1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1 |
<?xml version="1.0" encoding="UTF-8"?>
|
2 |
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
3 |
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
|
|
4 |
<!ENTITY % globalent SYSTEM "../../libs/global.ent">
|
|
5 |
%globalent; |
|
6 |
<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
|
|
7 |
%xinclude; |
|
8 |
<!ENTITY language "&EnglishAmerican;">
|
|
9 |
]> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
10 |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
11 |
<chapter id="network-authentication" status="review"> |
12 |
<title>Network Authentication</title> |
|
13 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
14 |
<para>
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
15 |
This section applies LDAP to network authentication and authorization. |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
16 |
</para>
|
17 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
18 |
<sect1 id="openldap-server" status="review"> |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
19 |
<title>OpenLDAP Server</title> |
20 |
||
21 |
<para>
|
|
251.1.1
by ted.m.cox at gmail
Bug fixes |
22 |
The Lightweight Directory Access Protocol, or LDAP, is a protocol for |
23 |
querying and modifying a X.500-based directory service running over TCP/IP. |
|
24 |
The current LDAP version is LDAPv3, as defined in <ulink
|
|
25 |
url="http://tools.ietf.org/html/rfc4510">RFC4510</ulink>, and the |
|
26 |
implementation in Ubuntu is OpenLDAP." |
|
27 |
</para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
28 |
|
29 |
<para>
|
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
30 |
So the LDAP protocol accesses LDAP directories. Here are some key concepts and terms: |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
31 |
</para>
|
32 |
||
33 |
<itemizedlist>
|
|
34 |
||
35 |
<listitem>
|
|
36 |
<para>
|
|
37 |
A LDAP directory is a tree of data <emphasis>entries</emphasis> that is hierarchical in nature and is called |
|
38 |
the Directory Information Tree (DIT). |
|
39 |
</para>
|
|
40 |
</listitem>
|
|
41 |
||
42 |
<listitem>
|
|
43 |
<para>
|
|
44 |
An entry consists of a set of <emphasis>attributes</emphasis>. |
|
45 |
</para>
|
|
46 |
</listitem>
|
|
47 |
||
48 |
<listitem>
|
|
49 |
<para>
|
|
50 |
An attribute has a <emphasis>type</emphasis> (a name/description) and one or more <emphasis>values</emphasis>. |
|
51 |
</para>
|
|
52 |
</listitem>
|
|
53 |
||
54 |
<listitem>
|
|
55 |
<para>
|
|
56 |
Every attribute must be defined in at least one <emphasis>objectClass</emphasis>. |
|
57 |
</para>
|
|
58 |
</listitem>
|
|
59 |
||
60 |
<listitem>
|
|
61 |
<para>
|
|
62 |
Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an objectclass is actually |
|
63 |
considered as a special kind of attribute). |
|
64 |
</para>
|
|
65 |
</listitem>
|
|
66 |
||
67 |
<listitem>
|
|
68 |
<para>
|
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
69 |
Each entry has a unique identifier: its <emphasis>Distinguished Name</emphasis> (DN or dn). This, in turn, consists |
70 |
of a <emphasis>Relative Distinguished Name</emphasis> (RDN) followed by the parent entry's DN. |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
71 |
</para>
|
72 |
</listitem>
|
|
73 |
||
74 |
<listitem>
|
|
75 |
<para>
|
|
76 |
The entry's DN is not an attribute. It is not considered part of the entry itself. |
|
77 |
</para>
|
|
78 |
</listitem>
|
|
79 |
||
80 |
</itemizedlist>
|
|
81 |
||
82 |
<note>
|
|
83 |
<para>
|
|
84 |
The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and <emphasis>node</emphasis> have certain |
|
85 |
connotations but they all essentially mean the same thing as <emphasis>entry</emphasis>, the technically correct term. |
|
86 |
</para>
|
|
87 |
</note>
|
|
88 |
||
89 |
<para>
|
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
90 |
For example, below we have a single entry consisting of 11 attributes where the following is true: |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
91 |
</para>
|
92 |
||
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
93 |
<itemizedlist mark='bullet'> |
94 |
||
95 |
<listitem>
|
|
96 |
<para>
|
|
97 |
DN is "cn=John Doe,dc=example,dc=com" |
|
98 |
</para>
|
|
99 |
</listitem>
|
|
100 |
||
101 |
<listitem>
|
|
102 |
<para>
|
|
103 |
RDN is "cn=John Doe" |
|
104 |
</para>
|
|
105 |
</listitem>
|
|
106 |
||
107 |
<listitem>
|
|
108 |
<para>
|
|
109 |
parent DN is "dc=example,dc=com" |
|
110 |
</para>
|
|
111 |
</listitem>
|
|
112 |
||
113 |
</itemizedlist>
|
|
114 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
115 |
<programlisting>
|
116 |
dn: cn=John Doe,dc=example,dc=com |
|
117 |
cn: John Doe |
|
118 |
givenName: John |
|
119 |
sn: Doe |
|
120 |
telephoneNumber: +1 888 555 6789 |
|
121 |
telephoneNumber: +1 888 555 1232 |
|
122 |
mail: john@example.com |
|
123 |
manager: cn=Larry Smith,dc=example,dc=com |
|
124 |
objectClass: inetOrgPerson |
|
125 |
objectClass: organizationalPerson |
|
126 |
objectClass: person |
|
127 |
objectClass: top |
|
128 |
</programlisting>
|
|
129 |
||
130 |
<para>
|
|
131 |
The above entry is in <emphasis>LDIF</emphasis> format (LDAP Data Interchange Format). Any information that you feed |
|
132 |
into your DIT must also be in such a format. It is defined in <ulink url="http://tools.ietf.org/html/rfc2849">RFC2849</ulink>. |
|
133 |
</para>
|
|
134 |
||
135 |
<para>
|
|
136 |
Although this guide will describe how to use it for central authentication, LDAP is good for anything that involves a large number |
|
137 |
of access requests to a mostly-read, attribute-based (name:value) backend. Examples include an address book, a list of email addresses, |
|
138 |
and a mail server's configuration. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
139 |
</para>
|
140 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
141 |
<sect2 id="openldap-server-installation" status="review"> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
142 |
<title>Installation</title> |
143 |
||
144 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
145 |
Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages <application>slapd</application> |
146 |
and <application>ldap-utils</application> respectively. |
|
147 |
</para>
|
|
148 |
||
149 |
<para>
|
|
150 |
The installation of slapd will create a working configuration. In particular, it will create a database instance that you |
|
151 |
can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost. |
|
152 |
If you want something different, edit <filename>/etc/hosts</filename> and replace the domain name with one that will give you the |
|
153 |
suffix you desire. For instance, if you want a suffix of <emphasis>dc=example,dc=com</emphasis> then your file would have a line |
|
154 |
similar to this: |
|
155 |
</para>
|
|
156 |
||
157 |
<programlisting>
|
|
158 |
127.0.1.1 hostname.example.com hostname |
|
159 |
</programlisting>
|
|
160 |
||
161 |
<para>
|
|
162 |
You can revert the change after package installation. |
|
163 |
</para>
|
|
164 |
||
165 |
<note>
|
|
166 |
<para>
|
|
167 |
This guide will use a database suffix of <emphasis>dc=example,dc=com</emphasis>. |
|
168 |
</para>
|
|
169 |
</note>
|
|
170 |
||
171 |
<para>
|
|
172 |
Proceed with the install: |
|
173 |
</para>
|
|
174 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
175 |
<screen>
|
176 |
<command>sudo apt-get install slapd ldap-utils</command> |
|
177 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
178 |
|
179 |
<para>
|
|
180 |
Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by dedicating a separate DIT for that purpose. This allows one |
|
181 |
to dynamically configure slapd without the need to restart the service. This configuration database consists of a collection of text-based |
|
182 |
LDIF files located under <filename>/etc/ldap/slapd.d</filename>. This way of working is known by several names: the slapd-config method, |
|
183 |
the RTC method (Real Time Configuration), or the cn=config method. You can still use the traditional flat-file method (slapd.conf) but it's |
|
184 |
not recommended; the functionality will be eventually phased out. |
|
185 |
</para>
|
|
186 |
||
187 |
<note>
|
|
188 |
<para>
|
|
189 |
Ubuntu now uses the <emphasis>slapd-config</emphasis> method for slapd configuration and this |
|
190 |
guide reflects that. |
|
191 |
</para>
|
|
192 |
</note>
|
|
193 |
||
194 |
<para>
|
|
195 |
During the install you were prompted to define administrative credentials. These are LDAP-based credentials for the <emphasis>rootDN</emphasis> |
|
196 |
of your database instance. By default, this user's DN is <emphasis>cn=admin,dc=example,dc=com</emphasis>. Also by default, there is no |
|
197 |
administrative account created for the slapd-config database and you will therefore need to authenticate externally to LDAP in order to access it. |
|
198 |
We will see how to do this later on. |
|
199 |
</para>
|
|
200 |
||
201 |
<para>
|
|
202 |
Some classical schemas (cosine, nis, inetorgperson) come built-in with slapd nowadays. There is also an included "core" schema, a pre-requisite |
|
203 |
for any schema to work. |
|
204 |
</para>
|
|
205 |
||
206 |
</sect2>
|
|
207 |
||
208 |
<sect2 id="openldap-server-postinstall" status="review"> |
|
209 |
<title>Post-install Inspection</title> |
|
210 |
||
211 |
<para>
|
|
212 |
The installation process set up 2 DITs. One for slapd-config and one for your own data (dc=example,dc=com). Let's take a look. |
|
213 |
</para>
|
|
214 |
||
215 |
<itemizedlist>
|
|
216 |
||
217 |
<listitem>
|
|
218 |
<para>
|
|
219 |
This is what the slapd-config database/DIT looks like. Recall that this database is |
|
220 |
LDIF-based and lives under <filename>/etc/ldap/slapd.d</filename>: |
|
221 |
</para>
|
|
222 |
||
223 |
<screen>
|
|
224 |
<computeroutput>
|
|
225 |
/etc/ldap/slapd.d/ |
|
119.1.1
by Doug Smythies
LP: #1129649; LP: #1103870; maybe LP: #922251; UTF-8 fixes; Some others; by Doug Smythies |
226 |
/etc/ldap/slapd.d/cn=config |
227 |
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif |
|
228 |
/etc/ldap/slapd.d/cn=config/cn=schema |
|
229 |
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif |
|
230 |
/etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif |
|
231 |
/etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif |
|
232 |
/etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif |
|
233 |
/etc/ldap/slapd.d/cn=config/cn=schema.ldif |
|
234 |
/etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif |
|
235 |
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif |
|
236 |
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif |
|
237 |
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif |
|
238 |
/etc/ldap/slapd.d/cn=config.ldif |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
239 |
</computeroutput>
|
240 |
</screen>
|
|
241 |
||
242 |
<note>
|
|
243 |
<para>
|
|
244 |
Do not edit the slapd-config database directly. Make changes via the LDAP protocol (utilities). |
|
245 |
</para>
|
|
246 |
</note>
|
|
247 |
||
248 |
</listitem>
|
|
249 |
||
250 |
<listitem>
|
|
251 |
<para>
|
|
252 |
This is what the slapd-config DIT looks like via the LDAP protocol: |
|
253 |
</para>
|
|
254 |
||
239
by Doug Smythies
a bug note; LP: #1419580 |
255 |
<caution>
|
256 |
<para>
|
|
257 |
On Ubuntu server 14.10, and possibly higher, the following command may not work due to a <ulink url="https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1392018">bug</ulink> |
|
258 |
</para>
|
|
259 |
</caution>
|
|
260 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
261 |
<screen>
|
262 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command> |
|
263 |
<computeroutput>
|
|
264 |
dn: cn=config |
|
265 |
||
266 |
dn: cn=module{0},cn=config |
|
267 |
||
268 |
dn: cn=schema,cn=config |
|
269 |
||
270 |
dn: cn={0}core,cn=schema,cn=config |
|
271 |
||
272 |
dn: cn={1}cosine,cn=schema,cn=config |
|
273 |
||
274 |
dn: cn={2}nis,cn=schema,cn=config |
|
275 |
||
276 |
dn: cn={3}inetorgperson,cn=schema,cn=config |
|
277 |
||
278 |
dn: olcBackend={0}hdb,cn=config |
|
279 |
||
280 |
dn: olcDatabase={-1}frontend,cn=config |
|
281 |
||
282 |
dn: olcDatabase={0}config,cn=config |
|
283 |
||
284 |
dn: olcDatabase={1}hdb,cn=config |
|
285 |
</computeroutput>
|
|
286 |
</screen>
|
|
287 |
||
288 |
<para>
|
|
289 |
Explanation of entries: |
|
290 |
</para>
|
|
291 |
||
292 |
<itemizedlist>
|
|
293 |
||
294 |
<listitem>
|
|
295 |
<para>
|
|
296 |
<emphasis>cn=config</emphasis>: global settings |
|
297 |
</para>
|
|
298 |
</listitem>
|
|
299 |
||
300 |
<listitem>
|
|
301 |
<para>
|
|
302 |
<emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module |
|
303 |
</para>
|
|
304 |
</listitem>
|
|
305 |
||
306 |
<listitem>
|
|
307 |
<para>
|
|
308 |
<emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level schema |
|
309 |
</para>
|
|
310 |
</listitem>
|
|
311 |
||
312 |
<listitem>
|
|
313 |
<para>
|
|
314 |
<emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core schema |
|
315 |
</para>
|
|
316 |
</listitem>
|
|
317 |
||
318 |
<listitem>
|
|
319 |
<para>
|
|
320 |
<emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema |
|
321 |
</para>
|
|
322 |
</listitem>
|
|
323 |
||
324 |
<listitem>
|
|
325 |
<para>
|
|
326 |
<emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema |
|
327 |
</para>
|
|
328 |
</listitem>
|
|
329 |
||
330 |
<listitem>
|
|
331 |
<para>
|
|
332 |
<emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the inetorgperson schema |
