ldap notes:

Goals:

  • Update kickstart configs to reflect new location for puppet code.

  • Review linux based installation and authentication particularly with rfc2307bis schema. Need to be able to use:

    • linux groups via pam for access control

    • See group membership as normal

    • Use both legacy and sssd

  • Develop cmdb style host information for use with puppet

  • Figure out replication

  • Figure out logging

  • Figure out monitoring

12/20/14: It’s close enough to the new year that I figure this’ll be the start (read: restart) of the ldap research. Things got a bit chaotic over the last 1/4 of 2014 and notes were getting scattered all over the place.

So, to restart the push, I’ve removed all of my vms and will be rebuilding them. Keeping it simple to start:

  • nap: naperville ldap server

  • napc1: naperville client1 - legacy authentication

  • napc2: naperville client2 - sssd authentication

Network setup:

  Net name   DC           GW               Netmask
  default    Naperville   192.168.122.1    255.255.255.0
  rock       Rockville    192.168.100.1    255.255.255.0
  waltham    Waltham      192.168.110.1    255.255.255.0

12/22/14:

Env’s set up, time to get going. Two openldap installations:

  1. Regular

  2. rfc2307bis

Starting in on regular.

12/23/14:

Got the CA going … again. Got the regular posixgroups openldap directory server going. Got the ldap repo reorganized a bit more cleanly and got the ldap wrapper script functional again.

I added doleary to the DS but am not able to see memberof functionality.
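For reference, the cn=config change that turns on the memberof overlay, as an added example and not part of these notes; it assumes the user database is olcDatabase={1}mdb and that a cn=module{0} entry already exists:

```ldif
# Load the memberof module (assumption: cn=module{0},cn=config already
# exists; on a config without any module entry it is created with
# changetype: add instead).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

# Attach the overlay to the user database (assumption: olcDatabase={1}mdb).
# Only groups of olcMemberOfGroupOC with the olcMemberOfMemberAD attribute
# are tracked; memberOf is written as an operational attribute on the member.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```

Two things bite here: plain posixGroup/memberUid groups never produce memberOf (only groupOfNames/member, i.e. the rfc2307bis style), and group memberships that existed before the overlay was added are not backfilled, so a user added earlier shows nothing until the group is re-written. Because memberOf is operational, ldapsearch only returns it when asked for by name (or with "+").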

Just enabled legacy authentication on napc1. I’m able to access the account but it’s forcing a password reset every single time. I seem to remember that…

And, of course, I fucked up the ppolicy w/an example.com overlay pretty much like my notes said. wtf? dumbass!

I tried for a while to delete the overlay with no success. Then, hit the googles and found out that you can’t. wtf?? So, I updated the incorrect default with the corrected one. Once I did that, napc1 couldn’t get group information for love nor money. Tried stopping/starting nscd/nslcd, no joy.

Finally, blew napc1 away. Refreshing and trying again. We’ll see if that works.

Mixed results. Was able to see doleary but still getting forced password changes. Also, once I deleted doleary and recreated him, I’m not able to see him on napc1 with getent passwd doleary at all. Fuck me.

So, getting frustrated. Time to take a break. Goals for later:

  1. password resets via ldap script aren’t working. fix it.

  2. Get legacy ldap authentication working on napc1