Set up LDAP for a CVS integration server

Using LDAP on a CVS integration server can speed up performance for users.

By default, a source code integration server authenticates users via UNIX users and groups. However, managing a large number of users and repositories this way can be slow. To reduce the time required to create, manipulate, and synchronize users and groups, configure the CVS server to use LDAP.
Note: It is recommended that you perform this process under the guidance of CollabNet support or services personnel.

Do not use this technique to connect an integration to a pre-existing corporate LDAP system. This approach uses a local, private LDAP server to replace /etc/passwd and /etc/group for user and group management.

Take the following steps on each integration server you want to convert to LDAP.

  1. Ensure that the following RPMs are installed:
    • openldap
    • openldap-clients
    • openldap-servers
  2. Verify that /etc/openldap/cacerts exists.
    Note: In RHEL 4, installation of openldap may not create this directory, which is required by openldap to start.
  3. In the /etc/openldap/slapd.conf file, change the following values:
    Option     Value
    suffix     "dc=teamforge,dc=com"
    rootdn     "cn=Admin,dc=teamforge,dc=com"
    rootpw     sfee
    sizelimit  30000
    Tip: To supply an encrypted password instead of clear text for rootpw, run the command
    • slappasswd

    You are prompted for a password, and a string that looks like the following is displayed:

    {SSHA}7hC2H5OoEZOaT6rL3hAvyxy11jrZYB2

    Use that string instead of the sfee used in the rootpw example.

  4. Configure the LDAP service to start on boot.
    • chkconfig --level 345 ldap on
  5. Make sure the ldap database directory is clean and has the correct permissions.
    • rm -f /var/lib/ldap/*
    • chown -R ldap.ldap /var/lib/ldap
  6. Start the LDAP server.
    • /etc/init.d/ldap start
  7. Create an initial LDIF (LDAP Interchange Format) file for your groups.
    Important: Make sure no lines in the ldif content start with white space.

    Refer to the following for ldif content:

    dn: dc=teamforge,dc=com
    dc: teamforge
    objectClass: top
    objectClass: domain

    dn: ou=Users,dc=teamforge,dc=com
    ou: Users
    objectClass: organizationalUnit

    dn: ou=Groups,dc=teamforge,dc=com
    ou: Groups
    objectClass: organizationalUnit

    dn: cn=sfee,ou=Groups,dc=teamforge,dc=com
    cn: sfee
    objectClass: posixGroup
    gidNumber: 30000
  8. Add the ldif information.
    • ldapadd -x -D "cn=Admin,dc=teamforge,dc=com" -W < initial.ldif

    When you are prompted for a password, type the password you used in slapd.conf.

  9. Manually remove groups and users created by CollabNet TeamForge from /etc/group and /etc/passwd. These are usually grouped at the end of the respective files. The groups include sfall, sfunrest, and all groups named reps with a numeric suffix (for example: reps1001).
    Note:
    • If users are left in the /etc/passwd or /etc/shadow files, those users may get permission errors when committing code to repositories on that integration server.
    • If groups created by CollabNet TeamForge are left in the /etc/group and /etc/gshadow files, users of those groups may get permission errors when checking in. If groups are removed from these files, a synchronize external system call will be required to restore correct permissions.
  10. Configure the server to authenticate from LDAP.
    Tip: On RHES, you can use the authconfig command. If you have a valid display defined, this command will pop up an X window. Otherwise you can use the command line interface.
    1. Select Use LDAP.
    2. Specify the base DN and server.
      Note: Do not select Use TLS.
    3. Click Next.
    4. Select Use LDAP Authentication. Fill in the LDAP base DN and host information.
    5. Click OK.
    This program modifies some /etc/pam.d entries and writes out a valid /etc/ldap.conf file.
  11. Restart sshd.
    • /etc/init.d/sshd restart
  12. In /etc/nsswitch.conf, verify that the passwd, shadow, and group entries look like this:
    passwd: files ldap
    shadow: files ldap
    group: files ldap
  13. Verify that /etc/ldap.conf contains these values:
    nss_base_passwd ou=Users,dc=teamforge,dc=com?one
    nss_base_shadow ou=Users,dc=teamforge,dc=com?one
    nss_base_group ou=Groups,dc=teamforge,dc=com?one
    pam_filter objectClass=posixAccount
    pam_login_attribute uid
  14. Log onto the integration server.
  15. To configure the CollabNet TeamForge integration server to update LDAP, add these entries to /conf/site-options.conf:
    Entry                     Value                                    Description
    CVS_LDAP_HOST             localhost                                The host of the LDAP server.
    CVS_LDAP_PORT             389                                      The port of the LDAP server.
    CVS_LDAP_USERS_DN         Example: ou=Users,dc=teamforge,dc=com    Schema address that users are added into.
    CVS_LDAP_GROUPS_DN        Example: ou=Groups,dc=teamforge,dc=com   Schema address that groups are added into.
    CVS_LDAP_USERS_STARTID    30000                                    The numeric userid to start counting from when creating new users.
    CVS_LDAP_GROUPS_STARTID   30005                                    The numeric groupid to start counting from when creating new groups.
    CVS_LDAP_BIND_DN          Example: cn=Admin,dc=teamforge,dc=com    The "root dn" for the LDAP server. This must be the value specified in slapd.conf.
    CVS_LDAP_BIND_PASSWORD                                             The password for the root dn.
    INTEGRATION_OS            linux_ldap
    CVS_USER_DEFAULT_GROUP    sfee
  16. Restart the integration server.
    • <SITE_DIR>/runtime/scripts/teamforge-integration-init.sh restart
  17. Log into the CollabNet TeamForge site's web interface as site administrator.
  18. On the Integration Systems page, synchronize permissions for all managed source code integration servers.
    Note: Running synchronize permissions will send email to your entire user community. This occurs because the users need to click on the link in the email to set their LDAP password (by entering their current SourceForge password). The password cannot be set automatically during migration because only the encrypted version is available.
  19. When synchronize permissions has completed, correct the permissions on the home directories of your users. On each source code server that you have converted to LDAP, run these commands:
    • cd /home
      for i in *
      do
        chown -R $i.root $i
      done
    Note: You may see some errors. This is normal and indicates disabled/deleted users.
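The following script is an added example, not part of the CollabNet documentation. It checks the outcome of steps 9, 12 and 13 above (no TeamForge-created groups left in the group file, nsswitch.conf and ldap.conf carrying the expected values) and runs against constructed sample files; point the functions at /etc/group, /etc/nsswitch.conf and /etc/ldap.conf to check a real server.

```shell
#!/bin/sh
# Post-conversion checks for steps 9, 12 and 13 of the LDAP procedure.
# Added example, not CollabNet's own code. Every function takes a file
# path, so it can be pointed at the live files or at constructed copies.

# Step 9: print TeamForge-created groups still present in a group file
# (sfall, sfunrest, and reps followed by digits). Prints nothing when clean.
leftover_tf_groups() {
    cut -d: -f1 "$1" | grep -E '^(sfall|sfunrest|reps[0-9]+)$'
}

# Step 12: succeed only if passwd, shadow and group all resolve "files ldap".
nsswitch_uses_ldap() {
    for db in passwd shadow group; do
        grep -Eq "^$db:[[:space:]]+files[[:space:]]+ldap[[:space:]]*$" "$1" || return 1
    done
    return 0
}

# Step 13: succeed only if ldap.conf carries the five expected settings
# (plain grep, so the ? in "?one" is matched literally).
ldap_conf_ok() {
    for line in 'nss_base_passwd ou=Users,dc=teamforge,dc=com?one' \
                'nss_base_shadow ou=Users,dc=teamforge,dc=com?one' \
                'nss_base_group ou=Groups,dc=teamforge,dc=com?one' \
                'pam_filter objectClass=posixAccount' \
                'pam_login_attribute uid'; do
        grep -q "^$line" "$1" || return 1
    done
    return 0
}

# Run all three against a directory holding group, nsswitch.conf and
# ldap.conf; report each finding and return 1 if anything needs attention.
check_dir() {
    rc=0
    left=$(leftover_tf_groups "$1/group") && { echo "stale groups in $1/group: $left"; rc=1; }
    nsswitch_uses_ldap "$1/nsswitch.conf" || { echo "$1/nsswitch.conf lacks 'files ldap'"; rc=1; }
    ldap_conf_ok "$1/ldap.conf" || { echo "$1/ldap.conf is missing expected values"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real server) so the script runs offline.
d=$(mktemp -d)
printf 'root:x:0:\nsfee:x:30000:\nsfall:x:30001:\nreps1001:x:30002:bob\nrepsadmin:x:30003:\n' > "$d/group"
printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\nhosts: files dns\n' > "$d/nsswitch.conf"
printf 'nss_base_passwd ou=Users,dc=teamforge,dc=com?one\n' > "$d/ldap.conf"
check_dir "$d" || echo "conversion incomplete: fix the findings above"
rm -rf "$d"
```

With the sample files the script reports sfall and reps1001 as stale (repsadmin is not flagged because it has no numeric suffix) and the incomplete ldap.conf.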