computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

Damien Solley
[[ computers-networking:ldap_authentication_for_windows_apache_postfix_dovecot_linux ]]

LDAP Authentication for Windows, Linux, Apache, Postfix,

Samba
Copy and Paste Howto based on Debian Squeeze

1. Configure the LDAP Server

From: 1 [http://www.server-world.info/en/note?os=Debian_6.0&p=ldap]
aptitude -y install slapd ldap-utils

# Input LDAP admin password during installation # check working

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

#SASL/EXTERNAL
authentication
started
#SASL
username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth #SASL SSF: 0 #dn: cn=config #dn:
cn=module{0},cn=config #dn: cn=schema,cn=config #dn: cn={0}core,cn=schema,cn=config #dn:
cn={1}cosine,cn=schema,cn=config
#dn:
cn={2}nis,cn=schema,cn=config
#dn:
cn={3}inetorgperson,cn=schema,cn=config #dn: olcBackend={0}hdb,cn=config #dn: olcDatabase=
{-1}frontend,cn=config #dn: olcDatabase={0}config,cn=config #dn: olcDatabase={1}hdb,cn=config
#[2] Edit existing directories
slappasswd # generate password

#record this password! #{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# set admin password to config directory
ldapmodify -Y EXTERNAL -H ldapi:///

#SASL/EXTERNAL
authentication
started
#SASL
username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth #SASL SSF: 0 # input follows ( set
password generated above for 'olcRootPW' )
dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# push 'Ctrl+D' to quit
vi config.ldif
# change to your own suffix for the field 'dc=damiensolley,dc=com'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=damiensolley,dc=com
replace: olcRootDN
olcRootDN: cn=admin,dc=damiensolley,dc=com
replace: olcAccess
olcAccess: to attrs=userPassword by dn="cn=admin,dc=damiensolley,dc=com" write by anonymous auth by self write
olcAccess: to attrs=shadowLastChange by self write by * read

1 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

olcAccess: to dn.base="" by * read

olcAccess: to * by dn="cn=admin,dc=damiensolley,dc=com" write by * read
-

# edit 'olcDatabase={1}hdb'
ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

#SASL/EXTERNAL authentication started

#SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#SASL SSF: 0
#modifying entry olcDatabase={1}hdb,cn=config
# check working
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb

Enter LDAP Password:# password set above dn: olcDatabase={1}hdb,cn=config objectClass:

olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap
olcLastMod: TRUE olcRootPW: {SSHA}XXXXXXXXXXZZZZZZZZZZZZZZZ olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig:
{2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcSuffix:
dc=damiensolley,dc=com
olcRootDN:
cn=admin,dc=damiensolley,dc=com
olcAccess:
{0}to
attrs=userPassword by dn=cn=admin,dc=damiensolley,dc=com write by anonymous auth by self write by
* none olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to dn.base= by *
read olcAccess: {3}to * by dn=cn=admin,dc=damiensolley,dc=com write by * read
[3] Add new directory
vi base.ldif
# create new
# change to your own suffix for the field 'dc=damiensolley,dc=com'
dn: dc=damiensolley,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server
description: LDAP Server
dn: ou=people,dc=damiensolley,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=damiensolley,dc=com
objectClass: organizationalUnit
ou: groups
ldapadd -x -D cn=admin,dc=damiensolley,dc=com -W -f base.ldif
#### This step has a naming conflict error.
#Enter LDAP Password:# LDAP admin password (set in installation of openldap)
#adding new entry "dc=damiensolley,dc=com"
#adding new entry "ou=people,dc=damiensolley,dc=com"
#adding new entry "ou=groups,dc=damiensolley,dc=com"

Adding and LDAP deleting users from Command Line

[6] If you'd like to delete User or Group in LDAP, Do as below. root@master:~#

2 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

ldapdelete -x -W -D 'cn=admin,dc=damiensolley,dc=com' "uid=debian,ou=people,dc=damiensolley,dc=com"

Enter LDAP Password: root@master:~#

ldapdelete -x -W -D 'cn=admin,dc=damiensolley,dc=com' "cn=debian,ou=groups,dc=damiensolley,dc=com"

Enter LDAP Password:

Try adding users with LDAP-Account-Manager

2. Configure an LDAP Linux Client for LDAP logins:

From: 2 [http://www.server-world.info/en/note?os=Debian_6.0&p=ldap&f=2].
apt-get -y install libnss-ldap libpam-ldap ldap-utils

#Answers are as follows;

# ldap://localhost:389/ or ldaps://damiensolley.com:636, or ldaps://loungetv.local:636 (if libnss-mdns is insta

#Lookup should be: ou=People,dc=damiensolley,dc=com (works for remote and local client) or
#dc=damiensolley,dc=com (works locally for some reason.). Needs testing.
# #LDAP account for root is: cn=admin,dc=damiensolley,dc=com

Also, if using SSL with self-signed certs, the CLIENT must be set to:
vim /etc/ldap/ldap.conf

