Introduction and LDAP Design
Thanks to http://wiki.makethemove.net/index.php?title=LDAP-Samba. A lot of this is taken directly from there with modifications for my setup.
Our domain will take the form of dc=simonandkate,dc=lan and OpenLDAP will be installed on Server01.
Our domain requires an administration user, which is called ‘manager’: cn=Manager,dc=simonandkate,dc=lan
The tree is structured like this:
dc=lan
>dc=simonandkate
>>cn=Manager
>>ou=users
>>>cn=simon
>>>cn=... etc
>>ou=groups
>>>cn=admins
>>>cn=users
>>ou=machines
>>>uid=computer$
>>ou=accounts
>>>cn=horde
>>ou=personal_addressbook
>>ou=shared_addressbook
We will be using LDAP to store our users and groups for our network. Samba on Server05 will then serve out the simonandkate.lan domain for Windows clients, while Linux clients can authenticate directly to LDAP.
The domain is called "simonandkate.lan".
The "root dn" refers to the root domain structure, which is:
dc=simonandkate,dc=lan
Note that some of the configuration in this setup has been done to allow operation of Horde mail, including LDAP address book entries.
LDAP Installation
First, we need to install the various packages that are required to get LDAP working.
yum install openldap openldap-servers openldap-clients
LDAP – Configuration
Use slappasswd to get the LDAP admin password hash.
Place the basic auth information into /etc/openldap/slapd.conf:
suffix "dc=simonandkate,dc=lan"
rootdn "cn=Manager,dc=simonandkate,dc=lan"
rootpw {SSHA}**********************************
Copy the basic LDAP database structure:
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Start LDAP:
service ldap start
You should now be able to connect to LDAP on port 389. You may want to install PHPLDAPAdmin to assist in managing LDAP.
Open port 389 (TCP and UDP) in iptables.
Write base.ldif:
dn: dc=simonandkate,dc=lan
objectclass: dcObject
objectclass: organization
objectclass: top
o: SimonandKate
dc: simonandkate

dn: cn=Manager,dc=simonandkate,dc=lan
objectclass: organizationalRole
objectclass: simpleSecurityObject
cn: Manager
description: LDAP Administrator
userPassword: {SSHA}**************************
Import to the LDAP database:
ldapadd -f base.ldif -x -D "cn=Manager, dc=simonandkate, dc=lan" -W
You will be prompted for the password.
You now have the base entries in the database.
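base.ldif only creates the root entry and the Manager account; the organizational units in the tree diagram at the top (ou=users, ou=groups, ou=machines, ou=accounts and the two address books) still need entries of their own before users can be added. As an added example, not from the original post, this Python generates that LDIF, plus a constructed sample user and group using the posixAccount and posixGroup classes from nis.schema (which the finalised slapd.conf on this page includes). Assumptions: user entries are named uid=<login> (the finalised ACL expands to uid=$1,ou=users, so this follows the ACL rather than the cn=simon shown in the diagram), and the sample names and numeric ids are made up. The helper also switches to the base64 "::" form for values LDIF cannot carry in clear, which is what ldapsearch shows for userPassword.

```python
import base64

BASE_DN = "dc=simonandkate,dc=lan"
# Organizational units from the tree diagram at the top of the page
OUS = ["users", "groups", "machines", "accounts",
       "personal_addressbook", "shared_addressbook"]

def needs_base64(data):
    """RFC 2849: values starting with space, ':' or '<', containing NUL/CR/LF
    or non-ASCII bytes, or ending in a space cannot be written in clear."""
    if not data:
        return False
    if data[0] in b" :<" or data[-1] == 0x20:
        return True
    return any(b > 127 or b in (0x00, 0x0A, 0x0D) for b in data)

def ldif_line(attr, value):
    """One 'attr: value' line, switching to 'attr:: base64' when required."""
    data = value if isinstance(value, bytes) else str(value).encode("utf-8")
    if needs_base64(data):
        return f"{attr}:: {base64.b64encode(data).decode('ascii')}"
    return f"{attr}: {data.decode('ascii')}"

def ldif_entry(dn, attrs):
    """Serialise one entry; multi-valued attributes become repeated lines."""
    lines = [ldif_line("dn", dn)]
    for attr, values in attrs.items():
        for value in (values if isinstance(values, (list, tuple)) else [values]):
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"

def ou_entry(ou, parent=BASE_DN):
    return ldif_entry(f"ou={ou},{parent}",
                      {"objectClass": ["organizationalUnit", "top"], "ou": ou})

def skeleton_ldif():
    """All OUs, separated by the blank line ldapadd uses to tell entries apart."""
    return "\n".join(ou_entry(ou) for ou in OUS)

def posix_user(uid, uid_number, gid_number, given, surname, home_base="/home"):
    # Constructed sample entry: inetOrgPerson + posixAccount (nis.schema) is the
    # usual pair for Linux logins. No userPassword is written here; set it
    # afterwards with ldappasswd so the hash never sits in a plain LDIF file.
    return ldif_entry(f"uid={uid},ou=users,{BASE_DN}", {
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
        "uid": uid, "cn": f"{given} {surname}", "sn": surname, "givenName": given,
        "uidNumber": uid_number, "gidNumber": gid_number,
        "homeDirectory": f"{home_base}/{uid}", "loginShell": "/bin/bash",
    })

def posix_group(name, gid_number, members=()):
    return ldif_entry(f"cn={name},ou=groups,{BASE_DN}", {
        "objectClass": ["top", "posixGroup"], "cn": name,
        "gidNumber": gid_number, "memberUid": list(members),
    })

if __name__ == "__main__":
    print(skeleton_ldif())
    print(posix_user("simon", 1000, 1000, "Simon", "Example"))  # constructed values
    print(posix_group("users", 1000, ["simon"]))
```

The output can be piped straight into the same ldapadd command used for base.ldif (ldapadd -x -D "cn=Manager,dc=simonandkate,dc=lan" -W). Keeping the password out of the generated file and setting it with ldappasswd over TLS means the only copy of the hash lives in the directory.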
Schema
Add horde.schema, rfc2739.schema (both from Horde). Rfc2739 needs to be loaded before horde.
Add samba.schema if you plan on using samba (install samba on a server, then it is located at /usr/share/doc/samba-xxxxxx/LDAP/samba.schema).
LDAP TLS
Create TLS certificates with OpenSSL (not documented here), then configure LDAP to use them, including the CA certificate, in /etc/openldap/slapd.conf:
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/simonandkate.lan-cert.pem
TLSCertificateKeyFile /etc/openldap/simonandkate.lan-key.pem
Restart LDAP.
Configure each LDAP client CentOS server to use TLS (authconfig-tui), copying the CA certificate to its /etc/openldap/ directory.
Also configure applications to use TLS:
- Horde (note this needs Horde 3.3.4 or later) – configure through Horde – Administration – Setup – Horde
- Imp set to use Hordeauth; however, ensure that server.php contains:
$servers['cyrus'] = array(
    'name' => 'Cyrus IMAP Server',
    'server' => 'localhost',
    'hordeauth' => true,
    'protocol' => 'imap/ssl/novalidate-cert',
    'port' => 993,
);
The novalidate-cert flag disables certificate verification on this IMAP connection, which is only reasonable because the IMAP server is on localhost.
- Turba – config/sources.php
- Passwd – config/backends.php
- Samba – smb.conf
- Saslauthd (for Cyrus and Postfix) saslauthd.conf
- PHPLdapAdmin – config directory
LDAP – Test
Test it:
ldapsearch -x -b dc=simonandkate,dc=lan
NOTE: Passing the '-x' option is required, else it will try to authenticate through SASL.
You should get a result that looks something like:
# extended LDIF
#
# LDAPv3
# base <dc=simonandkate,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# simonandkate.lan
dn: dc=simonandkate,dc=lan
objectClass: dcObject
objectClass: organization
objectClass: top
o: SimonandKate
dc: simonandkate

# Manager, simonandkate.lan
dn: cn=Manager,dc=simonandkate,dc=lan
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: Manager
description: LDAP Administrator
userPassword:: *************************************

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
If all that was successful you have LDAP installed, running and configured.
Check LDAP logs for successful TLS negotiation entries.
Set /etc/init.d/ldap to chkconfig at 21 instead of 27 to avoid a startup conflict.
chkconfig ldap on
Reboot to confirm successful startup.
LDAP Backups
Export LDAP to LDIF:
Create a script file (backupopenldap.sh):
#!/bin/sh
#
# Program: Backup openldap server to ldif file <openldapbackup.sh>
#
# Author: Matty < matty91 at gmail dot com >
#
# Current Version: 1.0
#
# Revision History:
#
# Version 1.0
# Initial Release
#
# Last Updated: 01-06-2007
#
# Purpose:
# This program can be used to dump the contents of an openldap
# server to an ldif file. To restore the ldif file, the slapadd
# utility can be used:
# $ slapadd -v -f slapd.conf -b "dc=prefetch,dc=net" -l ldif
#
# License:
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Installation:
# Copy the shell script to a suitable location
PATH=/bin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/sbin
export PATH

# Global variables (defaults; -c and -d override them)
DATE=`date "+%Y%m%d"`
BACKUPDIR="/backup"
CONFIG="/etc/openldap/slapd.conf"

usage() {
    echo "Usage: $0 [-c slapd.conf] [-d backupdir]"
}

# Parse the options that are passed to the script
while getopts c:d: option
do
    case "${option}"
    in
        c) CONFIG=${OPTARG} ;;
        d) BACKUPDIR=${OPTARG} ;;
        \?) usage
            exit 1;;
    esac
done

# The backup file name depends on BACKUPDIR, so build it after option parsing
BACKUPFILE="${BACKUPDIR}/simonandkate.lan.${DATE}.ldif"

if [ ! -d "${BACKUPDIR}" ]
then
    echo "The directory ${BACKUPDIR} does not exist"
    exit 1
fi

# Delete LDIF dumps older than 7 days (regular files inside the backup dir only)
find "${BACKUPDIR}" -type f -name '*.ldif' -mtime +7 -exec rm {} \;

if [ -f "${CONFIG}" ]
then
    # The dump contains every password hash in the directory, so make sure
    # the file is never world-readable, even for a moment
    umask 077
    slapcat -f "${CONFIG}" > "${BACKUPFILE}"
    chmod 600 "${BACKUPFILE}"
else
    echo "Configuration file ${CONFIG} does not exist"
    exit 1
fi
Run it nightly from cron, then back up the created LDIF files by your usual backup methods.
SLAPD.CONF
Finalised /etc/openldap/slapd.conf with modifications to allow for Samba and Horde operation (comment lines removed for brevity):
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/rfc2739.schema
include /etc/openldap/schema/horde.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/simonandkate.lan-cert.pem
TLSCertificateKeyFile /etc/openldap/simonandkate.lan-key.pem
database bdb
suffix "dc=simonandkate,dc=lan"
rootdn "cn=Manager,dc=simonandkate,dc=lan"
rootpw {SSHA}**************************************
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
access to dn.base="" by * read
access to *
    attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    attrs=sambaLMPassword
    by self write
    by * none
access to *
    attrs=sambaNTPassword
    by self write
    by * none
access to *
    attrs=sambaPwdLastSet
    by self write
    by * none
access to *
    attrs=userPassword
    by self write
    by * none
access to *
    attrs=sambaPwdMustChange
    by self write
    by * none
access to dn.regex="ou=(.+),ou=personal_addressbook,dc=simonandkate,dc=lan"
    by dn.exact,expand="uid=$1,ou=users,dc=simonandkate,dc=lan" write
    by * none
access to dn.subtree="ou=shared_addressbook,dc=simonandkate,dc=lan"
    by dn.children="ou=users,dc=simonandkate,dc=lan" write
    by * none
access to dn.subtree="ou=hordegroups,dc=simonandkate,dc=lan"
    by dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" write
    by * read
access to *
    attrs=@hordePerson
    by dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" write
    by self write
    by * read
access to *
    by * read
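slapd evaluates access directives in the order they are written: the first directive whose target (DN plus attrs) matches the request is selected, within it the first matching "by" clause decides, and anything left over is denied. As an added example, not part of the original post, the following Python models that evaluation over the access list above (minus the attrs=@hordePerson rule, whose objectclass target this model does not cover) so the effective rights can be checked offline before restarting slapd. Two things it makes visible: the second attrs=userPassword directive can never be reached, because the first one already matches every userPassword request; and the personal_addressbook rule only grants write when the bind DN is literally uid=<name>,ou=users,..., so user entries must be named by uid for it to work. The bind DNs and entry names used in the checks are constructed.

```python
import re

# slapd's access levels, weakest to strongest. A request needing level X
# succeeds when the granted level is X or stronger.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BASE = "dc=simonandkate,dc=lan"
ANON = ""  # anonymous requests carry no bind DN

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def is_child(dn, base):
    return dn != base and dn.endswith("," + base)

def what_matches(what, attrs, dn, attr):
    """Regex groups ({} when none) if a directive covers (dn, attr), else None."""
    if attrs is not None and attr != attrs:
        return None  # an attrs=... directive only covers that attribute
    kind, arg = what
    if kind == "all":
        return {}
    if kind == "base":
        return {} if dn == arg else None
    if kind == "subtree":
        return {} if in_subtree(dn, arg) else None
    if kind == "regex":  # unanchored, like the page's dn.regex without ^ and $
        m = re.search(arg, dn)
        return {"1": m.group(1)} if m else None
    raise ValueError(kind)

def who_matches(who, bind_dn, target_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ANON
    if who == "self":
        return bind_dn != ANON and bind_dn == target_dn
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):]
    if who.startswith("dn.children="):
        return is_child(bind_dn, who[len("dn.children="):])
    if who.startswith("dn.exact,expand="):
        pattern = who[len("dn.exact,expand="):]
        return bind_dn == pattern.replace("$1", groups.get("1", ""))
    raise ValueError(who)

def access_level(acl, bind_dn, target_dn, attr=None):
    """First directive whose <what> matches wins; inside it, first <by> wins."""
    for what, attrs, clauses in acl:
        groups = what_matches(what, attrs, target_dn, attr)
        if groups is None:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn, groups):
                return level
        return "none"  # directive matched, no clause did: implicit "by * none"
    return "none"

def allowed(acl, bind_dn, target_dn, attr, needed):
    granted = access_level(acl, bind_dn, target_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(needed)

def shadowed(acl):
    """Indexes of directives whose <what> repeats an earlier one; slapd never reaches them."""
    seen, dead = set(), []
    for i, (what, attrs, _) in enumerate(acl):
        if (what, attrs) in seen:
            dead.append(i)
        seen.add((what, attrs))
    return dead

ALL = ("all", None)
HORDE = "cn=horde,ou=accounts," + BASE
# The access list from slapd.conf, transcribed in file order
ACL = [
    (("base", ""), None, [("*", "read")]),
    (ALL, "userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (ALL, "sambaLMPassword", [("self", "write"), ("*", "none")]),
    (ALL, "sambaNTPassword", [("self", "write"), ("*", "none")]),
    (ALL, "sambaPwdLastSet", [("self", "write"), ("*", "none")]),
    (ALL, "userPassword", [("self", "write"), ("*", "none")]),
    (ALL, "sambaPwdMustChange", [("self", "write"), ("*", "none")]),
    (("regex", r"ou=(.+),ou=personal_addressbook," + re.escape(BASE)), None,
     [("dn.exact,expand=uid=$1,ou=users," + BASE, "write"), ("*", "none")]),
    (("subtree", "ou=shared_addressbook," + BASE), None,
     [("dn.children=ou=users," + BASE, "write"), ("*", "none")]),
    (("subtree", "ou=hordegroups," + BASE), None, [("dn=" + HORDE, "write"), ("*", "read")]),
    (ALL, None, [("*", "read")]),
]

if __name__ == "__main__":
    simon = "uid=simon,ou=users," + BASE  # constructed user entry
    for bind, label in [(ANON, "anonymous"), (simon, "self"), ("uid=kate,ou=users," + BASE, "kate")]:
        print(f"{label:>9}: userPassword={access_level(ACL, bind, simon, 'userPassword')}"
              f" sambaNTPassword={access_level(ACL, bind, simon, 'sambaNTPassword')}")
    print("shadowed directives:", shadowed(ACL))
```

The model reproduces the intent of the page's rules: anonymous clients get "auth" on userPassword, enough to bind but not to read the hash, while the Samba LM/NT hashes (which are password-equivalent for NTLM) are readable by nobody at all. The dn.regex in the original is unanchored, which is why the model uses re.search; anchoring such patterns with ^ and $ keeps them from also matching a longer DN that merely contains that suffix.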
simon
I’ll follow up with Samba information later.
Andrew
I would be interested in seeing the SAMBA configuration. I can’t find it on your website so I am guessing you have not posted it yet?
Thanks
simon
I’ll post it up next week…. it’s all in and working, I just need to grab the info from my doco.
Bert
Hi Simon,
What a godsend your blog has been.
I’ve been bashing my head against a brick wall with the official documents for a week or so now.
I found your examples clear and easy to understand, and especially appreciated the quick explanation of how you structured your directory / domain.
I’ve looked at your SAMBA info as well.
Thanks heaps for clearing away the fog which was dogging every step I took!
simon
No probs! Glad it was of some assistance… 🙂