|
333 |
</para>
|
|
334 |
</listitem>
|
|
335 |
||
336 |
<listitem>
|
|
337 |
<para>
|
|
338 |
<emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type |
|
339 |
</para>
|
|
340 |
</listitem>
|
|
341 |
||
342 |
<listitem>
|
|
343 |
<para>
|
|
344 |
<emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, default settings for other databases |
|
345 |
</para>
|
|
346 |
</listitem>
|
|
347 |
||
348 |
<listitem>
|
|
349 |
<para>
|
|
350 |
<emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration database (cn=config) |
|
351 |
</para>
|
|
352 |
</listitem>
|
|
353 |
||
354 |
<listitem>
|
|
355 |
<para>
|
|
356 |
<emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=examle,dc=com) |
|
357 |
</para>
|
|
358 |
</listitem>
|
|
359 |
||
360 |
</itemizedlist>
|
|
361 |
||
362 |
</listitem>
|
|
363 |
||
364 |
<listitem>
|
|
365 |
||
366 |
<para>
|
|
367 |
This is what the dc=example,dc=com DIT looks like: |
|
368 |
</para>
|
|
369 |
||
370 |
<screen>
|
|
371 |
<command>ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn</command> |
|
372 |
<computeroutput>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
373 |
dn: dc=example,dc=com |
374 |
||
375 |
dn: cn=admin,dc=example,dc=com |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
376 |
</computeroutput>
|
377 |
</screen>
|
|
378 |
||
379 |
<para>
|
|
380 |
Explanation of entries: |
|
381 |
</para>
|
|
382 |
||
383 |
<itemizedlist>
|
|
384 |
||
385 |
<listitem>
|
|
386 |
<para>
|
|
387 |
<emphasis>dc=example,dc=com</emphasis>: base of the DIT |
|
388 |
</para>
|
|
389 |
</listitem>
|
|
390 |
||
391 |
<listitem>
|
|
392 |
<para>
|
|
393 |
<emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for this DIT (set up during package install) |
|
394 |
</para>
|
|
395 |
</listitem>
|
|
396 |
||
397 |
</itemizedlist>
|
|
398 |
||
399 |
</listitem>
|
|
400 |
||
401 |
</itemizedlist>
|
|
402 |
||
403 |
</sect2>
|
|
404 |
||
405 |
<sect2 id="openldap-server-populate" status="review"> |
|
406 |
<title>Modifying/Populating your Database</title> |
|
407 |
||
408 |
<para>
|
|
409 |
Let's introduce some content to our database. We will add the following: |
|
410 |
</para>
|
|
411 |
||
412 |
<itemizedlist>
|
|
413 |
||
414 |
<listitem>
|
|
415 |
<para>
|
|
416 |
a node called <emphasis>People</emphasis> (to store users) |
|
417 |
</para>
|
|
418 |
</listitem>
|
|
419 |
||
420 |
<listitem>
|
|
421 |
<para>
|
|
422 |
a node called <emphasis>Groups</emphasis> (to store groups) |
|
423 |
</para>
|
|
424 |
</listitem>
|
|
425 |
||
426 |
<listitem>
|
|
427 |
<para>
|
|
428 |
a group called <emphasis>miners</emphasis> |
|
429 |
</para>
|
|
430 |
</listitem>
|
|
431 |
||
432 |
<listitem>
|
|
433 |
<para>
|
|
434 |
a user called <emphasis>john</emphasis> |
|
435 |
</para>
|
|
436 |
</listitem>
|
|
437 |
||
438 |
</itemizedlist>
|
|
439 |
||
440 |
<para>
|
|
441 |
Create the following LDIF file and call it <filename>add_content.ldif</filename>: |
|
442 |
</para>
|
|
443 |
||
444 |
<programlisting>
|
|
445 |
dn: ou=People,dc=example,dc=com |
|
446 |
objectClass: organizationalUnit |
|
447 |
ou: People |
|
448 |
||
449 |
dn: ou=Groups,dc=example,dc=com |
|
450 |
objectClass: organizationalUnit |
|
451 |
ou: Groups |
|
452 |
||
453 |
dn: cn=miners,ou=Groups,dc=example,dc=com |
|
454 |
objectClass: posixGroup |
|
455 |
cn: miners |
|
456 |
gidNumber: 5000 |
|
457 |
||
458 |
dn: uid=john,ou=People,dc=example,dc=com |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
459 |
objectClass: inetOrgPerson |
460 |
objectClass: posixAccount |
|
461 |
objectClass: shadowAccount |
|
462 |
uid: john |
|
463 |
sn: Doe |
|
464 |
givenName: John |
|
465 |
cn: John Doe |
|
466 |
displayName: John Doe |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
467 |
uidNumber: 10000 |
468 |
gidNumber: 5000 |
|
469 |
userPassword: johnldap |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
470 |
gecos: John Doe |
471 |
loginShell: /bin/bash |
|
472 |
homeDirectory: /home/john |
|
473 |
</programlisting>
|
|
474 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
475 |
<note>
|
476 |
<para>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
477 |
It's important that uid and gid values in your directory do not collide with local values. Use high number ranges, such as starting at 5000. |
478 |
By setting the uid and gid values in ldap high, you also allow |
|
479 |
for easier control of what can be done with a local user vs a |
|
480 |
ldap one. More on that later. |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
481 |
</para>
|
482 |
</note>
|
|
483 |
||
484 |
<para>
|
|
485 |
Add the content: |
|
486 |
</para>
|
|
487 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
488 |
<screen>
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
489 |
<command>ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif</command> |
490 |
<computeroutput>
|
|
491 |
Enter LDAP Password: <application>********</application> |
|
492 |
adding new entry "ou=People,dc=example,dc=com" |
|
493 |
||
494 |
adding new entry "ou=Groups,dc=example,dc=com" |
|
495 |
||
496 |
adding new entry "cn=miners,ou=Groups,dc=example,dc=com" |
|
497 |
||
498 |
adding new entry "uid=john,ou=People,dc=example,dc=com" |
|
499 |
</computeroutput>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
500 |
</screen>
|
501 |
||
502 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
503 |
We can check that the information has been correctly added with the <application>ldapsearch</application> utility: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
504 |
</para>
|
505 |
||
506 |
<screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
507 |
<command>ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
508 |
<computeroutput>
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
509 |
dn: uid=john,ou=People,dc=example,dc=com |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
510 |
cn: John Doe |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
511 |
gidNumber: 5000 |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
512 |
</computeroutput>
|
513 |
</screen>
|
|
514 |
||
515 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
516 |
Explanation of switches: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
517 |
</para>
|
518 |
||
519 |
<itemizedlist>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
520 |
|
521 |
<listitem>
|
|
522 |
<para>
|
|
523 |
<emphasis>-x:</emphasis> "simple" binding; will not use the default SASL method |
|
524 |
</para>
|
|
525 |
</listitem>
|
|
526 |
||
527 |
<listitem>
|
|
528 |
<para>
|
|
529 |
<emphasis>-LLL:</emphasis> disable printing extraneous information |
|
530 |
</para>
|
|
531 |
</listitem>
|
|
532 |
||
533 |
<listitem>
|
|
534 |
<para>
|
|
535 |
<emphasis>uid=john:</emphasis> a "filter" to find the john user |
|
536 |
</para>
|
|
537 |
</listitem>
|
|
538 |
||
539 |
<listitem>
|
|
540 |
<para>
|
|
541 |
<emphasis>cn gidNumber:</emphasis> requests certain attributes to be displayed (the default is to show all attributes) |
|
542 |
</para>
|
|
543 |
</listitem>
|
|
544 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
545 |
</itemizedlist>
|
546 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
547 |
</sect2>
|
548 |
||
549 |
<sect2 id="openldap-configuration" status="review"> |
|
550 |
<title>Modifying the slapd Configuration Database</title> |
|
551 |
||
552 |
<para>
|
|
553 |
The slapd-config DIT can also be queried and modified. Here are a few examples. |
|
554 |
</para>
|
|
555 |
||
556 |
<itemizedlist>
|
|
557 |
||
558 |
<listitem>
|
|
559 |
<para>
|
|
560 |
Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}hdb,cn=config</application> |
|
561 |
database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents: |
|
562 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
563 |
|
564 |
<programlisting>
|
|
565 |
dn: olcDatabase={1}hdb,cn=config |
|
566 |
add: olcDbIndex |
|
567 |
olcDbIndex: uid eq,pres,sub |
|
568 |
</programlisting>
|
|
569 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
570 |
<para>
|
571 |
Then issue the command: |
|
572 |
</para>
|
|
573 |
||
574 |
<screen>
|
|
575 |
<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command> |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
576 |
<computeroutput>
|
577 |
modifying entry "olcDatabase={1}hdb,cn=config" |
|
578 |
</computeroutput>
|
|
579 |
</screen>
|
|
580 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
581 |
<para>
|
582 |
You can confirm the change in this way: |
|
583 |
</para>
|
|
584 |
||
585 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
586 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
|
587 |
cn=config '(olcDatabase={1}hdb)' olcDbIndex</command>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
588 |
<computeroutput>
|
589 |
dn: olcDatabase={1}hdb,cn=config |
|
590 |
olcDbIndex: objectClass eq |
|
591 |
olcDbIndex: uid eq,pres,sub |
|
592 |
</computeroutput>
|
|
593 |
</screen>
|
|
594 |
||
595 |
</listitem>
|
|
596 |
||
597 |
<listitem>
|
|
598 |
<para>
|
|
599 |
Let's add a schema. It will first need to be converted to LDIF format. You can find unconverted |
|
600 |
schemas in addition to converted ones in the <filename role="directory">/etc/ldap/schema</filename> directory. |
|
601 |
</para>
|
|
602 |
||
603 |
<note>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
604 |
<itemizedlist>
|
605 |
<listitem>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
606 |
<para>
|
607 |
It is not trivial to remove a schema from the slapd-config database. Practice adding schemas on a test system. |
|
608 |
</para>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
609 |
</listitem>
|
610 |
||
611 |
<listitem>
|
|
612 |
<para>
|
|
613 |
Before adding any schema, you should check which schemas are |
|
614 |
already installed (shown is a default, out-of-the-box output): |
|
615 |
</para>
|
|
616 |
||
617 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
618 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
|
619 |
cn=schema,cn=config dn</command>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
620 |
<computeroutput>
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
621 |
dn: cn=schema,cn=config |
622 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
623 |
dn: cn={0}core,cn=schema,cn=config |
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
624 |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
625 |
dn: cn={1}cosine,cn=schema,cn=config |
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
626 |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
627 |
dn: cn={2}nis,cn=schema,cn=config |
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
628 |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
629 |
dn: cn={3}inetorgperson,cn=schema,cn=config |
630 |
</computeroutput>
|
|
631 |
</screen>
|
|
632 |
</listitem>
|
|
633 |
||
634 |
</itemizedlist>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
635 |
</note>
|
636 |
||
637 |
<para>
|
|
638 |
In the following example we'll add the CORBA schema. |
|
639 |
</para>
|
|
640 |
||
641 |
<procedure>
|
|
642 |
||
643 |
<step>
|
|
644 |
<para>
|
|
645 |
Create the conversion configuration file <filename>schema_convert.conf</filename> containing the |
|
646 |
following lines: |
|
647 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
648 |
|
649 |
<programlisting>
|
|
650 |
include /etc/ldap/schema/core.schema |
|
651 |
include /etc/ldap/schema/collective.schema |
|
652 |
include /etc/ldap/schema/corba.schema |
|
653 |
include /etc/ldap/schema/cosine.schema |
|
654 |
include /etc/ldap/schema/duaconf.schema |
|
655 |
include /etc/ldap/schema/dyngroup.schema |
|
656 |
include /etc/ldap/schema/inetorgperson.schema |
|
657 |
include /etc/ldap/schema/java.schema |
|
658 |
include /etc/ldap/schema/misc.schema |
|
659 |
include /etc/ldap/schema/nis.schema |
|
660 |
include /etc/ldap/schema/openldap.schema |
|
661 |
include /etc/ldap/schema/ppolicy.schema |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
662 |
include /etc/ldap/schema/ldapns.schema |
663 |
include /etc/ldap/schema/pmi.schema |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
664 |
</programlisting>
|
665 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
666 |
</step>
|
667 |
||
668 |
<step>
|
|
669 |
<para>
|
|
670 |
Create the output directory <filename>ldif_output</filename>. |
|
671 |
</para>
|
|
672 |
</step>
|
|
673 |
||
674 |
<step>
|
|
675 |
<para>
|
|
676 |
Determine the index of the schema: |
|
677 |
</para>
|
|
678 |
||
679 |
<screen>
|
|
680 |
<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema</command> |
|
681 |
<computeroutput>
|
|
682 |
cn={1}corba,cn=schema,cn=config |
|
683 |
</computeroutput>
|
|
684 |
</screen>
|
|
685 |
||
686 |
<note>
|
|
687 |
<para>
|
|
134
by Doug Smythies
typos and link issues |
688 |
When slapd ingests objects with the same parent DN it will create an <emphasis>index</emphasis> for that object. |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
689 |
An index is contained within braces: <application>{X}</application>. |
690 |
</para>
|
|
691 |
</note>
|
|
692 |
||
693 |
</step>
|
|
694 |
||
695 |
<step>
|
|
696 |
<para>
|
|
697 |
Use <application>slapcat</application> to perform the conversion: |
|
698 |
</para>
|
|
699 |
||
700 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
701 |
<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \
|
702 |
ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif</command>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
