Install LDAP server :
$ sudo apt-get install slapd ldap-utils
Keep the default answers to the debconf questions; the only thing you have to supply is the password of the directory administrator.
To use TLS encrypted connections to the OpenLDAP server, it is necessary to create a certificate for this server. Here this certificate is signed by a CA with a self-signed certificate :
$ certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): FR
Organization name: Example
Organizational unit name:
Locality name:
State or province name: Brittany
Common name: server.example.org
UID: server
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1262902964):


Activation/Expiration time.
The certificate will expire in (days): 365


Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4b465eb4
    Validity:
        Not Before: Thu Jan 07 22:22:46 UTC 2010
        Not After: Fri Jan 07 22:22:48 UTC 2011
    Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            be:72:0f:a5:46:c9:0e:0f:35:b9:cd:09:5a:8d:00:a0
            23:a2:41:82:65:ba:2f:b8:a4:37:4a:0a:55:77:a6:3c
            96:46:1f:30:0b:73:f1:d7:53:6f:6a:be:52:0d:80:e1
            e2:3c:e3:3b:31:14:a6:3c:f0:a5:32:4f:43:5d:7d:3b
            ca:cf:c9:53:fc:0c:d0:43:51:29:ab:36:30:b9:19:f2
            e2:43:6a:67:7a:68:20:d8:3c:2e:88:88:a9:93:b0:4d
            bb:42:25:e2:b5:e1:ed:ce:a0:68:05:6e:be:44:ff:ab
            2c:4b:76:c1:7b:f5:c5:9e:f2:f2:04:0e:5e:53:6f:ee
            b6:bf:c7:a4:ef:9c:41:d4:83:31:9f:9e:f0:5f:94:3b
            13:4b:5d:7b:88:cb:e9:ad:05:d2:a7:b9:1c:b2:83:8d
            6a:4f:30:e2:42:d9:cf:7a:f3:ec:4b:0b:a2:1b:12:15
            9b:08:6f:08:3d:1c:c7:4d:d3:63:05:66:1b:7b:0f:b3
            40:46:2f:bd:3c:0a:a5:dc:94:46:36:a7:39:ba:23:b8
            3f:75:d8:07:49:c7:63:7d:53:02:e8:9e:61:4a:7f:c1
            23:13:95:ad:9a:13:94:3a:d8:5b:da:3e:3b:19:a5:95
            21:ab:c9:4a:5b:6c:4d:0a:3f:bc:c8:66:2c:41:9b:23
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            d95838364a698844b7a9d60b1c32a28baee0da63
Other Information:
    Public Key Id:
        d95838364a698844b7a9d60b1c32a28baee0da63

Is the above information ok? (Y/N): Y

Signing certificate...
Note that the CA above was given the same Common name as the server (server.example.org). It works, but it is better practice to give the CA its own name (for instance "Example LDAP CA") so that the CA certificate and the server certificate can be told apart by subject. The CA private key ca-key.pem must not be copied to the LDAP server's certificate directory later on; it is only needed to sign further certificates and should be kept offline.
$ certtool --generate-privkey --outfile server-key.pem
Generating a 2048 bit RSA private key...
$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): FR
Organization name: Example
Organizational unit name:
Locality name:
State or province name: Brittany
Common name: server.example.org
UID: server
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1262903337):


Activation/Expiration time.
The certificate will expire in (days): 365


Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4b466029
    Validity:
        Not Before: Thu Jan 07 22:28:58 UTC 2010
        Not After: Fri Jan 07 22:29:00 UTC 2011
    Subject: C=FR,O=Example,ST=Brittany,CN=server.example.org,UID=server
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            b1:ea:e5:3b:7c:9b:fc:96:a4:d2:95:36:11:fb:1b:f4
            ce:78:1a:c9:73:29:f2:ea:30:9d:ca:ac:36:a5:8f:e7
            c4:32:ea:a2:87:9f:f1:27:4b:4d:28:d2:52:f1:d5:7c
            aa:38:fe:d5:2a:7b:c9:c8:69:a5:fa:fe:40:f8:23:c1
            37:7a:9f:ca:87:75:e9:3c:95:50:32:82:96:cc:a1:e6
            ad:ec:1c:4a:50:60:a7:39:a9:33:1e:71:9d:bf:f8:20
            1c:65:c1:d4:5d:a9:60:3d:d8:9c:dc:d1:8f:54:cf:40
            4d:2f:71:5a:77:c7:39:dc:79:f9:0b:d4:63:25:53:30
            35:5c:0c:cc:24:68:3a:36:51:20:e2:cb:f6:0b:22:e7
            0f:59:bb:6c:3c:64:a0:7a:72:c8:30:f0:39:80:60:ca
            a7:76:0f:bd:a8:f3:ee:4d:f6:af:ec:54:f8:2d:e9:be
            70:1f:4a:ab:02:3c:c4:47:c8:3b:12:e6:e1:43:e5:68
            95:a5:6d:d1:09:15:85:62:69:90:cf:e4:ca:8f:45:9c
            ea:5a:8f:f0:65:69:9b:6d:c8:e2:5f:0c:86:52:50:0f
            c9:11:77:9a:f0:12:54:3e:76:b1:5e:b3:c3:4c:42:8c
            5d:c8:41:fb:3b:32:87:5e:4f:7e:79:5d:23:5c:9c:cb
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Key encipherment.
        Subject Key Identifier (not critical):
            de2cc1e956e44e196a9396ea7e98c4f25b725a60
        Authority Key Identifier (not critical):
            d95838364a698844b7a9d60b1c32a28baee0da63
Other Information:
    Public Key Id:
        de2cc1e956e44e196a9396ea7e98c4f25b725a60

Is the above information ok? (Y/N): Y

Signing certificate...
Two answers in this session are worth changing. The dnsName was left empty, so the certificate has no subjectAltName and clients that check the host name have to fall back on the Common name; enter the server's FQDN there. The signing question was answered with the default "N", which is why the Key Usage ends up as "Key encipherment" only: with such a certificate the server cannot use the DHE ciphersuites (which need digitalSignature) and is restricted to plain RSA key exchange, without forward secrecy. Answer "y" to both the signing and the encryption question.
Install the certificates where slapd (running as user openldap) can read them. Only the CA certificate, the server certificate and the server key go there; the CA key stays with you :
$ sudo mkdir /etc/ldap/ssl/
$ sudo cp ca-cert.pem server-cert.pem server-key.pem /etc/ldap/ssl/
$ sudo chown -R openldap:openldap /etc/ldap/ssl
$ sudo chmod 500 /etc/ldap/ssl
$ sudo chmod 400 /etc/ldap/ssl/*.pem
Declare the certificates in the cn=config database with a file tls.ldif. It is one modify operation on cn=config with three attribute additions, which LDIF separates with a line containing a single "-" :
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server-key.pem
Apply it over the local unix socket, which authenticates you as root through SASL EXTERNAL :
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
StartTLS is now available on the plain ldap:// listener. To also offer LDAP over TLS on its own port (ldaps://, port 636) for clients that cannot do StartTLS, edit /etc/default/slapd and change :
SLAPD_SERVICES="ldap:/// ldapi:///"
into :
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Then reload the server :
$ sudo /etc/init.d/slapd force-reload
Your base configuration is now ok.
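The interactive certtool session above is hard to reproduce and, as noted, leaves the CA with the server's name and the server certificate without dnsName and without the digitalSignature key usage. The script below is an added example, not part of the original page: it generates the same PKI non-interactively from certtool template files with those points corrected, verifies the resulting chain, and gives a check that forces StartTLS against the running slapd. It assumes the host name server.example.org and writes into ./pki; both are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example: non-interactive certtool PKI for slapd.
# Differences from the interactive session on the page:
#   - the CA has its own CN instead of the server's name;
#   - the server certificate carries a dns_name SAN and both the
#     signing_key and encryption_key usages, so DHE ciphersuites work.
# Assumed values: SERVER_FQDN (default server.example.org), OUT (./pki).
set -eu

SERVER_FQDN="${SERVER_FQDN:-server.example.org}"   # assumed host name
OUT="${OUT:-./pki}"                                # assumed output dir

# certtool template for the self-signed CA.
ca_template() {
    cat <<EOF
cn = "Example LDAP CA"
organization = "Example"
country = FR
state = "Brittany"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
}

# certtool template for the slapd server certificate; $1 is the FQDN,
# used both as CN and as dns_name so host name checks succeed.
server_template() {
    cat <<EOF
cn = "$1"
organization = "Example"
country = FR
state = "Brittany"
dns_name = "$1"
expiration_days = 365
tls_www_server
signing_key
encryption_key
EOF
}

# Generate CA and server material. The CA key never leaves $OUT/ca;
# only ca-cert.pem, server-cert.pem and server-key.pem go to the server.
gen_pki() {
    mkdir -p "$OUT/ca" "$OUT/server"
    ca_template > "$OUT/ca/ca.tmpl"
    server_template "$SERVER_FQDN" > "$OUT/server/server.tmpl"
    certtool --generate-privkey --bits 2048 --outfile "$OUT/ca/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$OUT/ca/ca-key.pem" \
        --template "$OUT/ca/ca.tmpl" --outfile "$OUT/ca-cert.pem"
    certtool --generate-privkey --bits 2048 --outfile "$OUT/server/server-key.pem"
    certtool --generate-certificate --load-privkey "$OUT/server/server-key.pem" \
        --load-ca-certificate "$OUT/ca-cert.pem" --load-ca-privkey "$OUT/ca/ca-key.pem" \
        --template "$OUT/server/server.tmpl" --outfile "$OUT/server/server-cert.pem"
    # Verify the chain the way a client will (leaf first, CA last).
    cat "$OUT/server/server-cert.pem" "$OUT/ca-cert.pem" | certtool --verify-chain
}

# After slapd has been reloaded with the certificates: -ZZ makes ldapsearch
# fail unless StartTLS is negotiated and the server certificate verifies
# against our CA, so a silent fallback to cleartext is impossible.
check_starttls() {
    LDAPTLS_CACERT="$OUT/ca-cert.pem" \
        ldapsearch -ZZ -x -H "ldap://$SERVER_FQDN" -b '' -s base '(objectClass=*)' namingContexts
}

case "${1:-}" in
    gen)   gen_pki ;;
    check) check_starttls ;;
esac
```

Run it as "sh mkpki.sh gen" on the admin workstation, copy the three files from ./pki to /etc/ldap/ssl/ on the server as shown above, and run "sh mkpki.sh check" from any client once slapd has been reloaded.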
Install the Samba schema dependencies first :
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Prepare Samba schema :
$ sudo aptitude install samba-doc
$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.schema.gz
The Samba schema is written in the old slapd.conf format. We need to convert it to the cn=config LDIF format. Create a minimal configuration /tmp/schema_convert.conf that includes the Samba schema together with the schemas it depends on :
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
Then dump the configuration entry slapd generates for the Samba schema. Schema entries are numbered in include order, so with the five includes above core is cn={0}core and samba is cn={4}samba. The sed strips the {4} ordering prefix from the entry (it gets the next free index when it is added to the real configuration) and deletes the operational attributes slapcat appends after structuralObjectClass, which ldapadd would reject :
$ mkdir /tmp/ldif_output
$ sudo sh -c "slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output/ -n0 -s 'cn={4}samba,cn=schema,cn=config' | sed -e 's/{4}samba/samba/' -e '/structuralObjectClass: olcSchemaConfig/,\$d' > /etc/ldap/schema/samba.ldif"
Install the Samba schema :
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
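The fragile part of the conversion above is the {N} index, which depends on the position of the schema in the include list and is easy to get wrong. The script below is an added example, not a command from the original page: it computes the index from the conversion file, runs the same slapcat, and cleans the output the way the sed above does, for any legacy schema, not only samba. The path /tmp/schema_convert.conf is the one used above; the LDIF fragment used in its test is constructed for the example.

```sh
#!/bin/sh
# Added example: convert a slapd.conf-style schema to cn=config LDIF,
# deriving the {N} index from the include order instead of hard-coding it.
# Assumes the conversion file /tmp/schema_convert.conf from the step above.
set -eu

# schema_index <conf> <name>: position of "<name>.schema" among the
# include lines of <conf>, counting from 0, which is the index slapd
# gives the entry cn={N}<name>,cn=schema,cn=config in the temporary
# configuration. Exits 1 when the schema is not included.
schema_index() {
    awk -v want="$2" '
        BEGIN { i = 0; found = 0 }
        $1 == "include" {
            n = split($2, p, "/"); base = p[n]; sub(/\.schema$/, "", base)
            if (base == want) { print i; found = 1; exit }
            i++
        }
        END { if (!found) exit 1 }' "$1"
}

# clean_schema_ldif: filter slapcat output for one schema entry into an
# LDIF ldapadd accepts: drop the {N} ordering prefix from dn and cn and
# everything from the first operational attribute to the end.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: olcSchemaConfig/,$d'
}

# convert_schema <conf> <name> <out.ldif>
convert_schema() {
    idx=$(schema_index "$1" "$2")
    tmp=$(mktemp -d)
    slapcat -f "$1" -F "$tmp" -n0 -s "cn={$idx}$2,cn=schema,cn=config" \
        | clean_schema_ldif > "$3"
    rm -rf "$tmp"
}

if [ "${1:-}" = "run" ]; then
    convert_schema /tmp/schema_convert.conf samba /etc/ldap/schema/samba.ldif
fi
```

With the page's conversion file, "schema_index /tmp/schema_convert.conf samba" prints 4 and "sudo sh convert.sh run" produces the same samba.ldif as the manual command, ready for the ldapadd above.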
Now create a database configuration file ~/db.ldif :
# Load modules for database type
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: back_bdb.la

# Create directory database
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
# Domain name (e.g. home.local)
olcSuffix: dc=example,dc=org
# Location on system where database is stored
olcDbDirectory: /var/lib/ldap
# Manager of the database
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: {SSHA}BLhNGX3831HaRhY3sasCBd+2rW2k+ZFK
# Indices in database to speed up searches
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
# Allow users to change their own password
# Allow anonymous to authenticate against the password
# Allow admin to change anyone's password
# The Samba LM/NT hashes are password equivalents (they can be replayed
# against SMB directly), so they get the same rule as userPassword.
olcAccess: to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by dn.base="cn=admin,dc=example,dc=org" write by * none
# Allow users to change their own record
olcAccess: to * by self write by dn.base="cn=admin,dc=example,dc=org" write by dn.base="cn=reader,dc=example,dc=org" read by * none
Do not reuse the olcRootPW value shown here: generate your own with slappasswd and paste the {SSHA} result. The attributes sambaLMPassword and sambaNTPassword can be named in the ACL because the Samba schema was loaded in the previous step; without that rule they would fall under the "to *" rule and be readable by cn=reader, whose password ends up in a world-readable file on every client. Note also that "to * by self write" lets a user rewrite any attribute of his own entry, uidNumber and gidNumber included; on a production directory restrict self write to an explicit list of attributes.
Create the database with previous file :
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/db.ldif
Create a file reader.ldif to describe a read-only account for the LDAP directory (the clients will bind as this account) :
dn: cn=reader,dc=example,dc=org
objectClass: top
objectClass: person
sn: reader
cn: reader
userPassword: {SSHA}MdqRyZv18JLY8/EDbd0W/x0ertVIM00g
Here again, generate the hash yourself with slappasswd. Keep this account read-only (it has no write rule in the ACL above): its password will be stored in clear in /etc/ldap.conf on every client.
Add this user to the directory :
$ ldapadd -x -f reader.ldif -W -D cn=admin,dc=example,dc=org
Install samba and smbldap tools :
$ sudo apt-get install samba smbldap-tools
Edit the /etc/smbldap-tools/smbldap.conf configuration file :
SID="S-1-5-21-495087901-2487403515-1027126461"
sambaDomain="REDSQUADRON"
slaveLDAP=""
slavePort="389"
masterLDAP="server"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=users,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=REDSQUADRON,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\\%U"
userProfile="\\\profiles\%U"
userHomeDrive=""
userScript=""
mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
The SID must be the one Samba uses for the domain: once smb.conf is in place, compare it with the output of "net getlocalsid", otherwise the accounts created by the smbldap tools belong to a foreign domain from Samba's point of view. With ldapTLS="0" every smbldap command binds as cn=admin in clear text over the network; since the server now supports StartTLS, set ldapTLS="1", verify="require" and point cafile at a copy of ca-cert.pem.
Edit /etc/smbldap-tools/smbldap_bind.conf to set the credentials :
masterDN="cn=admin,dc=example,dc=org"
masterPw="admin"
#slaveDN=""
#slavePw=""
masterPw is the clear-text password of the directory administrator (the one hashed into olcRootPW). Make sure the file is readable by root only (mode 0600).
Populate the database :
$ sudo smbldap-populate
This creates the ou=users, ou=groups, ou=computers and ou=Idmap containers, the sambaDomainName entry and the default domain accounts and groups, and prompts for a password for the domain root account.
The Samba server itself was installed together with the smbldap tools above.
Configure Samba by editing /etc/samba/smb.conf :
[global]
   workgroup = REDSQUADRON
   netbios name = SERVER
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=org
   ldap ssl = off
   ldap passwd sync = yes
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
Three things to know about this file. Samba needs the password of "ldap admin dn" to bind to the directory; it is not in smb.conf but in secrets.tdb, where you store it with "smbpasswd -w" followed by the cn=admin password. "ldap ssl = off" sends that bind in clear text; it is tolerable here only because the directory is on localhost, and for a remote directory it must be "ldap ssl = start tls" with TLS_CACERT set to ca-cert.pem in /etc/ldap/ldap.conf, which is the client configuration Samba's LDAP library reads. Finally, [homes] is "read only = yes", so the home directories that pam_mount mounts read-write at the end of this page will not be writable until you set "read only = no" there.
Install client :
$ sudo aptitude install libnss-ldap
Edit /etc/ldap.conf, shared by the NSS module and pam_ldap :
base dc=example,dc=org
uri ldap://server:389
ldap_version 3
binddn cn=reader,dc=example,dc=org
bindpw reader
bind_policy soft
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,openldap,polkituser,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,uml-net,uucp,www-data
This file has to be world-readable for NSS to work, which is why bindpw must belong to an account with read access only. As written it also ignores the TLS setup on the server: NSS lookups and, more importantly, the users' PAM binds travel in clear text. Add "ssl start_tls", "tls_cacertfile" pointing at a copy of ca-cert.pem and "tls_checkpeer yes" to fix that. "pam_password md5" makes pam_ldap hash new passwords on the client as {MD5}; "pam_password exop" uses the LDAP password modify extended operation instead, and slapd then applies its own (SSHA) hashing. Logging in as a directory user also needs pam_ldap, from the package libpam-ldap; install it if apt did not pull it in with libnss-ldap.
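Three files on this page quietly undo the TLS work done on the server (ldapTLS="0" in smbldap.conf, "ldap ssl = off" in smb.conf, a plain ldap:// uri in /etc/ldap.conf), and the ACL in db.ldif leaves the Samba password hashes readable by the reader account unless it is extended as noted above. The script below is an added example, not part of the original page: a small audit that greps those four files for exactly these settings and prints one line per finding. The file names are the page's; the configuration snippets it is tested with are constructed for this example.

```sh
#!/bin/sh
# Added example: audit the files written in this how-to for settings that
# defeat TLS or expose password hashes. Every check prints one line per
# finding and always exits 0; callers count the lines.
set -eu

# olcAccess rules from db.ldif or from "slapcat -n0" (values may carry {N}).
check_acl() {
    f="$1"
    if ! grep -Eq '^olcAccess: *([{][0-9]+[}])?to attrs=[^ ]*sambaNTPassword' "$f"; then
        echo "ACL: sambaNTPassword/sambaLMPassword are not under the userPassword rule (pass-the-hash material readable by cn=reader)"
    fi
    if grep -Eq '^olcAccess: *([{][0-9]+[}])?to \* .*by self write' "$f"; then
        echo "ACL: 'to * by self write' lets a user rewrite his own uidNumber/gidNumber"
    fi
}

# /etc/samba/smb.conf
check_smb_conf() {
    f="$1"
    if grep -Eiq '^[[:space:]]*ldap[[:space:]]+ssl[[:space:]]*=[[:space:]]*off' "$f"; then
        echo "smb.conf: 'ldap ssl = off' sends the ldap admin dn bind in clear; use 'ldap ssl = start tls'"
    elif grep -Eiq '^[[:space:]]*passdb[[:space:]]+backend[[:space:]]*=[[:space:]]*ldapsam:ldap://' "$f" \
         && ! grep -Eiq '^[[:space:]]*ldap[[:space:]]+ssl[[:space:]]*=[[:space:]]*start[[:space:]]+tls' "$f"; then
        echo "smb.conf: ldapsam over ldap:// without an explicit 'ldap ssl = start tls'"
    fi
}

# /etc/smbldap-tools/smbldap.conf
check_smbldap_conf() {
    f="$1"
    if grep -Eq '^[[:space:]]*ldapTLS="0"' "$f"; then
        echo "smbldap.conf: ldapTLS=\"0\"; the smbldap tools bind as cn=admin in clear (set ldapTLS=\"1\", verify=\"require\", cafile=...)"
    elif ! grep -Eq '^[[:space:]]*verify="require"' "$f"; then
        echo "smbldap.conf: TLS enabled but verify=\"require\" not set; the server certificate is not checked"
    fi
}

# /etc/ldap.conf (libnss-ldap / libpam-ldap)
check_nss_ldap_conf() {
    f="$1"
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$f" && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$f"; then
        echo "ldap.conf: ldap:// without 'ssl start_tls'; NSS lookups and PAM binds go in clear"
    fi
    if grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$f"; then
        echo "ldap.conf: tls_checkpeer no; any server certificate is accepted"
    fi
    if grep -Eq '^[[:space:]]*pam_password[[:space:]]+md5' "$f"; then
        echo "ldap.conf: pam_password md5 writes client-side {MD5} hashes; prefer 'pam_password exop' so slapd hashes with its own scheme"
    fi
}

# Run every check on the live files and exit non-zero if anything is reported.
audit_all() {
    total=0
    for pair in "check_acl:$HOME/db.ldif" "check_smb_conf:/etc/samba/smb.conf" \
                "check_smbldap_conf:/etc/smbldap-tools/smbldap.conf" "check_nss_ldap_conf:/etc/ldap.conf"; do
        fn="${pair%%:*}"; file="${pair#*:}"
        [ -r "$file" ] || continue
        out="$("$fn" "$file")"
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            total=$((total + $(printf '%s\n' "$out" | wc -l)))
        fi
    done
    echo "findings: $total"
    [ "$total" -eq 0 ]
}

if [ "${1:-}" = "audit" ]; then
    audit_all
fi
```

Run "sudo sh audit.sh audit" on the server after following the page as written and it reports five findings; after the corrections described in the text it reports none. Point the functions at a "sudo slapcat -n0" dump instead of db.ldif to audit the ACL that is actually loaded.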
Modify /etc/nsswitch.conf as follows :
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Install pam_mount and smbfs (on newer Ubuntu releases the CIFS mount helper comes from cifs-utils instead of smbfs) :
$ sudo aptitude install libpam-mount smbfs
Next, edit the pam_mount configuration file /etc/security/pam_mount.conf.xml :
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- See pam_mount.conf(5) for a description. -->

<pam_mount>

  <!-- Volume definitions -->
  <volume fstype="cifs" server="server" path="%(USER)" mountpoint="/home/%(USER)/" user="*" options="rw,auto,iocharset=utf8" />

  <!-- pam_mount parameters: General tunables -->
  <debug enable="0" />
  <!-- <luserconf name=".pam_mount.conf.xml" /> -->
  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <!--
  <mntoptions deny="suid,dev" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="nosuid,nodev" />
  <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
  <logout wait="0" hup="0" term="0" kill="0" />

  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true" />

</pam_mount>
The volume maps the [homes] share of the Samba server onto the user's home directory at login, with the user's own password. With user="*" it applies to every account that logs in through PAM, local ones included, so their logins will carry a failed mount attempt; restrict it with the sgrp or pgrp attribute to the groups of directory users if that is a problem. The mount is requested read-write, which needs "read only = no" in the [homes] share of smb.conf.