Ubuntu: LDAP Authentication

From ReceptiveIT

Install LDAP

> apt-get install slapd ldap-utils

Install Samba Schema

> apt-get install samba-doc
> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
> mkdir -p /root/ldapsetup/ldif

Make a file called /root/ldapsetup/schema_convert.conf with the following

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

> slaptest -f /root/ldapsetup/schema_convert.conf -F /root/ldapsetup/ldif

config file testing succeeded

Edit the /root/ldapsetup/ldif/cn=config/cn=schema/cn={12}samba.ldif file (the number in braces is the schema's zero-based position in schema_convert.conf, so check the actual file name), changing the dn and cn attributes, which slaptest writes as dn: cn={12}samba and cn: {12}samba, to:

dn: cn=samba,cn=schema,cn=config
cn: samba

And remove the following lines from the bottom of the file. They are operational attributes that slapd maintains itself, and it refuses an entry that a client tries to add with them already set:

structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z

Using ldapadd, let's add the converted schema files, binding as cn=admin,cn=config with the password set for the config database. This is a simple bind, so run it on the server itself (the default URI is the local host) or over TLS rather than sending the cn=config password across the network in clear. Load each converted file in index order, since a schema may reference attribute types defined by the ones before it; here misc (index {8}, converted the same way) is added before samba:

>ldapadd -x -D cn=admin,cn=config -W -f /root/ldapsetup/ldif/cn\=config/cn\=schema/cn\=\{8\}misc.ldif
Enter LDAP Password: ******
adding new entry "cn=misc,cn=schema,cn=config"
>ldapadd -x -D cn=admin,cn=config -W -f /root/ldapsetup/ldif/cn\=config/cn\=schema/cn\=\{12\}samba.ldif
Enter LDAP Password: ******
adding new entry "cn=samba,cn=schema,cn=config"

Automagic Script

Here is a little script that uses sed to perform the modifications detailed above. Call it with the path of one file from the slaptest output; the fixed copy is written next to the original with a prefix, so the generated file itself is left untouched.

#!/bin/sh

# Constants
prefix="fixed_"   # output file name prefix (assumed value; the original setting was lost)

if [ -z "${1}" ]; then
  echo "Usage: ${0} filename"
  exit 1
fi

out="$(dirname "${1}")/${prefix}$(basename "${1}")"
echo "${1} > ${out}"

# Strip the {n} index from dn and cn, complete the dn, and drop the
# operational attributes that slapd will not accept from a client.
sed '
  /^dn: / s/{[0-9]*}//
  /^dn: / s/$/,cn=schema,cn=config/
  /^cn: / s/{[0-9]*}//
  /^structuralObjectClass:/ d
  /^entryUUID:/ d
  /^creatorsName:/ d
  /^createTimestamp:/ d
  /^entryCSN:/ d
  /^modifiersName:/ d
  /^modifyTimestamp:/ d' "${1}" > "${out}"
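
The whole procedure, from slaptest output to loadable LDIF, as one script that handles every converted schema at once. This is an added example, not the page's own script and not part of OpenLDAP: it converts each cn={n}NAME.ldif under the slaptest output directory in numeric index order (a plain directory listing puts {12} before {2}, and a schema may depend on attribute types defined by the ones before it), checks that each result carries a proper dn and none of the operational attributes slapd would reject, and prints the files in the order ldapadd should load them. The output directory /root/ldapsetup/fixed and the three sample files, written with placeholder OIDs so the script can be exercised without a running slapd, are assumptions.

```sh
#!/bin/sh
# Convert every schema LDIF that "slaptest -F" wrote under cn=schema into the
# form ldapadd accepts, in index order, and check each result before loading.
# Added example, not the page's script: the directory paths are assumptions
# and the sample files are constructed, with placeholder OIDs.
set -u

# Same edits as the page's sed script, applied to one file, written to stdout:
# strip the {n} index from dn and cn, complete the dn, and drop the
# operational attributes that only slapd itself may write.
fix_schema_ldif() {
  sed -e '/^dn: / s/{[0-9]*}//' \
      -e '/^dn: / s/$/,cn=schema,cn=config/' \
      -e '/^cn: / s/{[0-9]*}//' \
      -e '/^structuralObjectClass:/ d' \
      -e '/^entryUUID:/ d' \
      -e '/^creatorsName:/ d' \
      -e '/^createTimestamp:/ d' \
      -e '/^entryCSN:/ d' \
      -e '/^modifiersName:/ d' \
      -e '/^modifyTimestamp:/ d' "$1"
}

# Succeed only if a converted file has exactly one dn, of the form
# cn=NAME,cn=schema,cn=config, no {n} index left on dn or cn, and none of
# the operational attributes slapd rejects from a client.
check_schema_ldif() {
  [ "$(grep -c '^dn: ' "$1")" -eq 1 ] || return 1
  grep -Eq '^dn: cn=[A-Za-z0-9_.-]+,cn=schema,cn=config$' "$1" || return 1
  if grep -Eq '^(dn|cn): .*\{[0-9]+\}' "$1"; then return 1; fi
  if grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"; then return 1; fi
  return 0
}

# Convert all cn={n}NAME.ldif files in SRC into DST/cn=NAME.ldif in numeric
# index order (plain sort would put {12} before {2}) and print the converted
# paths in load order. Returns 1 if any result fails the check.
convert_schema_dir() {
  src=$1; dst=$2; rc=0
  mkdir -p "$dst"
  # one "index<TAB>path" line per file, sorted numerically, index dropped again
  ordered=$(for f in "$src"/cn=*.ldif; do
              [ -e "$f" ] || continue
              idx=$(printf '%s\n' "$f" | sed 's/.*cn={\([0-9]*\)}.*/\1/')
              printf '%s\t%s\n' "$idx" "$f"
            done | sort -n | cut -f2-)
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    out="$dst/$(basename "$f" | sed 's/{[0-9]*}//')"
    fix_schema_ldif "$f" > "$out"
    if check_schema_ldif "$out"; then
      printf '%s\n' "$out"
    else
      echo "check failed: $out" >&2
      rc=1
    fi
  done <<EOF
$ordered
EOF
  return $rc
}

# Write a constructed three-file sample in the shape slaptest produces (the
# attribute OID is a placeholder, not real schema content), so the conversion
# can be exercised without a slapd. The trailing operational attributes are
# the ones shown on the page.
build_sample_dir() {
  mkdir -p "$1"
  for n in '{0}core' '{2}cosine' '{12}samba'; do
    cat > "$1/cn=$n.ldif" <<EOF
dn: cn=$n
objectClass: olcSchemaConfig
cn: $n
olcAttributeTypes: {0}( 1.1.1 NAME 'exampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
EOF
  done
}

# Demo on the constructed sample; for a real run use
#   convert_schema_dir /root/ldapsetup/ldif/cn=config/cn=schema /root/ldapsetup/fixed
tmp=$(mktemp -d)
build_sample_dir "$tmp/in"
convert_schema_dir "$tmp/in" "$tmp/out"   # load order: core, cosine, samba
cat "$tmp/out/cn=samba.ldif"
rm -rf "$tmp"
```

Feed the printed paths, in that order, to ldapadd as in the commands above; the check is deliberately strict, so a file it rejects is one slapd would have rejected too, and it is cheaper to find that out before the bind.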

Install smbldap cli

>apt-get install smbldap-tools
>cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>chmod 640 /etc/smbldap-tools/smbldap_bind.conf
>zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

Edit the two files to reflect your system. In smbldap.conf set suffix to your base DN (dc=domainname here), the ou= branches beneath it, sambaDomain and the domain SID; the SID must be the one Samba reports with net getlocalsid, or the accounts created below will belong to a domain Samba does not recognise. In smbldap_bind.conf put the DN and password the tools bind with; it holds that password in clear text, which is why it was made mode 640 above. Then populate the directory with the default structure:

> smbldap-populate

Populating LDAP directory for domain DOMAINNAME (S-1-5-21-2173374887-2173374887-2173374887)
(using builtin directory structure)

entry dc=domainname already exist. 
adding new entry: ou=users,dc=domainname
adding new entry: ou=groups,dc=domainname
adding new entry: ou=computers,dc=domainname
adding new entry: ou=idmap,dc=domainname
adding new entry: uid=root,ou=users,dc=domainname
adding new entry: uid=nobody,ou=users,dc=domainname
adding new entry: cn=Domain Admins,ou=groups,dc=domainname
adding new entry: cn=Domain Users,ou=groups,dc=domainname
adding new entry: cn=Domain Guests,ou=groups,dc=domainname
adding new entry: cn=Domain Computers,ou=groups,dc=domainname
adding new entry: cn=Administrators,ou=groups,dc=domainname
adding new entry: cn=Account Operators,ou=groups,dc=domainname
adding new entry: cn=Print Operators,ou=groups,dc=domainname
adding new entry: cn=Backup Operators,ou=groups,dc=domainname
adding new entry: cn=Replicators,ou=groups,dc=domainname
adding new entry: sambaDomainName=DOMAINNAME,dc=domainname

Please provide a password for the domain root: 
Changing UNIX and samba passwords for root
New password: ********
Retype new password: ********
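
Before running smbldap-populate it is worth checking the two files for the mistakes that make it fail or leave the admin password exposed. The script below is an added example, not part of smbldap-tools or of the original page: it reads SID, sambaDomain, suffix and the ou= branch settings from smbldap.conf, checks their shape and consistency, and confirms that smbldap_bind.conf, which holds the directory admin password in clear text, is not readable by other users. The sample configuration it writes is constructed from the page's placeholder domain and SID; whether that SID is the one Samba actually uses (net getlocalsid) still has to be checked on the server.

```sh
#!/bin/sh
# Sanity-check an smbldap-tools configuration pair before smbldap-populate.
# Added example, not part of smbldap-tools or the original page; the sample
# files written below are constructed from the page's placeholder domain.
set -u

# Print the value of KEY="value" (or KEY=value) from an smbldap-tools config.
cfg_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Succeed if smbldap.conf ($1) and smbldap_bind.conf ($2) look consistent;
# every problem found is reported on stderr.
check_smbldap_config() {
  conf=$1; bind=$2; rc=0
  sid=$(cfg_get "$conf" SID)
  # A Samba domain SID is S-1-5-21-a-b-c with three decimal sub-authorities.
  # It must also equal what "net getlocalsid" prints; not checkable offline.
  printf '%s\n' "$sid" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$' \
    || { echo "SID missing or malformed: '$sid'" >&2; rc=1; }
  [ -n "$(cfg_get "$conf" sambaDomain)" ] || { echo "sambaDomain not set" >&2; rc=1; }
  suffix=$(cfg_get "$conf" suffix)
  [ -n "$suffix" ] || { echo "suffix not set" >&2; rc=1; }
  # The ou= branches must sit under the suffix, by reference or spelled out.
  for key in usersdn groupsdn computersdn idmapdn; do
    val=$(cfg_get "$conf" "$key")
    case $val in
      *'${suffix}'|*",$suffix") ;;
      *) echo "$key='$val' is not under suffix '$suffix'" >&2; rc=1 ;;
    esac
  done
  # smbldap_bind.conf carries the directory admin password in clear text,
  # so it must not be readable by "other"; the page sets it to 640.
  mode=$(stat -c '%a' "$bind")
  case $mode in
    640|600) ;;
    *) echo "$bind has mode $mode, want 640 or 600" >&2; rc=1 ;;
  esac
  for key in masterDN masterPw; do
    [ -n "$(cfg_get "$bind" "$key")" ] || { echo "$key not set in $bind" >&2; rc=1; }
  done
  return $rc
}

# Write a constructed pair of configs to DIR (placeholder domain and SID
# taken from the page; not a complete smbldap.conf).
write_sample_config() {
  mkdir -p "$1"
  cat > "$1/smbldap.conf" <<'EOF'
# constructed sample, not a complete smbldap.conf
SID="S-1-5-21-2173374887-2173374887-2173374887"
sambaDomain="DOMAINNAME"
suffix="dc=domainname"
usersdn="ou=users,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DOMAINNAME,${suffix}"
EOF
  cat > "$1/smbldap_bind.conf" <<'EOF'
masterDN="cn=admin,dc=domainname"
masterPw="secret"
slaveDN="cn=admin,dc=domainname"
slavePw="secret"
EOF
  chmod 640 "$1/smbldap_bind.conf"
}

# Demo on the constructed sample; on the server, point it at the real files:
#   check_smbldap_config /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf
tmp=$(mktemp -d)
write_sample_config "$tmp"
if check_smbldap_config "$tmp/smbldap.conf" "$tmp/smbldap_bind.conf"; then
  echo "smbldap-tools configuration looks consistent"
fi
rm -rf "$tmp"
```

The permission check is the part most often skipped: a world-readable smbldap_bind.conf hands the directory admin password to every local account, which undoes whatever access control the directory itself enforces.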


Configure NSS and PAM

>apt-get install libnss-ldap
>auth-client-config -t nss -p lac_ldap

With -t nss this only rewrites /etc/nsswitch.conf, so directory users and groups become visible to getent passwd and getent group; to have logins authenticate against the directory as well, apply the same profile to the PAM types too with auth-client-config -a -p lac_ldap. Verify with getent passwd and a test login before relying on it, and keep a local root account that does not depend on the directory being reachable.

Install LDAP Account Manager Webfrontend

>apt-get install ldap-account-manager

Increase the PHP memory limit to 64M

vi /etc/php5/apache2/php.ini

Change memory_limit = 16M to memory_limit = 64M

Restart Apache2

>/etc/init.d/apache2 restart

Go to a web browser and put in the address http://server/lam. Serve LAM over HTTPS in practice: the LAM profile password and the LDAP admin bind credentials are submitted through these forms.

  • Click on "LAM configuration"
  • Click on "Edit server profiles"

The default password is "lam"

  • Click on "Edit Account Types"

Change the LDAP suffix of each account type to match your directory, for example ou=users,dc=domainname for users and ou=groups,dc=domainname for groups, as created by smbldap-populate.


Change the Tree suffix, Samba Timezone and Security Settings to reflect your LDAP configuration, and change the lam profile password as well: the default "lam" is publicly known and lets anyone who reaches the page change which LDAP server and bind DN LAM uses.

  • Click OK