
Server

Install the LDAP server:

$ sudo apt-get install slapd ldap-utils

Keep all options by default.

To use TLS-encrypted connections to the OpenLDAP server, a certificate must be created for it. Here this certificate is signed by a CA whose own certificate is self-signed:

To create a self-signed certificate representing our Certification Authority (CA), first generate a private key:
$ certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
Next, create the self-signed certificate from that private key (the transcript uses the server FQDN as Common Name; TODO: verify whether that is really needed for a CA):
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): FR
Organization name: Example
Organizational unit name: 
Locality name: 
State or province name: Brittany
Common name: server.example.org
UID: server
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1262902964): 


Activation/Expiration time.
The certificate will expire in (days): 365


Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): 
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): 
Enter the e-mail of the subject of the certificate: 
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): 
Will the certificate be used to sign OCSP requests? (y/N): 
Will the certificate be used for time stamping? (y/N): 
Enter the URI of the CRL distribution point: 
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 4b465eb4
	Validity:
		Not Before: Thu Jan 07 22:22:46 UTC 2010
		Not After: Fri Jan 07 22:22:48 UTC 2011
	Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Key Usage (critical):
			Certificate signing.
			CRL signing.
		Subject Key Identifier (not critical):
			d95838364a698844b7a9d60b1c32a28baee0da63
Other Information:
	Public Key Id:
		d95838364a698844b7a9d60b1c32a28baee0da63

Is the above information ok? (Y/N): Y


Signing certificate...
Generate the private key for the LDAP server itself:
$ certtool --generate-privkey --outfile server-key.pem
Generating a 2048 bit RSA private key...
Now, with the CA certificate and private key, generate the LDAP server certificate (use the server FQDN as Common Name):
$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): FR
Organization name: Example
Organizational unit name: 
Locality name: 
State or province name: Brittany
Common name: server.example.org
UID: server
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1262903337): 


Activation/Expiration time.
The certificate will expire in (days): 365


Extensions.
Does the certificate belong to an authority? (y/N): 
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): 
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 4b466029
	Validity:
		Not Before: Thu Jan 07 22:28:58 UTC 2010
		Not After: Fri Jan 07 22:29:00 UTC 2011
	Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Key Purpose (not critical):
			TLS WWW Server.
		Key Usage (critical):
			Key encipherment.
		Subject Key Identifier (not critical):
			de2cc1e956e44e196a9396ea7e98c4f25b725a60
		Authority Key Identifier (not critical):
			d95838364a698844b7a9d60b1c32a28baee0da63
Other Information:
	Public Key Id:
		de2cc1e956e44e196a9396ea7e98c4f25b725a60

Is the above information ok? (Y/N): Y


Signing certificate...
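The interactive certtool session above is easy to get wrong: the CA and the server certificate end up with the same subject, and the server certificate gets no dnsName, which clients that ignore the CN reject. As an added example that is not part of the original page, the same CA and server certificates are generated here from certtool template files and the resulting chain is checked before it is installed; the CA name, organization, FQDN and directory are assumptions to adapt.

```shell
# Added example, not from the original page: the CA and server certificate steps
# above driven by certtool template files. Names and paths are assumptions.
set -eu

CA_CN="Example LDAP CA"            # a CA's CN need not be the server FQDN
SERVER_FQDN="server.example.org"   # must match the name clients connect to

# CA template: same answers as the interactive run (CA, certificate + CRL signing).
write_ca_template() {
    cat > "$1" <<EOF
organization = "Example"
cn = "$CA_CN"
expiration_days = 365
ca
cert_signing_key
crl_signing_key
EOF
}

# Server template: not a CA, TLS server usage, a dnsName SAN (left empty in the
# interactive run) and both key usages so RSA and (EC)DHE key exchange work.
write_server_template() {
    cat > "$1" <<EOF
organization = "Example"
cn = "$SERVER_FQDN"
dns_name = "$SERVER_FQDN"
expiration_days = 365
tls_www_server
encryption_key
signing_key
EOF
}

# Generate both key pairs and certificates into "$1", then check that the server
# certificate really chains to the CA before anything is copied to slapd.
generate_and_verify() {
    dir="$1"
    write_ca_template "$dir/ca.tmpl"
    write_server_template "$dir/server.tmpl"
    certtool --generate-privkey --outfile "$dir/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem"
    certtool --generate-privkey --outfile "$dir/server-key.pem"
    certtool --generate-certificate --load-privkey "$dir/server-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server-cert.pem"
    cat "$dir/server-cert.pem" "$dir/ca-cert.pem" | certtool --verify-chain
}
```

Call generate_and_verify with a scratch directory; the ca-cert.pem it produces is also the file clients must trust when they connect over ldaps.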
Move all the .pem files into ''/etc/ldap/ssl/'' and restrict that folder to the ''openldap'' user:
$ sudo mkdir /etc/ldap/ssl/
$ sudo mv *.pem /etc/ldap/ssl/
$ sudo chown -R openldap:openldap /etc/ldap/ssl
$ sudo chmod -R 500 /etc/ldap/ssl
Create a ''tls.ldif'' file containing the configuration changes that enable TLS (the paths are those of the folder created above; the ''-'' lines separate the attribute changes of a single modify record):
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server-key.pem
Apply the modifications:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
In ''/etc/default/slapd'', change the line:
SLAPD_SERVICES="ldap:/// ldapi:///"
to:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Finally, force the slapd daemon to reload its configuration:
$ sudo /etc/init.d/slapd force-reload

Your base configuration is now ok.

Install the Samba schema dependencies first:

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Prepare the Samba schema:

$ sudo aptitude install samba-doc
$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.schema.gz

The Samba schema is written in the old slapd.conf format; it has to be converted to the cn=config LDIF format.

Create a configuration file ''/tmp/schema_convert.conf'' containing the following:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
Generate a ''slapd'' configuration directory from the previous configuration file and extract the Samba schema entry. Schema entries are numbered in include order starting at ''{0}'', so with the five includes above ''samba'' is ''{4}'':
$ sudo mkdir /tmp/ldif_output
$ sudo sh -c "slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output/ -n0 -s 'cn={4}samba,cn=schema,cn=config' | sed '/structuralObjectClass: olcSchemaConfig/,//d' > /etc/ldap/schema/samba.ldif"
Before loading the generated file, edit its ''dn:'' and ''cn:'' lines to ''cn=samba,cn=schema,cn=config'' and ''samba'', without the ''{4}'' index.
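The slapcat dump carries an ordering index in its dn and cn and a tail of operational attributes (entryUUID, creatorsName, ...) that an LDAP client is not allowed to set, so ldapadd rejects it as-is. As an added example that is not part of the original page, this shell filter removes both, run here on a constructed stand-in for the slapcat output (the attribute values are placeholders, not the real Samba schema).

```shell
# Added example, not from the original page: clean the slapcat schema dump so
# that ldapadd accepts it. The sample entry is constructed; values are placeholders.
set -eu

# Constructed stand-in for what "slapcat -n0 -s cn={4}samba,..." prints.
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={4}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}samba
olcAttributeTypes: {0}( 1.2.3.4 NAME 'sambaExampleAttr' DESC 'placeholder' )
olcObjectClasses: {0}( 1.2.3.5 NAME 'sambaExampleClass' DESC 'placeholder' )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100107222246Z
entryCSN: 20100107222246.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100107222246Z
EOF
}

# Two fixes on the way from slapcat to ldapadd:
#  - strip the "{N}" ordering index from dn: and cn: (slapd assigns its own);
#    the indices inside olcAttributeTypes/olcObjectClasses values are kept,
#  - drop the operational attributes slapcat appends, which an LDAP client
#    is not allowed to set (the sed in the page removes the tail from
#    structuralObjectClass onward; this deletes them individually).
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass:/d' \
        -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d' \
        -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d' \
        -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d'
}

# Real use: slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 \
#   -s 'cn={4}samba,cn=schema,cn=config' | clean_schema_ldif > samba.ldif
```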

Install the Samba schema:

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif

Now create a database configuration file ''~/db.ldif'':

# Load modules for database type
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModuleLoad: back_bdb.la

# Create directory database
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
# Domain name (e.g. home.local)
olcSuffix: dc=example,dc=org
# Location on system where database is stored
olcDbDirectory: /var/lib/ldap
# Manager of the database
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: {SSHA}BLhNGX3831HaRhY3sasCBd+2rW2k+ZFK
# Indices in database to speed up searches
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
# Allow users to change their own password
# Allow anonymous to authenticate against the password
# Allow admin to change anyone's password
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=admin,dc=example,dc=org" write
  by * none
# Allow users to change their own record
olcAccess: to *
  by self write
  by dn.base="cn=admin,dc=example,dc=org" write
  by dn.base="cn=reader,dc=example,dc=org" read
  by * none

Create the database with the previous file:

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/db.ldif

Create a file ''reader.ldif'' describing a read-only account for the LDAP directory:

dn: cn=reader,dc=example,dc=org
objectClass: top
objectClass: person
sn: reader
cn: reader
userPassword: {SSHA}MdqRyZv18JLY8/EDbd0W/x0ertVIM00g

Add this user to the directory:

$ ldapadd -x -f reader.ldif -W -D cn=admin,dc=example,dc=org

Install samba and the smbldap tools:

$ sudo apt-get install samba smbldap-tools

Edit the ''/etc/smbldap-tools/smbldap.conf'' configuration file:

SID="S-1-5-21-495087901-2487403515-1027126461"
sambaDomain="REDSQUADRON"
slaveLDAP=""
slavePort="389"
masterLDAP="server"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=users,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=REDSQUADRON,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\\%U"
userProfile="\\\profiles\%U"
userHomeDrive=""
userScript=""
mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Edit ''/etc/smbldap-tools/smbldap_bind.conf'' to set the credentials:

masterDN="cn=admin,dc=example,dc=org"
masterPw="admin"
#slaveDN=""
#slavePw=""

Populate the database:

$ sudo smbldap-populate

Install the Samba server:

$ sudo aptitude install samba

Configure Samba by editing ''/etc/samba/smb.conf'':

[global]
   workgroup = REDSQUADRON
   netbios name =  SERVER
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=org
   ldap ssl = off
   ldap passwd sync = yes
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Client

Install the client:

$ sudo aptitude install libnss-ldap

Edit ''/etc/ldap.conf'':

base dc=example,dc=org
uri ldap://server:389
ldap_version 3
binddn cn=reader,dc=example,dc=org
bindpw reader
bind_policy soft
pam_password md5

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,uml-net,uucp,www-data

Modify ''/etc/nsswitch.conf'' as follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Install pam_mount and smbfs:

$ sudo aptitude install libpam-mount smbfs

Next, edit the pam_mount configuration file ''/etc/security/pam_mount.conf.xml'':

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--    See pam_mount.conf(5) for a description.    -->

<pam_mount>

        <!-- Volume definitions -->
        <volume fstype="cifs" server="server" path="%(USER)" mountpoint="/home/%(USER)/" user="*" options="rw,auto,iocharset=utf8" />

        <!-- pam_mount parameters: General tunables -->
        <debug enable="0" />
        
        <!-- <luserconf name=".pam_mount.conf.xml" /> -->

        <!-- Note that commenting out mntoptions will give you the defaults.
        You will need to explicitly initialize it with the empty string
        to reset the defaults to nothing. -->
        <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
        <!-- <mntoptions deny="suid,dev" />
        <mntoptions allow="*" />
        <mntoptions deny="*" /> -->
        <mntoptions require="nosuid,nodev" />
        
        <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

        <logout wait="0" hup="0" term="0" kill="0" />

        <!-- pam_mount parameters: Volume-related -->
        <mkmountpoint enable="1" remove="true" />
</pam_mount>
en/computing/network_system/pdc_samba_openldap_securise.txt · Last modified: 2012/09/20 10:52 (external edit)