Turn your world LDAP-tastic

I've danced around the idea of using an LDAP server for storing user accounts for several years. However, LDAP's not the kind of thing you can sneak up on. You have to stare it right in the eyes and face it down.

Oh, and it helps if you have a tough-looking friend nearby. In my case, that's Ubuntu or Debian Linux.

Because Google was a bit lacking on good instructions on how to configure Samba and Linux logins using LDAP, I thought I'd write them down. This setup's for the LDAP, Samba and Linux logins all on the same machine. To configure other clients, just repeat the client parts elsewhere.

Theory

An LDAP server is a hierarchical database system. The L in LDAP stands for "lightweight", which is an enduring irony.

To make the database do anything useful, it needs schemas, which name the information items that can be stored in the database. LDAP's no different from a regular relational database in this regard.

Getting LDAP to work on Linux with the OpenLDAP tools is largely a matter of figuring out the right schemas, filling the database, and pointing things at it.

Happily, there are tools and instructions that make this pretty straightforward under Debian and Ubuntu.

Some random jargon: you don't connect to an LDAP server, you bind to it.

Finally, why would you do this? When administering a network of more than trivial size, it soon becomes a pain to create and maintain user accounts. An LDAP server can be used to provide a central point of control for Unix and Samba accounts, as well as email and web server authentication.

Install the software you need

$ sudo aptitude install slapd ldap-utils libnss-ldap libpam-ldap \
    samba smbldap-tools smbclient \
    samba-doc perl-doc

The installation will ask you some configuration questions. If you feel up to answering them on installation, just do it. Otherwise, put in best guesses and we'll fix them up below.

Configure slapd

slapd is the LDAP server. Configure everything it's got by running sudo dpkg-reconfigure -plow slapd.

First up, enter your domain name, yourdomain.com. This will lead to a base "distinguished name" (DN) of dc=yourdomain,dc=com. Then enter your organisation's name. After that, you'll be asked for the password for the administrator account--make this a good secure password. You can take the defaults for the rest of the questions.

Next, set up your local LDAP tools to speak to your new server by changing the following entries in /etc/ldap/ldap.conf:

 BASE     dc=yourdomain,dc=com
 URI      ldap://localhost

You now have an LDAP server with just the administrator account in. Take a look with ldapsearch -x cn=admin. This account is the equivalent of root access to your LDAP server.

Next up, to get the required smarts into your LDAP server for Samba, follow steps 1-5 under "LDAP server configuration" from /usr/share/doc/smbldap-tools/README.Debian.gz.

While you're editing the schema imports in /etc/ldap/slapd.conf, add in:

  include         /etc/ldap/schema/misc.schema

This will let you use your LDAP server for configuring email accounts, which comes in handy later on in the process.

Whenever you want to see the effects of a change on slapd, just run sudo /etc/init.d/slapd restart to restart the daemon.

Configure smbldap-tools

These tools are replacements for programs like adduser that talk to the LDAP server instead.

Follow the steps to configure these under the "SMBLDAP TOOLS" configuration section in /usr/share/doc/smbldap-tools/README.Debian.gz. If you don't want to mess around with certificates, turn TLS support off for now. I also turned off password aging in /etc/smbldap-tools/smbldap.conf for now.

Don't forget to set up your email domain address in mailDomain in the smbldap.conf file. This is automatically appended to mail names you set up with smbldap-useradd.

Configure access to your server in smbldap_bind.conf, replacing sekrit with the password you entered while configuring slapd:

  slaveDN="cn=admin,dc=yourdomain,dc=com"
  slavePw="sekrit"
  masterDN="cn=admin,dc=yourdomain,dc=com"
  masterPw="sekrit"

Now that smbldap-tools knows how to talk to your LDAP server, it's time to put the basic users and groups that Samba expects into the LDAP server. Run:

  $ sudo smbldap-populate

Check it's all gone in:

  $ ldapsearch -x | less

The user accounts that should exist will be Administrator and nobody. You can search for them explicitly, e.g.:

  $ ldapsearch -x uid=Administrator

Now, let's change the Administrator password to that which you want for the Samba domain:

  $ sudo smbldap-passwd Administrator

Configure Samba

Follow the steps for Samba configuration from /usr/share/doc/smbldap-tools/README.Debian.gz and restart your Samba server.

Now, it's time to add a normal user into the LDAP database, and see if we can talk to Samba using their account:

  $ sudo smbldap-useradd -a -m -M fred.bloggs -c "Fred Bloggs" fred

An explanation of the options

  • -a gives Windows as well as Linux login
  • -m makes a home directory; leave this off if you don't need one
  • -M sets up the username part of their email address (you configured the domain earlier, see mailDomain in smbldap.conf)
  • -c specifies their full name (gecos in POSIX-speak)

The final argument is the target login name. Now, change their password:

 $ sudo smbldap-passwd fred

Check it's all fine by using sudo smbldap-usershow fred. Now try logging into your server from a Windows machine or any other SMB client.
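To see what kind of entry the smbldap-tools are creating for you, here is an added example (not code from the original post or from the smbldap-tools project) that builds the base DN from a domain name the way the slapd configuration step does, and emits a plain posixAccount/inetOrgPerson entry under ou=Users. It deliberately leaves out the sambaSamAccount attributes (SIDs, NT password hashes) that the real smbldap-useradd adds; the ou=Users container and the uid/gid values are taken from the listings in this post, and the mail attribute mirrors what -M plus mailDomain produce.

```shell
#!/bin/sh
# Added example: a simplified view of the LDAP entry smbldap-useradd creates.
# Not the smbldap-tools code; the sambaSamAccount attributes are omitted.

# domain_to_basedn DOMAIN: yourdomain.com -> dc=yourdomain,dc=com
domain_to_basedn() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# posix_user_ldif DOMAIN LOGIN UIDNUMBER GIDNUMBER "FULL NAME" [MAIL-LOCALPART]
# Prints an LDIF entry that ldapadd could load under ou=Users.
posix_user_ldif() {
    base=$(domain_to_basedn "$1")
    login=$2 uidnum=$3 gidnum=$4 fullname=$5
    sn=${fullname##* }            # inetOrgPerson needs sn: use the last word of cn
    cat <<EOF
dn: uid=$login,ou=Users,$base
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $fullname
sn: $sn
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$login
loginShell: /bin/bash
EOF
    # Optional mail attribute: the effect of -M combined with mailDomain
    if [ -n "$6" ]; then printf 'mail: %s@%s\n' "$6" "$1"; fi
    return 0
}

# ldif_dn LDIF: extract the dn line from an entry, handy for checking results
ldif_dn() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p'
}

# Constructed sample matching the post: fred, uid 1016, gid 513 (Domain Users)
posix_user_ldif yourdomain.com fred 1016 513 "Fred Bloggs" fred.bloggs
```

Run the script and you get the entry as ldapsearch -x uid=fred would show it, minus the Samba attributes; compare it with sudo smbldap-usershow fred on your own server to see what the full version adds.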

If you opted to make the home directory, you can now see it:

 $ ls -al /home/fred/
 drwx------  2 1007 513 4096 2005-09-23 15:06 .
 drwxr-xr-x  4 root root     4096 2005-09-23 15:06 ..
 -rw-r--r--  1 1007 513  414 2005-01-13 21:43 .bash_profile
 -rw-r--r--  1 1007 513 2044 2005-01-13 21:43 .bashrc

Notice that the group and user IDs are numeric: this is because we've not yet told Linux how to speak to the LDAP server. So, let's get on with that!

Configuring NSS to work with LDAP

NSS is the subsystem that tells Linux where to get information about users, groups, passwords and so on. If you bypassed configuring it when we installed it earlier, let's configure it now:

  $ sudo dpkg-reconfigure libnss-ldap

Use 127.0.0.1 as the IP address of your LDAP server, and enter your base DN as discussed above, dc=yourdomain,dc=com. Take the defaults for the rest of the questions.

Now we just need to add LDAP into the search mechanisms. Edit /etc/nsswitch.conf and change these lines:

 passwd:         files ldap
 group:          files ldap
 shadow:         files ldap

This makes local config files (/etc/passwd, etc) override LDAP. If you want it the other way, switch the order around.

Now you should be able to repeat the directory listing from above and get the UIDs and GIDs shown with their names:

 $ ls -al /home/fred
 total 16
 drwx------   2 fred Domain Users 4096 2005-09-23 15:06 .
 drwxr-xr-x  19 root root         4096 2005-09-25 15:06 ..
 -rw-r--r--   1 fred Domain Users  414 2005-01-13 21:43 .bash_profile
 -rw-r--r--   1 fred Domain Users 2044 2005-01-13 21:43 .bashrc

Try this:

 $ id fred
 uid=1016(fred) gid=513(Domain Users) groups=513(Domain Users)

You'll see that the default group for each user is the Samba users group. A bit ugly, but livable with. You can tweak the smbldap-tools configuration to change how group allocation works.

Changing groups

To the system, file-based groups and LDAP groups are merged. See them all by running getent group.

You'll want to add users into other groups. If the group exists on your system alone, use the conventional Linux way with adduser. If the group exists in LDAP, use the LDAP way:

 $ sudo smbldap-usermod -G mygroup fred

To see which groups LDAP knows about:

 $ ldapsearch -x objectClass=posixGroup | grep cn

So, we might do:

 $ sudo smbldap-usermod -G "Domain Admins" fred

Verify with:

 $ smbldap-groupshow "Domain Admins"

Setting up Linux logins

First up, configure /etc/pam_ldap.conf:

  host 127.0.0.1
  base dc=yourdomain,dc=com
  rootbinddn cn=admin,dc=yourdomain,dc=com

(The admin password will be in /etc/ldap.secret).

Now to configure PAM, which is a system for controlling authentication and authorisation on Linux. I based my edits on the information from this page, though with a few changes.

Caution: now's a good time to keep a few open shells around running as root, in case you really mess things up. Take a backup of the files you are about to edit.

Edit the following files from /etc/pam.d:

  common-account:

  account sufficient      pam_ldap.so
  account required        pam_unix.so

  common-auth:

  auth    sufficient      pam_ldap.so nullok_secure
  auth    required        pam_unix.so use_first_pass

  common-password:

  password   sufficient   pam_ldap.so
  password   required     pam_unix.so try_first_pass nullok obscure min=4 max=8 md5

  common-session:

  session sufficient      pam_ldap.so
  session required        pam_unix.so

Now try logging in as one of the LDAP users. All should be fine.
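The reason these stacks work for both LDAP and local users is the control flags. Here is an added example (a constructed model, not code from the original post or from PAM itself) that walks a stack using the standard rules: a required failure is remembered but evaluation continues; a requisite failure stops at once; a sufficient success ends the stack successfully unless a required module earlier in the stack has already failed; a sufficient failure is simply ignored. The four sample stacks are constructed to match the common-auth above.

```shell
#!/bin/sh
# Added example: a model of PAM control-flag evaluation, not PAM's own code.
# Input: one "<control> <result>" pair per line, in /etc/pam.d order, where
# control is required, requisite, sufficient or optional and result is ok/fail.
pam_stack() {
    printf '%s\n' "$1" | {
        failed=0
        while read -r control result; do
            case "$control:$result" in
                sufficient:ok)
                    # Short-circuit to success only if nothing required has failed
                    if [ "$failed" -eq 0 ]; then echo success; exit 0; fi ;;
                required:fail)
                    failed=1 ;;            # remembered, but keep walking the stack
                requisite:fail)
                    echo failure; exit 0 ;; # stop immediately
                *) ;;                       # ok results and ignored sufficient failures
            esac
        done
        if [ "$failed" -eq 0 ]; then echo success; else echo failure; fi
    }
}

# Constructed stacks modelled on common-auth: pam_ldap (sufficient) first,
# pam_unix (required, use_first_pass) second.

# Case 1: LDAP-only user; pam_ldap accepts, pam_unix has no /etc/shadow entry.
ldap_user_stack='sufficient ok
required fail'
# Case 2: local-only user; pam_ldap knows nothing, pam_unix accepts.
local_user_stack='sufficient fail
required ok'
# Case 3: wrong password everywhere.
bad_password_stack='sufficient fail
required fail'
# Case 4: the order matters; a required module listed *before* the sufficient
# one vetoes the short-circuit even though pam_ldap said yes.
required_first_stack='required fail
sufficient ok'

for s in "$ldap_user_stack" "$local_user_stack" "$bad_password_stack" "$required_first_stack"; do
    pam_stack "$s"
done
```

Running it prints success, success, failure, failure. Case 4 is the one to keep in mind when editing these files: the pam_ldap line must come before pam_unix, exactly as the stanzas above have it, or LDAP-only users will be refused.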

Debugging tips

Set the debug level of slapd to 256 in /etc/ldap/slapd.conf to see the searches being performed by Samba and PAM: it'll help you diagnose what's going wrong. slapd logs to /var/log/syslog by default.

Play around a bit getting to know ldapsearch, it'll help.

LDAP security

Right now, with the default configuration, anyone can read the contents of your LDAP server. You may want to lock this down. I've used the following stanza in my slapd configuration:

  access to *
        by dn="cn=admin,dc=yourdomain,dc=com" write
        by peername.regex="^IP=127\.0\..+" read
        by peername.regex="^IP=192\.168\..+" read
        by users read
        by * none

What this (hopefully) does is limit read access to users on approved networks, and to users who bind to the LDAP server using their login accounts (in ldapsearch, do this with the -D and -W options).

If you're going to make your LDAP server public, ensure it's running TLS. If you examine the slapd.access manual page, you can see how to restrict certain accesses to only TLS transports and so on.
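slapd evaluates "by" clauses in order and stops at the first one that matches the client, so it is worth checking what each kind of client ends up with. Here is an added example (a constructed model, not code from the original post or from OpenLDAP) that applies the stanza above with that first-match rule. The peer name is constructed as IP=<address>; a real slapd peername also carries the client's port, which the regexes above tolerate via the trailing .+.

```shell
#!/bin/sh
# Added example: first-match evaluation of the post's access stanza.
# Not OpenLDAP code; only the dn, peername.regex, users and * selectors are modelled.
ACL='by dn="cn=admin,dc=yourdomain,dc=com" write
by peername.regex="^IP=127\.0\..+" read
by peername.regex="^IP=192\.168\..+" read
by users read
by * none'

# acl_decide BINDDN CLIENTIP -> write | read | none
# BINDDN is the DN the client bound as; pass "" for an anonymous (-x) bind.
acl_decide() {
    binddn=$1
    peer="IP=$2"                      # constructed peername, port omitted
    printf '%s\n' "$ACL" | while read -r kw selector level; do
        case "$selector" in
            dn=*)
                want=${selector#dn=}; want=${want#\"}; want=${want%\"}
                if [ "$binddn" = "$want" ]; then echo "$level"; break; fi ;;
            peername.regex=*)
                re=${selector#peername.regex=}; re=${re#\"}; re=${re%\"}
                if printf '%s\n' "$peer" | grep -Eq "$re"; then echo "$level"; break; fi ;;
            users)
                if [ -n "$binddn" ]; then echo "$level"; break; fi ;;
            '*')
                echo "$level"; break ;;
        esac
    done
}

# Constructed clients
echo "anonymous from LAN:       $(acl_decide "" 192.168.1.20)"
echo "anonymous from elsewhere: $(acl_decide "" 10.1.2.3)"
echo "fred from elsewhere:      $(acl_decide "uid=fred,ou=Users,dc=yourdomain,dc=com" 10.1.2.3)"
echo "admin from elsewhere:     $(acl_decide "cn=admin,dc=yourdomain,dc=com" 10.1.2.3)"
```

The first line of output is the one to notice: because the peername clauses match before "by users", an unauthenticated client on 127.0.* or 192.168.* reads every attribute that "access to *" covers, userPassword included. The usual OpenLDAP remedy is an earlier, narrower stanza of the form "access to attrs=userPassword by self write by anonymous auth by * none", which still lets clients bind with their password while keeping the stored hashes out of plain searches.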

Email clients

Your email clients can use the LDAP server as an addressbook. Just point them at the LDAP server and ensure they bind using the DN uid=fred,ou=Users,dc=yourdomain,dc=com (replacing fred accordingly) and get them to use their login password. Configure the "search base" as dc=yourdomain,dc=com.

Conclusion

Take these notes as advisory. Particularly where security is concerned I really haven't done extensive testing.

In future, I'll add notes on extending the setup to receiving mail with Postfix and accessing it via Courier IMAP. Feel free to mail me any corrections.



You are reading the weblog of Edd Dumbill, writer, programmer, entrepreneur and free software advocate.
Copyright © 2000-2012 Edd Dumbill