Différences

Cette page vous affiche les différences entre la révision choisie et la version actuelle de la page.

--- en:computing:network_system:secured_pdc_samba_openldap_install [2011/10/11 13:10]
gdo removed
+++ — (Version actuelle)
@@ Ligne 1: / Ligne 1: @@
-====== Server ======
-Install LDAP server :
-<code>$ sudo apt-get install slapd ldap-utils</code>
-Keep all options by default.
-To use TLS encrypted connections to OpenLDAP server, it is necessary to create a certificate for this server. Here this certificate is signed by an CA with self-signed certificate :
-== To create a self-signed certificate to represent our Certification Authority (CA), first generate a private key : ==
-<code>$ certtool --generate-privkey --outfile ca-key.pem
-Generating a 2048 bit RSA private key...</code>
-== Next create the self-signed certificate based on the previous private key (use the server FQDN for Common Name (TODO : verify really needed for CA)) : ==
-<code>$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
-Generating a self signed certificate...
-Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
-Country name (2 chars): FR
-Organization name: Example
-Organizational unit name:
-Locality name:
-State or province name: Brittany
-Common name: server.example.org
-UID: server
-This field should not be used in new certificates.
-E-mail:
-Enter the certificate's serial number in decimal (default: 1262902964):
-Activation/Expiration time.
-The certificate will expire in (days): 365
-Extensions.
-Does the certificate belong to an authority? (y/N): y
-Path length constraint (decimal, -1 for no constraint):
-Is this a TLS web client certificate? (y/N):
-Is this also a TLS web server certificate? (y/N):
-Enter the e-mail of the subject of the certificate:
-Will the certificate be used to sign other certificates? (y/N): y
-Will the certificate be used to sign CRLs? (y/N): y
-Will the certificate be used to sign code? (y/N):
-Will the certificate be used to sign OCSP requests? (y/N):
-Will the certificate be used for time stamping? (y/N):
-Enter the URI of the CRL distribution point:
-X.509 Certificate Information:
-	Version: 3
-	Serial Number (hex): 4b465eb4
-	Validity:
-		Not Before: Thu Jan 07 22:22:46 UTC 2010
-		Not After: Fri Jan 07 22:22:48 UTC 2011
-	Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
-	Subject Public Key Algorithm: RSA
-		Modulus (bits 2048):
-			be:72:0f:a5:46:c9:0e:0f:35:b9:cd:09:5a:8d:00:a0
-:a2:41:82:65:ba:2f:b8:a4:37:4a:0a:55:77:a6:3c
-:46:1f:30:0b:73:f1:d7:53:6f:6a:be:52:0d:80:e1
-			e2:3c:e3:3b:31:14:a6:3c:f0:a5:32:4f:43:5d:7d:3b
-			ca:cf:c9:53:fc:0c:d0:43:51:29:ab:36:30:b9:19:f2
-			e2:43:6a:67:7a:68:20:d8:3c:2e:88:88:a9:93:b0:4d
-			bb:42:25:e2:b5:e1:ed:ce:a0:68:05:6e:be:44:ff:ab
-c:4b:76:c1:7b:f5:c5:9e:f2:f2:04:0e:5e:53:6f:ee
-			b6:bf:c7:a4:ef:9c:41:d4:83:31:9f:9e:f0:5f:94:3b
-:4b:5d:7b:88:cb:e9:ad:05:d2:a7:b9:1c:b2:83:8d
-a:4f:30:e2:42:d9:cf:7a:f3:ec:4b:0b:a2:1b:12:15
-b:08:6f:08:3d:1c:c7:4d:d3:63:05:66:1b:7b:0f:b3
-:46:2f:bd:3c:0a:a5:dc:94:46:36:a7:39:ba:23:b8
-f:75:d8:07:49:c7:63:7d:53:02:e8:9e:61:4a:7f:c1
-:13:95:ad:9a:13:94:3a:d8:5b:da:3e:3b:19:a5:95
-:ab:c9:4a:5b:6c:4d:0a:3f:bc:c8:66:2c:41:9b:23
-		Exponent (bits 24):
-:00:01
-	Extensions:
-		Basic Constraints (critical):
-			Certificate Authority (CA): TRUE
-		Key Usage (critical):
-			Certificate signing.
-			CRL signing.
-		Subject Key Identifier (not critical):
-			d95838364a698844b7a9d60b1c32a28baee0da63
-Other Information:
-	Public Key Id:
-		d95838364a698844b7a9d60b1c32a28baee0da63
-Is the above information ok? (Y/N): Y
-Signing certificate...</code>
-== Generate the private key for the LDAP server itself : ==
-<code>$ certtool --generate-privkey --outfile key.pem
-Generating a 2048 bit RSA private key...</code>
