Deploying Suse Linux Enterprise Server
 |
Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
Installing Suse Linux Enterprise Server
LDAP Server Configuration
One of the most difficult, yet useful services to configure on GNU/Linux and Unix machines is the LDAP Server. Using an LDAP Server you can maintain a network wide database that contains all sorts of information regarding your network. For instance, it is widely used for User Authentication, Phone & Address storage, as well as storage for other services such as Samba and the Named (DNS) Server.
Fortunately, the Suse Linux Enterprise Server installation routine will configure the LDAP Server for you. All you have to do is ensure that you select the "Directory Server (LDAP)" pattern during the software selection portion of the routine. Then during the "Service" screen, it will automatically create the certificates required for LDAP to function properly, as well as ensure it starts upon boot-up.
Creating the Certifiate & Starting the Server and Using LDAP for Authentication
The installation procedure will also allow you to configure the LDAP Client information to allow the server to authenticate users using the LDAP Server instead of utilizing simple text files.
Maintaining LDAP Databases
After your server is completely configured, many services may depend upon the data located within your LDAP Server so it is of utmost importance that this data is backed up and archived. To do this, many network admins configure "Slave LDAP" servers on their network specifically for this purpose. I believe this may be overkill in many situations and for these installations a simple backup is preferred. However, if you have a larger network installation or have a situation where the LDAP server must be running 24/7 (although a backup only shuts down the LDAP server for a few seconds), then you should deploy a Slave LDAP server for redundancy and for backups.
To back up the LDAP database you simply run the following command while the service is NOT running.
slapcat > backup.ldif
This, of course, is hardly the answer since it relies on the fact that you must manually do this, so it is probably better to deploy a script that will backup your LDAP database automatically. The script that I usually use is as follows (create this in /etc/cron.daily so it will run on a daily basis).
#!/bin/bash
BACKUPDIR=/srv/ldap_backup
KEEPDAYS=180
FILENAME=$BACKUPDIR/ldap.backup.$(date +%Y%m%d)
# Create the directory
mkdir -p $BACKUPDIR
chmod 0700 $BACKUPDIR
# Stop the LDAP Server
rcldap stop
sleep 15
# Create a new backup
/usr/sbin/slapcat | gzip --best >${FILENAME}.new.gz
mv -f ${FILENAME}.new.gz ${FILENAME}.gz
# Start the LDAP Server
rcldap start
sleep 15
# Delete old copies
OLD=$(find $BACKUPDIR/ -ctime +$KEEPDAYS -and -name 'ldap.backup.*')
[ -n "$OLD" ] && rm -f $OLD
Now that you have backups of your LDAP data, it is fitting that I show you how to restore this data if you ever should need to. You must first stop the LDAP Server and move the current database to a different location (in case you need it again). Then you unzip one of the LDAP backups that you wish to use and "slapadd" it into a new database. Finally, ensure that the correct user "owns" the new database file and restart the LDAP server. So, an example would be:
rcldap stop mkdir /root/ldap_old mv /var/lib/ldap/* /root/ldap_old gunzip /srv/ldap_backup/ldap.backup.20080121.gz slapadd -l ldap.backup.20080121 chown ldap.ldap /var/lib/ldap/* rcldap start
Just remember that these LDAP backups are simple text files and you do not need to restore the entire database to simply restore specific "entries". For instance, if you happen to "accidentally" delete a Samba machine account within the database, you do not need to restore the entire database. Simply extract a backup, open it with a text editor and find the data that was deleted. Copy that data into a new text file, save it, then "slapadd" it into your current database (something similar to the slapadd command above).
This process can be very time consuming if you simply wish to change some entries in the LDAP server. Fortunately there are tools available to adjust the data within the LDAP Server without having to create text files and "slapadd" that data into the Server. In fact, Suse Linux Enterprise Server 10 (with Service Pack 1) now includes a utility to do just this called the "LDAP Browser Yast Module".
Using the Yast LDAP Browser and the GQ LDAP Client
Using the LDAP Browser Yast module is quite easy. It will ask you for your password when it starts up, then you simply highlight the Entry you need to change, go to the "Entry Data" tab and adjust the data you need to change (don't forget to hit save when finished). This module is excellent for changing personal information of your Users, or changing the Samba ID for certain groups, etc. The only thing it currently will not do is allow you to delete entire entries. To do this, you must use another LDAP Editor. The one I use (mainly to delete stale Samba computer accounts in the LDAP tree) is called GQ. The home page for this client is at http://gq-project.org/.
|
Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