703 |
</screen>
|
704 |
||
705 |
<para>
|
|
706 |
The converted schema is now in <filename>cn=corba.ldif</filename> |
|
707 |
</para>
|
|
708 |
</step>
|
|
709 |
||
710 |
<step>
|
|
711 |
<para>
|
|
712 |
Edit <filename>cn=corba.ldif</filename> to arrive at the following attributes: |
|
713 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
714 |
|
715 |
<programlisting>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
716 |
dn: cn=corba,cn=schema,cn=config |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
717 |
... |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
718 |
cn: corba |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
719 |
</programlisting>
|
720 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
721 |
<para>
|
722 |
Also remove the following lines from the bottom: |
|
723 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
724 |
|
725 |
<programlisting>
|
|
726 |
structuralObjectClass: olcSchemaConfig |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
727 |
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478 |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
728 |
creatorsName: cn=config |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
729 |
createTimestamp: 20110829165435Z |
730 |
entryCSN: 20110829165435.935248Z#000000#000#000000 |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
731 |
modifiersName: cn=config |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
732 |
modifyTimestamp: 20110829165435Z |
733 |
</programlisting>
|
|
734 |
||
735 |
<para>
|
|
736 |
Your attribute values will vary. |
|
737 |
</para>
|
|
738 |
</step>
|
|
739 |
||
740 |
<step>
|
|
741 |
<para>
|
|
742 |
Finally, use <application>ldapadd</application> to add the new schema to the slapd-config DIT: |
|
743 |
</para>
|
|
744 |
||
745 |
<screen>
|
|
746 |
<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif</command> |
|
747 |
<computeroutput>
|
|
748 |
adding new entry "cn=corba,cn=schema,cn=config" |
|
749 |
</computeroutput>
|
|
750 |
</screen>
|
|
751 |
||
752 |
</step>
|
|
753 |
||
754 |
<step>
|
|
755 |
<para>
|
|
756 |
Confirm currently loaded schemas: |
|
757 |
</para>
|
|
758 |
||
759 |
<screen>
|
|
760 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn</command> |
|
761 |
<computeroutput>
|
|
762 |
dn: cn=schema,cn=config |
|
763 |
||
764 |
dn: cn={0}core,cn=schema,cn=config |
|
765 |
||
766 |
dn: cn={1}cosine,cn=schema,cn=config |
|
767 |
||
768 |
dn: cn={2}nis,cn=schema,cn=config |
|
769 |
||
770 |
dn: cn={3}inetorgperson,cn=schema,cn=config |
|
771 |
||
772 |
dn: cn={4}corba,cn=schema,cn=config |
|
773 |
</computeroutput>
|
|
774 |
</screen>
|
|
775 |
||
776 |
</step>
|
|
777 |
||
778 |
</procedure>
|
|
779 |
||
780 |
</listitem>
|
|
781 |
||
782 |
</itemizedlist>
|
|
783 |
||
784 |
<note>
|
|
785 |
<para>
|
|
786 |
For external applications and clients to authenticate using LDAP they will each need to be specifically |
|
787 |
configured to do so. Refer to the appropriate client-side documentation for details. |
|
788 |
</para>
|
|
789 |
</note>
|
|
790 |
||
791 |
</sect2>
|
|
792 |
||
793 |
<sect2 id="openldap-server-logging" status="review"> |
|
794 |
<title>Logging</title> |
|
795 |
||
796 |
<para>
|
|
797 |
Activity logging for slapd is indispensible when implementing an OpenLDAP-based solution yet it must be manually enabled after |
|
798 |
software installation. Otherwise, only rudimentary messages will appear in the logs. Logging, like any other slapd configuration, |
|
799 |
is enabled via the slapd-config database. |
|
800 |
</para>
|
|
801 |
||
802 |
<para>
|
|
803 |
OpenLDAP comes with multiple logging subsystems (levels) with each one containing the lower one (additive). A good level to |
|
5.4.3
by Peter Matulis
Edits made based on merge proposal; subchapter 6.1 |
804 |
try is <emphasis>stats</emphasis>. The <ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html">slapd-config</ulink> |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
805 |
man page has more to say on the different subsystems. |
806 |
</para>
|
|
807 |
||
808 |
<para>
|
|
809 |
Create the file <filename>logging.ldif</filename> with the following contents: |
|
810 |
</para>
|
|
811 |
||
812 |
<programlisting>
|
|
813 |
dn: cn=config |
|
814 |
changetype: modify |
|
226.1.1
by Peter Matulis
LP_1100472; slapd logging config |
815 |
replace: olcLogLevel |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
816 |
olcLogLevel: stats |
817 |
</programlisting>
|
|
818 |
||
819 |
<para>
|
|
820 |
Implement the change: |
|
821 |
</para>
|
|
822 |
||
823 |
<screen>
|
|
824 |
<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif</command> |
|
825 |
</screen>
|
|
826 |
||
827 |
<para>
|
|
828 |
This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system |
|
829 |
is in production. While in this verbose mode your host's syslog engine (rsyslog) may have a hard time keeping up and may drop |
|
830 |
messages: |
|
831 |
</para>
|
|
832 |
||
833 |
<programlisting>
|
|
834 |
rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting |
|
835 |
</programlisting>
|
|
836 |
||
837 |
<para>
|
|
838 |
You may consider a change to rsyslog's configuration. In <filename>/etc/rsyslog.conf</filename>, put: |
|
839 |
</para>
|
|
840 |
||
841 |
<programlisting>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
842 |
# Disable rate limiting |
843 |
# (default is 200 messages in 5 seconds; below we make the 5 become 0) |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
844 |
$SystemLogRateLimitInterval 0 |
845 |
</programlisting>
|
|
846 |
||
847 |
<para>
|
|
848 |
And then restart the rsyslog daemon: |
|
849 |
</para>
|
|
850 |
||
851 |
<screen>
|
|
852 |
<command>sudo service rsyslog restart</command> |
|
853 |
</screen>
|
|
854 |
||
855 |
</sect2>
|
|
856 |
||
857 |
<sect2 id="openldap-server-replication" status="review"> |
|
858 |
<title>Replication</title> |
|
859 |
||
860 |
<para>
|
|
861 |
The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment, |
|
862 |
it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become |
|
863 |
unresponsive. This is done through <emphasis>LDAP replication</emphasis>. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
864 |
</para>
|
865 |
||
866 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
867 |
Replication is achieved via the <emphasis>Syncrepl</emphasis> engine. This allows changes to be synchronized using a |
868 |
<emphasis>Consumer</emphasis> - <emphasis>Provider</emphasis> model. The specific kind of replication we will implement |
|
869 |
in this guide is a combination of the following modes: <emphasis>refreshAndPersist</emphasis> and <emphasis>delta-syncrepl</emphasis>. |
|
870 |
This has the Provider push changed entries to the Consumer as soon as they're made but, in addition, only actual changes will |
|
871 |
be sent, not entire entries. |
|
872 |
</para>
|
|
873 |
||
874 |
<sect3 id="openldap-provider-configuration" status="review"> |
|
875 |
<title>Provider Configuration</title> |
|
876 |
||
877 |
<para>
|
|
878 |
Begin by configuring the <emphasis>Provider</emphasis>. |
|
879 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
880 |
|
881 |
<procedure>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
882 |
|
883 |
<step>
|
|
884 |
<para>
|
|
885 |
Create an LDIF file with the following contents and name it <filename>provider_sync.ldif</filename>: |
|
886 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
887 |
|
888 |
<programlisting>
|
|
889 |
# Add indexes to the frontend db. |
|
890 |
dn: olcDatabase={1}hdb,cn=config |
|
891 |
changetype: modify |
|
892 |
add: olcDbIndex |
|
893 |
olcDbIndex: entryCSN eq |
|
894 |
- |
|
895 |
add: olcDbIndex |
|
896 |
olcDbIndex: entryUUID eq |
|
897 |
||
898 |
#Load the syncprov and accesslog modules. |
|
899 |
dn: cn=module{0},cn=config |
|
900 |
changetype: modify |
|
901 |
add: olcModuleLoad |
|
902 |
olcModuleLoad: syncprov |
|
903 |
- |
|
904 |
add: olcModuleLoad |
|
905 |
olcModuleLoad: accesslog |
|
906 |
||
907 |
# Accesslog database definitions |
|
908 |
dn: olcDatabase={2}hdb,cn=config |
|
909 |
objectClass: olcDatabaseConfig |
|
910 |
objectClass: olcHdbConfig |
|
911 |
olcDatabase: {2}hdb |
|
912 |
olcDbDirectory: /var/lib/ldap/accesslog |
|
913 |
olcSuffix: cn=accesslog |
|
914 |
olcRootDN: cn=admin,dc=example,dc=com |
|
915 |
olcDbIndex: default eq |
|
916 |
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart |
|
917 |
||
918 |
# Accesslog db syncprov. |
|
919 |
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config |
|
920 |
changetype: add |
|
921 |
objectClass: olcOverlayConfig |
|
922 |
objectClass: olcSyncProvConfig |
|
923 |
olcOverlay: syncprov |
|
924 |
olcSpNoPresent: TRUE |
|
925 |
olcSpReloadHint: TRUE |
|
926 |
||
927 |
# syncrepl Provider for primary db |
|
928 |
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config |
|
929 |
changetype: add |
|
930 |
objectClass: olcOverlayConfig |
|
931 |
objectClass: olcSyncProvConfig |
|
932 |
olcOverlay: syncprov |
|
933 |
olcSpNoPresent: TRUE |
|
934 |
||
935 |
# accesslog overlay definitions for primary db |
|
936 |
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config |
|
937 |
objectClass: olcOverlayConfig |
|
938 |
objectClass: olcAccessLogConfig |
|
939 |
olcOverlay: accesslog |
|
940 |
olcAccessLogDB: cn=accesslog |
|
941 |
olcAccessLogOps: writes |
|
942 |
olcAccessLogSuccess: TRUE |
|
943 |
# scan the accesslog DB every day, and purge entries older than 7 days |
|
944 |
olcAccessLogPurge: 07+00:00 01+00:00 |
|
945 |
</programlisting>
|
|
946 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
947 |
<para>
|
948 |
Change the rootDN in the LDIF file to match the one you have for your directory. |
|
949 |
</para>
|
|
950 |
||
951 |
</step>
|
|
952 |
||
953 |
<step>
|
|
954 |
<para>
|
|
224.1.1
by Peter Matulis
LP_745120; the chosen accesslog directory already accessible with default apparmor config |
955 |
The <application>apparmor</application> profile for slapd will not need to be adjusted for the |
956 |
accesslog database location since <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> contains: |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
957 |
</para>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
958 |
|
959 |
<programlisting>
|
|
224.1.1
by Peter Matulis
LP_745120; the chosen accesslog directory already accessible with default apparmor config |
960 |
/var/lib/ldap/ r, |
961 |
/var/lib/ldap/** rwk, |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
962 |
</programlisting>
|
963 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
964 |
<para>
|
965 |
Create a directory, set up a databse config file, and reload the apparmor profile: |
|
966 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
967 |
|
968 |
<screen>
|
|
969 |
<command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
970 |
<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog</command> |
971 |
<command>sudo service apparmor reload</command> |
|
972 |
</screen>
|
|
973 |
||
974 |
</step>
|
|
975 |
||
976 |
<step>
|
|
977 |
<para>
|
|
978 |
Add the new content and, due to the apparmor change, restart the daemon: |
|
979 |
</para>
|
|
980 |
||
981 |
<screen>
|
|
982 |
<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command> |
|
983 |
<command>sudo service slapd restart</command> |
|
984 |
</screen>
|
|
985 |
||
986 |
</step>
|
|
987 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
988 |
</procedure>
|
989 |
||
990 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
991 |
The Provider is now configured. |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
992 |
</para>
|
993 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
994 |
</sect3>
|
995 |
||
996 |
<sect3 id="openldap-consumer-configuration" status="review"> |
|
997 |
<title>Consumer Configuration</title> |
|
998 |
||
999 |
<para>
|
|
1000 |
And now configure the <emphasis>Consumer</emphasis>. |
|
1001 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1002 |
|
1003 |
<procedure>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1004 |
|
1005 |
<step>
|
|
1006 |
<para>
|
|
1007 |
Install the software by going through <xref linkend="openldap-server-installation"/>. Make sure the slapd-config |
|
1008 |
databse is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same. |
|
1009 |
</para>
|
|
1010 |
</step>
|
|
1011 |
||
1012 |
<step>
|
|
1013 |
<para>
|
|
1014 |
Create an LDIF file with the following contents and name it <filename>consumer_sync.ldif</filename>: |
|
1015 |
</para>
|
|
1016 |
||
1017 |
<programlisting>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1018 |
dn: cn=module{0},cn=config |
1019 |
changetype: modify |
|
1020 |
add: olcModuleLoad |
|
1021 |
olcModuleLoad: syncprov |
|
1022 |
||
1023 |
dn: olcDatabase={1}hdb,cn=config |
|
1024 |
changetype: modify |
|
1025 |
add: olcDbIndex |
|
1026 |
olcDbIndex: entryUUID eq |
|
1027 |
- |
|
1028 |
add: olcSyncRepl |
|
1029 |
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com" |
|
1030 |
credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog" |
|
1031 |
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
|
|
1032 |
type=refreshAndPersist retry="60 +" syncdata=accesslog |
|
1033 |
- |
|
1034 |
add: olcUpdateRef |
|
1035 |
olcUpdateRef: ldap://ldap01.example.com |
|
1036 |
</programlisting>
|
|
1037 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1038 |
<para>
|
1039 |
Ensure the following attributes have the correct values: |
