OpenLDAP installation notes
history
-------
2007.02.19 removed more sensitive stuff
2006.08.22 removed sensitive password information, changed directive to bdb
2006.07.26 added try_first_pass to pam.d/common-auth to resolve double typing of passwords for non-ldap user logins
2006.03.29 based on max's ldap notes
Installing LDAP for Linux Login/SAMBA/ssh/Plone/CourierMRA/EximMTA on Debian Linux Sarge
-----------------------------------------------
To show a list of ldap users, type
getent {passwd,groups}
install slapd packages
su
apt-get install slapd
apt-get install ldap-utils
addgroup --gid 777 slapd
adduser --gid 777 --uid 777 slapd
password:{enter the password for the unix user "slapd"}
chown -R slapd.slapd /etc/ldap
chmod 770 /etc/ldap
#make files readable only by group and self
find /etc/ldap -type f -exec chmod 440 {} \;
#make directories changeable only by group and self
find /etc/ldap -type d -exec chmod 770 {} \;
chown -R slapd.slapd /var/lib/ldap
chmod 750 /var/lib/ldap
rm /var/lib/ldap/*
chown -R slapd.slapd /var/spool/slurpd
rm /var/spool/slurpd/*
cd /etc/ldap/
mv slapd.conf slapd.conf_DEB-orig
edit /etc/ldap/slapd.conf and generate rootpw with
slappasswd -h {CRYPT}
######################### /etc/ldap/slapd.conf #########################
# http://homex.subnet.at/~max/ldap/
#
# Basic slapd.conf
#
# 2005.02.08 ZHANG.Guiyu@example.com
########################################################################
# Global Directives:
#
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
# not all required, if you get errors about missing schema, comment out the missing schema here
# some are provided by other packages such as samba
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#moduleload back_passwd
#######################################################################
# Specific Backend Directives for ldbm:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
# backend <other>
#######################################################################
# Specific Directives for database #1, of type ldbm:
# Database specific directives apply to this database until another
# 'database' directive occurs
#
# important: use bdb format, other formats like ldbm can cause data corruption
database bdb
# The base of your directory in database #1
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
password-hash {CRYPT}
rootpw {CRYPT}adfasfdsafdsa
#
# use "/usr/sbin/slappasswd -h {CRYPT}" to create the rootpw string above
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#
access to attribute=userPassword,sambaLMPassword,sambaNTPassword
by dn="cn=manager,dc=example,dc=com" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=manager,dc=example,dc=com" write
by dn="cn=nss,dc=example,dc=com" read
by * auth
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
#access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=manager,dc=example,dc=com" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=mail,dc=example,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>
#
#The base of your directory for database #2
#suffix "dc=debian,dc=org"
#######################################################################
chown slapd.slapd slapd.conf
chmod 440 slapd.conf
#populate the database using slapadd, i.e. write directly to the database
file (no need to run the ldap server).
The following ldif file cannot have any comments.
Each entry (i.e. record) must be separated by a blank line (return)
/etc/ldap/example.ldif
----------------------------------------------------------------------
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Inc
dc: example
dn: cn=root, dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: root
description: LDAP administrator
userPassword: {CRYPT}asafdafdafdaf
dn: cn=nss, dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: nss
description: LDAP NSS user for user-lookups
userPassword: {CRYPT}qerqreqrewq
dn: ou=People, dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups, dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Groups
dn: uid=zhangguiyu, ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetLocalMailRecipient
uid: zhangguiyu
cn: Zhang Guiyu
sn: Zhang
givenname: Guiyu
title: Admin
departmentNumber: IT
mobile: +65 1234-5678
postalAddress: 80 Raffles Place$Level 36 UOB Plaza 1$Singapore 048624
telephoneNumber: +65 6248-4720
facsimileTelephoneNumber: +65 6248-4531
userpassword: {CRYPT}fdafdafdasfdsafdsa
labeleduri: http://www.example.com
mail: zhangguiyu@example.com
mailRoutingAddress: zhangguiyu@mail.example.com
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/zhangguiyu/
gecos: ZHANG.Guiyu
description: Test User
localityName: Singapore
dn: cn=example, ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: example
gidNumber: 1000
----------------------------------------------------------------------
/etc/init.d/slapd restart
# copy the two schema files /etc/ldap/schema/{samba.schema,horde.schema}
su - slapd
chown slapd.slapd /var/lib/ldap
/usr/sbin/slapadd -l /etc/ldap/example.ldif
/usr/sbin/slapcat
If successful, you should see a dump of your entries after you type slapcat
----------------------------------------------------------------------
restart the ldap server (it may already be running from the package install):
/etc/init.d/slapd restart
check that it is running by doing simple search:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
you will get no results!:
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#
# search result
search: 2
result: 0 Success
# numResponses: 1
This is normal, because the initial database is not readable by anyone.
