Professional Documents
Culture Documents
Ldap Authentication Config
Ldap Authentication Config
http://damiensolley.com/content/computers-net...
Damien Solley
[[ computers-networking:ldap_authentication_for_windows_apache_postfix_dovecot_linux ]]
#SASL/EXTERNAL
authentication
started
#SASL
username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth #SASL SSF: 0 #dn: cn=config #dn:
cn=module{0},cn=config #dn: cn=schema,cn=config #dn: cn={0}core,cn=schema,cn=config #dn:
cn={1}cosine,cn=schema,cn=config
#dn:
cn={2}nis,cn=schema,cn=config
#dn:
cn={3}inetorgperson,cn=schema,cn=config #dn: olcBackend={0}hdb,cn=config #dn: olcDatabase=
{-1}frontend,cn=config #dn: olcDatabase={0}config,cn=config #dn: olcDatabase={1}hdb,cn=config
#[2] Edit existing directories
slappasswd # generate password
#SASL/EXTERNAL
authentication
started
#SASL
username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth #SASL SSF: 0 # input follows ( set
password generated above for 'olcRootPW' )
dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# push 'Ctrl+D' to quit
vi config.ldif
# change to your own suffix for the field 'dc=damiensolley,dc=com'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=damiensolley,dc=com
replace: olcRootDN
olcRootDN: cn=admin,dc=damiensolley,dc=com
replace: olcAccess
olcAccess: to attrs=userPassword by dn="cn=admin,dc=damiensolley,dc=com" write by anonymous auth by self write
olcAccess: to attrs=shadowLastChange by self write by * read
1 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
# edit 'olcDatabase={1}hdb'
ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
2 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
Also, if using SSL with self-signed certs, the CLIENT must be set to:
vim /etc/ldap/ldap.conf
# line 7: add
passwd:compat ldap
group:compat ldap
shadow:compat ldap
# line 19: change
netgroup:ldap
vi /etc/pam.d/common-password
3 of 10
pam_ldap.so try_first_pass
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
vi /etc/pam.d/common-session
# add last line if needed (to create home directory automatically at first login )
session optional pam_mkhomedir.so skel=/etc/skel umask=077
''shutdown -r now
#You can now login as a LDAP user!
vi schema_convert.conf
# create new
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
mkdir -p ./tmp/ldif_output
slapcat -f schema_convert.conf -F ./tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./tmp/cn=samba.
vi ./tmp/cn=samba.ldif
# line 1,3: change by removing "{12}"
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
4 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
# create new
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
/etc/init.d/slapd restart
#Stopping OpenLDAP: slapd.
#Starting OpenLDAP: slapd.
#[2]
Change Samba's settings. Samba PDC is also a LDAP Client.
aptitude -y install smbldap-tools
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
cp /usr/share/doc/smbldap-tools/examples/smb.conf /etc/samba/smb.conf
vi /etc/samba/smb.conf
# line 3: change workgroup name to any one you like
workgroup = ServerWorld
# line 12: make it comment
#min passwd length = 3
# line 22: change
ldap passwd sync = yes
# line 33,34: change
Dos charset = CP932
Unix charset = UTF-8
# line 47: specify ldap server
passdb backend = ldapsam:ldap://localhost/
# line 48: change LDAP admin DN (LDAP server's one)
ldap admin dn = cn=admin,dc=damiensolley,dc=com
# line 50: change LDAP suffix (LDAP server's one)
ldap suffix = dc=damiensolley,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
# line 60: uncomment
delete group script = /usr/sbin/smbldap-groupdel "%g"
# line 64: add (specify admin user), no SSL
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = ds
ldap ssl = no
5 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
mkdir /home/netlogon
/etc/init.d/samba restart
smbpasswd -W # add LDAP admin's password
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
perl /usr/share/doc/smbldap-tools/configure.pl
$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] > # Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >
# Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [ServerWorld] > # Enter
. netbios name: netbios name of the samba controler
netbios name [PDC-SRV] > # Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] > # Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC-SRV\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .
# input a period
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .
# input a
. home directory prefix (use %U as username) [/home/%U] > # Enter
. default users' homeDirectory mode [700] > # Enter
. default user netlogon script (use %U as username) [logon.bat] >
# Enter
default password validation time (time in days) [45] > # Enter
. ldap suffix [dc=damiensolley,dc=com] > # Enter
. ldap group suffix [ou=groups] > # Enter
. ldap user suffix [ou=people] > # Enter
. ldap machine suffix [ou=Computers] > # Enter
. Idmap suffix [ou=Idmap] > # Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >
# Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [10.0.0.100] > # Enter
. ldap master port [389] > # Enter
. ldap master bind dn [cn=admin,dc=damiensolley,dc=com] > # Enter
. ldap master bind password [] > # enter LDAP admin password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [10.0.0.100] > # specify LDAP slave's IP (Enter with empy if none)
. ldap slave port [389] > # Enter
. ldap slave bind dn [cn=admin,dc=damiensolley,dc=com] > # Enter
. ldap slave bind password [] > # Input if there is, if not input the same one with master
. ldap tls support (1/0) [0] > # Enter
. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
SID for domain SERVERWORLD [S-1-5-21-2752024775-1437179205-4226352253] >
# Enter
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
# MD5 or SSHA
. default user gidNumber [513] > # Enter
6 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
smbldap-populate
entry dc=damiensolley,dc=com already exist.
entry ou=people,dc=damiensolley,dc=com already exist.
entry ou=groups,dc=damiensolley,dc=com already exist.
adding new entry: ou=Computers,dc=damiensolley,dc=com
adding new entry: ou=Idmap,dc=damiensolley,dc=com
adding new entry: uid=root,ou=people,dc=damiensolley,dc=com
adding new entry: uid=nobody,ou=people,dc=damiensolley,dc=com
adding new entry: cn=Domain Admins,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Domain Users,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Domain Guests,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Domain Computers,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Administrators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Account Operators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Print Operators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Backup Operators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Replicators,ou=groups,dc=damiensolley,dc=com
entry sambaDomainName=ServerWorld,dc=damiensolley,dc=com already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: # set root password
Retype new password:
7 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
Then:
service apache2 restart
Then,
echo " server_host = localhost
search_base = dc=damiensolley, dc=com" > ldap-aliases.cf
And finally:
service postfix restart
8 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
certificate. When asked for the Common Name be sure to set it to the fully qualified domain name you will
be using for your OpenLDAP SSL secured server.
apt-get install
gnutls-bin
The Common Name (eg, YOUR name) []: entry must be set your your LDAP server name (e.g.
bux.somedomain.com).
9 of 10
2015-02-02 19:36
computers-networking:ldap_authentication_for...
http://damiensolley.com/content/computers-net...
10 of 10
2015-02-02 19:36