|
1040 |
</para>
|
|
1041 |
||
1042 |
<itemizedlist>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
1043 |
<listitem><para><emphasis>provider</emphasis> (Provider server's hostname -- ldap01.example.com in this example -- or IP address)</para></listitem> |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1044 |
<listitem><para><emphasis>binddn</emphasis> (the admin DN you're using)</para></listitem> |
1045 |
<listitem><para><emphasis>credentials</emphasis> (the admin DN password you're using)</para></listitem> |
|
1046 |
<listitem><para><emphasis>searchbase</emphasis> (the database suffix you're using)</para></listitem> |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
1047 |
<listitem><para><emphasis>olcUpdateRef</emphasis> (Provider server's hostname or IP address)</para></listitem> |
1048 |
<listitem><para><emphasis>rid</emphasis> (Replica ID, an unique |
|
1049 |
3-digit that identifies the replica. Each consumer should have at |
|
1050 |
least one rid)</para></listitem>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1051 |
</itemizedlist>
|
1052 |
||
1053 |
</step>
|
|
1054 |
||
1055 |
<step>
|
|
1056 |
||
1057 |
<para>
|
|
1058 |
Add the new content: |
|
1059 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1060 |
|
1061 |
<screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1062 |
<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1063 |
</screen>
|
1064 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1065 |
</step>
|
1066 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1067 |
</procedure>
|
1068 |
||
1069 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1070 |
You're done. The two databases (suffix: dc=example,dc=com) should now be synchronizing. |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1071 |
</para>
|
1072 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
1073 |
</sect3>
|
1074 |
||
1075 |
<sect3 id="openldap-testing" status="review"> |
|
1076 |
<title>Testing</title> |
|
1077 |
||
1078 |
<para>
|
|
1079 |
Once replication starts, you can monitor it by running |
|
1080 |
</para>
|
|
1081 |
||
1082 |
<screen>
|
|
112
by Doug Smythies
command fix per LP: #1064766; by Doug Smythies |
1083 |
<command>ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=example,dc=com contextCSN</command> |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
1084 |
<computeroutput>
|
1085 |
dn: dc=example,dc=com |
|
1086 |
contextCSN: 20120201193408.178454Z#000000#000#000000 |
|
1087 |
</computeroutput>
|
|
1088 |
</screen>
|
|
1089 |
||
1090 |
<para>
|
|
1091 |
on both the provider and the consumer. |
|
1092 |
Once the output |
|
1093 |
(<computeroutput>20120201193408.178454Z#000000#000#000000</computeroutput> |
|
1094 |
in the above example) for both machines match, you have replication. |
|
1095 |
Every time a change is done in the provider, this value will |
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
1096 |
change and so should the one in the consumer(s). |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
1097 |
</para>
|
1098 |
||
1099 |
<para>
|
|
1100 |
If your connection is slow and/or your ldap database large, it might |
|
1101 |
take a while for the consumer's <emphasis>contextCSN</emphasis> |
|
1102 |
match the provider's. But, you will know it is progressing since the |
|
1103 |
consumer's <emphasis>contextCSN</emphasis> will be steadly |
|
1104 |
increasing. |
|
1105 |
</para>
|
|
1106 |
||
1107 |
<para>
|
|
1108 |
If the consumer's <emphasis>contextCSN</emphasis> is missing or does not |
|
1109 |
match the provider, you should stop and figure out the issue before continuing. |
|
1110 |
Try checking the slapd (syslog) and the auth log files in the provider |
|
1111 |
to see if the consumer's authentication requests were successful or |
|
1112 |
its requests to retrieve data (they look like a lot of ldapsearch |
|
1113 |
statements) return no errors. |
|
1114 |
</para>
|
|
1115 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1116 |
<para>
|
1117 |
To test if it worked simply query, on the Consumer, the DNs in the database: |
|
1118 |
</para>
|
|
1119 |
||
1120 |
<screen>
|
|
1121 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn</command> |
|
1122 |
</screen>
|
|
1123 |
||
1124 |
<para>
|
|
1125 |
You should see the user 'john' and the group 'miners' as well as the nodes 'People' and 'Groups'. |
|
1126 |
</para>
|
|
1127 |
||
1128 |
</sect3>
|
|
1129 |
||
1130 |
</sect2>
|
|
1131 |
||
1132 |
<sect2 id="openldap-server-acl" status="review"> |
|
1133 |
<title>Access Control</title> |
|
1134 |
||
1135 |
<para>
|
|
1136 |
The management of what type of access (read, write, etc) users should be granted to resources is known as |
|
1137 |
<emphasis>access control</emphasis>. The configuration directives involved are called <emphasis>access control lists</emphasis> or ACL. |
|
1138 |
</para>
|
|
1139 |
||
1140 |
<para>
|
|
1141 |
When we installed the slapd package various ACL were set up automatically. We will look at a few important consequences of those |
|
1142 |
defaults and, in so doing, we'll get an idea of how ACLs work and how they're configured. |
|
1143 |
</para>
|
|
1144 |
||
1145 |
<para>
|
|
1146 |
To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the |
|
1147 |
special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The |
|
1148 |
frontend database is the second to be consulted and the ACL to be applied is the first to match ("first match wins") among these 2 |
|
1149 |
ACL sources. The following commands will give, respectively, the ACLs of the hdb database ("dc=example,dc=com") and those of the |
|
1150 |
frontend database: |
|
1151 |
</para>
|
|
1152 |
||
1153 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1154 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
|
1155 |
cn=config '(olcDatabase={1}hdb)' olcAccess</command>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1156 |
<computeroutput>
|
1157 |
dn: olcDatabase={1}hdb,cn=config |
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1158 |
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous |
1159 |
auth by dn="cn=admin,dc=example,dc=com" write by * none |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1160 |
olcAccess: {1}to dn.base="" by * read |
1161 |
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * |
|
1162 |
read |
|
1163 |
</computeroutput>
|
|
1164 |
</screen>
|
|
1165 |
||
1166 |
<note>
|
|
1167 |
<para>
|
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
1168 |
The rootDN always has full rights to its database. Including it in an ACL does provide an explicit configuration but it also causes |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
1169 |
slapd to incur a performance penalty. |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1170 |
</para>
|
1171 |
</note>
|
|
1172 |
||
1173 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1174 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
|
1175 |
cn=config '(olcDatabase={-1}frontend)' olcAccess</command>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1176 |
<computeroutput>
|
1177 |
dn: olcDatabase={-1}frontend,cn=config |
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1178 |
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred, |
1179 |
cn=external,cn=auth manage by * break |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1180 |
olcAccess: {1}to dn.exact="" by * read |
1181 |
olcAccess: {2}to dn.base="cn=Subschema" by * read |
|
1182 |
</computeroutput>
|
|
1183 |
</screen>
|
|
1184 |
||
1185 |
<para>
|
|
1186 |
The very first ACL is crucial: |
|
1187 |
</para>
|
|
1188 |
||
1189 |
<programlisting>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1190 |
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous |
1191 |
auth by dn="cn=admin,dc=example,dc=com" write by * none |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1192 |
</programlisting>
|
1193 |
||
1194 |
<para>
|
|
1195 |
This can be represented differently for easier digestion: |
|
1196 |
</para>
|
|
1197 |
||
1198 |
<programlisting>
|
|
1199 |
to attrs=userPassword |
|
1200 |
by self write |
|
1201 |
by anonymous auth |
|
1202 |
by dn="cn=admin,dc=example,dc=com" write |
|
1203 |
by * none |
|
1204 |
||
1205 |
to attrs=shadowLastChange |
|
1206 |
by self write |
|
1207 |
by anonymous auth |
|
1208 |
by dn="cn=admin,dc=example,dc=com" write |
|
1209 |
by * none |
|
1210 |
</programlisting>
|
|
1211 |
||
1212 |
<para>
|
|
1213 |
This compound ACL (there are 2) enforces the following: |
|
1214 |
</para>
|
|
1215 |
||
1216 |
<itemizedlist>
|
|
1217 |
||
1218 |
<listitem>
|
|
1219 |
<para>
|
|
1220 |
Anonymous 'auth' access is provided to the <emphasis>userPassword</emphasis> attribute for the initial connection to |
|
1221 |
occur. Perhaps counter-intuitively, 'by anonymous auth' is needed even when anonymous access to the DIT is |
|
1222 |
unwanted. Once the remote end is connected, howerver, authentication can occur (see next point). |
|
1223 |
</para>
|
|
1224 |
</listitem>
|
|
1225 |
||
1226 |
<listitem>
|
|
1227 |
<para>
|
|
1228 |
Authentication can happen because all users have 'read' (due to 'by self write') access to the <emphasis>userPassword</emphasis> attribute. |
|
1229 |
</para>
|
|
1230 |
</listitem>
|
|
1231 |
||
1232 |
<listitem>
|
|
1233 |
<para>
|
|
1234 |
The <emphasis>userPassword</emphasis> attribute is otherwise unaccessible by all other users, with the exception of the rootDN, who |
|
1235 |
has complete access to it. |
|
1236 |
</para>
|
|
1237 |
</listitem>
|
|
1238 |
||
1239 |
<listitem>
|
|
1240 |
<para>
|
|
1241 |
In order for users to change their own password, using <command>passwd</command> or other utilities, the |
|
1242 |
<emphasis>shadowLastChange</emphasis> attribute needs to be accessible once a user has authenticated. |
|
1243 |
</para>
|
|
1244 |
</listitem>
|
|
1245 |
||
1246 |
</itemizedlist>
|
|
1247 |
||
1248 |
<para>
|
|
5.4.2
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1249 |
This DIT can be searched anonymously because of 'by * read' in this ACL: |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1250 |
</para>
|
1251 |
||
1252 |
<programlisting>
|
|
1253 |
to * |
|
1254 |
by self write |
|
1255 |
by dn="cn=admin,dc=example,dc=com" write |
|
1256 |
by * read |
|
1257 |
</programlisting>
|
|
1258 |
||
1259 |
<para>
|
|
5.4.2
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1260 |
If this is unwanted then you need to change the ACLs. To force authentication during a bind request you can alternatively (or |
1261 |
in combination with the modified ACL) use the 'olcRequire: authc' directive. |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1262 |
</para>
|
1263 |
||
1264 |
<para>
|
|
1265 |
As previously mentioned, there is no administrative account created for the slapd-config database. There is, however, a SASL |
|
1266 |
identity that is granted full access to it. It represents the localhost's superuser (root/sudo). Here it is: |
|
1267 |
</para>
|
|
1268 |
||
1269 |
<programlisting>
|
|
1270 |
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|
1271 |
</programlisting>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1272 |
|
1273 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1274 |
The following command will display the ACLs of the slapd-config database: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1275 |
</para>
|
1276 |
||
1277 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1278 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
|
1279 |
cn=config '(olcDatabase={0}config)' olcAccess</command>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1280 |
<computeroutput>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1281 |
dn: olcDatabase={0}config,cn=config |
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1282 |
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred, |
1283 |
cn=external,cn=auth manage by * break |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1284 |
</computeroutput>
|
1285 |
</screen>
|
|
1286 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1287 |
<para>
|
1288 |
Since this is a SASL identity we need to use a SASL <emphasis>mechanism</emphasis> when invoking the LDAP utility in question and |
|
124.1.1
by Benjamin Kerensa
Remove extra and from network-auth.xml |
1289 |
we have seen it plenty of times in this guide. It is the EXTERNAL mechanism. See the previous command for an example. Note that: |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1290 |
</para>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1291 |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1292 |
<procedure>
|
1293 |
||
1294 |
<step>
|
|
1295 |
<para>
|
|
1296 |
You must use <emphasis>sudo</emphasis> to become the root identity in order for the ACL to match. |
|
1297 |
</para>
|
|
1298 |
</step>
|
|
1299 |
||
1300 |
<step>
|
|
1301 |
<para>
|
|
1302 |
The EXTERNAL mechanism works via <emphasis>IPC</emphasis> (UNIX domain sockets). This means you must use the <emphasis>ldapi</emphasis> |
|
1303 |
URI format. |
|
1304 |
</para>
|
|
1305 |
</step>
|
|
1306 |
||
1307 |
</procedure>
|
|
1308 |
||
1309 |
<para>
|
|
1310 |
A succinct way to get all the ACLs is like this: |
|
1311 |
</para>
|
|
1312 |
||
1313 |
<screen>
|
|
67.1.1
by Doug Smythies
serverguide-pdf-part-03; PDF truncation issues part 3 of 3 |
1314 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
|
1315 |
cn=config '(olcAccess=*)' olcAccess olcSuffix</command>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1316 |