If you instead specify the root to bind to:
ldapsearch -D "cn=root,dc=example,dc=com" -W -x -b '' -s base '(objectclass=*)' namingContexts
and you will be prompted for the LDAP password (the cleartext you entered for rootpw in /etc/ldap/slapd.conf)
then you will get some results:
ldapsearch -D "cn=root,dc=example,dc=com" -W -x -b '' -s base '(objectclass=*)' namingContexts
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
----------------------------------------------------------------------
Install NSS
apt-get install libnss-ldap
mv /etc/libnss-ldap.conf /etc/libnss-ldap.conf_DEB-orig
install the following new libnss-ldap.conf
########################### /etc/libnss-ldap.conf ###################
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
base ou=People,dc=example,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=nss,dc=example,dc=com
# The credentials for nss to bind with.
# Optional: default is no credential.
#bindpw secret
bindpw {replace this with plain text password for the ldap user cn=nss,dc=example,dc=com}
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored as cleartext in /etc/ldap.secret (mode 600)
rootbinddn cn=manager,dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one
#####################################################################
edit /etc/nsswitch.conf by adding ldap before compat for the 3 lines:
----------------------------------------------------------------------
passwd: ldap compat
group: ldap compat
shadow: ldap compat
----------------------------------------------------------------------
Now you (as root) should be able to
finger zhangguiyu
however, you can't finger zhangguiyu as any other user, because
/etc/libnss-ldap.conf is not world readable. That is, if you chmod a+r
/etc/libnss-ldap.conf, any user other than root can finger the ldap user, but that also exposes the cn=nss bindpw stored in that file to every local user.
Partial Solution: install nscd
----------------------------------------------------------------------
Install NSCD (should already be installed)
apt-get install nscd
edit /etc/nscd.conf
----------------------------------------------------------------------
logfile /var/log/nscd.log
# threads 6
server-user root
# stat-user somebody
debug-level 0
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
----------------------------------------------------------------------
restart nscd
/etc/init.d/nscd restart
note: whenever you stop slapd server, you might want to stop nscd too,
otherwise it might hold up your system, i.e.
stop slapd
stop nscd
start slapd
start nscd
NSCD still does *not* allow any user to finger an LDAP user; however,
it at least allows an LDAP user to see himself when he logs in, instead of
"I have no name!"
----------------------------------------------------------------------
PAM
apt-get install libpam-ldap
edit /etc/pam_ldap.conf
----------------------------------------------------------------------
host 127.0.0.1
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
binddn cn=nss,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw {same password you entered previously for cn=nss,...}
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=root,dc=example,dc=com
pam_password crypt
----------------------------------------------------------------------
edit /etc/pam.d/common-account
----------------------------------------------------------------------
account sufficient pam_ldap.so
account required pam_unix.so
----------------------------------------------------------------------
edit /etc/pam.d/common-auth
----------------------------------------------------------------------
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure
----------------------------------------------------------------------
edit /etc/pam.d/common-password
----------------------------------------------------------------------
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
----------------------------------------------------------------------
edit /etc/pam.d/common-session
----------------------------------------------------------------------
session sufficient pam_ldap.so
session required pam_unix.so
----------------------------------------------------------------------
This should cover most of your services
Now you should be able to ssh to the LDAP machine using login:zhangguiyu
Note: a non-LDAP user will be prompted twice for password, probably
the first time for LDAP match, and the 2nd time for the local file match.
