This article is being updated. Please be aware the content herein, not limited to version numbers and slight syntax changes, may not match the output from the most recent versions of Bright. This notation will be removed when the content has been updated.
This is two step process:
1. Make LDAP use an HDB database instead of an BDB database.
2. Change the OU value.
1. Migrate LDAP from using BDB database to HDB database
This must be done to be able to modify the non-leaf entry (ou=Group,dc=cm,dc=cluster) which is not supported by the BDB-type database
a. stop LDAP service
# service ldap stop
b. export the current LDAP BDB database, so that it can be imported as an LDAP HDB database
# module load openldap# slapcat -f /cm/local/apps/openldap/etc/slapd.conf -l mydb.ldif
c. modify the database directory and the type of the database:
# cat /cm/local/apps/openldap/etc/slapd.conf[...]database hdb[...]# The database directory MUST exist prior to running slapd AND# should only be accessible by the slapd and slap tools.# Mode 700 recommended.directory /var/lib/ldap2[...]
d. create the database directory
# mkdir -p /var/lib/ldap2
e. import the ldap BDB database into a temporary file
# slapadd -f /cm/local/apps/openldap/etc/slapd.conf -l mydb.ldif53063275 hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap2: (2).Expect poor performance for suffix "dc=cm,dc=cluster".-#################### 100.00% eta none elapsed 02s spd 1.5 k/sClosing DB...
f. fix the permissions of the database directory:
# chown -R ldap:ldap /var/lib/ldap2/
g. restart the LDAP service
# service ldap restartStopping slapd: [ OK ][...]Starting slapd: [ OK ]
2. Create the Organizational Unit (OU) and modify the LDAP entries accordingly
This must be done to allow user management through cmsh/cmgui.
a. add the OU
# cat ou.ldifdn: ou=DisabledUsers,dc=cm,dc=clusterchangetype: addou: DisabledUsersobjectClass: topobjectClass: organizationalUnit# ldapmodify -x -h localhost -D 'cn=root,dc=cm,dc=cluster' -w <password> -c -f /root/ou.ldif
b. move the root bind under the OU:
# cat root.ldifdn: cn=root,dc=cm,dc=clusterchangetype: moddnnewrdn: cn=rootdeleteoldrdn: 1newsuperior: ou=DisabledUsers,dc=cm,dc=cluster# ldapmodify -x -h localhost -D 'cn=root,dc=cm,dc=cluster' -w <password> -c -f /root/root.ldif
c. move the read-only root under the OU:
# cat roroot.ldifdn: cn=readonlyroot,dc=cm,dc=clusterchangetype: moddnnewrdn: cn=readonlyrootdeleteoldrdn: 1newsuperior: ou=DisabledUsers,dc=cm,dc=cluster# ldapmodify -x -h localhost -D 'cn=root,dc=cm,dc=cluster' -w <password> -c -f /root/roroot.ldif
d. move the readonly group under the OU
[root@adel61-centos6-f ~]# cat rogroup.ldifdn: cn=rogroup,dc=cm,dc=clusterchangetype: moddnnewrdn: cn=rogroupdeleteoldrdn: 1newsuperior: ou=DisabledUsers,dc=cm,dc=cluster# ldapmodify -x -h localhost -D 'cn=root,dc=cm,dc=cluster' -w <password> -c -f /root/rogroup.ldif
e. move the non-leaf entry (ou=Group,dc=cm,dc=cluster) under the OU
# cat group.ldifdn: ou=Group,dc=cm,dc=clusterchangetype: moddnnewrdn: ou=Groupdeleteoldrdn: 0newsuperior: ou=DisabledUsers,dc=cm,dc=cluster# ldapmodify -x -h localhost -D 'cn=root,dc=cm,dc=cluster' -w <password> -c -f /root/group.ldif
f. move user(s) under the OU
# cat cmsupport.ldif
dn: uid=cmsupport,dc=cm,dc=clusterchangetype: moddnnewrdn: uid=cmsupportdeleteoldrdn: 1newsuperior: ou=DisabledUsers,dc=cm,dc=cluster# ldapmodify -x -h localhost -D 'cn=root,dc=cm,dc=cluster' -w <password> -c -f /root/cmsupport.ldif
g. modify LDAP configurations to use the OU
# cat /cm/local/apps/openldap/etc/slapd.conf[...]rootdn "cn=root,ou=DisabledUsers,dc=cm,dc=cluster"[...]# service ldap restart
h. modify CMDaemon configurations to use the OU
# cat /cm/local/apps/cmd/etc/cmd.conf[...]LDAPSearchDN = "ou=DisabledUsers,dc=cm,dc=cluster"[...]
i. restart CMDaemon
# service cmd restart