</screen>
|
1317 |
||
1318 |
<para>
|
|
1319 |
There is much to say on the topic of access control. See the man page for |
|
5.4.3
by Peter Matulis
Edits made based on merge proposal; subchapter 6.1 |
1320 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html">slapd.access</ulink>. |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1321 |
</para>
|
1322 |
||
1323 |
</sect2>
|
|
1324 |
||
1325 |
<sect2 id="openldap-tls" status="review"> |
|
1326 |
<title>TLS</title> |
|
1327 |
||
1328 |
<para>
|
|
1329 |
When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport |
|
1330 |
Layer Security (TLS). |
|
1331 |
</para>
|
|
1332 |
||
1333 |
<para>
|
|
1334 |
Here, we will be our own <emphasis>Certificate Authority</emphasis> and then create and sign our LDAP server certificate as that CA. |
|
1335 |
Since <application>slapd</application> is compiled using the <application>gnutls</application> library, we will use the |
|
1336 |
<application>certtool</application> utility to complete these tasks. |
|
1337 |
</para>
|
|
1338 |
||
1339 |
<procedure>
|
|
1340 |
||
1341 |
<step>
|
|
1342 |
<para>
|
|
33
by Connor Imes
Fix package install explanation to list the correct package ssl-cert rather than gnutls-bin twice |
1343 |
Install the <application>gnutls-bin</application> and <application>ssl-cert</application> packages: |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1344 |
</para>
|
1345 |
||
1346 |
<screen>
|
|
1347 |
<command>sudo apt-get install gnutls-bin ssl-cert</command> |
|
1348 |
</screen>
|
|
1349 |
||
1350 |
</step>
|
|
1351 |
||
1352 |
<step>
|
|
1353 |
<para>
|
|
1354 |
Create a private key for the Certificate Authority: |
|
1355 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1356 |
|
1357 |
<screen>
|
|
1358 |
<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"</command> |
|
1359 |
</screen>
|
|
1360 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1361 |
</step>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1362 |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1363 |
<step>
|
1364 |
<para>
|
|
1365 |
Create the template/file <filename>/etc/ssl/ca.info</filename> to define the CA: |
|
1366 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1367 |
|
1368 |
<programlisting>
|
|
1369 |
cn = Example Company |
|
1370 |
ca |
|
1371 |
cert_signing_key |
|
1372 |
</programlisting>
|
|
1373 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1374 |
</step>
|
1375 |
||
1376 |
<step>
|
|
1377 |
<para>
|
|
1378 |
Create the self-signed CA certificate: |
|
1379 |
</para>
|
|
1380 |
||
1381 |
<screen>
|
|
1382 |
<command>sudo certtool --generate-self-signed \
|
|
1383 |
--load-privkey /etc/ssl/private/cakey.pem \ |
|
1384 |
--template /etc/ssl/ca.info \ |
|
1385 |
--outfile /etc/ssl/certs/cacert.pem</command>
|
|
1386 |
</screen>
|
|
1387 |
||
1388 |
</step>
|
|
1389 |
||
1390 |
<step>
|
|
1391 |
<para>
|
|
1392 |
Make a private key for the server: |
|
1393 |
</para>
|
|
1394 |
||
1395 |
<screen>
|
|
1396 |
<command>sudo certtool --generate-privkey \
|
|
1397 |
--bits 1024 \ |
|
1398 |
--outfile /etc/ssl/private/ldap01_slapd_key.pem</command>
|
|
1399 |
</screen>
|
|
1400 |
||
1401 |
<note>
|
|
1402 |
<para>
|
|
1403 |
Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and |
|
1404 |
key for the host and service that will be using them will help keep things clear. |
|
1405 |
</para>
|
|
1406 |
</note>
|
|
1407 |
||
1408 |
</step>
|
|
1409 |
||
1410 |
<step>
|
|
1411 |
<para>
|
|
1412 |
Create the <filename>/etc/ssl/ldap01.info</filename> info file containing: |
|
1413 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1414 |
|
1415 |
<programlisting>
|
|
1416 |
organization = Example Company |
|
1417 |
cn = ldap01.example.com |
|
1418 |
tls_www_server |
|
1419 |
encryption_key |
|
1420 |
signing_key |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1421 |
expiration_days = 3650 |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1422 |
</programlisting>
|
1423 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1424 |
<para>
|
1425 |
The above certificate is good for 10 years. Adjust accordingly. |
|
1426 |
</para>
|
|
1427 |
</step>
|
|
1428 |
||
1429 |
<step>
|
|
1430 |
<para>
|
|
1431 |
Create the server's certificate: |
|
1432 |
</para>
|
|
1433 |
||
1434 |
<screen>
|
|
1435 |
<command>sudo certtool --generate-certificate \
|
|
1436 |
--load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ |
|
1437 |
--load-ca-certificate /etc/ssl/certs/cacert.pem \ |
|
1438 |
--load-ca-privkey /etc/ssl/private/cakey.pem \ |
|
1439 |
--template /etc/ssl/ldap01.info \ |
|
1440 |
--outfile /etc/ssl/certs/ldap01_slapd_cert.pem</command>
|
|
1441 |
</screen>
|
|
1442 |
||
1443 |
</step>
|
|
1444 |
||
1445 |
</procedure>
|
|
1446 |
||
1447 |
<para>
|
|
33.5.3
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections |
1448 |
Create the file <filename>certinfo.ldif</filename> with the following contents (adjust accordingly, our example assumes we created certs using https://www.cacert.org): |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1449 |
</para>
|
1450 |
||
1451 |
<programlisting>
|
|
1452 |
dn: cn=config |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1453 |
add: olcTLSCACertificateFile |
1454 |
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem |
|
1455 |
- |
|
1456 |
add: olcTLSCertificateFile |
|
1457 |
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem |
|
1458 |
- |
|
1459 |
add: olcTLSCertificateKeyFile |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1460 |
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem |
1461 |
</programlisting>
|
|
1462 |
||
1463 |
<para>
|
|
1464 |
Use the <application>ldapmodify</application> command to tell slapd about our TLS work via the slapd-config database: |
|
1465 |
</para>
|
|
1466 |
||
1467 |
<screen>
|
|
1468 |
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif</command> |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1469 |
</screen>
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1470 |
|
1471 |
<para>
|
|
1472 |
Contratry to popular belief, you do not need <emphasis>ldaps://</emphasis> in <filename>/etc/default/slapd</filename> |
|
1473 |
in order to use encryption. You should have just: |
|
1474 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1475 |
|
1476 |
<programlisting>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1477 |
SLAPD_SERVICES="ldap:/// ldapi:///" |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1478 |
</programlisting>
|
1479 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1480 |
<note>
|
1481 |
<para>
|
|
1482 |
LDAP over TLS/SSL (ldaps://) is deprecated in favour of <emphasis>StartTLS</emphasis>. The latter refers to an |
|
1483 |
existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a |
|
1484 |
distinct encrypted-from-the-start protocol that operates over TCP port 636. |
|
1485 |
</para>
|
|
1486 |
</note>
|
|
1487 |
||
1488 |
||
1489 |
<para>
|
|
1490 |
Tighten up ownership and permissions: |
|
1491 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1492 |
|
1493 |
<screen>
|
|
1494 |
<command>sudo adduser openldap ssl-cert</command> |
|
1495 |
<command>sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem</command> |
|
1496 |
<command>sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem</command> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1497 |
<command>sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1498 |
</screen>
|
1499 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1500 |
<para>
|
1501 |
Restart OpenLDAP: |
|
1502 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1503 |
|
1504 |
<screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1505 |
<command>sudo service slapd restart</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1506 |
</screen>
|
1507 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1508 |
<para>
|
1509 |
Check your host's logs (/var/log/syslog) to see if the server has started properly. |
|
1510 |
</para>
|
|
1511 |
||
1512 |
</sect2>
|
|
1513 |
||
1514 |
<sect2 id="openldap-tls-replication" status="review"> |
|
1515 |
<title>Replication and TLS</title> |
|
1516 |
||
1517 |
<para>
|
|
1518 |
If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent |
|
1519 |
evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that |
|
1520 |
TLS-authentication work. |
|
1521 |
</para>
|
|
1522 |
||
1523 |
<para>
|
|
1524 |
The assumption here is that you have set up replication between Provider and Consumer according to <xref linkend="openldap-server-replication"/> |
|
1525 |
and have configured TLS for authentication on the Provider by following <xref linkend="openldap-tls"/>. |
|
1526 |
</para>
|
|
1527 |
||
1528 |
<para>
|
|
1529 |
As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for |
|
1530 |
authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt |
|
1531 |
replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. |
|
1532 |
We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the |
|
1533 |
necessary material over to the Consumer. |
|
1534 |
</para>
|
|
1535 |
||
1536 |
<procedure>
|
|
1537 |
||
1538 |
<step>
|
|
1539 |
<para>
|
|
1540 |
On the Provider, |
|
1541 |
</para>
|
|
1542 |
||
1543 |
<para>
|
|
1544 |
Create a holding directory (which will be used for the eventual transfer) and then the Consumer's private key: |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1545 |
</para>
|
1546 |
||
1547 |
<screen>
|
|
1548 |
<command>mkdir ldap02-ssl</command> |
|
1549 |
<command>cd ldap02-ssl</command> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1550 |
<command>sudo certtool --generate-privkey \
|
1551 |
--bits 1024 \ |
|
1552 |
--outfile ldap02_slapd_key.pem</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1553 |
</screen>
|
1554 |
||
1555 |
<para>
|
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
1556 |
Create an info file, <filename>ldap02.info</filename>, for the Consumer server, adjusting its values accordingly: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1557 |
</para>
|
1558 |
||
1559 |
<programlisting>
|
|
1560 |
organization = Example Company |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1561 |
cn = ldap02.example.com |
1562 |
tls_www_server |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1563 |
encryption_key |
1564 |
signing_key |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1565 |
expiration_days = 3650 |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1566 |
</programlisting>
|
1567 |
||
1568 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1569 |
Create the Consumer's certificate: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1570 |
</para>
|
1571 |
||
1572 |
<screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1573 |
<command>sudo certtool --generate-certificate \
|
1574 |
--load-privkey ldap02_slapd_key.pem \ |
|
1575 |
--load-ca-certificate /etc/ssl/certs/cacert.pem \ |
|
1576 |
--load-ca-privkey /etc/ssl/private/cakey.pem \ |
|
1577 |
--template ldap02.info \ |
|
1578 |
--outfile ldap02_slapd_cert.pem</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1579 |
</screen>
|
1580 |
||
1581 |
<para>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1582 |
Get a copy of the CA certificate: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1583 |
</para>
|
1584 |
||
1585 |
<screen>
|
|
1586 |
<command>cp /etc/ssl/certs/cacert.pem .</command> |
|
1587 |
</screen>
|
|
1588 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1589 |
<para>
|
1590 |
We're done. Now transfer the <filename>ldap02-ssl</filename> directory to the Consumer. Here we use scp (adjust accordingly): |
|
1591 |
</para>
|
|
1592 |
||
1593 |
<screen>
|
|
1594 |
<command>cd ..</command> |
|
1595 |
<command>scp -r ldap02-ssl user@consumer:</command> |
|
1596 |
</screen>
|
|
1597 |
||
1598 |
</step>
|
|
1599 |
||
1600 |
<step>
|
|
1601 |
<para>
|
|
1602 |
On the Consumer, |
|
1603 |
</para>
|
|
1604 |
||
1605 |
<para>
|
|
1606 |
Configure TLS authentication: |
|
1607 |
</para>
|
|
1608 |
||
1609 |
<screen>
|
|
1610 |
<command>sudo apt-get install ssl-cert</command> |
|
1611 |
<command>sudo adduser openldap ssl-cert</command> |
|
1612 |
<command>sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs</command> |
|
1613 |
<command>sudo cp ldap02_slapd_key.pem /etc/ssl/private</command> |
|
1614 |
<command>sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem</command> |
|
1615 |
<command>sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem</command> |
|
1616 |
<command>sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem</command> |
|
1617 |
</screen>
|
|
1618 |
||
1619 |
<para>
|
|
1620 |
Create the file <filename>/etc/ssl/certinfo.ldif</filename> with the following contents (adjust accordingly): |
|
1621 |
</para>
|
|
1622 |
||
1623 |
<programlisting>
|
|
1624 |
dn: cn=config |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1625 |
add: olcTLSCACertificateFile |
1626 |
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem |
|
1627 |
- |
|
1628 |
add: olcTLSCertificateFile |
|
1629 |
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem |
|
1630 |
- |
|
1631 |
add: olcTLSCertificateKeyFile |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1632 |
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem |
1633 |
</programlisting>
|
|
1634 |
||
1635 |
<para>
|
|
1636 |
Configure the slapd-config database: |
|
1637 |
</para>
|
|
1638 |
||
1639 |
<screen>
|
|
1640 |
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif</command> |
