Ubuntu: LDAP Authentication

From ReceptiveIT

Install LDAP

> apt-get install slapd ldap-utils

Install Samba Schema

> apt-get install samba-doc
> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
> mkdir -p /root/ldapsetup/ldif

Make a file called /root/ldapsetup/schema_convert.conf with the following contents, then run slaptest against it to convert the schemas to LDIF:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
> slaptest -f /root/ldapsetup/schema_convert.conf -F /root/ldapsetup/ldif

config file testing succeeded

Edit the /root/ldapsetup/ldif/cn=config/cn=schema/cn={12}samba.ldif file, changing the following attributes (drop the {12} ordering index and give the dn its parent cn=schema,cn=config):

dn: cn=samba,cn=schema,cn=config
...
cn: samba

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z

Using ldapadd, let's add the new schema (the misc schema is added first, since samba.schema depends on it):

>ldapadd -x -D cn=admin,cn=config -W -f /root/ldapsetup/ldif/cn\=config/cn\=schema/cn\=\{8\}misc.ldif
Enter LDAP Password: ******
adding new entry "cn=misc,cn=schema,cn=config"
>ldapadd -x -D cn=admin,cn=config -W -f /root/ldapsetup/ldif/cn\=config/cn\=schema/cn\=\{12\}samba.ldif
Enter LDAP Password: ******
adding new entry "cn=samba,cn=schema,cn=config"

Automagic Script

Here is a little script that uses sed to perform the modifications detailed above.

#!/bin/bash
# Convert a slaptest-generated schema file (cn={N}name.ldif) into an entry
# that ldapadd can load under cn=schema,cn=config.

# Constants
prefix="converted-"

if [ -z "${1}" ]; then
  echo "Usage: ${0} filename"
  exit 1
else
  filename="${1}"
fi

echo "${filename} > ${prefix}${filename}"

# Only the dn: and cn: lines are touched; the {N} indices inside
# olcAttributeTypes/olcObjectClasses values must be left alone.
# The operational attributes slaptest wrote are deleted.
sed '
  /dn: / s/{[0-9]*}//
  /dn: / s/$/,cn=schema,cn=config/
  /cn: / s/{[0-9]*}//
  /structuralObjectClass:/ d
  /entryUUID:/ d
  /creatorsName:/ d
  /createTimestamp:/ d
  /entryCSN:/ d
  /modifiersName:/ d
  /modifyTimestamp:/ d' "${filename}" > "${prefix}${filename}"
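The same conversion, written as an added Python example (not from the ReceptiveIT page or the smbldap/OpenLDAP projects) so the result can be checked before it is handed to ldapadd: it applies the rules from the sed script above and then verifies that exactly one dn remains, that it sits under cn=schema,cn=config, that the cn agrees with the dn, and that no operational attribute or {N} ordering index survived. The sample LDIF embedded below is constructed in the shape slaptest writes; the attribute name, OID and the converted- output name are assumptions.

```python
#!/usr/bin/env python3
"""Convert a slaptest-generated cn={N}name.ldif into an entry ldapadd can
load under cn=schema,cn=config, and check the result.

Added example; mirrors the page's sed rules. Sample data is constructed.
"""
import re
import sys

# Operational attributes slaptest writes that ldapadd must not be given.
OPERATIONAL_ATTRS = (
    "structuralObjectClass", "entryUUID", "creatorsName",
    "createTimestamp", "entryCSN", "modifiersName", "modifyTimestamp",
)

ORDER_INDEX = re.compile(r"\{[0-9]+\}")


def convert_schema_ldif(text: str) -> str:
    """Apply the page's rewrite: fix dn/cn, drop operational attributes.

    Indices inside olcAttributeTypes/olcObjectClasses values are kept, as the
    sed script keeps them: only lines starting with 'dn: ' or 'cn: ' change.
    """
    out = []
    for line in text.splitlines():
        if line.startswith("dn: "):
            # dn: cn={12}samba  ->  dn: cn=samba,cn=schema,cn=config
            line = ORDER_INDEX.sub("", line) + ",cn=schema,cn=config"
        elif line.startswith("cn: "):
            line = ORDER_INDEX.sub("", line)
        elif line.split(":", 1)[0] in OPERATIONAL_ATTRS:
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def check_converted(text: str) -> list:
    """Return a list of problems; an empty list means the entry looks loadable."""
    problems = []
    lines = text.splitlines()
    dns = [l for l in lines if l.startswith("dn: ")]
    if len(dns) != 1:
        problems.append(f"expected exactly one dn line, found {len(dns)}")
    else:
        m = re.fullmatch(r"dn: cn=([^,{}]+),cn=schema,cn=config", dns[0])
        if not m:
            problems.append(f"dn not under cn=schema,cn=config: {dns[0]}")
        elif [l for l in lines if l.startswith("cn: ")] != [f"cn: {m.group(1)}"]:
            problems.append("cn attribute does not match the dn")
    for l in lines:
        if l.split(":", 1)[0] in OPERATIONAL_ATTRS:
            problems.append(f"operational attribute still present: {l}")
    return problems


# Constructed sample in the shape slaptest writes (placeholder OID/value).
SAMPLE_LDIF = """dn: cn={12}samba
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constru
 cted sample' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
"""


def main(argv):
    if len(argv) != 2:
        print(f"Usage: {argv[0]} 'cn={{N}}name.ldif'", file=sys.stderr)
        return 2
    with open(argv[1]) as fh:
        converted = convert_schema_ldif(fh.read())
    problems = check_converted(converted)
    for p in problems:
        print("problem:", p, file=sys.stderr)
    out_name = "converted-" + argv[1].rsplit("/", 1)[-1]   # assumed naming
    with open(out_name, "w") as fh:
        fh.write(converted)
    print(f"wrote {out_name}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a file from /root/ldapsetup/ldif/cn=config/cn=schema/ and feed the converted- output to ldapadd only when it reports no problems; the check exists because ldapadd will refuse an entry that still carries entryUUID or a dn without the cn=schema,cn=config parent, and it is easier to see why beforehand.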

Install smbldap cli

>apt-get install smbldap-tools
>cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>chmod 640 /etc/smbldap-tools/smbldap_bind.conf
>zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

Edit the two files (/etc/smbldap-tools/smbldap_bind.conf and /etc/smbldap-tools/smbldap.conf) to reflect your system, then populate the directory:

>smbldap-populate
Populating LDAP directory for domain DOMAINNAME (S-1-5-21-2173374887-2173374887-2173374887)
(using builtin directory structure)

entry dc=domainname already exist. 
adding new entry: ou=users,dc=domainname
adding new entry: ou=groups,dc=domainname
adding new entry: ou=computers,dc=domainname
adding new entry: ou=idmap,dc=domainname
adding new entry: uid=root,ou=users,dc=domainname
adding new entry: uid=nobody,ou=users,dc=domainname
adding new entry: cn=Domain Admins,ou=groups,dc=domainname
adding new entry: cn=Domain Users,ou=groups,dc=domainname
adding new entry: cn=Domain Guests,ou=groups,dc=domainname
adding new entry: cn=Domain Computers,ou=groups,dc=domainname
adding new entry: cn=Administrators,ou=groups,dc=domainname
adding new entry: cn=Account Operators,ou=groups,dc=domainname
adding new entry: cn=Print Operators,ou=groups,dc=domainname
adding new entry: cn=Backup Operators,ou=groups,dc=domainname
adding new entry: cn=Replicators,ou=groups,dc=domainname
adding new entry: sambaDomainName=DOMAINNAME,dc=domainname

Please provide a password for the domain root: 
Changing UNIX and samba passwords for root
New password: ********
Retype new password: ********
>

LDAP PAM Auth

>apt-get install libnss-ldap
>auth-client-config -t nss -p lac_ldap
>pam-auth-update

Install LDAP Account Manager Webfrontend

>apt-get install ldap-account-manager

Increase the PHP memory limit to 64M

vi /etc/php5/apache2/php.ini

Change memory_limit = 16M to memory_limit = 64M

Restart Apache2

>/etc/init.d/apache2 restart

In a web browser, open http://server/lam

  • Click on "LAM configuration"
  • Click on "Edit server profiles"

The default password is "lam"

  • Click on "Edit Account Types"

Change the LDAP suffix of each account type to match:

ou=users,dc=domain
ou=groups,dc=domain
ou=computers,dc=domain
dc=domain

Change the Tree suffix, Samba Timezone and Security Settings to reflect your LDAP configuration. You might also want to change the LAM profile password.

  • Click OK