I've danced around the idea of using an LDAP server for storing user accounts for several years. However, LDAP's not the kind of thing you can sneak up on. You have to stare it right in the eyes and face it down.
Oh, and it helps if you have a tough-looking friend nearby. In my case, that's Ubuntu or Debian Linux.
Because Google was a bit lacking on good instructions on how to configure Samba and Linux logins using LDAP, I thought I'd write them down. This setup's for the LDAP, Samba and Linux logins all on the same machine. To configure other clients, just repeat the client parts elsewhere.
Theory
An LDAP server is a hierarchical database system. The L in LDAP stands for "lightweight", which is an enduring irony.
To make the database do anything useful, it needs schemas, which name the information items that can be stored in the database. LDAP's no different from a regular relational database in this regard.
Getting LDAP to work on Linux with the OpenLDAP tools is largely a matter of figuring out the right schemas, filling the database, and pointing things at it.
Happily, there are tools and instructions that make this pretty straightforward under Debian and Ubuntu.
Some random jargon: you don't connect to an LDAP server, you bind to it.
Finally, why would you do this? When administering a network of more than trivial size, it soon becomes a pain to create and maintain user accounts. An LDAP server can be used to provide a central point of control for Unix and Samba accounts, as well as email and web server authentication.
Install the software you need
$ sudo aptitude install slapd ldap-utils libnss-ldap libpam-ldap \
    samba smbldap-tools smbclient \
    samba-doc perl-doc
The installation will ask you some configuration questions. If you feel up to answering them on installation, just do it. Otherwise, put in best guesses and we'll fix them up below.
Configure slapd
slapd is the LDAP server. Configure everything it's got by running:
sudo dpkg-reconfigure -plow slapd
First up, enter your domain name, yourdomain.com. This will lead to a base "distinguished name" (DN) of dc=yourdomain,dc=com. Then enter your organisation's name. After that, you'll be asked for the password for the administrator account; make this a good, secure password. You can take the defaults for the rest of the questions.
Next, set up your local LDAP tools to speak to your new server by changing the following entries in /etc/ldap/ldap.conf:
BASE dc=yourdomain,dc=com
URI ldap://localhost
You now have an LDAP server with just the administrator account in it. Take a look with ldapsearch -x cn=admin. This account is the equivalent of root access to your LDAP server.
Next up, to get the required smarts into your LDAP server for Samba, follow steps 1-5 under "LDAP server configuration" from /usr/share/doc/smbldap-tools/README.Debian.gz.
While you're editing the schema imports in /etc/ldap/slapd.conf, add in:
include /etc/ldap/schema/misc.schema
This will let you use your LDAP server for configuring email accounts, which comes in handy later on in the process.
Whenever you want to see the effects of a change on slapd, just run
sudo /etc/init.d/slapd restart
to restart the daemon.
Configure smbldap-tools
These tools are replacements for programs like adduser that talk to the LDAP server instead.
Follow the steps to configure these under the "SMBLDAP TOOLS" configuration section in /usr/share/doc/smbldap-tools/README.Debian.gz. If you don't want to mess around with certificates, turn TLS support off for now. I also turned off password aging in /etc/smbldap-tools/smbldap.conf for now.
Don't forget to set up your email domain address in mailDomain in the smbldap.conf file. This is automatically appended to mail names you set up with smbldap-useradd.
Configure access to your server in smbldap_bind.conf, replacing sekrit with the password you entered while configuring slapd:
slaveDN="cn=admin,dc=yourdomain,dc=com"
slavePw="sekrit"
masterDN="cn=admin,dc=yourdomain,dc=com"
masterPw="sekrit"
Now that smbldap-tools knows how to talk to your LDAP server, it's time to put the basic users and groups that Samba expects into the LDAP server. Run:
$ sudo smbldap-populate
Check it's all gone in:
$ ldapsearch -x | less
The user accounts that should exist will be Administrator and nobody. You can search for them explicitly, e.g.:
$ ldapsearch -x uid=Administrator
Now, let's change the Administrator password to the one you want for the Samba domain:
$ sudo smbldap-passwd Administrator
Configure Samba
Follow the steps for Samba configuration from /usr/share/doc/smbldap-tools/README.Debian.gz and restart your Samba server.
Now, it's time to add a normal user into the LDAP database, and see if we can talk to Samba using their account:
$ sudo smbldap-useradd -a -m -M fred.bloggs -c "Fred Bloggs" fred
An explanation of the options: -a adds the Samba (Windows) account attributes as well as the POSIX ones, -m creates the home directory, -M sets the local mail address (the mailDomain from smbldap.conf is appended to it) and -c sets the full name (gecos). The final argument is the target login name. Now, change their password:
$ sudo smbldap-passwd fred
Check it's all fine by using sudo smbldap-usershow fred.
Now try logging into your server from a Windows machine or another SMB client.
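What smbldap-useradd has just created is an ordinary LDAP entry built from the schemas loaded earlier. The following is an added example, not code from the post or from smbldap-tools: it derives the base DN from the domain name the way dpkg-reconfigure does, builds an entry under ou=Users with the objectClasses a Samba+POSIX user needs, checks the MUST attributes of those classes (lists taken from the standard core, nis, samba and misc schemas) and renders it as LDIF. The domain SID is a constructed placeholder; the uid-to-RID rule (rid = 2 * uid + 1000) is Samba 3's default algorithmic mapping, also used by smbldap-tools.

```python
# Added illustration (not from the post): the kind of entry smbldap-useradd creates,
# reduced to a schema MUST check and an LDIF rendering.

# Required (MUST) attributes per objectClass, from the standard schema files,
# and the class each one inherits from (SUP).
MUST = {
    "top": ["objectClass"],
    "person": ["sn", "cn"],
    "organizationalPerson": [],
    "inetOrgPerson": [],
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "shadowAccount": ["uid"],
    "sambaSamAccount": ["uid", "sambaSID"],
    "inetLocalMailRecipient": [],  # from misc.schema, which the post includes for mail
}
SUP = {
    "person": "top",
    "organizationalPerson": "person",
    "inetOrgPerson": "organizationalPerson",
    "posixAccount": "top",
    "shadowAccount": "top",
    "sambaSamAccount": "top",
    "inetLocalMailRecipient": "top",
}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder


def domain_to_base_dn(domain):
    """'yourdomain.com' -> 'dc=yourdomain,dc=com', as dpkg-reconfigure slapd derives it."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


def missing_attributes(attrs):
    """Return the MUST attributes (walking each class's SUP chain) that the entry lacks."""
    needed = set()
    for oc in attrs.get("objectClass", []):
        cls = oc
        while cls is not None:
            needed.update(MUST[cls])
            cls = SUP.get(cls)
    present = {name.lower() for name in attrs}
    return sorted(a for a in needed if a.lower() not in present)


def user_entry(login, full_name, uid_number, base_dn, gid_number=513,
               mail_local=None, mail_domain=None):
    """Build (dn, attrs) for a Samba+POSIX user under ou=Users, following the post's DN layout."""
    dn = f"uid={login},ou=Users,{base_dn}"
    attrs = {
        "objectClass": ["top", "inetOrgPerson", "posixAccount", "shadowAccount", "sambaSamAccount"],
        "uid": [login],
        "cn": [full_name],
        "sn": [full_name.split()[-1]],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],   # 513 is Domain Users after smbldap-populate
        "homeDirectory": [f"/home/{login}"],
        "loginShell": ["/bin/bash"],
        "gecos": [full_name],
        # Samba 3 algorithmic RID mapping: rid = 2 * uid + 1000
        "sambaSID": [f"{DOMAIN_SID}-{2 * uid_number + 1000}"],
    }
    if mail_local and mail_domain:
        attrs["objectClass"].append("inetLocalMailRecipient")
        attrs["mailLocalAddress"] = [f"{mail_local}@{mail_domain}"]
    return dn, attrs


def to_ldif(dn, attrs):
    """Render an entry as LDIF (ASCII values only; real LDIF base64-encodes anything else)."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        for value in values:
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    base = domain_to_base_dn("yourdomain.com")
    dn, attrs = user_entry("fred", "Fred Bloggs", 1016, base,
                           mail_local="fred.bloggs", mail_domain="yourdomain.com")
    assert missing_attributes(attrs) == []
    print(to_ldif(dn, attrs))
```

The MUST check is what slapd itself enforces on an add: an entry missing, say, sambaSID is rejected with an object class violation, which is the usual reason a hand-written LDIF fails where smbldap-useradd succeeds.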
If you opted to make the home directory, you can now see it:
$ ls -al /home/fred/
drwx------  2 1007 513 4096 2005-09-23 15:06 .
drwxr-xr-x  4 root root 4096 2005-09-23 15:06 ..
-rw-r--r--  1 1007 513  414 2005-01-13 21:43 .bash_profile
-rw-r--r--  1 1007 513 2044 2005-01-13 21:43 .bashrc
Notice that the group and user IDs are numeric: this is because we've not yet told Linux how to speak to the LDAP server. So, let's get on with that!
Configuring NSS to work with LDAP
NSS is the subsystem that tells Linux where to get information about users, groups, passwords and so on. If you bypassed configuring it when we installed it earlier, let's configure it now:
$ sudo dpkg-reconfigure libnss-ldap
Use 127.0.0.1 as the IP address of your LDAP server, and enter your base DN as discussed above, dc=yourdomain,dc=com. Take the defaults for the rest of the questions.
Now we just need to add LDAP into the search mechanisms. Edit /etc/nsswitch.conf and change these lines:
passwd: files ldap
group: files ldap
shadow: files ldap
This makes local config files (/etc/passwd, etc) override LDAP. If you want it the other way, switch the order around.
Now you should be able to repeat the directory listing from above and get the UIDs and GIDs shown with their names:
$ ls -al /home/fred
total 16
drwx------  2 fred Domain Users 4096 2005-09-23 15:06 .
drwxr-xr-x 19 root root         4096 2005-09-25 15:06 ..
-rw-r--r--  1 fred Domain Users  414 2005-01-13 21:43 .bash_profile
-rw-r--r--  1 fred Domain Users 2044 2005-01-13 21:43 .bashrc
Try this:
$ id fred
uid=1016(fred) gid=513(Domain Users) groups=513(Domain Users)
You'll see that the default group for each user is the Samba users group. A bit ugly, but livable with. You can tweak the smbldap-tools configuration to change how group allocation works.
Changing groups
To the system, file-based groups and LDAP groups are merged. See them all by running getent group.
You'll want to add users into other groups. If the group exists on your system alone, use the conventional Linux way with adduser. If the group exists in LDAP, use the LDAP way:
$ sudo smbldap-usermod -G mygroup fred
To see which groups LDAP knows about:
$ ldapsearch -x objectClass=posixGroup | grep cn
So, we might do:
$ sudo smbldap-usermod -G "Domain Admins" fred
Verify with:
$ smbldap-groupshow "Domain Admins"
Setting up Linux logins
First up, configure /etc/pam_ldap.conf:
host 127.0.0.1
base dc=yourdomain,dc=com
rootbinddn cn=admin,dc=yourdomain,dc=com
(The admin password will be in /etc/ldap.secret).
Now to configure PAM, which is a system for controlling authentication and authorisation on Linux. I based my edits on the information from this page, though with a few changes.
Caution: now's a good time to keep a few open shells around running as root, in case you really mess things up. Take a backup of the files you are about to edit.
Edit the following files from /etc/pam.d:
common-account:
account sufficient pam_ldap.so
account required pam_unix.so

common-auth:
auth sufficient pam_ldap.so nullok_secure
auth required pam_unix.so use_first_pass

common-password:
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok obscure min=4 max=8 md5

common-session:
session sufficient pam_ldap.so
session required pam_unix.so
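The two client-side edits (the nsswitch.conf ordering above and these PAM stacks) are where a slip locks you out of the box, which is why the post tells you to keep root shells open. As an added example, not part of the post, here are checks you can run over both files before logging out: they parse the lines, confirm LDAP is listed behind the local files, and confirm each PAM stack follows the post's pattern of pam_ldap as "sufficient" followed by pam_unix as "required" reusing the typed password. The sample texts are constructed copies of the post's settings plus deliberately broken variants.

```python
# Added example (not from the post): sanity checks over nsswitch.conf and PAM common-* lines.

# Constructed samples: the post's settings, then broken variants.
NSSWITCH_OK = """
passwd:         files ldap
group:          files ldap
shadow:         files ldap
"""
NSSWITCH_BAD = """
passwd:         ldap files
group:          files
shadow:         ldap
"""
PAM_AUTH_OK = """
auth sufficient pam_ldap.so nullok_secure
auth required   pam_unix.so use_first_pass
"""
PAM_AUTH_BAD = """
auth required   pam_ldap.so
auth required   pam_unix.so
"""


def parse_nsswitch(text):
    """Map each database to its ordered list of sources; '[...]' actions are dropped."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        order[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return order


def nsswitch_findings(text, databases=("passwd", "group", "shadow")):
    """Report databases where LDAP is absent, local files are absent, or LDAP outranks files."""
    order = parse_nsswitch(text)
    findings = []
    for db in databases:
        sources = order.get(db, [])
        if "ldap" not in sources:
            findings.append(f"{db}: ldap not listed, LDAP users will not resolve")
        elif "files" not in sources:
            findings.append(f"{db}: files not listed, root and system accounts now depend on slapd")
        elif sources.index("ldap") < sources.index("files"):
            findings.append(f"{db}: ldap listed before files, LDAP entries override local accounts")
    return findings


def parse_pam(text):
    """Split 'type control module args...' rules, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM rule: {line!r}")
        rules.append({"type": parts[0], "control": parts[1], "module": parts[2], "args": parts[3:]})
    return rules


def pam_findings(text):
    """Check one common-* file against the post's pattern: pam_ldap 'sufficient',
    then pam_unix 'required' reusing the password already typed."""
    rules = parse_pam(text)
    modules = [r["module"] for r in rules]
    findings = []
    if "pam_ldap.so" not in modules:
        findings.append("pam_ldap.so missing: LDAP users cannot authenticate")
    if "pam_unix.so" not in modules:
        findings.append("pam_unix.so missing: no local fallback if slapd is down")
    if findings:
        return findings
    ldap_rule = rules[modules.index("pam_ldap.so")]
    unix_rule = rules[modules.index("pam_unix.so")]
    if ldap_rule["control"] == "required":
        findings.append("pam_ldap.so is 'required': root and other local-only accounts fail "
                        "unless pam_ldap is told to ignore unknown users")
    if unix_rule["type"] in ("auth", "password") and not any(
            a in ("use_first_pass", "try_first_pass") for a in unix_rule["args"]):
        findings.append(f"pam_unix.so ({unix_rule['type']}) lacks use_first_pass/try_first_pass: "
                        "users are prompted for their password twice")
    return findings


if __name__ == "__main__":
    for name, text in [("nsswitch ok", NSSWITCH_OK), ("nsswitch bad", NSSWITCH_BAD)]:
        print(name, nsswitch_findings(text))
    for name, text in [("pam ok", PAM_AUTH_OK), ("pam bad", PAM_AUTH_BAD)]:
        print(name, pam_findings(text))
```

To use it on a live box, read /etc/nsswitch.conf and each /etc/pam.d/common-* file into the two functions; an empty list is the expected result for the configuration given in the post.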
Now try logging in as one of the LDAP users. All should be fine.
Debugging tips
Set the debug level of slapd to 256 in /etc/ldap/slapd.conf to see the searches being performed by Samba and PAM: it'll help you diagnose what's going wrong. slapd logs to /var/log/syslog by default.
Play around a bit to get to know ldapsearch; it'll help.
LDAP security
Right now, with the default configuration, anyone can read the contents of your LDAP server. You may want to lock this down. I've used the following stanza in my slapd configuration:
access to *
    by dn="cn=admin,dc=yourdomain,dc=com" write
    by peername.regex="^IP=127\.0\..+" read
    by peername.regex="^IP=192\.168\..+" read
    by users read
    by * none
What this (hopefully) does is limit read access to clients on approved networks and to users who bind to the LDAP server using their login accounts. (In ldapsearch, do this with the -D and -W options.)
If you're going to make your LDAP server public, ensure it's running TLS. If you examine the slapd.access manual page, you can see how to restrict certain accesses to only TLS transports and so on.
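slapd evaluates an access stanza top to bottom: the first "access to" directive whose target matches the request is used, and inside it the first "by" clause that matches the client decides the level; if nothing matches, nothing is granted. The following is an added example, not code from the post or from OpenLDAP: a small evaluator that parses the stanza above and answers "what does this client get?" for the combinations that matter (anonymous on 192.168.x, anonymous elsewhere, a bound user, the admin). It also carries a second stanza, not in the post, that puts an attribute-level rule for userPassword and the Samba hash attributes ahead of the "access to *" rule, so you can compare what an anonymous client on an approved network can read under each. Only the who-forms used on this page are handled; dn= is treated as an exact match, and the exact/regex style distinction is not modelled.

```python
import re

# Added example (not from the post): evaluator for slapd.conf access stanzas, modelling
# first-matching-directive, first-matching-by semantics with "none" when nothing matches.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The stanza from the post.
PAGE_ACL = r'''
access to *
    by dn="cn=admin,dc=yourdomain,dc=com" write
    by peername.regex="^IP=127\.0\..+" read
    by peername.regex="^IP=192\.168\..+" read
    by users read
    by * none
'''

# Added hardening, not from the post: password hashes only for admin, the owner, and binds.
HARDENED_ACL = r'''
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=yourdomain,dc=com" write
    by self write
    by anonymous auth
    by * none
''' + PAGE_ACL


def tokenize(text):
    """Whitespace tokens, keeping quoted strings (with their '=' prefix) together."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    tokens = re.findall(r'(?:[^\s"]+|"[^"]*")+', "\n".join(lines))
    return [t.replace('"', "") for t in tokens]


def parse_acl(text):
    """Return [{'what': ..., 'by': [(who, level), ...]}, ...] in file order."""
    directives, toks, i = [], tokenize(text), 0
    while i < len(toks):
        if toks[i] == "access" and i + 2 < len(toks) and toks[i + 1] == "to":
            directives.append({"what": toks[i + 2], "by": []})
            i += 3
        elif toks[i] == "by" and directives and i + 2 < len(toks):
            if toks[i + 2] not in LEVELS:
                raise ValueError(f"unknown access level {toks[i + 2]!r}")
            directives[-1]["by"].append((toks[i + 1], toks[i + 2]))
            i += 3
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
    return directives


def what_applies(what, attr):
    """Does this directive cover the request? attr=None means the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    raise ValueError(f"unsupported <what>: {what!r}")


def who_matches(who, bind_dn, peername, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):                       # modelled as an exact DN match
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    if who.startswith("peername.regex="):           # slapd's peername looks like IP=addr:port
        return re.match(who[len("peername.regex="):], peername) is not None
    raise ValueError(f"unsupported <who>: {who!r}")


def granted(directives, bind_dn, peername, target_dn, attr=None):
    """Access level a client gets on target_dn, or on one of its attributes.
    bind_dn=None is an anonymous bind."""
    for d in directives:
        if not what_applies(d["what"], attr):
            continue
        for who, level in d["by"]:
            if who_matches(who, bind_dn, peername, target_dn):
                return level
        return "none"      # directive matched, but no <by> clause did
    return "none"          # no directive covers this request


def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    wilma = "uid=wilma,ou=Users,dc=yourdomain,dc=com"
    for name, acl in [("post", parse_acl(PAGE_ACL)), ("hardened", parse_acl(HARDENED_ACL))]:
        print(name, "anonymous on LAN reads userPassword:",
              granted(acl, None, "IP=192.168.1.10:40000", wilma, "userPassword"))
```

Run stand-alone it shows the difference that motivates the second stanza: under the post's rule an unauthenticated client on 192.168.0.0/16 reads every attribute, password hashes included, while the attribute-level rule leaves such a client with only the "auth" level it needs to bind.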
Email clients
Your email clients can use the LDAP server as an addressbook. Just point them at the LDAP server and ensure they bind using the DN uid=fred,ou=Users,dc=yourdomain,dc=com (replacing fred accordingly) and get them to use their login password. Configure the "search base" as dc=yourdomain,dc=com.
Conclusion
Take these notes as advisory. Particularly where security is concerned I really haven't done extensive testing.
In future, I'll add notes on extending the setup to receiving mail with Postfix and accessing it via Courier IMAP. Feel free to mail me any corrections.