-== Now with the CA certificate and private key, generate the LDAP server certificate (use the server FQDN for Common Name) : ==
-<code>$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey    ca-key.pem
-Generating a signed certificate...
-Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
-Country name (2 chars): FR
-Organization name: Example
-Organizational unit name:
-Locality name:
-State or province name: Brittany
-Common name: server.example.org
-UID: server
-This field should not be used in new certificates.
-E-mail:
-Enter the certificate's serial number in decimal (default: 1262903337):
-Activation/Expiration time.
-The certificate will expire in (days): 365
-Extensions.
-Does the certificate belong to an authority? (y/N):
-Is this a TLS web client certificate? (y/N):
-Is this also a TLS web server certificate? (y/N): y
-Enter a dnsName of the subject of the certificate:
-Enter the IP address of the subject of the certificate:
-Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
-Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
-X.509 Certificate Information:
-	Version: 3
-	Serial Number (hex): 4b466029
-	Validity:
-		Not Before: Thu Jan 07 22:28:58 UTC 2010
-		Not After: Fri Jan 07 22:29:00 UTC 2011
-	Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
-	Subject Public Key Algorithm: RSA
-		Modulus (bits 2048):
-			b1:ea:e5:3b:7c:9b:fc:96:a4:d2:95:36:11:fb:1b:f4
-			ce:78:1a:c9:73:29:f2:ea:30:9d:ca:ac:36:a5:8f:e7
-			c4:32:ea:a2:87:9f:f1:27:4b:4d:28:d2:52:f1:d5:7c
-			aa:38:fe:d5:2a:7b:c9:c8:69:a5:fa:fe:40:f8:23:c1
-:7a:9f:ca:87:75:e9:3c:95:50:32:82:96:cc:a1:e6
-			ad:ec:1c:4a:50:60:a7:39:a9:33:1e:71:9d:bf:f8:20
-c:65:c1:d4:5d:a9:60:3d:d8:9c:dc:d1:8f:54:cf:40
-d:2f:71:5a:77:c7:39:dc:79:f9:0b:d4:63:25:53:30
-:5c:0c:cc:24:68:3a:36:51:20:e2:cb:f6:0b:22:e7
-f:59:bb:6c:3c:64:a0:7a:72:c8:30:f0:39:80:60:ca
-			a7:76:0f:bd:a8:f3:ee:4d:f6:af:ec:54:f8:2d:e9:be
-:1f:4a:ab:02:3c:c4:47:c8:3b:12:e6:e1:43:e5:68
-:a5:6d:d1:09:15:85:62:69:90:cf:e4:ca:8f:45:9c
-			ea:5a:8f:f0:65:69:9b:6d:c8:e2:5f:0c:86:52:50:0f
-			c9:11:77:9a:f0:12:54:3e:76:b1:5e:b3:c3:4c:42:8c
-d:c8:41:fb:3b:32:87:5e:4f:7e:79:5d:23:5c:9c:cb
-		Exponent (bits 24):
-:00:01
-	Extensions:
-		Basic Constraints (critical):
-			Certificate Authority (CA): FALSE
-		Key Purpose (not critical):
-			TLS WWW Server.
-		Key Usage (critical):
-			Key encipherment.
-		Subject Key Identifier (not critical):
-			de2cc1e956e44e196a9396ea7e98c4f25b725a60
-		Authority Key Identifier (not critical):
-			d95838364a698844b7a9d60b1c32a28baee0da63
-Other Information:
-	Public Key Id:
-		de2cc1e956e44e196a9396ea7e98c4f25b725a60
-Is the above information ok? (Y/N): Y
-Signing certificate...</code>
-== Copy all the .pem files in ''/etc/ldap/ssl/'' and give rights to this folder : ==
-<code>$ sudo mkdir /etc/ldap/ssl/
-$ sudo mv *.pem /etc/ldap/ssl/
-$ sudo chown -R openldap.openldap /etc/ldap/ssl
-$ sudo chmod -R 500 /etc/ldap/ssl</code>
-== Create a ''tls.ldif'' file which contains the config modifications to support tls : ==
-<file>dn: cn=config
-add: olcTLSCACertificateFile
-olcTLSCACertificateFile: /etc/ssl/mycerts/ldap/ca-cert.pem
-add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ssl/mycerts/ldap/cert.pem
-add: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /etc/ssl/mycerts/ldap/key.pem</file>
-== Apply the modifications : ==
-<code>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif</code>
-== In ''/etc/default/slapd'', modify the line : ==
-<file>SLAPD_SERVICES="ldap:/// ldapi:///"</file>
-== by : ==
-<file>SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"</file>
-== Finaly force slapd daemon to reload your configuration : ==
-<code>$ sudo /etc/init.d/slapd force-reload</code>
-====== ======
-Your base configuration is now ok.
-Install Samba schema dependancies first :
-<code>$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
-$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
-$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
-</code>
-Prepare Samba schema :
-<code>
-$ sudo aptitude install samba-doc
-$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
-$ sudo gzip -d /etc/ldap/schema/samba.schema.gz
-</code>
-Samba schema is writed in the old slapd format. We need to convert it to new format.
-== Create a configuration file ''/tmp/schema_convert.conf'' containing the following : ==
-<file>include /etc/ldap/schema/core.schema
-include /etc/ldap/schema/cosine.schema
-include /etc/ldap/schema/inetorgperson.schema
-include /etc/ldap/schema/nis.schema
-include /etc/ldap/schema/samba.schema</file>
-== Generate ''slapd'' configuration directory from the previous configuration file : ==
-<code>$ sudo sh -c "slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output/ -n0 -s 'cn={3}samba,cn=schema,cn=config' | sed '/structuralObjectClass: olcSchemaConfig/,//d' > /etc/ldap/schema/samba.ldif"</code>
-====== ======
-Install Samba_schema :
-<code>$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif</code>
-Now create a database configuration file ''~/db.ldif'' :
-<file># Load modules for database type
-dn: cn=module,cn=config
-objectclass: olcModuleList
-cn: module
-olcModuleLoad: back_bdb.la
-# Create directory database
-dn: olcDatabase=bdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: bdb
-# Domain name (e.g. home.local)
-olcSuffix: dc=example,dc=org
-# Location on system where database is stored
-olcDbDirectory: /var/lib/ldap
-# Manager of the database
-olcRootDN: cn=admin,dc=example,dc=org
-olcRootPW: {SSHA}BLhNGX3831HaRhY3sasCBd+2rW2k+ZFK
-# Indices in database to speed up searches
-olcDbIndex: uid pres,eq
-olcDbIndex: cn,sn,mail pres,eq,approx,sub
-olcDbIndex: objectClass eq
-# Allow users to change their own password
-# Allow anonymous to authenciate against the password
-# Allow admin to change anyone's password
-olcAccess: to attrs=userPassword
-  by self write
-  by anonymous auth
-  by dn.base="cn=admin,dc=example,dc=org" write
-  by * none
-# Allow users to change their own record
-olcAccess: to *
-  by self write
-  by dn.base="cn=admin,dc=example,dc=org" write
-  by dn.base="cn=reader,dc=example,dc=org" read
-  by * none</file>
-Create the database with previous file :
-<code>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/db.ldif</code>
-Create a file ''reader.ldif'' to describe a reader for the LDAP directory :
-<file>dn: cn=reader,dc=example,dc=org
-objectClass: top
-objectClass: person
-sn: reader
-cn: reader
-userPassword: {SSHA}MdqRyZv18JLY8/EDbd0W/x0ertVIM00g</file>
-Add this user to the directory :
-<code>$ ldapadd -x -f reader.ldif -W -D cn=admin,dc=example,dc=org</code>
-Install samba and smbldap tools :
-<code>$ sudo apt-get install samba smbldap-tools</code>
-Edit the ''/etc/smbldap-tools/smbldap.conf'' configuration file :
-<file>SID="S-1-5-21-495087901-2487403515-1027126461"
-sambaDomain="REDSQUADRON"
-slaveLDAP=""
-slavePort="389"
-masterLDAP="server"
-masterPort="389"
-ldapTLS="0"
-suffix="dc=example,dc=org"
-usersdn="ou=users,${suffix}"
-computersdn="ou=computers,${suffix}"
-groupsdn="ou=groups,${suffix}"
-idmapdn="ou=Idmap,${suffix}"
-sambaUnixIdPooldn="sambaDomainName=REDSQUADRON,${suffix}"
-scope="sub"
-hash_encrypt="SSHA"
-crypt_salt_format=""
-userLoginShell="/bin/bash"
-userHome="/home/%U"
-userHomeDirectoryMode="700"
-userGecos="System User"
-defaultUserGid="513"
-defaultComputerGid="515"
-skeletonDir="/etc/skel"
-defaultMaxPasswordAge="45"
-userSmbHome="\\\%U"
-userProfile="\\\profiles\%U"
-userHomeDrive=""
-userScript=""
-mailDomain=""
-with_smbpasswd="0"
-smbpasswd="/usr/bin/smbpasswd"
-with_slappasswd="0"
