Intro
For the server end, this means at least the openldap package. This contains the server (slapd), and the migration scripts.
For the slapd server, you will need to edit /etc/openldap/slapd.conf. This is the primary configuration file for the slapd server.
You will need to change at least the "suffix" and "rootdn" lines, and probably the "rootpw" line. These need to point to some value, typically just your local domain, but there isn't anything in particular that requires that.
Netscape Messenger and Address Book look for an objectclass of the type "inetOrgPerson". The problem is, the default OpenLDAP 1.2.7 configuration does not include a definition for this.
You could just add the definitions for this to /etc/openldap/slapd.oc.conf, but the wisdom seems to point to putting any additional definitions in a separate file and including it in slapd.conf.
Add the following lines to /etc/openldap/slapd.conf
---- cut here: do not include this line ----------
include /etc/openldap/local.at.conf
include /etc/openldap/local.oc.conf
---- cut here: do not include this line ----------
---- cut here: do not include this line -------------
objectclass inetOrgPerson
requires
objectClass,
sn,
cn
allows
audio,
businessCategory,
carLicense,
departmentNumber,
employeeNumber,
employeeType,
givenName,
homePhone,
homePostalAddress,
initials,
jpegphoto,
labeledURI,
mail,
manager,
mobile,
pager,
photo,
roomNumber,
secretary,
uid,
userCertificate,
x500uniqueIdentifier,
preferredLanguage,
userSMIMECertificate,
userPKCS12
---- cut here: do not include this line -------------
For /etc/openldap/local.at.conf I just copied the contents of /etc/openldap/slapd.at.conf, i.e.:
---- cut here: do not include this line -------------
attribute photo bin
attribute personalsignature bin
attribute jpegphoto bin
attribute audio bin
attribute labeledurl ces
attribute ref ces
attribute userpassword ces
attribute telephonenumber tel
attribute facsimiletelephonenumber fax tel
attribute pagertelephonenumber pager tel
attribute homephone tel
attribute mobiletelephonenumber mobile tel
attribute aliasedObjectName dn
attribute member dn
attribute owner dn
attribute seealso dn
attribute manager dn
attribute documentauthor dn
attribute secretary dn
attribute lastmodifiedby dn
attribute associatedname dn
attribute naminglink dn
attribute reciprocalnaminglink dn
attribute dn dn
---- cut here: do not include this line ----------------
Adding the above will allow slapd to serve requests for the inetOrgPerson type. The definition for this type was found at:
http://www.hklc.com/ldapschema/objectclass.phtml?objectclass=inetOrgPerson
4. Migrate the data for slapd to read
The openldap rpms in Red Hat Linux 6.1 include a set of migration scripts for converting local data (/etc), NIS, and NIS+ maps into a form for ldap to serve.
They do this by converting the data into LDIF (LDAP Data Interchange Format), and then converting the LDIF into a database format via the ldif2ldbm command.
The scripts get installed into /usr/share/openldap/migration. For the sake of this example, I'll demo doing a NIS migration.
NOTE: READ THE README
As mentioned in the README, you need to edit the migrate_common.ph script and set $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE to appropriate values. These should be set to the same values you use in /etc/openldap/slapd.conf.
It is also very important to change the $EXTENDED_SCHEMA variable to 1, so that extra info gets encoded, including the useful inetOrgPerson object.
After changing these variables, you just need to run the script:
./migrate_all_nis_offline.sh
This should migrate all the data into /usr/tmp/*.dbd files.
I haven't had any trouble with these scripts yet.
5. Restart the ldap server and test it.
/etc/rc.d/init.d/ldap stop
/etc/rc.d/init.d/ldap start
Then test the server setup with ldapsearch.
NOTE: it seems that for ldapsearch to work, you need to edit /etc/openldap/ldap.conf and point it to the LDAP server, and give it the appropriate base name.
try:
ldapsearch "(objectclass=*)"
This should return a big pile of data. If it does, the ldap server is working. If it doesn't, check out the info in "troubleshooting".
6. Configuring Netscape to use the new address server
Netscape can be configured to look up potential email addresses in an ldap server or "directory". Netscape comes with a few servers preconfigured, including Netscape's own Netcenter directory.
This will open the Address book window. A list of currently available "directories" will be on the left side.
Select File->New Directory from the main address book menu. This will open the new directory dialog. The fields on this dialog need to be filled out as follows:
Description: anything. This is just a string to identify the server.
LDAP server: the hostname or IP address of the ldap server you want to query. This should be the hostname of the host you set up the openldap server on.
Server Root: This is a bit odd. This is the definition of the root of the LDAP tree for your organization. I've had the best luck using something of the variety "dc=your_domain,dc=com".
Port number: The default is 389. No need to change this unless the ldap server is running on a strange port.
Secure: For OpenLDAP 1.2.7, this needs to be left unchecked.
Login with name and passwd: Seems to work okay without this enabled.
Then click "ok". You should see a new directory listing in the column at the left.
In the address book dialog, type in some name in the "Show Names Containing" field and hit return. Assuming the name you enter is in the directory, you should get some addresses shown on the right.
If this works, you're most of the way there.
The above steps just defined a new directory and tested it; now you need to actually configure Netscape to use this directory for address completion in Messenger.
Open Communicator->Messenger from the main Netscape menu.
Hit "New Msg" button.
In the "To:" field, type in the first part of an address. for example, the letters "sm". Then hit Tab.
You should get a list of all the email addresses that contain the string "sm". To select one, just click on the appropriate entry in the list.
If that works, it works.
One of the more annoying things about the default Netscape config is that mail aliases listed in /etc/aliases or in nisMailAlias entries do not get added to the email addresses the directory server is willing to serve. There are a couple of potential solutions here.
The solution which seems to work best is to hack the migration scripts to add a "mail:" attribute to the entries generated for either nisMailAlias or rfc822emailaddress. You basically just need to add a print line to migrate_aliases.pl. A diff follows:
--- migrate_aliases.pl~ Mon Sep 13 19:56:03 1999
+++ migrate_aliases.pl Wed Dec 1 14:08:37 1999
@@ -65,6 +65,7 @@
local(@aliases) = split(/,/, $memberstr);
print $HANDLE "dn: cn=$name,$NAMINGCONTEXT\n";
print $HANDLE "cn: $name\n";
+ print $HANDLE "mail: $name@","$DEFAULT_MAIL_DOMAIN\n";
print $HANDLE "objectClass: nisMailAlias\n";
print $HANDLE "objectClass: top\n";
foreach $_ (@aliases) {
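Review bot: the added `mail:` print builds its value from `$DEFAULT_MAIL_DOMAIN`, so if that variable is left empty in migrate_common.ph the entry silently gets `mail: name@`; guard it with something like `die "DEFAULT_MAIL_DOMAIN unset" unless $DEFAULT_MAIL_DOMAIN;` before the print. The two-argument form `"mail: $name@","$DEFAULT_MAIL_DOMAIN\n"` only works because `@"` is not interpolated; the single string `"mail: $name\@$DEFAULT_MAIL_DOMAIN\n"` says the same thing more clearly. Also, the entry's only object classes are nisMailAlias and top, and nisMailAlias (RFC 2307) allows just cn and rfc822MailMember, so with schema checking enabled slapd may reject entries carrying `mail`; confirm schemacheck is off in slapd.conf or add an object class that allows `mail`.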
The other alternative seems to be configuring Netscape to search on other fields than just "mail:". For more info on how to do this, take a look at:
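To show what the patched migration step produces, here is an added example (not the Red Hat/PADL migration scripts' own code) that turns /etc/aliases text into the nisMailAlias LDIF entries with the extra "mail:" attribute; the sample aliases, base DN and mail domain are constructed, and the rfc822MailMember attribute for members is assumed from RFC 2307.

```python
"""Added example: /etc/aliases -> nisMailAlias LDIF, with the mail: attribute
the patched migrate_aliases.pl adds (this is not the migration scripts' code)."""

# Constructed sample aliases file: comments, a two-line alias, and a program alias.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root
# Group alias continued on a second line
staff:          alice, bob,
                carol
bugs:           "|/usr/local/bin/bugtracker"
"""

def parse_aliases(text):
    """Return [(name, [member, ...])] from sendmail-style aliases text."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            # Leading whitespace continues the previous alias's member list.
            entries[-1][1].extend(m.strip() for m in raw.split(",") if m.strip())
            continue
        name, _, rest = raw.partition(":")
        members = [m.strip() for m in rest.split(",") if m.strip()]
        entries.append((name.strip(), members))
    return entries

def alias_to_ldif(name, members, base, mail_domain):
    """One entry in the shape migrate_aliases.pl writes, plus the mail: line.
    Alias names are assumed to be plain local parts (no RFC 2253 DN escaping)."""
    lines = [f"dn: cn={name},{base}", f"cn: {name}",
             f"mail: {name}@{mail_domain}",          # the line the diff adds
             "objectClass: nisMailAlias", "objectClass: top"]
    for m in members:
        # Program, file and :include: targets are not deliverable addresses.
        if m.startswith(('"|', "|", "/", ":include:")):
            continue
        lines.append(f"rfc822MailMember: {m}")   # assumed per RFC 2307
    return "\n".join(lines) + "\n"

def aliases_to_ldif(text, base="dc=example,dc=com", mail_domain="example.com"):
    """Whole file -> LDIF; refuse to emit truncated 'name@' values."""
    if not mail_domain:
        raise ValueError("DEFAULT_MAIL_DOMAIN must be set")
    return "\n".join(alias_to_ldif(n, m, base, mail_domain)
                     for n, m in parse_aliases(text))
```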
Things Not Covered Here
I've skipped ldap authentication entirely. Probably not a great idea for an ldap server sitting exposed on the internet. With the current setup, a user can query the server and get all the info anonymously. It is possible to restrict the access method, but I haven't quite figured that out yet. For an internal, firewalled, intranet server, this config should be fairly safe. I think. No guarantees, caveat emptor, etc.