====== Server ======
Install LDAP server :
$ sudo apt-get install slapd ldap-utils
Keep all options by default.
To use TLS encrypted connections to the OpenLDAP server, it is necessary to create a certificate for this server. Here the server certificate is signed by a CA whose own certificate is self-signed :
== To create a self-signed certificate to represent our Certification Authority (CA), first generate a private key : ==
$ certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
== Next create the self-signed certificate based on the previous private key (use the server FQDN as the Common Name; TODO : verify this is really needed for a CA) : ==
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): FR
Organization name: Example
Organizational unit name:
Locality name:
State or province name: Brittany
Common name: server.example.org
UID: server
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1262902964):
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 4b465eb4
Validity:
Not Before: Thu Jan 07 22:22:46 UTC 2010
Not After: Fri Jan 07 22:22:48 UTC 2011
Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
be:72:0f:a5:46:c9:0e:0f:35:b9:cd:09:5a:8d:00:a0
23:a2:41:82:65:ba:2f:b8:a4:37:4a:0a:55:77:a6:3c
96:46:1f:30:0b:73:f1:d7:53:6f:6a:be:52:0d:80:e1
e2:3c:e3:3b:31:14:a6:3c:f0:a5:32:4f:43:5d:7d:3b
ca:cf:c9:53:fc:0c:d0:43:51:29:ab:36:30:b9:19:f2
e2:43:6a:67:7a:68:20:d8:3c:2e:88:88:a9:93:b0:4d
bb:42:25:e2:b5:e1:ed:ce:a0:68:05:6e:be:44:ff:ab
2c:4b:76:c1:7b:f5:c5:9e:f2:f2:04:0e:5e:53:6f:ee
b6:bf:c7:a4:ef:9c:41:d4:83:31:9f:9e:f0:5f:94:3b
13:4b:5d:7b:88:cb:e9:ad:05:d2:a7:b9:1c:b2:83:8d
6a:4f:30:e2:42:d9:cf:7a:f3:ec:4b:0b:a2:1b:12:15
9b:08:6f:08:3d:1c:c7:4d:d3:63:05:66:1b:7b:0f:b3
40:46:2f:bd:3c:0a:a5:dc:94:46:36:a7:39:ba:23:b8
3f:75:d8:07:49:c7:63:7d:53:02:e8:9e:61:4a:7f:c1
23:13:95:ad:9a:13:94:3a:d8:5b:da:3e:3b:19:a5:95
21:ab:c9:4a:5b:6c:4d:0a:3f:bc:c8:66:2c:41:9b:23
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
CRL signing.
Subject Key Identifier (not critical):
d95838364a698844b7a9d60b1c32a28baee0da63
Other Information:
Public Key Id:
d95838364a698844b7a9d60b1c32a28baee0da63
Is the above information ok? (Y/N): Y
Signing certificate...
== Generate the private key for the LDAP server itself : ==
$ certtool --generate-privkey --outfile server-key.pem
Generating a 2048 bit RSA private key...
== Now with the CA certificate and private key, generate the LDAP server certificate (use the server FQDN for Common Name) : ==
$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): FR
Organization name: Example
Organizational unit name:
Locality name:
State or province name: Brittany
Common name: server.example.org
UID: server
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1262903337):
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
X.509 Certificate Information:
Version: 3
Serial Number (hex): 4b466029
Validity:
Not Before: Thu Jan 07 22:28:58 UTC 2010
Not After: Fri Jan 07 22:29:00 UTC 2011
Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
b1:ea:e5:3b:7c:9b:fc:96:a4:d2:95:36:11:fb:1b:f4
ce:78:1a:c9:73:29:f2:ea:30:9d:ca:ac:36:a5:8f:e7
c4:32:ea:a2:87:9f:f1:27:4b:4d:28:d2:52:f1:d5:7c
aa:38:fe:d5:2a:7b:c9:c8:69:a5:fa:fe:40:f8:23:c1
37:7a:9f:ca:87:75:e9:3c:95:50:32:82:96:cc:a1:e6
ad:ec:1c:4a:50:60:a7:39:a9:33:1e:71:9d:bf:f8:20
1c:65:c1:d4:5d:a9:60:3d:d8:9c:dc:d1:8f:54:cf:40
4d:2f:71:5a:77:c7:39:dc:79:f9:0b:d4:63:25:53:30
35:5c:0c:cc:24:68:3a:36:51:20:e2:cb:f6:0b:22:e7
0f:59:bb:6c:3c:64:a0:7a:72:c8:30:f0:39:80:60:ca
a7:76:0f:bd:a8:f3:ee:4d:f6:af:ec:54:f8:2d:e9:be
70:1f:4a:ab:02:3c:c4:47:c8:3b:12:e6:e1:43:e5:68
95:a5:6d:d1:09:15:85:62:69:90:cf:e4:ca:8f:45:9c
ea:5a:8f:f0:65:69:9b:6d:c8:e2:5f:0c:86:52:50:0f
c9:11:77:9a:f0:12:54:3e:76:b1:5e:b3:c3:4c:42:8c
5d:c8:41:fb:3b:32:87:5e:4f:7e:79:5d:23:5c:9c:cb
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Server.
Key Usage (critical):
Key encipherment.
Subject Key Identifier (not critical):
de2cc1e956e44e196a9396ea7e98c4f25b725a60
Authority Key Identifier (not critical):
d95838364a698844b7a9d60b1c32a28baee0da63
Other Information:
Public Key Id:
de2cc1e956e44e196a9396ea7e98c4f25b725a60
Is the above information ok? (Y/N): Y
Signing certificate...
== Copy all the .pem files into ''/etc/ldap/ssl/'' and restrict the permissions on this folder so that only the slapd user can read the private keys : ==
$ sudo mkdir /etc/ldap/ssl/
$ sudo mv *.pem /etc/ldap/ssl/
$ sudo chown -R openldap:openldap /etc/ldap/ssl
$ sudo chmod -R 500 /etc/ldap/ssl
== Create a ''tls.ldif'' file which contains the config modifications to support TLS (the paths must point at the files just copied to ''/etc/ldap/ssl/''; each modification is separated by a ''-'' line) : ==
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server-key.pem
== Apply the modifications : ==
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
== In ''/etc/default/slapd'', modify the line : ==
SLAPD_SERVICES="ldap:/// ldapi:///"
== by : ==
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
== Finally force the slapd daemon to reload your configuration : ==
$ sudo /etc/init.d/slapd force-reload
Your base configuration is now ok.
Install the Samba schema dependencies first :
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Prepare the Samba schema :
$ sudo aptitude install samba-doc
$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.schema.gz
The Samba schema is written in the old slapd.conf format. We need to convert it to the cn=config LDIF format.
== Create a configuration file ''/tmp/schema_convert.conf'' containing the following : ==
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
== Generate the ''slapd'' configuration directory from the previous configuration file and extract the Samba schema (the ''{n}'' index is the 0-based position of the include in ''/tmp/schema_convert.conf'', so with the five includes above samba is ''{4}''; check with ''ls /tmp/ldif_output/cn=config/cn=schema/'') : ==
$ sudo sh -c "slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output/ -n0 -s 'cn={4}samba,cn=schema,cn=config' | sed '/structuralObjectClass: olcSchemaConfig/,//d' > /etc/ldap/schema/samba.ldif"
Install the Samba schema :
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
Now create a database configuration file ''~/db.ldif'' :
# Load modules for database type
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModuleLoad: back_bdb.la

# Create directory database (a blank line must separate the two entries)
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
# Domain name (e.g. home.local)
olcSuffix: dc=example,dc=org
# Location on system where database is stored
olcDbDirectory: /var/lib/ldap
# Manager of the database
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: {SSHA}BLhNGX3831HaRhY3sasCBd+2rW2k+ZFK
# Indices in database to speed up searches
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
# Allow users to change their own password
# Allow anonymous to authenticate against the password
# Allow admin to change anyone's password
# (continuation lines start with two spaces: LDIF strips the first one)
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=admin,dc=example,dc=org" write
  by * none
# Allow users to change their own record
olcAccess: to *
  by self write
  by dn.base="cn=admin,dc=example,dc=org" write
  by dn.base="cn=reader,dc=example,dc=org" read
  by * none
Create the database with the previous file :
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/db.ldif
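To see what the two ''olcAccess'' rules above actually grant before loading them, here is an added example (not part of this page, nor of OpenLDAP's own code): a small Python model of how slapd evaluates them. It implements only the constructs this page uses (''to attrs=...'' / ''to *'' and the subjects ''self'', ''anonymous'', ''users'', ''*'', ''dn.base="..."''); real slapd supports far more (''dn.subtree'', filters, regex, ''ssf='' ...), and the rootdn (''cn=admin'' here) bypasses ACLs entirely. The user DNs ''uid=alice'' and ''uid=bob'' are constructed sample entries.

```python
# Added example: simplified model of slapd olcAccess evaluation for the rules on this page.
# Only the ACL constructs used on the page are modelled (assumption: see lead-in).
import re

# Access levels in slapd's order; each level implies all the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The page's two rules from db.ldif, joined onto one line per rule.
ACL_TEXT = """
to attrs=userPassword by self write by anonymous auth by dn.base="cn=admin,dc=example,dc=org" write by * none
to * by self write by dn.base="cn=admin,dc=example,dc=org" write by dn.base="cn=reader,dc=example,dc=org" read by * none
"""

RULE_RE = re.compile(r'^to\s+(\*|attrs=[\w,]+)\s+(by\s+.*)$')
BY_RE = re.compile(r'by\s+(dn\.base="[^"]*"|self|anonymous|users|\*)\s+(\w+)')


def norm_dn(dn):
    """Crude DN normalisation: lower-case and drop whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip().lower())


def parse_acl(text):
    """Return a list of (attrs, by_clauses); attrs is None for 'to *'."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL line: " + line)
        what, rest = m.groups()
        attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
        by = BY_RE.findall(rest)
        for _, level in by:
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
        rules.append((attrs, by))
    return rules


def who_matches(who, bind_dn, target_dn):
    """Does the 'by <who>' subject match the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith('dn.base="'):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[len('dn.base="'):-1])
    raise ValueError("unsupported subject: " + who)


def access_level(rules, bind_dn, target_dn, attr=None):
    """slapd semantics: the first 'to' clause matching the target decides; inside it the
    first matching 'by' clause gives the level, and if none matches access is 'none'."""
    for attrs, by in rules:
        if attrs is not None and (attr is None or attr.lower() not in attrs):
            continue
        for who, level in by:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def can(rules, bind_dn, target_dn, op, attr=None):
    """True if the bound identity's level on attr (or on the entry itself) covers op."""
    return LEVELS.index(access_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(op)


RULES = parse_acl(ACL_TEXT)
ADMIN = "cn=admin,dc=example,dc=org"
READER = "cn=reader,dc=example,dc=org"
ALICE = "uid=alice,ou=users,dc=example,dc=org"   # constructed sample user entry
BOB = "uid=bob,ou=users,dc=example,dc=org"       # constructed sample user entry

if __name__ == "__main__":
    checks = [
        ("anonymous can bind (auth) against alice's password", (None, ALICE, "auth", "userPassword")),
        ("anonymous can read alice's password hash", (None, ALICE, "read", "userPassword")),
        ("reader can read alice's password hash", (READER, ALICE, "read", "userPassword")),
        ("reader can read alice's cn", (READER, ALICE, "read", "cn")),
        ("alice can change her own password", (ALICE, ALICE, "write", "userPassword")),
        ("alice can modify bob's entry", (ALICE, BOB, "write", "cn")),
        ("anonymous can search the tree", (None, ALICE, "search")),
    ]
    for label, args in checks:
        print(f"{label}: {can(RULES, *args)}")
```

The point worth noticing is the ''by anonymous auth'' clause: anonymous clients may only use ''userPassword'' for a bind, not read it, and because the first matching rule wins, even the ''reader'' account (which the second rule grants ''read'' on everything else) cannot retrieve password hashes.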
Create a file ''reader.ldif'' describing a read-only bind account for the LDAP directory :
dn: cn=reader,dc=example,dc=org
objectClass: top
objectClass: person
sn: reader
cn: reader
userPassword: {SSHA}MdqRyZv18JLY8/EDbd0W/x0ertVIM00g
Add this user to the directory :
$ ldapadd -x -f reader.ldif -W -D cn=admin,dc=example,dc=org
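The ''{SSHA}'' values used for ''olcRootPW'' in ''db.ldif'' and for ''userPassword'' in ''reader.ldif'' are normally produced with ''slappasswd''. As an added example (not part of this page or of OpenLDAP), here is a stand-alone Python reimplementation of that scheme, which shows what the stored value contains and how a bind is checked against it. The password ''s3cret-example'' is a constructed sample; ''READER_HASH'' is the value from ''reader.ldif'' above.

```python
# Added example: build and verify OpenLDAP {SSHA} password values.
# {SSHA} = "{SSHA}" + base64( sha1(password || salt) || salt ); slappasswd uses a 4-byte random salt.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return the {SSHA} value for password; pass salt to make the result deterministic."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check password against a stored {SSHA} value: the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# The hash from reader.ldif on this page; /etc/ldap.conf later uses "reader" as the bindpw.
READER_HASH = "{SSHA}MdqRyZv18JLY8/EDbd0W/x0ertVIM00g"

if __name__ == "__main__":
    h = ssha_hash("s3cret-example")            # constructed sample password, random salt
    print(h, ssha_verify("s3cret-example", h), ssha_verify("wrong", h))
    print("reader hash matches the bindpw 'reader':", ssha_verify("reader", READER_HASH))
```

SSHA is a salted but unstretched SHA-1: one hash computation per guess, so an attacker who obtains the stored value can test candidates very quickly. That is why the ''olcAccess'' rules above deny everyone but the entry owner and the admin any read of ''userPassword''.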
Install Samba and the smbldap tools :
$ sudo apt-get install samba smbldap-tools
Edit the ''/etc/smbldap-tools/smbldap.conf'' configuration file :
SID="S-1-5-21-495087901-2487403515-1027126461"
sambaDomain="REDSQUADRON"
slaveLDAP=""
slavePort="389"
masterLDAP="server"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=users,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=REDSQUADRON,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\\%U"
userProfile="\\\profiles\%U"
userHomeDrive=""
userScript=""
mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Edit ''/etc/smbldap-tools/smbldap_bind.conf'' to set credentials :
masterDN="cn=admin,dc=example,dc=org"
masterPw="admin"
#slaveDN=""
#slavePw=""
Populate the database :
$ sudo smbldap-populate
Install Samba server :
$ sudo aptitude install samba
Configure Samba by editing ''/etc/samba/smb.conf'' :
[global]
workgroup = REDSQUADRON
netbios name = SERVER
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=example,dc=org
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=org
ldap ssl = off
ldap passwd sync = yes
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
====== Client ======
Install client :
$ sudo aptitude install libnss-ldap
Edit ''/etc/ldap.conf'' :
base dc=example,dc=org
uri ldap://server:389
ldap_version 3
binddn cn=reader,dc=example,dc=org
bindpw reader
bind_policy soft
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,uml-net,uucp,www-data
Modify ''/etc/nsswitch.conf'' as follows :
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Install pam_mount and smbfs :
$ sudo aptitude install libpam-mount smbfs
Next, edit the pam_mount configuration file ''/etc/security/pam_mount.conf.xml'' :
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin