
RE: OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts



Buchan,

The power of virtual environments: I rolled back to my pre-2.4-upgrade snapshot and went through this again. The steps I followed (for anyone's reference) are:

service ldap stop
slapcat -f /etc/openldap/slapd.conf -b "dc=ldn,dc=sw,dc=com" -l /export/home/stuart/full_msldap01.ldif
Managed to rpm -ev openldap-servers-overlays-2.3.43-3.el5 openldap-clients-2.3.43-3.el5 openldap-servers-2.3.43-3.el5
Had to leave openldap-2.3.43-3.el5 32&64-bit versions as they're in too deep.
Removed the empty /usr/lib64/openldap directory which held 2.3 schemas and mv /var/lib/ldap to var/lib/ldap.23, mv /etc/openldap /etc/openldap.23

Installed the 2.4 packages:
rpm -ivh lib64ldap2.4_2-2.4.22-1.el5.x86_64.rpm openldap2.4-2.4.22-1.el5.x86_64.rpm libldap2.4_2-2.4.22-1.el5.i386.rpm openldap2.4-2.4.22-1.el5.i386.rpm openldap2.4-clients-2.4.22-1.el5.x86_64.rpm openldap2.4-servers-2.4.22-1.el5.x86_64.rpm unixODBC-2.2.11-7.1.x86_64.rpm openldap2.4-extra-schemas-1.3-10.el5.noarch.rpm openldap2.4-servers-2.4.22-1.el5.x86_64.rpm

vi /etc/openldap2.4/slapd.conf /etc/openldap2.4/slapd.access.conf and removed unrequired schemas and samba references.

Imported data with:
slapadd2.4 -f /etc/openldap2.4/slapd.conf -l /export/home/stuart/full_msldap01.ldif

service ldap2.4 check - OK
service ldap2.4 start - OK

All works and I can log in against this LDAP server.

Now, on to attempting use of the slapo-memberof overlay, as mentioned by Quanah.

Thanks guys, I'm sure I'll be back with more questions.

Stuart.

> From: bgmilne@staff.telkomsa.net
> To: stuart_cherrington@hotmail.co.uk
> Subject: Re: OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts
> Date: Wed, 5 May 2010 10:47:38 +0100
> CC: sjain@silverspringnet.com; openldap-technical@openldap.org
>
> On Wednesday, 5 May 2010 09:54:34 Stuart Cherrington wrote:
> > Buchan,
> >
> > Thanks for these, I saw your email yesterday in reply to another thread so
> > took them then :-)
> >
> > I've started an upgrade process by doing the following:
> >
> > shutdown ldap
> > slapcat -f /etc/openldap/slapd.conf -b
> > "dc=ldn,dc=sw,dc=com" -l /export/home/stuart/full_msldap01.ldif
> > removed all files from /var/lib/ldap except DB_CONFIG file.
>
> I would rather keep them, and use a version-specific directory path in the
> slapd.conf.
>
> > I couldn't remove the ldap 2.3 version packages as their dependencies are
> > mad,
>
> No, most likely you have some packages that depend on libldap-2.3.so.0 (have
> been linked to it). This is precisely the reason I make the packages install
> in parallel.
>
> > so left them in place and did an Install of the 2.4 packages.
> > lib64ldap2.4_2-2.4.22-1.el5.x86_64.rpm,
> > openldap2.4-2.4.22-1.el5.x86_64.rpm, libldap2.4_2-2.4.22-1.el5.i386.rpm,
> > openldap2.4-2.4.22-1.el5.i386.rpm,
> > openldap2.4-clients-2.4.22-1.el5.x86_64.rpm,
> > openldap2.4-servers-2.4.22-1.el5.x86_64.rpm,
> > unixODBC-2.2.11-7.1.x86_64.rpm,
> > openldap2.4-extra-schemas-1.3-10.el5.noarch.rpm,
> > openldap2.4-servers-2.4.22-1.el5.x86_64.rpm. updated the
> > /etc/openldap2.4/slapd.conf and slapd.access.conf files to remove unwanted
> > references to SAMBA, change domain, passwd etc. Ran the service ldap check
> > until it was OK.
> > Trying to re-load the ldif gave me some errors though:
> >
> > slapadd -f /etc/openldap2.4/slapd.conf -l
> > /export/home/stuart/full_msldap01.ldif
> > /usr/share/openldap2.4/schema/core.schema:
> > line 100: AttributeType inappropriate SUPerior: "c"
>
> Did you over-write schema files from 2.4 with files from your 2.3 installation?
> The 2.4 schema file has the attribute c on line 100 commented out, as it is
> most likely built-in.
>
> > I found this line and decided to hash it out but then it failed on another
> > Country attribute and another then another in cosine.schema, so have
> > stopped hashing and started typing.
> >
> > Any reason why this would fail to like the 'c' AttributeType?
>
> Depends what you did to the schema files.
>
> $ rpm -Va openldap2.4-servers
>
> should not show any schema files having been modified ....
>
>
> Regards,
> Buchan
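The `rpm -Va openldap2.4-servers` check Buchan suggests, turned into a small filter that reports only the packaged schema files whose content digest no longer matches the package, or which are missing. This is an added example, not code from either poster; the `rpm -Va` output it parses is constructed, and the schema directory is taken from the paths quoted in the thread.

```shell
#!/bin/sh
# rpm -Va prints one line per file that differs from the package database:
# a flag field (S=size, M=mode, 5=digest, D=device, L=link, U=user, G=group,
# T=mtime, P=caps; '.' = unchanged; EL5's rpm prints 8 flags without P),
# an optional file-type letter (c = config, d = doc), then the path.
# A file that is no longer present is reported as "missing  <path>".
# The digest flag is the third character either way.

# Constructed sample output (not captured from a real host):
# slapd.conf is a config file that was edited on purpose, core.schema has a
# changed digest, cosine.schema only has a new mtime, nis.schema is missing.
SAMPLE_RPM_VA='S.5....T.  c /etc/openldap2.4/slapd.conf
..5....T.    /usr/share/openldap2.4/schema/core.schema
.......T.    /usr/share/openldap2.4/schema/cosine.schema
missing      /usr/share/openldap2.4/schema/nis.schema'

# Print the schema files whose content differs from the package, or are missing.
# Usage: modified_schema_files "<rpm -Va output>" [schema_dir]
# On a real host: modified_schema_files "$(rpm -Va openldap2.4-servers)"
modified_schema_files() {
    printf '%s\n' "$1" | awk -v dir="${2:-/usr/share/openldap2.4/schema}" '
        # the path is always the last field; only look under the schema dir
        index($NF, dir) != 1 { next }
        $1 == "missing"        { print $NF; next }
        substr($1, 3, 1) == "5" { print $NF }
    '
}

# Stand-alone run: list the flagged schema files from the sample.
modified_schema_files "$SAMPLE_RPM_VA"
```

Config files such as `slapd.conf` are expected to differ and are outside the schema directory, so they are not reported; a schema file that shows up here has been overwritten (for example by a 2.3 copy) and explains errors like the "inappropriate SUPerior" one quoted above.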
