dn: uid=tim
dn: uid=tim,ou=People,dc=shellgrit,dc=com
dn: uid=u2,ou=People,dc=shellgrit,dc=com
uid: u2
cn: User 2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$Ht.ugE4R$wVps8Wj9UHqN5DYM1pILT0
shadowLastChange: 12836
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 602
gidNumber: 602
homeDirectory: /home/nfs/u2
gecos: User 2
:%s/padl/shellgrit/gc

The resulting changes to migrate_common.ph (note that the LDAP host name was also changed by hand, to ldap4):

< $DEFAULT_MAIL_DOMAIN = "padl.com";
< $DEFAULT_BASE = "dc=padl,dc=com";
< #define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl
< $DEFAULT_MAIL_HOST = "mail.padl.com";
> $DEFAULT_MAIL_DOMAIN = "shellgrit.com";
> $DEFAULT_BASE = "dc=shellgrit,dc=com";
> #define(`confLDAP_DEFAULT_SPEC',`-h "ldap4.shellgrit.com"')dnl
> $DEFAULT_MAIL_HOST = "mail.shellgrit.com";

Then generate the LDIF files:

./migrate_base.pl > /ldap/ldif/top.ldif
./migrate_group.pl /etc/group > /ldap/ldif/group.ldif
./migrate_passwd.pl /etc/passwd > /ldap/ldif/passwd.ldif
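To make it clear what migrate_passwd.pl actually emits for each account, here is an added example (not code from the MigrationTools package) that builds the same posixAccount/shadowAccount LDIF from passwd and shadow lines for a given base DN. The sample passwd/shadow lines and the {crypt} hashes are constructed, the IGNORE_UID_BELOW cut-off mirrors the setting of the same name in migrate_common.ph, and values that are not safe as plain LDIF strings (non-ASCII gecos fields, leading spaces) are base64-encoded with the `attr::` form as LDIF requires.

```python
"""Added example (not from MigrationTools): passwd+shadow -> posixAccount LDIF.
Sample input and hashes below are constructed for the example."""
import base64

BASE_DN = "dc=shellgrit,dc=com"   # $DEFAULT_BASE after the migrate_common.ph edit
IGNORE_UID_BELOW = 500            # skip system accounts, like IGNORE_UID_BELOW in migrate_common.ph

PASSWD_LINES = [                  # constructed, not a real /etc/passwd
    "u2:x:602:602:User 2:/home/nfs/u2:/bin/bash",
    "jose:x:603:603:Jos\u00e9 Ruiz:/home/nfs/jose:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]
SHADOW_LINES = [                  # constructed; the hashes are placeholders
    "u2:$1$saltsalt$placeholderhash0000000000:12836:0:99999:7:::",
    "jose:$1$saltsalt$placeholderhash1111111111:12836:0:99999:7:::",
    "daemon:*:12836:0:99999:7:::",
]


def ldif_line(attr, value):
    """One LDIF attribute line. Values that LDIF cannot carry verbatim
    (non-ASCII or control characters, leading space/colon/<, trailing space)
    are emitted base64-encoded with the 'attr:: ' form."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 126 or ord(c) < 32 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_shadow(lines):
    """Map user -> the shadow fields migrate_passwd.pl copies into the entry."""
    shadow = {}
    for line in lines:
        f = line.rstrip("\n").split(":")
        shadow[f[0]] = {"hash": f[1], "last": f[2], "max": f[4], "warn": f[5]}
    return shadow


def passwd_to_ldif(passwd_lines, shadow_lines, base_dn=BASE_DN, min_uid=IGNORE_UID_BELOW):
    """Return one LDIF entry (a list of lines) per migrated account."""
    shadow = parse_shadow(shadow_lines)
    entries = []
    for line in passwd_lines:
        user, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
        if int(uid) < min_uid:
            continue                      # system account: not migrated
        s = shadow.get(user)
        entry = [
            ldif_line("dn", f"uid={user},ou=People,{base_dn}"),
            ldif_line("uid", user),
            ldif_line("cn", gecos.split(",")[0] or user),
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
        ]
        if s is not None:                 # shadow data present: add shadowAccount
            entry += [
                "objectClass: shadowAccount",
                ldif_line("userPassword", "{crypt}" + s["hash"]),
                ldif_line("shadowLastChange", s["last"]),
                ldif_line("shadowMax", s["max"]),
                ldif_line("shadowWarning", s["warn"]),
            ]
        entry += [
            ldif_line("loginShell", shell),
            ldif_line("uidNumber", uid),
            ldif_line("gidNumber", gid),
            ldif_line("homeDirectory", home),
            ldif_line("gecos", gecos),
        ]
        entries.append(entry)
    return entries


def render(entries):
    """Join entries into LDIF text (entries separated by a blank line)."""
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


if __name__ == "__main__":
    print(render(passwd_to_ldif(PASSWD_LINES, SHADOW_LINES)))
```

The output for u2 has exactly the shape of the entry shown above; the jose entry shows the `cn::`/`gecos::` base64 form that a non-ASCII gecos field forces, which is the usual reason a hand-edited passwd.ldif is rejected by ldapadd.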
local4.* /var/log/slapd.log

(slapd logs to the LOCAL4 syslog facility by default.) Then restart syslogd:
service syslog restart
| loglevel | effect |
|---|---|
| -1 | log everything |
| 0 | log nothing |

Otherwise the value is a bitmask: add values from this list to select what you want to log (for example 256 + 8 = 264 logs connection management plus the stats lines):

| value | effect |
|---|---|
| 1 | trace function calls |
| 2 | debug packet handling |
| 4 | heavy trace debugging |
| 8 | connection management |
| 16 | print out packets sent and received |
| 32 | search filter processing |
| 64 | configuration file processing |
| 128 | access control list processing |
| 256 | stats log connections/operations/results |
| 512 | stats log entries sent |
| 1024 | print communication with shell backends |
| 2048 | entry parsing |
service ldap restart
tail -f /var/log/slapd.log

The OpenLDAP command-line tools often report useful diagnostics anyway, but this can be a particularly helpful method of debugging opaque third-party applications.
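Two things a practitioner wants from that log once it is flowing: to translate a loglevel number back into the categories above (and build one from them), and to get something security-relevant out of the stats lines (level 256). The following is an added example, not OpenLDAP code; the log lines in it are constructed to follow the stats-level format slapd writes (conn=/op= ids, BIND dn=..., RESULT tag=97 err=49 for an invalidCredentials bind failure), and the host name ldap2 and IP addresses are made up.

```python
"""Added example (not from OpenLDAP): decode/compose slapd loglevel values
and count failed binds in stats-level log lines. Log lines are constructed."""
import re
from collections import Counter

# The bit values and descriptions from the loglevel table above.
LOGLEVEL_BITS = {
    1: "trace function calls", 2: "debug packet handling", 4: "heavy trace debugging",
    8: "connection management", 16: "print out packets sent and received",
    32: "search filter processing", 64: "configuration file processing",
    128: "access control list processing", 256: "stats log connections/operations/results",
    512: "stats log entries sent", 1024: "print communication with shell backends",
    2048: "entry parsing",
}


def loglevel_names(level):
    """Expand a loglevel number into the categories it enables."""
    if level == -1:
        return ["log everything"]
    if level == 0:
        return ["log nothing"]
    return [name for bit, name in LOGLEVEL_BITS.items() if level & bit]


def loglevel_value(*bits):
    """Combine category bits into the number to put after 'loglevel'."""
    unknown = [b for b in bits if b not in LOGLEVEL_BITS]
    if unknown:
        raise ValueError(f"not a slapd loglevel bit: {unknown}")
    value = 0
    for b in bits:
        value |= b
    return value


# Constructed sample of stats-level (256) output: two bad binds from one client,
# then a good bind and a search from another.
STATS_LOG = """\
Jan  5 10:01:02 ldap2 slapd[1234]: conn=7 fd=12 ACCEPT from IP=10.0.0.5:40211 (IP=0.0.0.0:389)
Jan  5 10:01:02 ldap2 slapd[1234]: conn=7 op=0 BIND dn="uid=tim,ou=People,dc=shellgrit,dc=com" method=128
Jan  5 10:01:02 ldap2 slapd[1234]: conn=7 op=0 RESULT tag=97 err=49 text=
Jan  5 10:01:05 ldap2 slapd[1234]: conn=7 op=1 BIND dn="uid=tim,ou=People,dc=shellgrit,dc=com" method=128
Jan  5 10:01:05 ldap2 slapd[1234]: conn=7 op=1 RESULT tag=97 err=49 text=
Jan  5 10:01:09 ldap2 slapd[1234]: conn=8 fd=13 ACCEPT from IP=10.0.0.6:51002 (IP=0.0.0.0:389)
Jan  5 10:01:09 ldap2 slapd[1234]: conn=8 op=0 BIND dn="uid=u2,ou=People,dc=shellgrit,dc=com" method=128
Jan  5 10:01:09 ldap2 slapd[1234]: conn=8 op=0 RESULT tag=97 err=0 text=
Jan  5 10:01:10 ldap2 slapd[1234]: conn=8 op=1 SRCH base="dc=shellgrit,dc=com" scope=2 deref=0 filter="(uid=u2)"
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = bindResponse


def failed_binds(log_text):
    """Count invalidCredentials (err=49) bind results per (client IP, bind DN).
    BIND and RESULT are separate lines, so they are correlated by conn/op id,
    and the client address comes from the ACCEPT line of the same conn."""
    peer, pending, fails = {}, {}, Counter()
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peer[m[1]] = m[2]
        elif m := BIND.search(line):
            pending[(m[1], m[2])] = m[3]
        elif m := RESULT.search(line):
            dn = pending.pop((m[1], m[2]), None)
            if dn is not None and m[3] == "49":
                fails[(peer.get(m[1], "?"), dn)] += 1
    return dict(fails)


if __name__ == "__main__":
    print(loglevel_names(264))
    print(failed_binds(STATS_LOG))
```

Pointing failed_binds at the real slapd.log (or a tail of it) gives the per-source password-guessing view that the stats level was designed for; everything above level 256 is volume you only want while debugging a specific client.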
pam_password exop

(With exop, pam_ldap changes passwords through the LDAP Password Modify extended operation, RFC 3062, so the server rather than the client decides how the new password is hashed.) Then log in to ldap2 as an LDAP-defined user and try changing your password with passwd.
access to * by self write by * read

Note that this lets anyone, including anonymous binds, read the userPassword hashes, and lets every user modify any attribute of their own entry (uidNumber and loginShell included). Probably a more realistic policy would be:
access to dn=".*,dc=shellgrit,dc=com" attr=userPassword
    by self write
    by * auth
access to dn=".*,dc=shellgrit,dc=com"
    by * read

The order matters: slapd applies the first access directive whose target matches, so if the general `by * read` directive came first, password hashes would be world-readable again. `by * auth` lets anyone bind against the password (needed for logins) without being able to read or compare it. The `dn="<regex>"` form is the old regex syntax; newer releases spell it `dn.regex=` (or `dn.subtree="dc=shellgrit,dc=com"` when no regex is needed).
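The first-match rule is the part of slapd's ACL evaluation that most often bites, so here is an added example (a model, not slapd code) that evaluates the two directives above the way slapd does: the first directive whose target matches decides, the first matching `by` clause inside it decides, a directive with no matching `by` clause denies, and anonymous is a bind DN of "". It then evaluates the same directives in reversed order to show the hashes becoming world-readable. The user DNs are those of the page's examples.

```python
"""Added example (not slapd code): model of slapd's first-match access control
evaluation for the two directives in the text, plus the reversed order."""
import re

# slapd access levels, least to most privileged; a grant of level X satisfies any request <= X
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# access to dn=".*,dc=shellgrit,dc=com" attr=userPassword by self write by * auth
# access to dn=".*,dc=shellgrit,dc=com" by * read
RULES = [
    {"dn": r".*,dc=shellgrit,dc=com$", "attrs": {"userPassword"},
     "by": [("self", "write"), ("*", "auth")]},
    {"dn": r".*,dc=shellgrit,dc=com$", "attrs": None,
     "by": [("*", "read")]},
]


def who_matches(who, bind_dn, target_dn):
    """The <who> forms used here: * (anyone), anonymous, users, self."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def granted(rules, target_dn, attr, bind_dn, wanted):
    """True if bind_dn gets at least `wanted` access to attr of target_dn."""
    for rule in rules:
        if not re.match(rule["dn"], target_dn, re.IGNORECASE):
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        # first directive whose <what> matches decides the outcome ...
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, target_dn):
                # ... and within it, the first matching <who> clause decides
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False          # target matched, no <who> matched: denied
    return False              # no directive applies: denied


U2 = "uid=u2,ou=People,dc=shellgrit,dc=com"
TIM = "uid=tim,ou=People,dc=shellgrit,dc=com"


def policy_report(rules):
    """The questions an admin should ask of a password ACL."""
    return {
        "anon reads hash": granted(rules, U2, "userPassword", "", "read"),
        "anon can bind": granted(rules, U2, "userPassword", "", "auth"),
        "self changes hash": granted(rules, U2, "userPassword", U2, "write"),
        "other reads hash": granted(rules, U2, "userPassword", TIM, "read"),
        "anon reads cn": granted(rules, U2, "cn", "", "read"),
    }


if __name__ == "__main__":
    print("as written:", policy_report(RULES))
    print("reversed:  ", policy_report(RULES[::-1]))
```

Run against a real server, the equivalent check is an anonymous `ldapsearch -x -b dc=shellgrit,dc=com userPassword` that must come back with no userPassword values, followed by a bind as the user that must still succeed.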
rootbinddn cn=Manager,dc=shellgrit,dc=com

Then, if root is logged in, pam_ldap will attempt to bind to the LDAP directory using this DN with the cleartext password stored in /etc/ldap.secret (which must be readable only by root, mode 0600). [This, of course, would be a really bad idea on a desktop machine that just anyone might be able to easily boot in single-user mode ....(!).] If you want to do this, perhaps do it just on the master LDAP server (which you wouldn't even allow general login access to, would you?).