====
server:~# ldapsearch -x -b "dc=corpX,dc=un"
==== Импорт данных о пользователях и группах ====
* [[http://www.padl.com/OSS/MigrationTools.html|MigrationTools]]
* [[https://wiki.debian.org/LDAP/MigrationTools|Migrating /etc Flat File Databases to LDAP]]
* [[#Использование migrationtools]]
server# cat passwdgroup.ldif
# Per-user primary groups; each gidNumber matches the gidNumber of the
# corresponding user entry below.
dn: cn=user1,ou=Group,dc=corpX,dc=un
objectClass: posixGroup
cn: user1
gidnumber: 10001
dn: cn=user2,ou=Group,dc=corpX,dc=un
objectClass: posixGroup
cn: user2
gidnumber: 10002
# User accounts. LDAP attribute names are case-insensitive, so
# gidnumber/gidNumber and loginshell/loginShell are equivalent.
dn: uid=user1,ou=People,dc=corpX,dc=un
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user1
sn: Ivanov
cn: Ivan Ivanovitch Ivanov
gecos: Ivan Ivanovitch Ivanov,RA7,401,499-239-45-23
uidNumber: 10001
gidNumber: 10001
loginshell: /bin/sh
homeDirectory: /home/user1
# "*" is a placeholder (same convention as a locked entry in /etc/shadow);
# the real password is set later with replacepasswd.ldif. Keep the cleartext
# variant commented out: a plain value is stored as-is unless the server hashes
# it, so if a password is set here, paste a hash generated by slappasswd.
userpassword: *
#userpassword: password1
dn: uid=user2,ou=People,dc=corpX,dc=un
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user2
sn: Petrov
cn: Petr Petrovitch Petrov
gecos: Petr Petrovitch Petrov,RA7,402,499-323-55-53
uidnumber: 10002
gidnumber: 10002
loginshell: /bin/sh
homedirectory: /home/user2
userpassword: *
#userpassword: password2
# Secondary group containing both users (memberUid lists login names, not DNs).
dn: cn=group1,ou=Group,dc=corpX,dc=un
cn: group1
gidNumber: 15001
memberUid: user1
memberUid: user2
objectClass: posixGroup
server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f passwdgroup.ldif
...
==== Поиск информации в ldap каталоге ====
server# ldapsearch -x -b"dc=corpX,dc=un" "uid=user1"
==== Удаление информации из ldap каталога ====
server# ldapdelete -x -D "cn=admin,dc=corpX,dc=un" -w secret "uid=user1,ou=People,dc=corpX,dc=un"
==== Модификация информации в ldap каталоге ====
=== Пример изменения пароля ===
server# cat replacepasswd.ldif
# Sets userPassword for both users. The value is written to the directory
# exactly as given: a cleartext value like the ones below stays cleartext in
# the database unless the server is configured to hash it. Prefer pasting a
# hash produced by slappasswd (e.g. a {SSHA} value), or let users set their
# own password with ldappasswd, which uses the Password Modify extended
# operation. This file now holds secrets: restrict its permissions and remove
# it after import.
dn: uid=user1,ou=People,dc=corpX,dc=un
changetype: modify
replace: userPassword
userPassword: password1
dn: uid=user2,ou=People,dc=corpX,dc=un
changetype: modify
replace: userPassword
userPassword: password2
server# ldapmodify -x -D "cn=admin,dc=corpX,dc=un" -w secret -f replacepasswd.ldif
=== Пример назначения номеров телефонов и адресов email ===
server:~# cat addmailphone.ldif
# Adds a phone number and a mail address to each user. "add:" appends a value
# and fails if the attribute already holds that value; use "replace:" to
# overwrite an existing value instead.
dn: uid=user1,ou=People,dc=corpX,dc=un
changetype: modify
add: telephoneNumber
telephoneNumber: 401
dn: uid=user1,ou=People,dc=corpX,dc=un
changetype: modify
add: mail
mail: user1@corpX.un
dn: uid=user2,ou=People,dc=corpX,dc=un
changetype: modify
add: telephoneNumber
telephoneNumber: 402
dn: uid=user2,ou=People,dc=corpX,dc=un
changetype: modify
add: mail
mail: user2@corpX.un
server# ldapmodify -x -D "cn=admin,dc=corpX,dc=un" -w secret -f addmailphone.ldif
=== Пример назначения UNIX атрибутов в Microsoft AD ===
!!! Объекты guser1, guser2 и group1, а также учетные записи пользователей Ivan I. Ivanov и Petr P. Petrov должны быть созданы заранее
gate:~# cat addunixattr.ldif
# Adds RFC 2307 (POSIX) attributes to existing AD objects. The target users
# and groups must already exist, and so must the attributes themselves in the
# AD schema (uidNumber, gidNumber, unixHomeDirectory, loginShell are part of
# the AD schema since Windows Server 2003 R2). Each user's gidNumber matches
# the gidNumber given to its group: 10001 -> guser1, 10002 -> guser2.
# Note on the ldapmodify call below: "-W" prompts for the Administrator
# password instead of passing it on the command line, but "ldap://" sends the
# simple bind in cleartext; use ldaps:// or -ZZ (StartTLS) on a real network.
#==== add and set attr to user1 ====
dn: CN=guser1,CN=Users,DC=corpX,DC=un
changetype: modify
add: gidNumber
gidNumber: 10001
dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un
changetype: modify
add: uidNumber
uidNumber: 10001
dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un
changetype: modify
add: gidNumber
gidNumber: 10001
dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un
changetype: modify
add: unixHomeDirectory
unixHomeDirectory: /home/user1
dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un
changetype: modify
add: loginShell
loginShell: /bin/sh
#==== add and set attr to user2 ====
dn: CN=guser2,CN=Users,DC=corpX,DC=un
changetype: modify
add: gidNumber
gidNumber: 10002
dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un
changetype: modify
add: uidNumber
uidNumber: 10002
dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un
changetype: modify
add: gidNumber
gidNumber: 10002
dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un
changetype: modify
add: unixHomeDirectory
unixHomeDirectory: /home/user2
dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un
changetype: modify
add: loginShell
loginShell: /bin/sh
#==== add and set attr to group1 ====
# memberUid holds login names (sAMAccountName-style values), not DNs.
dn: CN=group1,CN=Users,DC=corpX,DC=un
changetype: modify
add: gidNumber
gidNumber: 15001
dn: CN=group1,CN=Users,DC=corpX,DC=un
changetype: modify
add: memberUid
memberUid: user1
dn: CN=group1,CN=Users,DC=corpX,DC=un
changetype: modify
add: memberUid
memberUid: user2
gate:~# ldapmodify -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -f addunixattr.ldif
===== Использование migrationtools =====
# apt install migrationtools
# cat /etc/migrationtools/migrate_common.ph
...
$DEFAULT_MAIL_DOMAIN = "corpX.un";
...
$DEFAULT_BASE = "dc=corpX,dc=un";
...
$EXTENDED_SCHEMA = 1;
...
$IGNORE_UID_BELOW = 1001;
$IGNORE_GID_BELOW = 1001;
...
$IGNORE_UID_ABOVE = 65500;
$IGNORE_GID_ABOVE = 65500;
...
# ln -s /etc/migrationtools/migrate_common.ph /etc/perl/migrate_common.ph
# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd | tee users.ldif
!!! Перед импортом удалить из users.ldif все строки, относящиеся к krb5
# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f users.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/group | tee groups.ldif
# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f groups.ldif