Installation Setup Scenario.
I have setup one machine as a openldap server and one machine as a openldap client.
I have setup openldap server & samba server in one machine.
Machine 1 : Openldap server + Samba Server
Hostname : openldap.server
IP : 10.8.0.12
Machine 2 : Openldap Client
Hostname : openldap.client
IP : 10.8.0.15
Configure OpenLDP server
Step 1 : Installation of required packages
First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
#apt-get install slapd ldap-utils
Step 2 : Configure slapd
# dpkg-reconfigure slapd
It will prompt you for server questions.
1. No
2. DNS domain name: openldap.server
3.Name of your organization: openldap.server
4.Admin password: 12345
5.Confirm password: 12345
6.OK
7.HDB
8. No
9. Yes
10.No
Step 3 : Test Configuration.
Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:
# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=openldap,dc=server
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn=”cn=admin,dc=exampl
e,dc=server” write by anonymous auth by self write by * none
olcAccess: {1}to dn.base=”" by * read
olcAccess: {2}to * by dn=”cn=admin,dc=openldap,dc=server” write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
Step 4 : Add new schema using ldif file.
- First, create a conversion schema_convert.conf file containing the following lines:
#vi schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
- Next, create a temporary directory to hold the output
#mkdir /tmp/ldif_output
- Now using slaptest convert the schema files to LDIF
# slaptest -f schema_convert.conf -F /tmp/ldif_output
- Edit the /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif file, changing the following attributes
#vi /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif
dn: cn=misc,cn=schema,cn=config
…
cn: misc
And remove the following lines from the bottom of the file
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
- Finally, using the ldapadd utility, add the new schema to the directory
# ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{8\}misc.ldif
Step : 5 Create Test account
#vi test_account.ldif
dn: ou=people,dc=openldap,dc=server
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=openldap,dc=server
objectClass: organizationalUnit
ou: groups
dn: uid=test,ou=people,dc=openldap,dc=server
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test
sn:
givenName: Test
cn: Test
displayName: Test
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: Test
loginShell: /bin/bash
homeDirectory: /home/test
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: test@openldap.server
postalCode: 31000
l: Toulouse
o: Openldap
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD
dn: cn=openldap,ou=groups,dc=openldap,dc=server
objectClass: posixGroup
cn: openldap
gidNumber: 10000
Save the file.
#ldapadd -x -D cn=admin,dc=example,dc=com -W -f test_account.ldif
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:
#ldapsearch -xLLL -b “dc=openldap,dc=server” uid=test sn givenName cn
dn: uid=test,ou=people,dc=openldap,dc=server
cn: test
sn:
givenName: test
Configure OpenLDAP Client
Step 1 : Install Required packages
#apt-get install libnss-ldap smbfs
During the install a menu dialog will ask you connection details about your LDAP server.
Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldap://10.8.0.12
Distinguished name of the search base: dc=openldap,dc=server
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=openldap,dc=server
LDAP root account password: 12345
Step 2 : Backup useful files
# cp /etc/nsswitch.conf /etc/nsswitch.conf.org
# mkdir /root/pam.d_backup
# cp /etc/pam.d/* /root/pam.d_backup/
Step 3 : Enable the auth-client-config LDAP profile
#auth-client-config -t nss -p lac_ldap
- -t: only modifies /etc/nsswitch.conf.
- -p: name of the profile to enable, disable, etc.
- lac_ldap: the auth-client-config profile that is part of the ldap-auth-config package.
Step 4 : Configure the system to use LDAP for authentication
#pam-auth-update
Step 5 : Reboot the system
#reboot
Step 6 : Test OpenLDAP connection
#getent passwd
Above command will show the passwd file of Openldap server. If you see the account “test” which we have created in the OpenLDAP server then it shows that authentication working fine with OpenLDAP server. Try to ssh using test user on client machine.
Configure SAMBA server
Step 1 : Install required packages.
#apt-get install samba samba-doc smbldap-tools
Step 2 : OpenLDAP Configuration
Schema file needs to be unzipped and copied to /etc/ldap/schema.
# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
#gzip -d /etc/ldap/schema/samba.schema.gz
Step 3 : Add a new schema to slapd
- First, create a configuration file named schema_convert.conf
#vi schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
- Create a temporary directory to hold the output
# mkdir /tmp/ldif_output
- Slaptest to convert the schema files:
# slaptest -f schema_convert.conf -F /tmp/ldif_output
- Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif file, changing the following attributes:
dn: cn=samba,cn=schema,cn=config
…
cn: samba
And remove the following lines from the bottom of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
- Finally, using the ldapadd utility, add the new schema to the directory
#ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}samba.ldif
- · Copy and paste the following into a file named samba_indexes.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
- · Using the ldapmodify utility load the new indexes:
# ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif
If all went well you should see the new indexes using ldapsearch:
#ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb
Step 4 : Configure smbldap-tools
# cd /usr/share/doc/smbldap-tools/examples/
# cp smbldap_bind.conf /etc/smbldap-tools/
#cp smbldap.conf.gz /etc/smbldap-tools/
#gzip -d /etc/smbldap-tools/smbldap.conf.gz
# net getlocalsid ( it will give you a id which you have to put in the smbldap.conf file)
#vi smbldap.conf
You need to edit the specific lines according to your individual setup
SID=”S-1-5-21-1169339956-3040674750-1689399154″
sambaDomain=”OPENLDAP”
slaveLDAP=”10.8.0.12″
slavePort=”389″
masterLDAP=”10.8.0.12″
masterPort=”389″
ldapTLS=”0″
verify=”require”
cafile=”"
clientcert=”"
clientkey=”"
suffix=”dc=openldap,dc=server”
usersdn=”ou=Users,${suffix}”
computersdn=”ou=Computers,${suffix}”
groupsdn=”ou=Groups,${suffix}”
idmapdn=”ou=Idmap,${suffix}”
sambaUnixIdPooldn=”sambaDomainName=OPENLDAP,${suffix}”
scope=”sub”
hash_encrypt=”SSHA”
crypt_salt_format=”%s”
userLoginShell=”/bin/bash”
userHome=”/home/%U”
userHomeDirectoryMode=”700″
userGecos=”System User”
defaultUserGid=”513″
defaultComputerGid=”515″
skeletonDir=”/etc/skel”
defaultMaxPasswordAge=”45″
userSmbHome=”"
userProfile=”"
userHomeDrive=”"
userScript=”"
mailDomain=”nextek.in”
with_smbpasswd=”0″
smbpasswd=”/usr/bin/smbpasswd”
with_slappasswd=”0″
slappasswd=”/usr/sbin/slappasswd”
Open the file /etc/smbldap-tools/smbldap_bind.conf file for editing
#vi smbldap_bind.conf
Edit the file so the following is correct according to your setup
slaveDN=”cn=admin,dc=openldap,dc=server”
slavePw=”12345″
masterDN=”cn=admin,dc=openldap,dc=server”
masterPw=”12345″
Change the permission of smbldap-tools files using below commands.
#chmod 0644 /etc/smbldap-tools/smbldap.conf
#chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Step 5 : Populate LDAP using smbldap-tools
# smbldap-populate
It will promp for password to assign to user root.
Verify that you have several new entries in your LDAP directory by running the command
# ldapsearch -x -b dc=openldap,dc=server | less
Step 6 : Configure samba server
#cp /etc/samba/smb.conf /etc/samba/smb.conf.org
#vi /etc/samba/smb.conf
Edit the main Samba configuration file /etc/samba/smb.conf commenting the passdb backend option and adding the following(no need to change anything from smb.conf file just put below content in file)
# passdb backend = tdbsam
# LDAP Settings
passdb backend = ldapsam:ldap://openldap.server
ldap suffix = dc=openldap,dc=server
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=openldap,dc=server
ldap ssl = no
ldap passwd sync = yes
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w “%u”
#put this content at end of file
[share]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes
Step 7 : Restart samba to enable the new settings
# /etc/init.d/samba restart
Samba needs to know the LDAP admin password
# smbpasswd -w secret
Step 8 : useradd using smbldap-useradd
# smbldap-useradd -a -m -M test1 -c “test1″ test1
-a allows Windows as well as Linux login
-m makes a home directory, leave this off if you do not need local access. PAM will be configured to automatically create a home directory.
-M sets up the username part of their email address
-c specifies their full name
#smbldap-passwd test1
Automount using pam_mount
Step 1 : Install required packages.
#apt-get install libpam-ldap
Above command automatically add the modules in /etc/pam.d/common-* so no need to configure any files.
# cp pam_mount.conf.xml pam_mount.conf.xml.org
# vi pam_mount.conf.xml
<!– Volume definitions –>
<volume user=”test1″ fstype=”smbfs” noroot=”1″ server=”10.8.0.12″ path=”share” mountpoint=”/home/%(USER)” />
<!– Volume definitions –>
#reboot
Now login with test1 user and check /home/test1 directory. It will show the /tmp directory data from 10.8.0.12(OpenLDAP server). So we can remotely mount drive using pam_mount module.