|
1641 |
</screen>
|
|
1642 |
||
1643 |
<para>
|
|
1644 |
Configure <filename>/etc/default/slapd</filename> as on the Provider (SLAPD_SERVICES). |
|
1645 |
</para>
|
|
1646 |
</step>
|
|
1647 |
||
1648 |
<step>
|
|
1649 |
<para>
|
|
1650 |
On the Consumer, |
|
1651 |
</para>
|
|
1652 |
||
1653 |
<para>
|
|
1654 |
Configure TLS for Consumer-side replication. Modify the existing <emphasis>olcSyncrepl</emphasis> attribute by tacking |
|
1655 |
on some TLS options. In so doing, we will see, for the first time, how to change an attribute's value(s). |
|
1656 |
</para>
|
|
1657 |
||
1658 |
<para>
|
|
1659 |
Create the file <filename>consumer_sync_tls.ldif</filename> with the following contents: |
|
1660 |
</para>
|
|
1661 |
||
1662 |
<programlisting>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1663 |
dn: olcDatabase={1}hdb,cn=config |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1664 |
replace: olcSyncRepl |
1665 |
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple |
|
1666 |
binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" |
|
1667 |
logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
|
|
1668 |
schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog |
|
153
by Doug Smythies
typoes and porgramlisting fixes; LP: #1197137 LP: #1197143 LP: #1200816 |
1669 |
starttls=critical tls_reqcert=demand |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1670 |
</programlisting>
|
1671 |
||
1672 |
<para>
|
|
1673 |
The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the |
|
1674 |
Provider's identity. Also note the LDIF syntax for changing the values of an attribute ('replace'). |
|
1675 |
</para>
|
|
1676 |
||
1677 |
<para>
|
|
1678 |
Implement these changes: |
|
1679 |
</para>
|
|
1680 |
||
1681 |
<screen>
|
|
1682 |
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif</command> |
|
1683 |
</screen>
|
|
1684 |
||
1685 |
<para>
|
|
1686 |
And restart slapd: |
|
1687 |
</para>
|
|
1688 |
||
1689 |
<screen>
|
|
1690 |
<command>sudo service slapd restart</command> |
|
1691 |
</screen>
|
|
1692 |
||
1693 |
</step>
|
|
1694 |
||
1695 |
<step>
|
|
1696 |
<para>
|
|
1697 |
On the Provider, |
|
1698 |
</para>
|
|
1699 |
||
1700 |
<para>
|
|
1701 |
Check to see that a TLS session has been established. In <filename>/var/log/syslog</filename>, providing you have |
|
1702 |
'conns'-level logging set up, you should see messages similar to: |
|
1703 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1704 |
|
1705 |
<programlisting>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1706 |
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389) |
1707 |
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037 |
|
1708 |
slapd[3620]: conn=1047 op=0 STARTTLS |
|
1709 |
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text= |
|
1710 |
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128 |
|
1711 |
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128 |
|
1712 |
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 |
|
1713 |
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1714 |
</programlisting>
|
1715 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1716 |
</step>
|
1717 |
||
1718 |
</procedure>
|
|
1719 |
||
1720 |
</sect2>
|
|
1721 |
||
1722 |
<sect2 id="openldap-auth-config" status="review"> |
|
1723 |
<title>LDAP Authentication</title> |
|
1724 |
||
1725 |
<para>
|
|
1726 |
Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. |
|
125
by Doug Smythies
MP: #157459 and LP: #1165007; LP: #1165165; LP# 1165184; modify httpd.conf description; POT file |
1727 |
On Ubuntu, this has been traditionally accomplished by installing the <application>libnss-ldap</application> package. This package |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1728 |
will bring in other tools that will assist you in the configuration step. Install this package now: |
1729 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1730 |
|
1731 |
<screen>
|
|
1732 |
<command>sudo apt-get install libnss-ldap</command> |
|
1733 |
</screen>
|
|
1734 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1735 |
<para>
|
5.4.2
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1736 |
You will be prompted for details of your LDAP server. If you make a mistake you can try again using: |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1737 |
</para>
|
1738 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1739 |
<screen>
|
1740 |
<command>sudo dpkg-reconfigure ldap-auth-config</command> |
|
1741 |
</screen>
|
|
1742 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1743 |
<para>
|
1744 |
The results of the dialog can be seen in <filename>/etc/ldap.conf</filename>. If your server requires options not covered in the menu |
|
1745 |
edit this file accordingly. |
|
1746 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1747 |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1748 |
<para>
|
1749 |
Now configure the LDAP profile for NSS: |
|
1750 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1751 |
|
1752 |
<screen>
|
|
1753 |
<command>sudo auth-client-config -t nss -p lac_ldap</command> |
|
1754 |
</screen>
|
|
1755 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1756 |
<para>
|
1757 |
Configure the system to use LDAP for authentication: |
|
1758 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1759 |
|
1760 |
<screen>
|
|
1761 |
<command>sudo pam-auth-update</command> |
|
1762 |
</screen>
|
|
1763 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1764 |
<para>
|
1765 |
From the menu, choose LDAP and any other authentication mechanisms you need. |
|
1766 |
</para>
|
|
1767 |
||
1768 |
<para>
|
|
1769 |
You should now be able to log in using LDAP-based credentials. |
|
1770 |
</para>
|
|
1771 |
||
1772 |
<para>
|
|
1773 |
LDAP clients will need to refer to multiple servers if replication is in use. In <filename>/etc/ldap.conf</filename> you would |
|
1774 |
have something like: |
|
1775 |
</para>
|
|
1776 |
||
1777 |
<programlisting>
|
|
1778 |
uri ldap://ldap01.example.com ldap://ldap02.example.com |
|
1779 |
</programlisting>
|
|
1780 |
||
1781 |
<para>
|
|
1782 |
The request will time out and the Consumer (ldap02) will attempt to be reached if the Provider (ldap01) becomes unresponsive. |
|
1783 |
</para>
|
|
1784 |
||
1785 |
<para>
|
|
1786 |
If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP. See |
|
1787 |
<xref linkend="samba-ldap"/> for details. |
|
1788 |
</para>
|
|
5.4.2
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1789 |
|
1790 |
<note>
|
|
1791 |
<para>
|
|
1792 |
An alternative to the <application>libnss-ldap</application> package is the <application>libnss-ldapd</application> |
|
1793 |
package. This, however, will bring in the <application>nscd</application> package which is problably not wanted. Simply |
|
1794 |
remove it afterwards. |
|
1795 |
</para>
|
|
1796 |
</note>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1797 |
|
1798 |
</sect2>
|
|
1799 |
||
1800 |
<sect2 id="ldap-usergroup-management" status="review"> |
|
1801 |
<title>User and Group Management</title> |
|
1802 |
||
1803 |
<para>
|
|
1804 |
The <application>ldap-utils</application> package comes with enough utilities to manage the directory but the long string of |
|
1805 |
options needed can make them a burden to use. The <application>ldapscripts</application> package contains wrapper scripts to these |
|
1806 |
utilities that some people find easier to use. |
|
1807 |
</para>
|
|
1808 |
||
1809 |
<para>
|
|
1810 |
Install the package: |
|
1811 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1812 |
|
1813 |
<screen>
|
|
1814 |
<command>sudo apt-get install ldapscripts</command> |
|
1815 |
</screen>
|
|
1816 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1817 |
<para>
|
1818 |
Then edit the file <filename>/etc/ldapscripts/ldapscripts.conf</filename> to arrive at something similar to the following: |
|
1819 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1820 |
|
1821 |
<programlisting>
|
|
1822 |
SERVER=localhost |
|
1823 |
BINDDN='cn=admin,dc=example,dc=com' |
|
1824 |
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" |
|
1825 |
SUFFIX='dc=example,dc=com' |
|
1826 |
GSUFFIX='ou=Groups' |
|
1827 |
USUFFIX='ou=People' |
|
1828 |
MSUFFIX='ou=Computers' |
|
1829 |
GIDSTART=10000 |
|
1830 |
UIDSTART=10000 |
|
1831 |
MIDSTART=10000 |
|
1832 |
</programlisting>
|
|
1833 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1834 |
<para>
|
1835 |
Now, create the <filename>ldapscripts.passwd</filename> file to allow rootDN access to the directory: |
|
1836 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1837 |
|
1838 |
<screen>
|
|
1839 |
<command>sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"</command> |
|
1840 |
<command>sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd</command> |
|
1841 |
</screen>
|
|
1842 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1843 |
<note>
|
1844 |
<para>
|
|
1845 |
Replace <quote>secret</quote> with the actual password for your database's rootDN user. |
|
1846 |
</para>
|
|
1847 |
</note>
|
|
1848 |
||
1849 |
<para>
|
|
1850 |
The scripts are now ready to help manage your directory. Here are some examples of how to use them: |
|
1851 |
</para>
|
|
1852 |
||
1853 |
<itemizedlist>
|
|
1854 |
||
1855 |
<listitem>
|
|
1856 |
<para>
|
|
1857 |
Create a new user: |
|
1858 |
</para>
|
|
1859 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1860 |
<screen>
|
1861 |
<command>sudo ldapadduser george example</command> |
|
1862 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1863 |
|
1864 |
<para>
|
|
1865 |
This will create a user with uid <emphasis role="italic">george</emphasis> and set the user's primary group (gid) to |
|
1866 |
<emphasis role="italic">example</emphasis> |
|
1867 |
</para>
|
|
1868 |
</listitem>
|
|
1869 |
||
1870 |
<listitem>
|
|
1871 |
<para>
|
|
1872 |
Change a user's password: |
|
1873 |
</para>
|
|
1874 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1875 |
<screen>
|
1876 |
<command>sudo ldapsetpasswd george</command> |
|
1877 |
<computeroutput>Changing password for user uid=george,ou=People,dc=example,dc=com</computeroutput> |
|
1878 |
<userinput>New Password: </userinput> |
|
1879 |
<userinput>New Password (verify): </userinput> |
|
1880 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1881 |
|
1882 |
</listitem>
|
|
1883 |
||
1884 |
<listitem>
|
|
1885 |
<para>
|
|
1886 |
Delete a user: |
|
1887 |
</para>
|
|
1888 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1889 |
<screen>
|
1890 |
<command>sudo ldapdeleteuser george</command> |
|
1891 |
</screen>
|
|
1892 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1893 |
</listitem>
|
1894 |
||
1895 |
<listitem>
|
|
1896 |
<para>
|
|
1897 |
Add a group: |
|
1898 |
</para>
|
|
1899 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1900 |
<screen>
|
1901 |
<command>sudo ldapaddgroup qa</command> |
|
1902 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1903 |
|
1904 |
</listitem>
|
|
1905 |
||
1906 |
<listitem>
|
|
1907 |
<para>
|
|
1908 |
Delete a group: |
|
1909 |
</para>
|
|
1910 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1911 |
<screen>
|
1912 |
<command>sudo ldapdeletegroup qa</command> |
|
1913 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1914 |
|
1915 |
</listitem>
|
|
1916 |
||
1917 |
<listitem>
|
|
1918 |
<para>
|
|
1919 |
Add a user to a group: |
|
1920 |
</para>
|
|
1921 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1922 |
<screen>
|
1923 |
<command>sudo ldapaddusertogroup george qa</command> |
|
1924 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1925 |
|
1926 |
<para>
|
|
1927 |
You should now see a <emphasis>memberUid</emphasis> attribute for the <emphasis role="italic">qa</emphasis> group with |
|
1928 |
a value of <emphasis role="italic">george</emphasis>. |
|
1929 |
</para>
|
|
1930 |
</listitem>
|
|
1931 |
||
1932 |
<listitem>
|
|
1933 |
<para>
|
|
1934 |
Remove a user from a group: |
|
1935 |
</para>
|
|
1936 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1937 |
<screen>
|
1938 |
<command>sudo ldapdeleteuserfromgroup george qa</command> |
|
1939 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1940 |
|
1941 |
<para>
|
|
1942 |
The <emphasis>memberUid</emphasis> attribute should now be removed from the <emphasis role="italic">qa</emphasis> |
|
1943 |
group. |
|
1944 |
</para>
|
|
1945 |
</listitem>
|
|
1946 |
||
1947 |
<listitem>
|
|
1948 |
<para>
|
|
1949 |
The <application>ldapmodifyuser</application> script allows you to add, remove, or replace a user's attributes. |
|
1950 |
The script uses the same syntax as the <application>ldapmodify</application> utility. For example: |
|
1951 |
</para>
|
|
1952 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1953 |
<screen>
|
1954 |
<command>sudo ldapmodifyuser george</command> |
|
1955 |
<computeroutput># About to modify the following entry :
|
|
1956 |
dn: uid=george,ou=People,dc=example,dc=com |
|
1957 |
objectClass: account |
|
1958 |
objectClass: posixAccount |
|
1959 |
cn: george |
|
1960 |
uid: george |
|
1961 |
uidNumber: 1001 |
|
1962 |
gidNumber: 1001 |
|
1963 |
homeDirectory: /home/george |
|
1964 |
loginShell: /bin/bash |
|
1965 |
gecos: george |
|
1966 |
description: User account |
|
1967 |
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk= |
|
1968 |
||
1969 |
# Enter your modifications here, end with CTRL-D. |
|
1970 |
dn: uid=george,ou=People,dc=example,dc=com</computeroutput>
|
|
1971 |
<userinput>replace: gecos
|
