Re: Debian server with LDAP
That's not quite what I'm after.
I want my Outlook 2003/Thunderbird to use LDAP as the address book, so that
everything is centralised and the problem of out-of-date address books goes away.
Thanks for the help all the same.
On 25/02/06, caio ferreira <idic@terra.com.br> wrote:
Ridson Xavier de Moura wrote:
> Good afternoon.
>
> How can I install OpenLDAP on my Debian server, given that there are no
> packages for apt to download? Is there a repository where I can get them?
>
--
.''`. Caio Abreu Ferreira
: :' : GNU/Linux Debian
`. `'` fingerprint 0B5 0357 B80C E53C 5EF6 9D58 2D1B 0602 45E5 183A
`- Key ID 0x45E5183A
Linux Counter 327834
Installing Samba with LDAP support
----------------------------------
Caio Abreu Ferreira <cosmo_at_osite_dot_com_dot_br>
Version 0.1 - 4 October 2004
Index
1 - License
2 - Theoretical introduction
2.1 - What LDAP is
2.2 - What a directory is
3 - Technical data
4 - Practice
4.1 - Installation
4.1.1 - Installing LDAP
4.1.2 - Installing PhpLdapAdmin
4.1.3 - Installing Samba
4.2 - Configuring LDAP
4.3 - Migrating Linux users to LDAP
4.4 - Configuring PhpLdapAdmin
4.5 - Configuring Samba
5 - Configuration files
6 - References
7 - Acknowledgements
1 - License
-----------
Copyleft (C) 2004
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation; a copy of
the license is included in the section entitled "GNU Free Documentation
License".
2 - Theoretical introduction
----------------------------
2.1 - What LDAP is
------------------
LDAP is a protocol (running over TCP/IP) used to access a Directory
service. LDAP follows the client-server model: the LDAP server holds the
information, and LDAP clients connect to the server to obtain the data
stored in the directory. The information held on the server can be
replicated to secondary servers so that, should the primary server stop
working for any reason, the secondary servers take over its role as
directory server.
LDAP was initially developed at the University of Michigan and follows
the X.500 directory specifications.
2.2 - What a directory is
-------------------------
A directory is any database that holds mostly descriptive information.
The information in such a database is normally read far more often than
it is written. One example of a directory is DNS (Domain Name System),
where the information held on the DNS server is mostly queried, i.e.
read, by the "clients".
3 - Technical data
------------------
Distribution - GNU/Linux Debian Sarge
Domain - openware.com.br
IP of the LDAP and Samba server - 192.168.1.3
dc=openware,dc=com,dc=br
|
`--- ou=People : stores the user accounts for Unix and Windows
|
`--- ou=Hosts  : stores the network workstations
|
`--- ou=Group  : stores the groups, both Linux and Windows
4 - Practice
------------
4.1 - Installation
------------------
4.1.1 - Installing LDAP
-----------------------
# Install LDAP and the tools for migrating data such as
# Linux users, groups and hosts into LDAP
$ aptitude install slapd ldap-utils migrationtools -y
4.1.2 - Installing PhpLdapAdmin
-------------------------------
$ aptitude install php4 php4-ldap php4-mhash php4-pear -y
$ aptitude install apache -y
$ aptitude install phpldapadmin libnet-ldap-perl -y
4.1.3 - Installing Samba
------------------------
$ aptitude install samba samba-doc winbind libnss-ldap libmhash2 sysutils libcrypt-smbhash-perl -y
4.2 - Configuring LDAP
----------------------
$ vi /etc/ldap/ldap.conf
host 192.168.1.3
base dc=openware,dc=com,dc=br
rootbinddn cn=admin,dc=openware,dc=com,dc=br
# Hash the password so the configuration file does not hold it in
# the clear. The CRYPT, MD5, SMD5, SSHA and SHA schemes are available
# (SENHA stands for the password you choose)
$ slappasswd -h {SSHA} -s <SENHA>
{SSHA}JSqnZ+f4RN9UBdtjNBJti9NXdN5zkrst
$ vi /etc/ldap/slapd.conf
# Read slapd.conf(5) for possible values
loglevel 256
# The base of your directory in database #1
suffix "dc=openware,dc=com,dc=br"
rootdn "cn=admin,dc=openware,dc=com,dc=br"
rootpw {SSHA}JSqnZ+f4RN9UBdtjNBJti9NXdN5zkrst
# Create the slapd log file
$ vi /etc/syslog.conf
local4.* /var/log/ldap.log
# Restart the logging service
$ /etc/init.d/sysklogd restart
# Restart LDAP
$ /etc/init.d/slapd restart
4.3 - Migrating Linux users, groups and hosts to LDAP
-----------------------------------------------------
$ vi /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "openware.com.br";
# Default base
$DEFAULT_BASE = "dc=openware,dc=com,dc=br";
$ cd /usr/share/migrationtools/
# Migrate the LDAP base
$ ./migrate_base.pl | ldapadd -xD cn=admin,dc=openware,dc=com,dc=br -c -h 192.168.1.3 -w SENHA
# Migrate the groups into the LDAP database
$ ./migrate_group.pl /etc/group | ldapadd -xD cn=admin,dc=openware,dc=com,dc=br -c -h 192.168.1.3 -w SENHA
# Migrate the users into the LDAP database
$ ./migrate_passwd.pl /etc/passwd | ldapadd -xD cn=admin,dc=openware,dc=com,dc=br -c -h 192.168.1.3 -w SENHA
# Migrate the hosts into the LDAP database
# Example /etc/hosts file:
# 192.168.1.3   akira.openware.com.br   akira
$ ./migrate_hosts.pl /etc/hosts | ldapadd -xD cn=admin,dc=openware,dc=com,dc=br -c -h 192.168.1.3 -w SENHA
4.4 - Configuring PhpLdapAdmin
------------------------------
$ vi /usr/share/phpldapadmin/config.php
$servers[$i]['name'] = 'Openware LDAP Server';
$servers[$i]['host'] = '192.168.1.3';
4.5 - Configuring Samba
-----------------------
$ cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ gunzip /etc/ldap/schema/samba.schema.gz
$ vi /etc/ldap/slapd.conf
include /etc/ldap/schema/samba.schema
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
$ /etc/init.d/slapd restart
$ cd /usr/share/doc/samba-doc/examples/LDAP/smbldap-tools/mkntpwd
$ gunzip *.gz
$ make
$ cp mkntpwd /usr/local/sbin/
$ net getlocalsid
SID for domain AKIRA is: S-1-5-21-422933630-3355374061-2294550427
$ vi /usr/share/phpldapadmin/templates/template_config.php
// path 2 the mkntpwd utility (Customize)
$mkntpwdCommand = "/usr/local/sbin/mkntpwd";
$default_samba3_domains[] =
array( 'name' => 'Openware Samba domain Name',
'sid' => 'S-1-5-21-422933630-3355374061-2294550427' );
$ cd /root/download
# smbldap-tools is a package containing a set of scripts used to
# manage users, groups and hosts. The scripts can add, delete and
# modify user, group and host information.
$ wget http://www.idealx.org/prj/samba/dist/smbldap-tools-0.8.5.tgz
$ cd /usr/local/src
$ tar xzvf /root/download/smbldap-tools-0.8.5.tgz
$ mkdir /etc/smbldap-tools/
$ cd /usr/local/src/smbldap-tools-0.8.5/
$ cp *.conf /etc/smbldap-tools/
$ cp smbldap* /usr/local/sbin/
$ chmod 644 /etc/smbldap-tools/smbldap.conf
$ chmod 600 /etc/smbldap-tools/smbldap_bind.conf
$ cd /etc/smbldap-tools/
$ vi smbldap.conf
SID="S-1-5-21-1304105363-4135810921-3996400691"
slaveLDAP="192.168.1.3"
masterLDAP="192.168.1.3"
ldapTLS="0"
suffix="dc=openware,dc=com,dc=br"
usersdn="ou=People,${suffix}"
computersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
userSmbHome="\\akira\home\%U"
userProfile="\\akira\profiles\%U"
userScript="%U.bat"
mailDomain="openware.com.br"
$ vi smbldap_bind.conf
slaveDN="cn=admin,dc=openware,dc=com,dc=br"
slavePw="SENHA"
masterDN="cn=admin,dc=openware,dc=com,dc=br"
masterPw="SENHA"
$ cd /usr/local/sbin/
# Script that sets up the directories and the base in a simple way
$ ./smbldap-populate
# Remove the root user that was added during the migration
# and insert a new root, root.ldif:
# Before adding root, change its SID.
dn: uid=root,ou=People,dc=openware,dc=com,dc=br
cn: root
displayName: root root
gecos: root root
gidNumber: 512
homeDirectory: /root
loginShell: /bin/bash
sambaPrimaryGroupSID: S-1-5-21-2052853064-698352506-93186233-512
sambaSID: S-1-5-21-2052853064-698352506-93186233-512
shadowLastChange:
uid: root
uidNumber: 512
sambaPwdCanChange:
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
structuralObjectClass: account
entryUUID:
creatorsName: cn=admin,dc=openware,dc=com,dc=br
createTimestamp:
sambaLMPassword:
sambaAcctFlags: [U]
sambaNTPassword:
sambaPwdLastSet:
sambaPwdMustChange:
userPassword::
entryCSN:
modifiersName: cn=admin,dc=openware,dc=com,dc=br
modifyTimestamp:
$ slapadd -v -l root.ldif
# Add the Samba object class and attributes to the user.
$ ./smbldap-usermod -m -a USUARIO
# sambaLMPassword and sambaNTPassword are added/updated;
# run this for every user.
$ ./smbldap-passwd USUARIO
$ vi /etc/nsswitch.conf
#passwd: compat
#group: compat
#shadow: compat
passwd: files ldap
group: files ldap
shadow: files ldap
$ vi /etc/samba/smb.conf
[global]
workgroup = openware
netbios name = akira
passdb backend = ldapsam:ldap://akira
username map = /etc/samba/smbusers
root = admin administrador
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m '%g' '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = %U.bat
logon drive = H:
logon path = \\%N\profiles
logon home = \\%N\profiles
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
ldap suffix = dc=openware,dc=com,dc=br
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=People
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=openware,dc=com,dc=br
ldap ssl = no
ldap passwd sync = Yes
ldap filter = (uid=%u)
idmap uid = 15000-20000
idmap gid = 15000-20000
security = user
encrypt passwords = yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = yes
share modes = no
browseable = no
[profiles]
path = /home/profiles/%U
create mask = 0700
directory mask = 0700
browseable = no
writable = yes
read only = no
$ /etc/init.d/samba restart
$ vi /etc/samba/smbusers
root = administrator admin administrador
$ mkdir /home/netlogon
$ mkdir /home/profiles
$ cd /home/netlogon
$ vi caio.bat
NET TIME \\akira /SET /YES
NET USE H: \\akira\caio
# Convert the file from Unix to DOS format
$ unix2dos caio.bat
# LDAP administrator password (cn=admin,dc=openware,dc=com,dc=br)
$ smbpasswd -w SENHA_LDAP
Setting stored password for "cn=admin,dc=openware,dc=com,dc=br" in secrets.tdb
5 - Configuration files
-----------------------
############################################## ldap.conf ##############################################
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host 192.168.1.3
base dc=openware,dc=com,dc=br
rootbinddn cn=admin,dc=openware,dc=com,dc=br
############################################## slapd.conf ##############################################
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 256
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=openware,dc=com,dc=br"
rootdn "cn=admin,dc=openware,dc=com,dc=br"
rootpw {SSHA}IjljAwzYPdRmHWIPM6SRNRPYXsOjQ24w
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# Samba
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attribute=userPassword
by dn="cn=admin,dc=openware,dc=com,dc=br" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=openware,dc=com,dc=br" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=openware,dc=com,dc=br" write
# by dnattr=owner write
############################################## smbldap.conf ##############################################
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.14 2004/06/25 20:57:51 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-3442722244-1504448362-2927373868"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="192.168.1.3"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="192.168.1.3"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=openware,dc=com,dc=br"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=People,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=People,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Group,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\akira\home\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\akira\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
############################################## smbldap_bind.conf ##############################################
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=openware,dc=com,dc=br"
slavePw="SENHA"
masterDN="cn=admin,dc=openware,dc=com,dc=br"
masterPw="SENHA"
6 - References
--------------
ldap-l mailing list
http://server.solis.coop.br/mailman/listinfo/ldap-l
Smbldap-tools User Manual
http://www.idealx.org/prj/samba/smbldap-tools.fr.html
ldap liceu
http://www.ldap.liceu.com.br/index.html
Introduction to LDAP - Brad Marshall
http://quark.humbug.org.au/publications/ldap/ldap_tut.html
7 - Acknowledgements
--------------------
Klemen Berti <klemen(arroba)terra.com.br>
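A defender's check of the slapd.conf pieces in the howto, added here as an example (not part of the howto or the thread; the config text inside it is constructed from the howto's values): ssha_hash/ssha_verify reproduce the {SSHA} layout slappasswd writes into rootpw, and audit_slapd parses the access directives the way slapd applies them (first matching "access to", then first matching "by") and reports when userPassword, sambaLMPassword or sambaNTPassword are readable by anonymous or ordinary users, or when rootpw is cleartext.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed slapd.conf fragments (not the author's files): GOOD_CONF mirrors the
# howto's ACL and its example {SSHA} rootpw; WEAK_CONF is a deliberately bad one.
GOOD_CONF = """\
suffix "dc=openware,dc=com,dc=br"
rootdn "cn=admin,dc=openware,dc=com,dc=br"
rootpw {SSHA}JSqnZ+f4RN9UBdtjNBJti9NXdN5zkrst
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=admin,dc=openware,dc=com,dc=br" write
        by * read
"""
WEAK_CONF = """\
rootpw secret
access to *
        by * read
"""
PASSWORD_ATTRS = ("userpassword", "sambalmpassword", "sambantpassword")
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def ssha_hash(password, salt=None):
    """Same layout slappasswd -h {SSHA} emits: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value such as the rootpw above."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, the salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def _covers(what, attr):
    """True if an 'access to <what>' clause applies to attr ('*' or an attrs= list)."""
    m = re.match(r"attrs?=([\w,]+)", what)
    return what == "*" or bool(m and attr in m.group(1).lower().split(","))

def audit_slapd(conf):
    """Findings: cleartext rootpw, or password hashes readable by non-owners."""
    findings, acls = [], []
    folded = re.sub(r"\n[ \t]+", " ", conf)          # join slapd.conf continuation lines
    for d in (line.strip() for line in folded.splitlines()):
        if d.startswith("rootpw ") and not d.split(None, 1)[1].startswith("{"):
            findings.append("rootpw is cleartext; store the slappasswd -h {SSHA} output")
        elif d.startswith("access to "):
            what, *by = re.split(r"\s+by\s+", d[len("access to "):])
            acls.append((what.strip(), [c.rsplit(None, 1) for c in by]))
    if not acls:
        return findings + ["no access directives: slapd grants read to everyone"]
    for attr in PASSWORD_ATTRS:
        clauses = next((c for what, c in acls if _covers(what, attr)), [])  # first match
        for who, level in clauses:                               # first matching <by> wins
            if who in ("*", "anonymous", "users") and LEVELS.index(level) > LEVELS.index("auth"):
                findings.append(f"{attr}: 'by {who} {level}' exposes password hashes")
                break
    return findings
```

Run audit_slapd over your own slapd.conf text; an empty list means the password attributes are covered by a clause that grants ordinary binds no more than auth.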