(5-4-2005)
OpenLDAP
Server Setup:
Install: openldap-<ver>.rpm
openldap-servers-<ver>.rpm
openldap-clients-<ver>.rpm
FEDORA:
samba-3.0.<ver>.i386.rpm
samba-common-3.0.<ver>.i386.rpm
samba-client-3.0.<ver>.i386.rpm
samba-swat-3.0.<ver>.i386.rpm
smbldap-tools-<ver>.rpm
Using apt-get:
# apt-get install openldap openldap-servers openldap-clients
# apt-get install samba samba-common samba-client samba-swat samba-winbind smbldap-tools
Copy: /usr/share/doc/samba-3.0.<ver>/LDAP/samba.schema /etc/openldap/schema/
MDK:
samba3-common-3.0.0-<ver>mdk.i586.rpm
samba3-server-3.0.0-<ver>mdk.i586.rpm
samba3-swat-3.0.0-<ver>mdk.i586.rpm
Using urpmi:
# urpmi samba3-common samba3-server samba3-swat
SLES 9:
Use YaST to configure LDAP (during install or later on)
Copy: /usr/share/doc/packages/samba/examples/LDAP/samba.schema /etc/openldap/schema
Server Setup:
Edit: /etc/openldap/slapd.conf
Edit:
database bdb
suffix "<base dn>" # i.e. "o=mydomain"
rootdn "<root dn>" # i.e. "cn=root,o=mydomain"
rootpw <root dn password hash>
# Generate the hash with: slappasswd -h {md5}
# (type <password> at the prompt and use the {MD5}... output it prints as the rootpw value)
FEDORA: Add: include /etc/openldap/schema/samba.schema
MDK 9.x: Uncomment: include /usr/share/openldap/schema/samba.schema
SLES 9: Use YaST to configure LDAP (during install or later on)
Add: include /etc/openldap/schema/samba.schema
Uncomment:
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
©Ron Terry 1
Edit: /etc/openldap/slapd.access.conf
Replace 'mydomain' with the name of your Base DN.
Run:
# touch /etc/openldap/slapd.access.conf
# chown :ldap /etc/openldap/slapd.access.conf
# chmod 640 /etc/openldap/slapd.access.conf
Start Server:
# chkconfig ldap on          (ensures the server starts automatically)
# /etc/init.d/ldap restart   (starts the LDAP service)
Create: /etc/ldap.secret
Add your rootdn password (in plain text) on the first line of this file. Make the file readable by root only (chmod 600 /etc/ldap.secret): anyone who can read it holds the directory's root credentials.
Edit: /etc/openldap/ldap.conf
Add at end of file:
TLS_REQCERT allow
(With "allow", a missing or unverifiable server certificate is ignored and the session proceeds; switch to "demand" once the CA certificate is in place so clients actually verify the server.)
NSS and PAM
Client Setup:
Install:
MDK 9.x: nss_ldap-<ver>.rpm
pam_ldap-<ver>.rpm
Using urpmi:
# urpmi nss_ldap pam_ldap
NSS:
FEDORA: Run authconfig to automatically configure /etc/nsswitch.conf.
MDK 9.x:
Edit: /etc/nsswitch.conf
PAM:
FEDORA: Run authconfig to automatically configure /etc/pam.d/system-auth.
MDK 9.x:
Edit: /etc/pam.d/system-auth
pam_mkhomedir
Client and/or Server Setup:
Edit: /etc/pam.d/system-auth
MDK 9.x:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066
FEDORA:
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0066
SLES 9:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066
Change:
admin password (i.e. uid=admin,<base dn>)
'fake' root password (i.e. uid=root,ou=users,ou=accounts,<base dn>)
Note: You may change these passwords after you have installed an administration utility (i.e. phpLDAPadmin). The sample full-base.ldif below ships them as clear-text values (e.g. userPassword: password), so change them before the directory goes into service.
Samba
Server Setup:
Edit: /etc/samba/smb.conf
Edit or Add:
workgroup = <your domain name>
netbios name = <your computer name>
passdb backend = ldapsam:ldap://<hostname or IP of LDAP server>
ldap suffix = <base dn> # i.e. o=mydomain
ldap machine suffix = <computer dn> # i.e. ou=computers,ou=accounts,o=mydomain
ldap user suffix = <user dn> # i.e. ou=users,ou=accounts,o=mydomain
ldap group suffix = <groups dn> # i.e. ou=groups, o=mydomain
ldap idmap suffix = <idmap dn> # i.e. ou=idmap,ou=accounts,o=mydomain
ldap admin dn = <admin dn> # i.e. cn=root,o=mydomain or uid=admin,o=mydomain
ldap port = 389
ldap ssl = no (or start_tls)
ldap passwd sync = Yes
FEDORA:
Edit or Add:
ldap delete dn = yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
Create:
mkdir /var/lib/samba
mkdir /var/lib/samba/netlogon
mkdir /var/lib/samba/profiles
mkdir /var/lib/samba/printers
mkdir /var/tmp
chmod 1757 /var/lib/samba/profiles
MDK 9.x:
Edit: add user script =
/usr/share/scripts/smbldap-useradd.pl -w -d /dev/null -g Machines -c "Machine Account" -s /bin/false %u
SLES 9: Use YaST to configure Samba to use LDAP as a backend.
Run:
FEDORA: smbpasswd -w <admin dn password>
MDK 9.x: smbpasswd3 -w <admin dn password>
SLES9: YaST configures this automatically
Restart servers:
# chkconfig smb on          (ensures the server starts automatically)
# /etc/init.d/smb restart   (starts the Samba service)
smbldap-tools
Server Setup:
Edit:
FEDORA: /etc/smbldap-tools/smbldap.conf
MDK 9.x: /etc/samba/smbldap_conf.pm
SLES 9: ?
Edit:
# General Configuration
SID = "<machine SID>" # from: net getlocalsid
# LDAP Configuration
slaveLDAP = "<ldap server hostname/IP address>"
masterLDAP = "<ldap server hostname/IP address>"
ldapTLS = "0" # or "1"
suffix = "<base dn>"
usersdn = "ou=users,ou=accounts,${suffix}"
computersdn = "ou=computers,ou=accounts,${suffix}"
groupsdn = "ou=groups,${suffix}"
idmap = "ou=idmap,ou=accounts,${suffix}"
sambaUnixIdPooldn = "sambaDomainName=<your NT domain name>,${suffix}"
scope = "sub"
hash_encrypt = "MD5"
# Unix Accounts Configuration
userLoginShell = "/bin/bash"
userHome = "<path to home dirs>" # i.e. "/home/users/%U"
userGecos = "System User"
defaultUserGid = "513"
defaultComputerGid = "515"
skeletonDir = "/etc/skel"
defaultMaxPasswordAge = "99999"
# Samba
userSmbHome = "\\<servername>\homes\%U"
userProfile = "\\<servername>\profiles\%U"
userHomeDrive = "H:"
mailDomain = "<your DNS domain>"
# SMBLDAP-TOOLS
smbpasswd = "/usr/bin/smbpasswd"
MDK 9.x (smbldap_conf.pm is Perl, so the value is quoted and the line ends with a semicolon):
$smbpasswd = "/usr/bin/smbpasswd3";
Edit:
FEDORA: /etc/smbldap-tools/smbldap_bind.conf
MDK 9.x: ?
SLES 9: ?
Edit:
slaveDN = "<your root dn>" # i.e. cn=root,o=mydomain -or- uid=admin,o=mydomain
slavePw = "<root dn password in plain text>"
masterDN = "<your root dn>" # i.e. cn=root,o=mydomain -or- uid=admin,o=mydomain
masterPw = "<root dn password in plain text>"
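The smb.conf suffixes (Samba section) and the smbldap.conf container variables (this section) must name the same DNs, or Samba and the smbldap-tools scripts will create accounts in different containers. The following is an added Python check, not part of the original document: it parses constructed fragments of both files, expands ${suffix} the way smbldap.conf expects, and reports each pair that disagrees (the sample deliberately carries a $[suffix} typo, which never expands and so shows up as a mismatch).

```python
import re
# Constructed fragments in the layout of the smb.conf and smbldap.conf settings
# above (sample values, not the author's files). smbldap.conf expands ${suffix};
# smb.conf carries full DNs, so the two are compared only after expansion.
SMB_CONF = """[global]
ldap suffix = o=mydomain
ldap machine suffix = ou=computers,ou=accounts,o=mydomain
ldap user suffix = ou=users,ou=accounts,o=mydomain
ldap group suffix = ou=groups,o=mydomain
ldap idmap suffix = ou=idmap,ou=accounts,o=mydomain
"""
SMBLDAP_CONF = """# LDAP Configuration
suffix="o=mydomain"
usersdn="ou=users,ou=accounts,${suffix}"
computersdn="ou=computers,ou=accounts,${suffix}"
groupsdn="ou=groups,${suffix}"
idmap="ou=idmap,ou=accounts,$[suffix}"
"""
# smb.conf parameter -> smbldap.conf variable that must name the same container
PAIRS = [("ldap suffix", "suffix"), ("ldap user suffix", "usersdn"),
         ("ldap machine suffix", "computersdn"),
         ("ldap group suffix", "groupsdn"), ("ldap idmap suffix", "idmap")]

def parse_kv(text):
    """Parse 'key = value' lines; skips comments/section headers, strips quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")):
            key, _, val = line.partition("=")
            out[key.strip().lower()] = val.strip().strip('"').strip("'")
    return out

def expand(conf):
    """Expand ${name} references against the file's own keys (one level)."""
    return {k: re.sub(r"\$\{(\w+)\}", lambda m: conf.get(m.group(1), ""), v)
            for k, v in conf.items()}

def norm_dn(dn):
    """Lower-case and drop spaces around commas so DNs compare by value."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def find_mismatches(smb_text, smbldap_text):
    """Return (smb key, smb value, smbldap key, smbldap value) per disagreement."""
    smb, tools = parse_kv(smb_text), expand(parse_kv(smbldap_text))
    return [(a, smb.get(a, ""), b, tools.get(b, "")) for a, b in PAIRS
            if norm_dn(smb.get(a, "")) != norm_dn(tools.get(b, ""))]

if __name__ == "__main__":
    for smb_key, a, tools_key, b in find_mismatches(SMB_CONF, SMBLDAP_CONF):
        print(f"MISMATCH: smb.conf '{smb_key}' = {a!r}; smbldap.conf '{tools_key}' = {b!r}")
```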
Install GUI Administration Tools
Client and/or Server Setup:
Install and configure phpLDAPadmin
• To download phpLDAPadmin go to:
  - http://phpldapadmin.sourceforge.net/download.php
  - http://pronetworkconsulting.com/linux/docs/phpldapadmin-0.9.6c-1-rct.tgz (pre-patched)
• Download the latest tarball (i.e. phpldapadmin-0.9.6c.tar.gz).
• Extract the tarball into /usr/share.
• Create (or download) a file called /etc/httpd/conf.d/phpldapadmin.conf and add the following line:
  - Alias /ldapadmin /usr/share/phpldapadmin-<ver>
• Restart the web server (service httpd restart or /etc/init.d/httpd restart).
• Set Apache to start automatically (chkconfig httpd on).
• cd into the /usr/share/phpldapadmin-<ver> directory.
• cp config.php.example config.php (or edit config.php if using the pre-patched version).
• Edit config.php and modify these variables to match your install:
  - ['name'] = '<what you want to call this server>';
  - ['host'] = '<IP or host name/FQDN of LDAP server>';
  - ['base'] = '<your base dn>';
  - ['auth_type'] = 'session';
  - ['login_dn'] = '<your root dn>'; # (or 'uid=NSS,ou=LDAPadmin,<your base dn>';)
  - ['login_pass'] = '<empty>'; # (or 'nsspass';)
  - ['default_hash'] = 'md5';
  - ['login_attr'] = 'dn'; # (or 'uid';)
  - ['enable_auto_uid_numbers'] = true;
  - ['auto_uid_number_mechanism'] = 'search';
  - ['auto_uid_number_search_base'] = 'ou=accounts,<your base dn>';
  - ['auto_uid_number_min'] = 1000;
  - ['auto_uid_number_search_dn'] = 'uid=NSS,ou=LDAPadmin,<your base dn>';
  - ['auto_uid_number_search_dn_pass'] = 'nsspass';
  - ['unique_attrs_dn'] = 'uid=NSS,ou=LDAPadmin,<your base dn>'; # (a later assignment of the same key overrides this one; keep only one pair)
  - ['unique_attrs_dn_pass'] = 'nsspass';
  - ['unique_attrs_dn'] = 'uid=unique_attrs,ou=LDAPadmin,<your base dn>';
  - ['unique_attrs_dn_pass'] = 'unique';
  - $enable_mass_delete = true;
  - $unique_attrs = array('uid','uidNumber','mail');
• Edit the default template values (i.e. Samba SID, etc.) in templates/template_config.php.
  - $base_posix_groups = "ou=groups,<your base dn>";
  - $mkntpwdCommand = "/usr/local/bin/mkntpwd";
  - $samba3_domains[] = array('name' => '<your Samba domain name>', 'sid' => '<your samba sid>');
  - $samba_base_groups = "ou=groups,<your base dn>";
• Edit the language file value for Samba Domain Name in lang/en.php (optional: for the unpatched version).
  - $lang['samba_domain_name'] = '<your Samba domain name>';
• Download or copy "mkntpwd" into /usr/local/bin (http://pronetworkconsulting.com/linux/docs/utils/mkntpwd).
• Make the mkntpwd program executable (chmod a+x /usr/local/bin/mkntpwd).
• Edit templates/creation/new_sbs_user_template.php
  - $default_container = "ou=users,ou=accounts";
  - $default_home = "/home/users";
  - $inet_domain = "<your internet domain>";
Sample Configuration Files
Samba
#=================================================================#
# -=Samba 3.x smb.conf for a PDC with LDAP backend=-              #
#                                                                 #
# This file assumes the following:                                #
#                                                                 #
#   - The samba server and LDAP server are on the same machine.   #
#   - netbios name = myserver                                     #
#   - workgroup/domain = mydomain                                 #
#   - LDAP base dn = o=mydomain                                   #
#   - LDAP rootdn = cn=root,o=mydomain                            #
#=================================================================#
#============ Global Settings =====================================
[global]
#-- Basic Server Options --#
netbios name = myserver
workgroup = mydomain
server string = Samba Server
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#-- PDC and Master Browser Settings --#
preferred master = Yes
domain master = Yes
local master = Yes
domain logons = Yes
os level = 64
dns proxy = No
wins support = Yes
#-- LDAP Settings --#
ldap suffix = o=mydomain
ldap machine suffix = ou=computers,ou=accounts,o=mydomain
ldap user suffix = ou=users,ou=accounts,o=mydomain
ldap group suffix = ou=groups,o=mydomain
ldap idmap suffix = ou=idmap,ou=accounts,o=mydomain
ldap admin dn = cn=root,o=mydomain
ldap ssl = no
ldap passwd sync = Yes
slapd.access.conf
# slapd.access.conf version 1.3 (5-4-2005)
# For use with OpenLDAP 2.1+
# and
# full-base.ldif v4.4+
#
# note: This file must be readable by the ldap user or ldap group
# and should not be readable by anyone else.

### UNIX Password Property Restrictions ###
access to attr=userPassword
    by dn="uid=admin,o=mydomain" write
    by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
    by dn="uid=replicator,ou=LDAPadmin,o=mydomain" read
    by dn="uid=NSS,ou=LDAPadmin,o=mydomain" read
    by anonymous auth
    by self write
    by * none

### NSS Information Properties Restrictions ###
access to attrs=uidNumber,uid,gidNumber,loginShell,homeDirectory
    by dn="uid=admin,o=mydomain" write
    by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
    by dn="uid=replicator,ou=LDAPadmin,o=mydomain" read
    by dn="uid=NSS,ou=LDAPadmin,o=mydomain" read
    by dn="uid=unique_attrs,ou=LDAPadmin,o=mydomain" read
    by anonymous auth
    by self read
    by users read
    by * read
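slapd evaluates these stanzas in order: the first "access to" whose attribute list covers the attribute is selected, and inside it the first "by" clause that matches the requester decides the level (later clauses are never consulted). The following is an added Python evaluator, not part of the original document, that models that rule over a constructed copy of the userPassword stanza and a shortened NSS stanza, so you can confirm for example that an anonymous bind can authenticate against userPassword but never read it, and that one user cannot read another user's hash.

```python
# Constructed copy of the userPassword stanza above plus a shortened NSS stanza
# (added example, not the author's file); handles the <who> forms the page uses.
ACL_TEXT = '''
access to attr=userPassword
  by dn="uid=admin,o=mydomain" write
  by dn="uid=NSS,ou=LDAPadmin,o=mydomain" read
  by anonymous auth
  by self write
  by * none
access to attrs=uidNumber,uid,gidNumber,loginShell,homeDirectory
  by dn="uid=admin,o=mydomain" write
  by users read
  by * read
'''
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Return [(attribute set, [(who, level), ...])] in file order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            spec = line[10:]
            attrs = {"*"} if spec == "*" else {a.lower() for a in spec.split("=", 1)[1].split(",")}
            rules.append((attrs, []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)  # DNs containing spaces are not expected here
            rules[-1][1].append((who.replace('"', "").lower(), level))
    return rules
def who_matches(who, bind_dn, target_dn):
    """Evaluate one <who> selector; bind_dn is None for an anonymous request."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):     # anonymous: no bind DN; users: any bound DN
        return (bind_dn is None) == (who == "anonymous")
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who[3:]   # remaining form: dn=<exact DN>
def access_level(rules, bind_dn, target_dn, attr):
    """First stanza covering attr decides; inside it the first matching <who> wins and a
    stanza none of whose clauses match grants none (uncovered attrs: none, conservatively)."""
    for attrs, clauses in rules:
        if "*" in attrs or attr.lower() in attrs:
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"
def allowed(rules, bind_dn, target_dn, attr, wanted):
    """True when the granted level is at least the requested one on slapd's privilege ladder."""
    return LEVELS.index(access_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)
```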
full-base.ldif (v4.4)
### Domain ###
dn: o=mydomain
objectClass: top
objectClass: organization
o: mydomain
description: mydomain

dn: ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: accounts
description: User and Computer Accounts

dn: ou=groups,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: groups
description: User and Domain Groups

dn: ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: services
description: Network Services

dn: ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: LDAPadmin
description: LDAP administrative objects

dn: ou=computers,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: computers
description: Samba Computer Accounts

dn: ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: users
description: Linux and Samba User Accounts

dn: ou=addresses,ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: addresses
description: Address Book Entries

#- groups OU -#
dn: ou=samba,ou=groups,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: samba
description: Samba User Groups

#- services OU -#
dn: ou=DHCP,ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: DHCP
description: DHCP Servers
dn: ou=DNS,ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: DNS
description: DNS Servers

dn: ou=automount,ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: automount
description: Autofs Automount Maps

dn: cn=root,ou=groups,o=mydomain
objectClass: posixGroup
gidNumber: 0
cn: root
description: 'Fake' root UNIX group

# Replace the sample domain SID (S-1-5-21-484461966-3319382440-1790084091) in the
# group entries below with your own (net getlocalsid); only the trailing RID differs per group.
dn: cn=admins,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-512
displayName: Domain Admins
cn: admins
memberUid: root
description: System and Domain Administrators

dn: cn=users,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-513
displayName: Domain Users
cn: users
description: System and Domain Users

dn: cn=guests,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-514
displayName: Domain Guests
cn: guests
description: System and Domain Guests

dn: cn=machines,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-515
displayName: Domain Computers
cn: machines
description: Domain Machines

# The userPassword values below are sample clear-text passwords; change them
# (see the "Change:" step above) before the directory goes into service.
dn: uid=admin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: admin
userPassword: password
description: LDAP Administrator Object

dn: uid=root,ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: root
sn: root
uid: root
gecos: root
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
description: 'Fake' root UNIX user

dn: uid=guest,ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: guest
sn: guest
uid: guest
gecos: Guest User
uidNumber: 99
gidNumber: 514
homeDirectory: /dev/null
loginShell: /bin/false

dn: uid=MAIL,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: MAIL
userPassword: nsspass
description: MAIL ACL Object

dn: uid=unique_attrs,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: unique_attrs
userPassword: unique
description: ACL Object used to ensure unique attributes

dn: uid=NSS,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: NSS
userPassword: nsspass
description: LDAP NSS Object

dn: uid=replicator,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: replicator
userPassword: replicator
description: LDAP Replication Object
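Before loading a base LDIF like the one above, it pays to check that every entry's parent container is defined earlier in the file, that each sambaGroupMapping's RID matches its gidNumber (the convention the file relies on), and that every DN the slapd.access.conf stanzas bind to actually exists. The following is an added Python check, not part of the original document; it runs over a constructed, abbreviated LDIF that deliberately contains one defect of each kind (the last mirrors an ACL that names uid=unique_attrs while the LDIF creates a cn=unique_attrs entry).

```python
# Constructed, abbreviated LDIF in the layout of full-base.ldif above (added
# example, not the author's file) with three deliberate defects for the checks.
LDIF = """\
dn: o=mydomain
objectClass: organization

dn: ou=LDAPadmin,o=mydomain
objectClass: organizationalUnit

dn: cn=admins,ou=samba,ou=groups,o=mydomain
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-484461966-3319382440-1790084091-513

dn: uid=NSS,ou=LDAPadmin,o=mydomain
objectClass: simpleSecurityObject
userPassword: nsspass

dn: cn=unique_attrs,ou=LDAPadmin,o=mydomain
objectClass: simpleSecurityObject
userPassword: unique
"""
# DNs the slapd.access.conf sample binds to; each must exist in the LDIF
ACL_DNS = ["uid=NSS,ou=LDAPadmin,o=mydomain", "uid=unique_attrs,ou=LDAPadmin,o=mydomain"]

def parse_ldif(text):
    """{dn (lower-cased): {attr (lower-cased): [values]}}; no '::' base64 or folded lines."""
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            key, _, val = line.partition(":")
            cur.setdefault(key.strip().lower(), []).append(val.strip())
        elif cur:
            entries[cur["dn"][0].lower()] = cur
            cur = {}
    return entries

def check_ldif(text, base, referenced_dns=()):
    """Report orphans, sambaSID RID / gidNumber disagreements and undefined referenced DNs."""
    entries, problems = parse_ldif(text), []
    for dn, attrs in entries.items():
        parent = dn.partition(",")[2]           # everything after the RDN
        if dn != base.lower() and parent not in entries:
            problems.append(f"orphan: {dn} (parent {parent} not defined)")
        if "sambasid" in attrs:
            rid = attrs["sambasid"][0].rsplit("-", 1)[1]
            gid = attrs.get("gidnumber", ["?"])[0]
            if rid != gid:
                problems.append(f"rid/gid mismatch: {dn} rid={rid} gidNumber={gid}")
    problems += [f"referenced but undefined: {d}" for d in referenced_dns if d.lower() not in entries]
    return problems
```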
Diagram of the full-base.ldif
o=mydomain
|
|-ou=accounts
|   |
|   |-ou=idmap
|   |
|   |-ou=computers
|   |
|   |-ou=users
|       |
|       |-ou=addresses
|       |
|       |-uid=root
|       |-uid=guest
|
|-ou=groups
|   |
|   |-ou=samba
|   |   |-cn=admins
|   |   |-cn=users
|   |   |-cn=guests
|   |   |-cn=machines
|   |
|   |-cn=root
|
|-ou=services
|   |
|   |-ou=automount
|   |
|   |-ou=DHCP
|   |
|   |-ou=DNS
|
|-ou=LDAPadmin
|   |-uid=MAIL
|   |-uid=NSS
|   |-uid=replicator
|   |-uid=unique_attrs
|
|-uid=admin