|
1972 |
gecos: George Carlin</userinput>
|
|
1973 |
</screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1974 |
|
1975 |
<para>
|
|
1976 |
The user's <emphasis>gecos</emphasis> should now be <quote>George Carlin</quote>. |
|
1977 |
</para>
|
|
1978 |
</listitem>
|
|
1979 |
||
1980 |
<listitem>
|
|
1981 |
<para>
|
|
1982 |
A nice feature of <application>ldapscripts</application> is the template system. Templates allow you to customize the |
|
125
by Doug Smythies
MP: #157459 and LP: #1165007; LP: #1165165; LP# 1165184; modify httpd.conf description; POT file |
1983 |
attributes of user, group, and machine objects. For example, to enable the <emphasis>user</emphasis> template edit |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1984 |
<filename>/etc/ldapscripts/ldapscripts.conf</filename> changing: |
1985 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1986 |
|
1987 |
<programlisting>
|
|
1988 |
UTEMPLATE="/etc/ldapscripts/ldapadduser.template" |
|
1989 |
</programlisting>
|
|
1990 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1991 |
<para>
|
221.1.1
by Peter Matulis
LP_1225404; ldapscripts location |
1992 |
There are <emphasis role="italic">sample</emphasis> templates in the <filename>/usr/share/doc/ldapscripts/examples</filename> directory. |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1993 |
Copy or rename the <filename>ldapadduser.template.sample</filename> file to |
1994 |
<filename>/etc/ldapscripts/ldapadduser.template</filename>: |
|
1995 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
1996 |
|
1997 |
<screen>
|
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
1998 |
<command>sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
|
1999 |
/etc/ldapscripts/ldapadduser.template</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2000 |
</screen>
|
2001 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2002 |
<para>
|
2003 |
Edit the new template to add the desired attributes. The following will create new users with an objectClass of |
|
2004 |
inetOrgPerson: |
|
2005 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2006 |
|
2007 |
<programlisting>
|
|
2008 |
dn: uid=<user>,<usuffix>,<suffix> |
|
2009 |
objectClass: inetOrgPerson |
|
2010 |
objectClass: posixAccount |
|
2011 |
cn: <user> |
|
2012 |
sn: <ask> |
|
2013 |
uid: <user> |
|
2014 |
uidNumber: <uid> |
|
2015 |
gidNumber: <gid> |
|
2016 |
homeDirectory: <home> |
|
2017 |
loginShell: <shell> |
|
2018 |
gecos: <user> |
|
2019 |
description: User account |
|
2020 |
title: Employee |
|
2021 |
</programlisting>
|
|
2022 |
||
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2023 |
<para>
|
2024 |
Notice the <emphasis><ask></emphasis> option used for the <emphasis>sn</emphasis> attribute. This |
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
2025 |
will make <application>ldapadduser</application> prompt you for its value. |
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2026 |
</para>
|
2027 |
</listitem>
|
|
2028 |
||
2029 |
</itemizedlist>
|
|
2030 |
||
2031 |
<para>
|
|
2032 |
There are utilities in the package that were not covered here. Here is a complete list: |
|
2033 |
</para>
|
|
2034 |
||
2035 |
<programlisting>
|
|
5.4.3
by Peter Matulis
Edits made based on merge proposal; subchapter 6.1 |
2036 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenamemachine.1.html">ldaprenamemachine</ulink> |
2037 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html">ldapadduser</ulink> |
|
2038 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuserfromgroup.1.html">ldapdeleteuserfromgroup</ulink> |
|
2039 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapfinger.1.html">ldapfinger</ulink> |
|
2040 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapid.1.html">ldapid</ulink> |
|
2041 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapgid.1.html">ldapgid</ulink> |
|
2042 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifyuser.1.html">ldapmodifyuser</ulink> |
|
2043 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenameuser.1.html">ldaprenameuser</ulink> |
|
2044 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/lsldap.1.html">lsldap</ulink> |
|
2045 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddusertogroup.1.html">ldapaddusertogroup</ulink> |
|
2046 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapsetpasswd.1.html">ldapsetpasswd</ulink> |
|
2047 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapinit.1.html">ldapinit</ulink> |
|
2048 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddgroup.1.html">ldapaddgroup</ulink> |
|
2049 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeletegroup.1.html">ldapdeletegroup</ulink> |
|
2050 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifygroup.1.html">ldapmodifygroup</ulink> |
|
2051 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeletemachine.1.html">ldapdeletemachine</ulink> |
|
2052 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldaprenamegroup.1.html">ldaprenamegroup</ulink> |
|
2053 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapaddmachine.1.html">ldapaddmachine</ulink> |
|
2054 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapmodifymachine.1.html">ldapmodifymachine</ulink> |
|
2055 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapsetprimarygroup.1.html">ldapsetprimarygroup</ulink> |
|
2056 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuser.1.html">ldapdeleteuser</ulink> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2057 |
</programlisting>
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2058 |
|
2059 |
</sect2>
|
|
2060 |
||
2061 |
<sect2 id="ldap-backup" status="review"> |
|
2062 |
<title>Backup and Restore</title> |
|
2063 |
||
2064 |
<para>
|
|
2065 |
Now we have ldap running just the way we want, it is time to |
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2066 |
ensure we can save all of our work and restore it as needed. |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2067 |
</para>
|
2068 |
||
2069 |
<para>
|
|
2070 |
What we need is a way to backup the ldap database(s), specifically |
|
2071 |
the backend (cn=config) and frontend (dc=example,dc=com). |
|
2072 |
If we are going to backup those databases into, say, |
|
2073 |
<filename>/export/backup</filename>, we could use |
|
2074 |
<application>slapcat</application> |
|
2075 |
as shown in the following script, |
|
2076 |
called <filename>/usr/local/bin/ldapbackup</filename>: |
|
2077 |
</para>
|
|
2078 |
||
2079 |
<programlisting>
|
|
2080 |
#!/bin/bash |
|
2081 |
||
2082 |
BACKUP_PATH=/export/backup |
|
2083 |
SLAPCAT=/usr/sbin/slapcat |
|
2084 |
||
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2085 |
nice ${SLAPCAT} -n 0 > ${BACKUP_PATH}/config.ldif |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2086 |
nice ${SLAPCAT} -n 1 > ${BACKUP_PATH}/example.com.ldif |
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2087 |
nice ${SLAPCAT} -n 2 > ${BACKUP_PATH}/access.ldif |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2088 |
chmod 640 ${BACKUP_PATH}/*.ldif |
2089 |
</programlisting>
|
|
2090 |
||
2091 |
<note>
|
|
2092 |
<para>
|
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2093 |
These files are uncompressed text files containing |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2094 |
everything in your ldap databases including the tree |
2095 |
layout, usernames, and every password. So, you might |
|
2096 |
want to consider making <filename>/export/backup</filename> |
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2097 |
an encrypted partition and even having the script encrypt |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2098 |
those files as it creates them. Ideally you should do both, |
2099 |
but that depends on your security requirements. |
|
2100 |
</para>
|
|
2101 |
</note>
|
|
2102 |
||
2103 |
<para>
|
|
2104 |
Then, it is just a matter of having a cron script to run this |
|
2105 |
program as often as we feel comfortable with. For many, once a day |
|
2106 |
suffices. For others, more often is required. Here is an example |
|
2107 |
of a cron script called <filename>/etc/cron.d/ldapbackup</filename> |
|
2108 |
that is run every night at 22:45h: |
|
2109 |
</para>
|
|
2110 |
||
2111 |
<programlisting>
|
|
2112 |
MAILTO=backup-emails@domain.com |
|
2113 |
45 22 * * * root /usr/local/bin/ldapbackup |
|
2114 |
</programlisting>
|
|
2115 |
||
2116 |
<para>
|
|
2117 |
Now the files are created, they should be copied to a backup |
|
2118 |
server. |
|
2119 |
</para>
|
|
2120 |
||
2121 |
<para>
|
|
2122 |
Assuming we did a fresh reinstall of ldap, the restore process |
|
2123 |
could be something like this: |
|
2124 |
</para>
|
|
2125 |
||
2126 |
<screen>
|
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2127 |
<command>sudo service slapd stop</command> |
2128 |
<command>sudo mkdir /var/lib/ldap/accesslog</command> |
|
2129 |
<command>sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif</command> |
|
2130 |
<command>sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/domain.com.ldif</command> |
|
2131 |
<command>sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif</command> |
|
2132 |
<command>sudo chown -R openldap:openldap /etc/ldap/slapd.d/</command> |
|
2133 |
<command>sudo chown -R openldap:openldap /var/lib/ldap/</command> |
|
2134 |
<command>sudo service slapd start</command> |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2135 |
</screen>
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2136 |
|
2137 |
</sect2>
|
|
2138 |
||
2139 |
<sect2 id="openldap-server-resources" status="review"> |
|
2140 |
<title>Resources</title> |
|
2141 |
||
2142 |
<itemizedlist>
|
|
2143 |
||
2144 |
<listitem>
|
|
2145 |
<para>
|
|
2146 |
The primary resource is the upstream documentation: <ulink url="http://www.openldap.org/">www.openldap.org</ulink> |
|
2147 |
</para>
|
|
2148 |
</listitem>
|
|
2149 |
||
2150 |
<listitem>
|
|
2151 |
<para>
|
|
2152 |
There are many man pages that come with the slapd package. Here are some important ones, especially considering the material |
|
2153 |
presented in this guide: |
|
2154 |
</para>
|
|
2155 |
||
2156 |
<programlisting>
|
|
5.4.3
by Peter Matulis
Edits made based on merge proposal; subchapter 6.1 |
2157 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/slapd.8.html">slapd</ulink> |
2158 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html">slapd-config</ulink> |
|
2159 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html">slapd.access</ulink> |
|
2160 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man5/slapo-syncprov.5.html">slapo-syncprov</ulink> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2161 |
</programlisting>
|
2162 |
||
2163 |
</listitem>
|
|
2164 |
||
2165 |
<listitem>
|
|
2166 |
<para>
|
|
2167 |
Other man pages: |
|
2168 |
</para>
|
|
2169 |
||
2170 |
<programlisting>
|
|
5.4.3
by Peter Matulis
Edits made based on merge proposal; subchapter 6.1 |
2171 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/auth-client-config.8.html">auth-client-config</ulink> |
2172 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/pam-auth-update.8.html">pam-auth-update</ulink> |
|
5.4.1
by Peter Matulis
Reviewing and editing subchapter 6.1 |
2173 |
</programlisting>
|
2174 |
||
2175 |
</listitem>
|
|
2176 |
||
2177 |
<listitem>
|
|
2178 |
<para>
|
|
2179 |
Zytrax's <ulink url="http://www.zytrax.com/books/ldap/">LDAP for Rocket Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP |
|
2180 |
</para>
|
|
2181 |
</listitem>
|
|
2182 |
||
2183 |
<listitem>
|
|
2184 |
<para>
|
|
2185 |
A Ubuntu community <ulink url="https://help.ubuntu.com/community/OpenLDAPServer">OpenLDAP wiki</ulink> page has a collection of notes |
|
2186 |
</para>
|
|
2187 |
</listitem>
|
|
2188 |
||
2189 |
<listitem>
|
|
2190 |
<para>
|
|
2191 |
O'Reilly's <ulink url="http://www.oreilly.com/catalog/ldapsa/">LDAP System Administration</ulink> (textbook; 2003) |
|
2192 |
</para>
|
|
2193 |
</listitem>
|
|
2194 |
||
2195 |
<listitem>
|
|
2196 |
<para>
|
|
2197 |
Packt's <ulink url="http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book">Mastering OpenLDAP</ulink> (textbook; 2007) |
|
2198 |
</para>
|
|
2199 |
</listitem>
|
|
2200 |
||
2201 |
</itemizedlist>
|
|
2202 |
</sect2>
|
|
2203 |
||
2204 |
</sect1>
|
|
2205 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2206 |
<sect1 id="samba-ldap" status="review"> |
2207 |
<title>Samba and LDAP</title> |
|
2208 |
||
2209 |
<para>
|
|
5.3.2
by Peter Matulis
Reviewing subchapter 6.2 |
2210 |
This section covers the integration of Samba with LDAP. The Samba server's role will be that of a "standalone" server and the LDAP |
2211 |
directory will provide the authentication layer in addition to containing the user, group, and machine account information that Samba |
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
2212 |
requires in order to function (in any of its 3 possible roles). The pre-requisite is an OpenLDAP server configured with a directory |
5.3.2
by Peter Matulis
Reviewing subchapter 6.2 |
2213 |
that can accept authentication requests. See <xref linkend="openldap-server"/> for details on fulfilling this requirement. Once this |
2214 |
section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly. |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2215 |
</para>
|
2216 |
||
2217 |
<sect2 id="samba-ldap-installation" status="review"> |
|
2218 |
<title>Software Installation</title> |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2219 |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2220 |
