Monday, June 22, 2009

Setup OpenLDAP Server+OpenLDAP Client+Samba+auto mount in Ubuntu 9.04

Installation Setup Scenario.

I have set up one machine as an OpenLDAP server and one machine as an OpenLDAP client.

The OpenLDAP server and the Samba server run on the same machine.

Machine 1 : Openldap server + Samba Server

Hostname : openldap.server

IP : 10.8.0.12

Machine 2 : Openldap Client

Hostname : openldap.client

IP : 10.8.0.15

Configure OpenLDAP server




Step 1 : Installation of required packages

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

#apt-get install slapd ldap-utils

Step 2 : Configure slapd

# dpkg-reconfigure slapd

It will prompt you with a series of questions; answer them as follows:

1. No

2. DNS domain name: openldap.server

3. Name of your organization: openldap.server

4. Admin password: 12345

5. Confirm password: 12345

6. OK

7. HDB

8. No

9. Yes

10. No

Step 3 : Test Configuration.

Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:

# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=openldap,dc=server
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=server" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=openldap,dc=server" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq

Step 4 : Add a new schema using an LDIF file.

  • First, create a conversion schema_convert.conf file containing the following lines:


#vi schema_convert.conf

include /etc/ldap/schema/core.schema

include /etc/ldap/schema/collective.schema

include /etc/ldap/schema/corba.schema

include /etc/ldap/schema/cosine.schema

include /etc/ldap/schema/duaconf.schema

include /etc/ldap/schema/dyngroup.schema

include /etc/ldap/schema/inetorgperson.schema

include /etc/ldap/schema/java.schema

include /etc/ldap/schema/misc.schema

include /etc/ldap/schema/nis.schema

include /etc/ldap/schema/openldap.schema

include /etc/ldap/schema/ppolicy.schema

  • Next, create a temporary directory to hold the output


#mkdir /tmp/ldif_output

  • Now using slaptest convert the schema files to LDIF


# slaptest -f schema_convert.conf -F /tmp/ldif_output

  • Edit the /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif file, changing the following attributes


#vi /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif

dn: cn=misc,cn=schema,cn=config
...
cn: misc

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z

  • Finally, using the ldapadd utility, add the new schema to the directory


# ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{8\}misc.ldif

Step 5 : Create a test account

#vi test_account.ldif

dn: ou=people,dc=openldap,dc=server
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=openldap,dc=server
objectClass: organizationalUnit
ou: groups

dn: uid=test,ou=people,dc=openldap,dc=server
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test
sn: Test
givenName: Test
cn: Test
displayName: Test
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: Test
loginShell: /bin/bash
homeDirectory: /home/test
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: test@openldap.server
postalCode: 31000
l: Toulouse
o: Openldap
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
initials: JD

dn: cn=openldap,ou=groups,dc=openldap,dc=server
objectClass: posixGroup
cn: openldap
gidNumber: 10000

Save the file. Each entry is separated from the next by a single blank line, and sn is mandatory for inetOrgPerson, so it may not be left empty. Then add the entries, binding as the admin DN of this directory:

#ldapadd -x -D cn=admin,dc=openldap,dc=server -W -f test_account.ldif

We can check that the entries were added correctly with the tools from the ldap-utils package. To search the LDAP directory for the new account:

#ldapsearch -xLLL -b "dc=openldap,dc=server" uid=test sn givenName cn

dn: uid=test,ou=people,dc=openldap,dc=server
cn: test
sn:
givenName: test

Configure OpenLDAP Client


Step 1 : Install Required packages

#apt-get install libnss-ldap smbfs

During the install, a debconf dialog asks for the connection details of your LDAP server:

Should debconf manage LDAP configuration?: Yes

LDAP server Uniform Resource Identifier: ldap://10.8.0.12

Distinguished name of the search base: dc=openldap,dc=server

LDAP version to use: 3

Make local root Database admin: Yes

Does the LDAP database require login? No

LDAP account for root: cn=admin,dc=openldap,dc=server

LDAP root account password: 12345



Step 2 : Backup useful files

# cp /etc/nsswitch.conf /etc/nsswitch.conf.org

# mkdir /root/pam.d_backup

# cp /etc/pam.d/* /root/pam.d_backup/

Step 3 : Enable the auth-client-config LDAP profile

#auth-client-config -t nss -p lac_ldap

  • -t: only modifies /etc/nsswitch.conf.

  • -p: name of the profile to enable, disable, etc.

  • lac_ldap: the auth-client-config profile that is part of the ldap-auth-config package.


Step 4 : Configure the system to use LDAP for authentication

#pam-auth-update

Step 5 : Reboot the system

#reboot

Step 6 : Test OpenLDAP connection

#getent passwd

The above command lists the accounts known to the client, including those served by the OpenLDAP server. If the account “test” created on the OpenLDAP server appears in the output, the client is resolving accounts from the LDAP server through NSS. To confirm that authentication works as well, try to ssh to the client machine as the test user.

Configure SAMBA server


Step 1 : Install required packages.

#apt-get install samba samba-doc smbldap-tools

Step 2 : OpenLDAP Configuration

The Samba schema file needs to be copied to /etc/ldap/schema and uncompressed:

# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/

#gzip -d /etc/ldap/schema/samba.schema.gz





Step 3 : Add a new schema to slapd

  • First, create a configuration file named schema_convert.conf


#vi schema_convert.conf

include /etc/ldap/schema/core.schema

include /etc/ldap/schema/collective.schema

include /etc/ldap/schema/corba.schema

include /etc/ldap/schema/cosine.schema

include /etc/ldap/schema/duaconf.schema

include /etc/ldap/schema/dyngroup.schema

include /etc/ldap/schema/inetorgperson.schema

include /etc/ldap/schema/java.schema

include /etc/ldap/schema/misc.schema

include /etc/ldap/schema/nis.schema

include /etc/ldap/schema/openldap.schema

include /etc/ldap/schema/ppolicy.schema

include /etc/ldap/schema/samba.schema

  • Create a temporary directory to hold the output


# mkdir /tmp/ldif_output

  • Use slaptest to convert the schema files:


# slaptest -f schema_convert.conf -F /tmp/ldif_output

  • Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif file, changing the following attributes:


dn: cn=samba,cn=schema,cn=config
...
cn: samba

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

  • Finally, using the ldapadd utility, add the new schema to the directory


#ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}samba.ldif

  • Copy and paste the following into a file named samba_indexes.ldif (keep the lines contiguous: a blank line ends an LDIF change record)


dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

  • Using the ldapmodify utility load the new indexes:


# ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif

If all went well you should see the new indexes using ldapsearch:

#ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
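The hand edits to the converted schema file in Step 3 (and the identical ones to cn={8}misc.ldif in the server section) can be scripted so nothing is missed: the {N} ordering prefix must go from the dn and cn lines, and the operational attributes slaptest wrote must be removed, because slapd generates them itself and rejects them on ldapadd. The Python below is an added example, not part of the original post; the sample LDIF is constructed to mirror the misc.ldif excerpt, including one attribute folded over two lines as slaptest writes it.

```python
import re

# Operational attributes that slaptest writes into the converted schema LDIF;
# slapd regenerates them on ldapadd, so they must be stripped before import.
OPERATIONAL_ATTRS = frozenset((
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
))

def fix_schema_ldif(text):
    """Rewrite a slaptest-generated cn={N}name.ldif so ldapadd accepts it:
    drop the {N} prefix from dn and cn, drop the operational attributes
    (with their folded continuation lines), keep everything else verbatim."""
    out = []
    skipping = False
    for line in text.splitlines():
        if line.startswith(" "):  # LDIF continuation of the previous attribute
            if not skipping:
                out.append(line)
            continue
        skipping = False
        attr = line.split(":", 1)[0]
        if attr in OPERATIONAL_ATTRS:
            skipping = True
            continue
        # "dn: cn={8}misc,cn=schema,cn=config" -> "dn: cn=misc,cn=schema,cn=config"
        line = re.sub(r"^dn: cn=\{\d+\}", "dn: cn=", line)
        # "cn: {8}misc" -> "cn: misc"  (the {0} inside olcAttributeTypes is untouched)
        line = re.sub(r"^cn: \{\d+\}", "cn: ", line)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample mirroring the cn={8}misc.ldif excerpt shown in the post
# (the mailLocalAddress definition is folded over two lines, as slaptest does).
SAMPLE_MISC_LDIF = """\
dn: cn={8}misc,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {8}misc
olcAttributeTypes: {0}( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC
  'RFC822 email address of this recipient' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
"""
```

Running fix_schema_ldif over the file written by slaptest and saving the result is equivalent to the manual edits above; the same function handles cn={12}samba.ldif.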

Step 4 : Configure smbldap-tools

# cd /usr/share/doc/smbldap-tools/examples/

# cp smbldap_bind.conf /etc/smbldap-tools/

#cp smbldap.conf.gz /etc/smbldap-tools/

#gzip -d /etc/smbldap-tools/smbldap.conf.gz

# net getlocalsid

This prints the local SID, which you have to put in the SID= line of smbldap.conf.

#vi /etc/smbldap-tools/smbldap.conf

Edit the following lines according to your individual setup (the values shown are the ones used here):

SID="S-1-5-21-1169339956-3040674750-1689399154"

sambaDomain="OPENLDAP"

slaveLDAP="10.8.0.12"

slavePort="389"

masterLDAP="10.8.0.12"

masterPort="389"

ldapTLS="0"

verify="require"

cafile=""

clientcert=""

clientkey=""

suffix="dc=openldap,dc=server"

usersdn="ou=Users,${suffix}"

computersdn="ou=Computers,${suffix}"

groupsdn="ou=Groups,${suffix}"

idmapdn="ou=Idmap,${suffix}"

sambaUnixIdPooldn="sambaDomainName=OPENLDAP,${suffix}"

scope="sub"

hash_encrypt="SSHA"

crypt_salt_format="%s"

userLoginShell="/bin/bash"

userHome="/home/%U"

userHomeDirectoryMode="700"

userGecos="System User"

defaultUserGid="513"

defaultComputerGid="515"

skeletonDir="/etc/skel"

defaultMaxPasswordAge="45"

userSmbHome=""

userProfile=""

userHomeDrive=""

userScript=""

mailDomain="nextek.in"

with_smbpasswd="0"

smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"

slappasswd="/usr/sbin/slappasswd"

Open the file /etc/smbldap-tools/smbldap_bind.conf for editing

#vi /etc/smbldap-tools/smbldap_bind.conf

Edit the file so the following is correct according to your setup

slaveDN="cn=admin,dc=openldap,dc=server"

slavePw="12345"

masterDN="cn=admin,dc=openldap,dc=server"

masterPw="12345"

Restrict the permissions of the smbldap-tools files with the commands below; smbldap_bind.conf holds the LDAP admin password in cleartext, so it must be readable by root only.

#chmod 0644 /etc/smbldap-tools/smbldap.conf

#chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Step 5 : Populate LDAP using smbldap-tools

# smbldap-populate

It will prompt for a password to assign to the user root.

Verify that you have several new entries in your LDAP directory by running the command

# ldapsearch -x -b dc=openldap,dc=server | less

Step 6 : Configure samba server

#cp /etc/samba/smb.conf /etc/samba/smb.conf.org

#vi /etc/samba/smb.conf

Edit the main Samba configuration file /etc/samba/smb.conf, commenting out the passdb backend option and adding the following LDAP settings (the rest of smb.conf can stay as it is). The ou= suffixes must match the usersdn, groupsdn, computersdn and idmapdn values in smbldap.conf, since those are the containers smbldap-populate creates:

#   passdb backend = tdbsam

# LDAP Settings
passdb backend = ldapsam:ldap://openldap.server
ldap suffix = dc=openldap,dc=server
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=openldap,dc=server
ldap ssl = no
ldap passwd sync = yes
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Put the following share definition at the end of the file:

[share]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes

Step 7 : Restart samba to enable the new settings

# /etc/init.d/samba restart

Samba needs to know the LDAP admin password (the one set with dpkg-reconfigure slapd in Step 2, 12345 in this setup):

# smbpasswd -w 12345

Step 8 : Add a user using smbldap-useradd

# smbldap-useradd -a -m -M test1 -c "test1" test1

-a allows Windows as well as Linux login

-m makes a home directory, leave this off if you do not need local access. PAM will be configured to automatically create a home directory.

-M sets up the username part of their email address

-c specifies their full name

#smbldap-passwd test1

Automount using pam_mount


Step 1 : Install required packages.

#apt-get install libpam-ldap libpam-mount

libpam-ldap adds its modules to /etc/pam.d/common-* automatically, so no PAM files need to be edited by hand. libpam-mount provides the pam_mount module and its configuration file /etc/security/pam_mount.conf.xml, which is edited next.

# cp /etc/security/pam_mount.conf.xml /etc/security/pam_mount.conf.xml.org

# vi /etc/security/pam_mount.conf.xml

<!-- Volume definitions -->

<volume  user="test1"  fstype="smbfs" noroot="1" server="10.8.0.12"  path="share" mountpoint="/home/%(USER)" />

<!-- Volume definitions -->

#reboot

Now log in as the test1 user and check the /home/test1 directory. It shows the contents of /tmp from 10.8.0.12 (the OpenLDAP/Samba server), so the share is mounted remotely at login by the pam_mount module.

15 comments:

bala said...

What's the procedure to update the Joomla project.......

Vassilis said...

Excellent guide, works fine in Ubuntu 9.04 Server and Client. All except the configuration for auto mounting the home directory on the client server.

sanjaydalal4u said...

Thanks,
Can you tell me what the problem is in mounting the home directory? Because it's working for me.

Marc Shaw said...

Hey, I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say GREAT blog!.....I'll be checking in regularly now....Keep up the good work! :)

- Marc Shaw

Frank Scurley said...

I don't know If I said it already but ...Excellent site, keep up the good work. I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I'm glad I found your blog. Thanks, :)

.....Frank Scurley

how to fix negative credit said...

how to fix negative credit...

This is a great blog. I have to put a bookmark on it and come back again!...

Dimmy Lima said...

This is a great tutorial about Samba-Ldap all the things have worked but in the session automount using pam_mount I have one problem.

In the login screen of Linux I put the username; when I put the password, a message box appears: "change your password immediately (expired password)"

after this appears in the login screen:
Enter login(LDAP) password:
and I put my LDAP server password and I have no success in the login.

Can help me?

Thanks

sanjaydalal4u said...

Yes LDAP is used for the Remote Authentication for the Remote user.
Autopam is to be installed on client side.

Ankit said...

What is the need of autofs?

Rahul said...

I found pam_mount.conf as pam_mount.conf.5.gz in /usr/share/man/man5/

I tried extracting this by gunzip pam_mount.conf.5.gz

Am not sure..Is this right file or not??

Please mention the path of this file to be saved.

please explain about mounting briefly

Stranger said...

man i got that error "ldap_bind: Invalid credentials (49)" when i add " ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif" command

Stranger said...

man i got that error "ldap_bind: Invalid credentials (49)" when i add " ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif" command can you tell why..

uguumur said...

Please provide a password for the domain root:
No such object at /usr/share/perl5/smbldap_tools.pm line 353, line 466.

....

smbldap-useradd -a -m -M test1 -c "test1" test1
failed to perform search; No such object at /usr/share/perl5/smbldap_tools.pm line 374, line 466.
Error looking for next uid in sambaDomainName=DOMSMB,dc=company,dc=com:No such object at /usr/share/perl5/smbldap_tools.pm line 1071, line 466.




help me!

uguumur said...

root@ldap-desktop:~# smbldap-useradd -a -m -M test1 -c "test1" test1
failed to perform search; No such object at /usr/share/perl5/smbldap_tools.pm line 374, line 466.
Error looking for next uid in sambaDomainName=DOMSMB,dc=company,dc=com:No such object at /usr/share/perl5/smbldap_tools.pm line 1071, line 466.
root@ldap-desktop:~#

HELP ME!

uguumur@gmail.com said...

smbldap-populate
No such object at /usr/share/perl5/smbldap_tools.pm line 353, line 466.
help me