-slappasswd="/usr/sbin/slappasswd"
-</file>
-Edit ''/etc/smbldap-tools/smbldap_bind.conf'' to set credentials :
-<file>masterDN="cn=admin,dc=example,dc=org"
-masterPw="admin"
-#slaveDN=""
-#slavePw=""</file>
-Populate the database :
-<code>$ sudo smbldap-populate</code>
-Install Samba server :
-<code>$ sudo aptitude install samba</code>
-Configure Samba by editing ''/etc/samba/smb.conf'' :
-<file>[global]
-   workgroup = REDSQUADRON
-   netbios name =  SERVER
-   server string = %h server (Samba, Ubuntu)
-   dns proxy = no
-   log file = /var/log/samba/log.%m
-   max log size = 1000
-   syslog = 0
-   panic action = /usr/share/samba/panic-action %d
-   encrypt passwords = true
-   passdb backend = ldapsam:ldap://localhost
-   ldap suffix = dc=example,dc=org
-   ldap user suffix = ou=users
-   ldap group suffix = ou=groups
-   ldap machine suffix = ou=computers
-   ldap idmap suffix = ou=Idmap
-   ldap admin dn = cn=admin,dc=example,dc=org
-   ldap ssl = off
-   ldap passwd sync = yes
-   obey pam restrictions = yes
-   unix password sync = yes
-   passwd program = /usr/bin/passwd %u
-   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
-   pam password change = yes
-   map to guest = bad user
-   usershare allow guests = yes
-[homes]
-   comment = Home Directories
-   browseable = no
-   read only = yes
-   create mask = 0700
-   directory mask = 0700
-[printers]
-   comment = All Printers
-   browseable = no
-   path = /var/spool/samba
-   printable = yes
-   guest ok = no
-   read only = yes
-   create mask = 0700
-[print$]
-   comment = Printer Drivers
-   path = /var/lib/samba/printers
-   browseable = yes
-   read only = yes
-   guest ok = no
-</file>
-====== Client ======
-Install client :
-<code>$ sudo aptitude install libnss-ldap</code>
-Edit ''/etc/ldap.conf'' :
-<file>base dc=example,dc=org
-uri ldap://server:389
-ldap_version 3
-binddn cn=reader,dc=example,dc=org
-bindpw reader
-bind_policy soft
-pam_password md5
-nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,uml-net,uucp,www-data</file>
-Modify ''/etc/nsswitch.conf'' as follow :
-<file># /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-passwd:         compat ldap
-group:          compat ldap
-shadow:         compat ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      db files
-services:       db files
-ethers:         db files
-rpc:            db files
-netgroup:       nis</file>
-Install pam_mount and smbfs :
-<code>sudo aptitude install libpam-mount smbfs</code>
-Next, edit the pammount configuration file ''/etc/security/pam_mount.conf.xml'' :
-<file><?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
-<!--    See pam_mount.conf(5) for a description.    -->
-<pam_mount>
-        <!-- Volume definitions -->
-        <volume fstype="cifs" server="server" path="%(USER)" mountpoint="/home/%(USER)/" user="*" options="rw,auto,iocharset=utf8" />
-        <!-- pam_mount parameters: General tunables -->
-        <debug enable="0" />
-        <!-- <luserconf name=".pam_mount.conf.xml" /> -->
-        <!-- Note that commenting out mntoptions will give you the defaults.
-        You will need to explicitly initialize it with the empty string
-        to reset the defaults to nothing. -->
-        <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
-        <!-- <mntoptions deny="suid,dev" />
-        <mntoptions allow="*" />
-        <mntoptions deny="*" /> -->
-        <mntoptions require="nosuid,nodev" />
-        <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
-        <logout wait="0" hup="0" term="0" kill="0" />
-        <!-- pam_mount parameters: Volume-related -->
-        <mkmountpoint enable="1" remove="true" />
-</pam_mount></file>

Geonobot Wiki

Outils pour utilisateurs

Outils du site

Différences

Outils de la page