----------------------------------------------------------------------
Install SAMBA:
Run:
cp /usr/share/doc/samba-doc/examples/examples/LDAP/samba.schema.gz /etc/ldap/schema/
cd /etc/ldap/schema/
gunzip samba.schema.gz
chown slapd.slapd samba.schema
chmod 440 samba.schema
Add to /etc/ldap/slapd.conf:
include /etc/ldap/schema/samba.schema
Change the already existing password ACL rule in /etc/ldap/slapd.conf:
access to attribute=userPassword,sambaLMPassword,sambaNTPassword
by dn="cn=root,dc=example,dc=com" write
by anonymous auth
by self write
by * none
/etc/samba/smb.conf:
----------------------------------------------------------------------
[global]
workgroup = EXAMPLE
netbios name = PDCÂEXAMPLE
server string = %h server (Samba %v)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=root,dc=example,dc=com
# ldap ssl = start tls
ldap ssl = No
ldap passwd sync = yes
ldap delete dn = Yes
obey pam restrictions = No
time server = Yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -w "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = "/usr/sbin/smbldap-usermod -g "%g" "%u"
; guest account = nobody
invalid users = root
# Name mangling options
preserve case = yes
short preserve case = yes
mangling method = hash2
Dos charset = 437
Unix charset = UTF-8
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
----------------------------------------------------------------------
smbpasswd -w $LDAP_BINDPW"
apt-get install smbclient
(not necessary:?)
apt-get install smbldap-tools
----------------------------------------------------------------------
Install webmin-ldap-useradmin using the following
/etc/webmin/ldap-useradmin/config (the pass= line below holds a password in cleartext, so keep this file readable by root only, as with /etc/ldap.secret)
----------------------------------------------------------------------
auth_ldap=/usr/share/libnss-ldap/ldap.conf
imap_login=
samba_class=sambaSamAccount
imap_class=
imap_folders=
md5=0
given=1
slappasswd=slappasswd
quota=
addressbook=
user_base=ou=People,dc=example,dc=com
domain=example.com
other_class=inetOrgPerson top organizationalPerson inetLocalMailRecipient
ldap_host=
ldap_port=
imap_host=
pass=lijiajia1994
samba_domain=S-1-5-21-1703584028-4154647082-3548221580
group_base=ou=Groups,dc=example,dc=com
login=
samba_props=
imap_props=
props=postalAddress:福州港迅通集装箱储运有限公司,福州马尾经济技术开发区,新港区4号门 labeledURI: http://www.example.com localityName: China preferredLanguage: Chinese
fields=displayName 显示中文姓名 title 主要职位 secretary 秘书(LDAP格式,例:uid=zhangguiyu,ou=People,dc=example,dc=com) departmentNumber 部门编号 roomNumber 办公室房号 manager 直属上司(LDAP格式,例:uid=zhangguiyu,ou=People,dc=example,dc=com) employeeNumber 员工编号 employeeType 雇用性质 telephoneNumber 电话号码 fax 传真号码 mobile 手机号码 pager 传呼机号码 homePhone 住宅电话号码 homePostalAddress 住宅邮政地址 carLicense 汽车牌照 description 备注
imap_pass=
----------------------------------------------------------------------
----------------------------------------------------------------------
install ldap module for courier
apt-get install courier-ldap
modify /etc/courier/authldaprc
----------------------------------------------------------------------
LDAP_SERVER localhost
LDAP_PORT 389
LDAP_PROTOCOL_VERSION 3
LDAP_BASEDN ou=People,dc=example,dc=com
LDAP_BINDDN cn=root, dc=example, dc=com
LDAP_BINDPW example2005
LDAP_TIMEOUT 5
LDAP_AUTHBIND 1
LDAP_MAIL mail
LDAP_HOMEDIR homeDirectory
LDAP_MAILDIR Maildir
LDAP_DEFAULTDELIVERY defaultDelivery
LDAP_FULLNAME cn
LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword
LDAP_UID uidNumber
LDAP_GID gidNumber
LDAP_DEREF never
LDAP_TLS 0
----------------------------------------------------------------------
MTA: no need to change anything if you are using EXIM, and if your exim is
using SASLauth (uses linux system auth) for authentication
---------------------------------------------------------------------
Install LDAP User folder on Plone Products Folder
* you need to install python-ldap module in order for this plone product
to work
apt-get install python-ldap
in ZMI
click on ACL_USERS
click sources
add a new LDAP User Folder
(I am unable to add a groups folder; error saying I need to create an acl_users in USers#2 folder first?)
Configure the LDAP user folder to:
Title: Anytitle you like
Login Name Attribute: uid
User ID Attribute: uid
RDN Attribute: uid
Users Base DN: ou=People, dc=example,dc=com
Group storage Groups stored on LDAP server
Groups Base DN: ou=Groups, dc=example, dc=com
Manager DN: cn=root,dc=example,dc=com
Password:example2005
Manager DN Usage Always
User Object classes: top,person,inetOrgPerson,posixAccount,organizationalPerson
User password encryption: crypt
Default User Roles: Member