And change as follows:

#hash out the certs, unless you have created custom ones to distribute:
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
#then, allow any old thing:
TLS_REQCERT allow
vi /etc/nsswitch.conf

# line 7: add
passwd:compat ldap
group:compat ldap
shadow:compat ldap
# line 19: change
netgroup:ldap
vi /etc/pam.d/common-password

# line 26: change ( remove 'use_authtok' )

#should read:
password

3 of 10

[success=1 user_unknown=ignore default=die]

pam_ldap.so try_first_pass

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

vi /etc/pam.d/common-session
# add last line if needed (to create home directory automatically at first login )
session optional pam_mkhomedir.so skel=/etc/skel umask=077

''shutdown -r now
#You can now login as a LDAP user!

3. Configure Domain Controller

From: 3 [http://www.server-world.info/en/note?os=Debian_6.0&p=samba&f=4].
aptitude -y install samba-doc
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz

vi schema_convert.conf
# create new
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

mkdir -p ./tmp/ldif_output
slapcat -f schema_convert.conf -F ./tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./tmp/cn=samba.
vi ./tmp/cn=samba.ldif
# line 1,3: change by removing "{12}"
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba

# remove these 7 lines below ( last in file )

structuralObjectClass: olcSchemaConfig
entryUUID: bd8a7a82-3cb8-102f-8d5f-070b4e5d16f8
creatorsName: cn=config
createTimestamp: 20100815125953Z
entryCSN: 20100815125953.198505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100815125953Z
ldapadd -Y EXTERNAL -H ldapi:/// -f ./tmp/cn=samba.ldif
#SASL/EXTERNAL authentication started
#SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#SASL SSF: 0
#adding new entry "cn=samba,cn=schema,cn=config"
vi samba_indexes.ldif

4 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

# create new
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif

#SASL/EXTERNAL authentication started
#SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#SASL SSF: 0
#modifying entry "olcDatabase={1}hdb,cn=config"

/etc/init.d/slapd restart
#Stopping OpenLDAP: slapd.
#Starting OpenLDAP: slapd.

#[2]
Change Samba's settings. Samba PDC is also a LDAP Client.
aptitude -y install smbldap-tools
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
cp /usr/share/doc/smbldap-tools/examples/smb.conf /etc/samba/smb.conf
vi /etc/samba/smb.conf
# line 3: change workgroup name to any one you like
workgroup = ServerWorld
# line 12: make it comment
#min passwd length = 3
# line 22: change
ldap passwd sync = yes
# line 33,34: change
Dos charset = CP932
Unix charset = UTF-8
# line 47: specify ldap server
passdb backend = ldapsam:ldap://localhost/
# line 48: change LDAP admin DN (LDAP server's one)
ldap admin dn = cn=admin,dc=damiensolley,dc=com
# line 50: change LDAP suffix (LDAP server's one)
ldap suffix = dc=damiensolley,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
# line 60: uncomment
delete group script = /usr/sbin/smbldap-groupdel "%g"
# line 64: add (specify admin user), no SSL
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = ds
ldap ssl = no

5 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

mkdir /home/netlogon
/etc/init.d/samba restart
smbpasswd -W # add LDAP admin's password
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
perl /usr/share/doc/smbldap-tools/configure.pl
$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] > # Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >
# Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [ServerWorld] > # Enter
. netbios name: netbios name of the samba controler
netbios name [PDC-SRV] > # Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] > # Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC-SRV\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .
# input a period
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .
# input a
. home directory prefix (use %U as username) [/home/%U] > # Enter
. default users' homeDirectory mode [700] > # Enter
. default user netlogon script (use %U as username) [logon.bat] >
# Enter
default password validation time (time in days) [45] > # Enter
. ldap suffix [dc=damiensolley,dc=com] > # Enter
. ldap group suffix [ou=groups] > # Enter
. ldap user suffix [ou=people] > # Enter
. ldap machine suffix [ou=Computers] > # Enter
. Idmap suffix [ou=Idmap] > # Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >
# Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [10.0.0.100] > # Enter
. ldap master port [389] > # Enter
. ldap master bind dn [cn=admin,dc=damiensolley,dc=com] > # Enter
. ldap master bind password [] > # enter LDAP admin password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [10.0.0.100] > # specify LDAP slave's IP (Enter with empy if none)
. ldap slave port [389] > # Enter
. ldap slave bind dn [cn=admin,dc=damiensolley,dc=com] > # Enter
. ldap slave bind password [] > # Input if there is, if not input the same one with master
. ldap tls support (1/0) [0] > # Enter
. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
SID for domain SERVERWORLD [S-1-5-21-2752024775-1437179205-4226352253] >
# Enter
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
# MD5 or SSHA
. default user gidNumber [513] > # Enter

6 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

. default computer gidNumber [515] > # Enter

. default login shell [/bin/bash] > # Enter
. default skeleton directory [/etc/skel] > # Enter
. default domain name to append to mail adress [] > # Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.

