Ubuntu: LDAP Authentication
From ReceptiveIT
Install LDAP
> apt-get install slapd ldap-utils
Install Samba Schema
> apt-get install samba-doc
> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
> mkdir -p /root/ldapsetup/ldif
Make a file called /root/ldapsetup/schema_convert.conf with the following contents:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
> slaptest -f /root/ldapsetup/schema_convert.conf -F /root/ldapsetup/ldif
config file testing succeeded
Edit the /root/ldapsetup/ldif/cn=config/cn=schema/cn={12}samba.ldif file, changing the following attributes so that the {12} index is dropped and the dn is completed:
dn: cn=samba,cn=schema,cn=config
...
cn: samba
And remove the following lines from the bottom of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
Using ldapadd, let's add the new schemas (misc first, then samba):
>ldapadd -x -D cn=admin,cn=config -W -f /root/ldapsetup/ldif/cn\=config/cn\=schema/cn\=\{8\}misc.ldif
Enter LDAP Password: ******
adding new entry "cn=misc,cn=schema,cn=config"
>ldapadd -x -D cn=admin,cn=config -W -f /root/ldapsetup/ldif/cn\=config/cn\=schema/cn\=\{12\}samba.ldif
Enter LDAP Password: ******
adding new entry "cn=samba,cn=schema,cn=config"
Automagic Script
Here is a little script that uses sed to perform the modifications detailed above. Run it from the directory containing the slaptest output file; it writes the converted copy next to it with a "converted-" prefix.
#!/bin/bash
# Convert a slaptest-generated schema LDIF (cn={N}name.ldif) into one that
# ldapadd can load under cn=schema,cn=config: drop the {N} index from the
# dn and cn, complete the dn, and remove the operational attributes that
# slapd generates itself.
prefix="converted-"
if [ -z "${1}" ]; then
    echo "Usage: ${0} filename"
    exit 1
else
    filename="${1}"
fi
echo "${filename} > ${prefix}${filename}"
sed '
/dn: / s/{[0-9]*}//
/dn: / s/$/,cn=schema,cn=config/
/cn: / s/{[0-9]*}//
/structuralObjectClass:/ d
/entryUUID:/ d
/creatorsName:/ d
/createTimestamp:/ d
/entryCSN:/ d
/modifiersName:/ d
/modifyTimestamp:/ d' "${filename}" > "${prefix}${filename}"
Install smbldap cli
> apt-get install smbldap-tools
> cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
> chmod 640 /etc/smbldap-tools/smbldap_bind.conf
> zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Edit the two files to reflect your system.
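As an added check (not part of the original page), a small audit of the two files installed above: smbldap_bind.conf holds the LDAP master bind DN and password, so it should keep the 640 mode set above, while smbldap.conf carries no secret. It assumes GNU stat and the default /etc/smbldap-tools directory.

```shell
#!/bin/bash
# Added example, not from the original page: audit the permissions of the
# smbldap-tools configuration files. smbldap_bind.conf contains the bind
# password, so any permission bit beyond 640 is a finding; smbldap.conf
# holds no secret and may stay world-readable (644).

# Succeed if the file's octal mode sets no permission bit outside $2.
mode_within() {
    local file="$1" allowed="$2" actual
    actual=$(stat -c '%a' "$file") || return 1
    # Clear every bit that $allowed permits; whatever is left is excess.
    # Leading 0 makes the shell read both values as octal (POSIX arithmetic).
    [ $(( 0$actual & ~0$allowed )) -eq 0 ]
}

# Audit one file: it must exist as a regular file and be no looser than $2.
# Prints one status line; returns 0 for OK, 1 for a finding.
audit_conf() {
    local file="$1" allowed="$2"
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    if ! mode_within "$file" "$allowed"; then
        echo "TOO OPEN $file (mode $(stat -c '%a' "$file"), expected at most $allowed)"
        return 1
    fi
    echo "OK       $file"
}

# Audit both files from the install step above. The directory argument
# defaults to /etc/smbldap-tools; returns non-zero if either file fails.
audit_smbldap_tools() {
    local dir="${1:-/etc/smbldap-tools}" rc=0
    audit_conf "$dir/smbldap_bind.conf" 640 || rc=1
    audit_conf "$dir/smbldap.conf" 644 || rc=1
    return $rc
}
```

Call `audit_smbldap_tools` after editing the files; the optional directory argument only exists so the check can be run against a copy.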
> smbldap-populate
Populating LDAP directory for domain DOMAINNAME (S-1-5-21-2173374887-2173374887-2173374887)
(using builtin directory structure)
entry dc=domainname already exist.
adding new entry: ou=users,dc=domainname
adding new entry: ou=groups,dc=domainname
adding new entry: ou=computers,dc=domainname
adding new entry: ou=idmap,dc=domainname
adding new entry: uid=root,ou=users,dc=domainname
adding new entry: uid=nobody,ou=users,dc=domainname
adding new entry: cn=Domain Admins,ou=groups,dc=domainname
adding new entry: cn=Domain Users,ou=groups,dc=domainname
adding new entry: cn=Domain Guests,ou=groups,dc=domainname
adding new entry: cn=Domain Computers,ou=groups,dc=domainname
adding new entry: cn=Administrators,ou=groups,dc=domainname
adding new entry: cn=Account Operators,ou=groups,dc=domainname
adding new entry: cn=Print Operators,ou=groups,dc=domainname
adding new entry: cn=Backup Operators,ou=groups,dc=domainname
adding new entry: cn=Replicators,ou=groups,dc=domainname
adding new entry: sambaDomainName=DOMAINNAME,dc=domainname
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: ********
Retype new password: ********
LDAP PAM Auth
> apt-get install libnss-ldap
> auth-client-config -t nss -p lac_ldap
> pam-auth-update
Install LDAP Account Manager Web Frontend
>apt-get install ldap-account-manager
Increase the PHP memory limit to 64M:
> vi /etc/php5/apache2/php.ini
Change memory_limit = 16M to memory_limit = 64M.
Restart Apache2:
>/etc/init.d/apache2 restart
Go to a web browser and put in the address http://server/lam
- Click on "LAM configuration"
- Click on "Edit server profiles"
The default password is "lam"
- Click on "Edit Account Types"
Change the LDAP suffix of each account type to match your directory:
ou=users,dc=domain
ou=groups,dc=domain
ou=computers,dc=domain
dc=domain
Change the Tree suffix, Samba Timezone and Security Settings to reflect your LDAP configuration. You might also want to change the LAM profile password.
- Click OK