smbldap-populate
entry dc=damiensolley,dc=com already exist.
entry ou=people,dc=damiensolley,dc=com already exist.
entry ou=groups,dc=damiensolley,dc=com already exist.
adding new entry: ou=Computers,dc=damiensolley,dc=com
adding new entry: ou=Idmap,dc=damiensolley,dc=com
adding new entry: uid=root,ou=people,dc=damiensolley,dc=com
adding new entry: uid=nobody,ou=people,dc=damiensolley,dc=com
adding new entry: cn=Domain Admins,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Domain Users,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Domain Guests,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Domain Computers,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Administrators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Account Operators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Print Operators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Backup Operators,ou=groups,dc=damiensolley,dc=com
adding new entry: cn=Replicators,ou=groups,dc=damiensolley,dc=com
entry sambaDomainName=ServerWorld,dc=damiensolley,dc=com already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: # set root password
Retype new password:

# add admin user that is define in smb.conf

smbldap-groupadd -a ds
smbldap-useradd -am -g ds ds
smbldap-passwd ds
su - domainadm # test to switch to added user
Yay!

4. Configure a Windows 7 Client

The way to have Win7 in Samba 3 domain is quite tricky. You should disable security on your Windows
first. Then create the following .reg file and open is from Administrator account:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient]
"NV PrimaryDnsSuffix"="DS-Domain"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"NV Domain"="DS-Domain"

Change domain to your Samba domain name.

7 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

Base configuration without Kerberos [http://blog.salaros.com/2011/12/26/basic-domain-on-wheezy/]

5. Configure Apache, Postfix, Dovecot accounts

Apache2 with ldap
a2enmod authnz_ldap
vim /etc/apache2/sites-enabled/default-ssl
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthName "Secure site, sign in with your LDAP username (eg ds)"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=damiensolley,dc=com
Require valid-user
#Or: Require user ds
</Directory>

Then:
service apache2 restart

Then, login with your LDAP uid (eg user1).

Postfix with LDAP

Note: may not be necessary if your console allows LDAP logins already.
cd /etc/postfix
vim main.cf

Modify the alias_maps to add the following:

alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf

Then,
echo " server_host = localhost
search_base = dc=damiensolley, dc=com" > ldap-aliases.cf

And finally:
service postfix restart

SSL/TLS with LDAP for remote clients:

OpenSSL Certificate Creation (self signed)
Note: use gnu-tls for Debian Squeeze. The following has been tested and works.
Generate a self-signed certificate: You will be asked a number of questions to create your self-signed

8 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

certificate. When asked for the Common Name be sure to set it to the fully qualified domain name you will
be using for your OpenLDAP SSL secured server.
apt-get install

gnutls-bin

Run these two commands to generate a new self-signed key:

certtool --generate-privkey --outfile /etc/ldap/slapd-ca-key.pem

certtool --generate-self-signed --load-privkey /etc/ldap/slapd-ca-key.pem --outfile /etc/ldap/slapd-ca-cert.pem
addgroup openldap ssl-cert
chown openldap /etc/ldap/slapd-ca-key.pem
chown openldap /etc/ldap/slapd-ca-cert.pem

The Common Name (eg, YOUR name) []: entry must be set your your LDAP server name (e.g.
bux.somedomain.com).

Configure OpenLDAP to use SSL/TLS on Debian Squeeze

Then, update your certificate locations: (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile
points to ca-key.pem), comment out TLSCACertificateFile, and change TLSVerifyClient to never. #You may
need to use jxplorer to delete incorrect entries. Alternatively, stop the daemon, delete the incorrect config
from /etc/slapd.d/cn\=config.ldif and start the daemon.
echo "dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/slapd-ca-cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/slapd-ca-key.pem
add: olcTLSVerifyClient
olcTLSVerifyClient: never
" > tls-config.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-config.ldif
vim /etc/default/slapd ;service slapd restart

Testing your TLS is working

openssl s_client -connect damiensolley.com:636 -showcerts

#modify to include ldaps: SLAPD_SERVICES=ldap:/// [ldap:///] ldapi:/ ldaps:/

Disable client verification

vim /etc/ldap/ldap.conf

as follows: #TLS_CACERT /etc/ssl/certs/ca-certificates.crt TLS_REQCERT never

Authenticating Windows Client Machines via LDAP

This works, using http://pgina.org/download.html [http://pgina.org/download.html]
1. Enable plugin LDAP Authentication.
2. Use damiensolley.com and LDAP Port 636
3. Use SSL.

9 of 10

2015-02-02 19:36

computers-networking:ldap_authentication_for...

http://damiensolley.com/content/computers-net...

4. DN Pattern is: uid=%u,ou=People,dc=damiensolley,dc=com

Back to top
computers-networking/ldap_authentication_for_windows_apache_postfix_dovecot_linux.txt Last modified: 2013/06/17 21:32 by ds

10 of 10

2015-02-02 19:36