<para>
|
2221 |
There are three packages needed when integrating Samba with LDAP: <application>samba</application>, <application>samba-doc</application>, |
|
2222 |
and <application>smbldap-tools</application> packages. |
|
2223 |
</para>
|
|
2224 |
||
2225 |
<para>
|
|
2226 |
Strictly speaking, the <application>smbldap-tools</application> package isn't needed, but unless you have some other way to manage the various |
|
125.2.1
by Benjamin Donald-Wilson
Small typo fix (LP: #1165405) |
2227 |
Samba entities (users, groups, computers) in an LDAP context then you should install it. |
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2228 |
</para>
|
2229 |
||
2230 |
<para>
|
|
2231 |
Install these packages now: |
|
2232 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2233 |
|
2234 |
<screen>
|
|
2235 |
<command>sudo apt-get install samba samba-doc smbldap-tools</command> |
|
2236 |
</screen>
|
|
2237 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2238 |
</sect2>
|
2239 |
||
2240 |
<sect2 id="samba-ldap-openldap-configuration" status="review"> |
|
2241 |
<title>LDAP Configuration</title> |
|
2242 |
||
2243 |
<para>
|
|
2244 |
We will now configure the LDAP server so that it can accomodate Samba data. We will perform three tasks in this section: |
|
2245 |
</para>
|
|
2246 |
||
2247 |
<procedure>
|
|
2248 |
||
2249 |
<step>
|
|
2250 |
<para>Import a schema</para> |
|
2251 |
</step>
|
|
2252 |
||
2253 |
<step>
|
|
2254 |
<para>Index some entries</para> |
|
2255 |
</step>
|
|
2256 |
||
2257 |
<step>
|
|
2258 |
<para>Add objects</para> |
|
2259 |
</step>
|
|
2260 |
||
2261 |
</procedure>
|
|
2262 |
||
2263 |
<sect3 id="samba-ldap-openldap-configuration-samba-schema" status="review"> |
|
2264 |
<title>Samba schema</title> |
|
2265 |
||
2266 |
<para>
|
|
2267 |
In order for OpenLDAP to be used as a backend for Samba, logically, the DIT will need to use attributes that can properly describe |
|
2268 |
Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Let's do this now. |
|
2269 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2270 |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2271 |
<note>
|
2272 |
<para>
|
|
2273 |
For more information on schemas and their installation see <xref linkend="openldap-configuration"/>. |
|
2274 |
</para>
|
|
2275 |
</note>
|
|
2276 |
||
2277 |
<procedure>
|
|
2278 |
||
2279 |
<step>
|
|
2280 |
<para>
|
|
2281 |
The schema is found in the now-installed <application>samba-doc</application> package. It needs to be unzipped and copied to |
|
2282 |
the <filename>/etc/ldap/schema</filename> directory: |
|
2283 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2284 |
|
2285 |
<screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2286 |
<command>sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2287 |
<command>sudo gzip -d /etc/ldap/schema/samba.schema.gz</command> |
2288 |
</screen>
|
|
2289 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2290 |
</step>
|
2291 |
||
2292 |
<step>
|
|
2293 |
<para>
|
|
2294 |
Have the configuration file <filename>schema_convert.conf</filename> that contains the following lines: |
|
2295 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2296 |
|
2297 |
<programlisting>
|
|
2298 |
include /etc/ldap/schema/core.schema |
|
2299 |
include /etc/ldap/schema/collective.schema |
|
2300 |
include /etc/ldap/schema/corba.schema |
|
2301 |
include /etc/ldap/schema/cosine.schema |
|
2302 |
include /etc/ldap/schema/duaconf.schema |
|
2303 |
include /etc/ldap/schema/dyngroup.schema |
|
2304 |
include /etc/ldap/schema/inetorgperson.schema |
|
2305 |
include /etc/ldap/schema/java.schema |
|
2306 |
include /etc/ldap/schema/misc.schema |
|
2307 |
include /etc/ldap/schema/nis.schema |
|
2308 |
include /etc/ldap/schema/openldap.schema |
|
2309 |
include /etc/ldap/schema/ppolicy.schema |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2310 |
include /etc/ldap/schema/ldapns.schema |
2311 |
include /etc/ldap/schema/pmi.schema |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2312 |
include /etc/ldap/schema/samba.schema |
2313 |
</programlisting>
|
|
2314 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2315 |
</step>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2316 |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2317 |
<step>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2318 |
<para>
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2319 |
Have the directory <filename>ldif_output</filename> hold output. |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2320 |
</para>
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2321 |
</step>
|
2322 |
||
2323 |
<step>
|
|
2324 |
<para>
|
|
2325 |
Determine the index of the schema: |
|
2326 |
</para>
|
|
2327 |
||
2328 |
<screen>
|
|
2329 |
<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema</command> |
|
2330 |
<computeroutput>
|
|
2331 |
dn: cn={14}samba,cn=schema,cn=config |
|
2332 |
</computeroutput>
|
|
2333 |
</screen>
|
|
2334 |
||
2335 |
</step>
|
|
2336 |
||
2337 |
<step>
|
|
2338 |
<para>
|
|
2339 |
Convert the schema to LDIF format: |
|
2340 |
</para>
|
|
2341 |
||
2342 |
<screen>
|
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
2343 |
<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \
|
2344 |
ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif</command>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2345 |
</screen>
|
2346 |
||
2347 |
</step>
|
|
2348 |
||
2349 |
<step>
|
|
2350 |
<para>
|
|
2351 |
Edit the generated <filename>cn=samba.ldif</filename> file by removing index information to arrive at: |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2352 |
</para>
|
2353 |
||
2354 |
<programlisting>
|
|
2355 |
dn: cn=samba,cn=schema,cn=config |
|
2356 |
... |
|
2357 |
cn: samba |
|
2358 |
</programlisting>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2359 |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2360 |
<para>
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2361 |
Remove the bottom lines: |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2362 |
</para>
|
2363 |
||
2364 |
<programlisting>
|
|
2365 |
structuralObjectClass: olcSchemaConfig |
|
2366 |
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95 |
|
2367 |
creatorsName: cn=config |
|
2368 |
createTimestamp: 20080827045234Z |
|
2369 |
entryCSN: 20080827045234.341425Z#000000#000#000000 |
|
2370 |
modifiersName: cn=config |
|
2371 |
modifyTimestamp: 20080827045234Z |
|
2372 |
</programlisting>
|
|
2373 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2374 |
<para>
|
2375 |
Your attribute values will vary. |
|
2376 |
</para>
|
|
2377 |
</step>
|
|
2378 |
||
2379 |
<step>
|
|
2380 |
<para>
|
|
2381 |
Add the new schema: |
|
2382 |
</para>
|
|
2383 |
||
2384 |
<screen>
|
|
2385 |
<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif</command> |
|
2386 |
</screen>
|
|
2387 |
||
2388 |
<para>
|
|
2389 |
To query and view this new schema: |
|
2390 |
</para>
|
|
2391 |
||
2392 |
<screen>
|
|
2393 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'</command> |
|
2394 |
</screen>
|
|
2395 |
||
2396 |
</step>
|
|
2397 |
||
2398 |
</procedure>
|
|
2399 |
||
2400 |
</sect3>
|
|
2401 |
||
2402 |
<sect3 id="samba-ldap-openldap-configuration-samba-indices" status="review"> |
|
2403 |
<title>Samba indices</title> |
|
2404 |
||
2405 |
<para>
|
|
2406 |
Now that slapd knows about the Samba attributes, we can set up some indices based on them. Indexing entries is a way to improve |
|
2407 |
performance when a client performs a filtered search on the DIT. |
|
2408 |
</para>
|
|
2409 |
||
2410 |
<para>
|
|
2411 |
Create the file <filename>samba_indices.ldif</filename> with the following contents: |
|
2412 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2413 |
|
2414 |
<programlisting>
|
|
2415 |
dn: olcDatabase={1}hdb,cn=config |
|
2416 |
changetype: modify |
|
2417 |
add: olcDbIndex |
|
2418 |
olcDbIndex: uidNumber eq |
|
2419 |
olcDbIndex: gidNumber eq |
|
2420 |
olcDbIndex: loginShell eq |
|
2421 |
olcDbIndex: uid eq,pres,sub |
|
2422 |
olcDbIndex: memberUid eq,pres,sub |
|
2423 |
olcDbIndex: uniqueMember eq,pres |
|
2424 |
olcDbIndex: sambaSID eq |
|
2425 |
olcDbIndex: sambaPrimaryGroupSID eq |
|
2426 |
olcDbIndex: sambaGroupType eq |
|
2427 |
olcDbIndex: sambaSIDList eq |
|
2428 |
olcDbIndex: sambaDomainName eq |
|
2429 |
olcDbIndex: default sub |
|
2430 |
</programlisting>
|
|
2431 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2432 |
<para>
|
2433 |
Using the <application>ldapmodify</application> utility load the new indices: |
|
2434 |
</para>
|
|
2435 |
||
2436 |
<screen>
|
|
2437 |
<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif</command> |
|
2438 |
</screen>
|
|
2439 |
||
2440 |
<para>
|
|
2441 |
If all went well you should see the new indices using <application>ldapsearch</application>: |
|
2442 |
</para>
|
|
2443 |
||
2444 |
<screen>
|
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
2445 |
<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H \
|
2446 |
ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex</command>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2447 |
</screen>
|
2448 |
||
2449 |
</sect3>
|
|
2450 |
||
2451 |
<sect3 id="samba-ldap-openldap-configuration-populating" status="review"> |
|
2452 |
<title>Adding Samba LDAP objects</title> |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2453 |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2454 |
<para>
|
2455 |
Next, configure the <application>smbldap-tools</application> package to match your environment. The package |
|
86
by Peter Matulis
Edits based on LP: #997172; smbldap-tools now has smbldap-config.pl + latter is not installed + reference to bug on that; by Peter Matulis |
2456 |
is supposed to come with a configuration helper script (smbldap-config.pl, formerly configure.pl) that will ask questions |
2457 |
about the needed options but there is a <ulink url="https://bugs.launchpad.net/serverguide/+bug/997172">bug</ulink> |
|
2458 |
whereby it is not installed (but found in the source code; 'apt-get source smbldap-tools'). |
|
2459 |
</para>
|
|
2460 |
||
2461 |
<para>
|
|
135
by Doug Smythies
Incorrect suggestion that mysql 5.1 can be used instead. Plus simple typo; LP: #1016069 |
2462 |
To manually configure the package, you need to create and edit the files <filename>/etc/smbldap-tools/smbldap.conf</filename> and |
86
by Peter Matulis
Edits based on LP: #997172; smbldap-tools now has smbldap-config.pl + latter is not installed + reference to bug on that; by Peter Matulis |
2463 |
<filename>/etc/smbldap-tools/smbldap_bind.conf</filename>. |
2464 |
</para>
|
|
2465 |
||
2466 |
<para>
|
|
2467 |
The <application>smbldap-populate</application> script will then add the LDAP objects required for Samba. It is a good idea to first |
|
2468 |
make a backup of your DIT using <application>slapcat</application>: |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2469 |
</para>
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2470 |
|
2471 |
<screen>
|
|
2472 |
<command>sudo slapcat -l backup.ldif</command> |
|
2473 |
</screen>
|
|
2474 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2475 |
<para>
|
2476 |
Once you have a backup proceed to populate your directory: |
|
2477 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2478 |
|
2479 |
<screen>
|
|
2480 |
<command>sudo smbldap-populate</command> |
|
2481 |
</screen>
|
|
2482 |
||
30
by Connor Imes
A lot of rewrite of the LDAP section, by Peter Matulis |
2483 |
<para>
|
2484 |
You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>. |
|
2485 |
This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the '-e' |
|
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
2486 |
switch. Alternatively, you can take the LDIF file and import its data per usual. |
30
by Connor Imes
A lot of rewrite of the LDAP section, by Peter Matulis |
2487 |
</para>
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2488 |
|
2489 |
<para>
|
|
2490 |
Your LDAP directory now has the necessary information to authenticate Samba users. |
|
2491 |
</para>
|
|
2492 |
||
2493 |
</sect3>
|
|
2494 |
||
2495 |
</sect2>
|
|
2496 |
||
2497 |
<sect2 id="samba-ldap-samba-configuration"> |
|
2498 |
<title>Samba Configuration</title> |
|
2499 |
||
2500 |
<para>
|
|
99.2.1
by Doug Smythies
Launchpad bug 10077494 Chapter name change ; Samba |
2501 |
There are multiple ways to configure Samba. For details on some common configurations see <xref linkend="samba"/>. |
241.1.1
by Peter Matulis
Review of OpenLDAP Server - Minor corrections; by Peter Matulis |
2502 |
To configure Samba to use LDAP, edit its configuration file <filename>/etc/samba/smb.conf</filename> commenting out |
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2503 |
the default <emphasis>passdb backend</emphasis> parameter and adding some ldap-related ones: |
2504 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2505 |
|
2506 |
<programlisting>
|
|
2507 |
# passdb backend = tdbsam |
|
2508 |
||
2509 |
# LDAP Settings |
|
2510 |
passdb backend = ldapsam:ldap://hostname |
|
2511 |
ldap suffix = dc=example,dc=com |
|
2512 |
ldap user suffix = ou=People |
|
2513 |
ldap group suffix = ou=Groups |
|
2514 |
ldap machine suffix = ou=Computers |
|
2515 |
ldap idmap suffix = ou=Idmap |
|
2516 |
ldap admin dn = cn=admin,dc=example,dc=com |
|
2517 |
ldap ssl = start tls |
|
2518 |
ldap passwd sync = yes |
|
2519 |
... |
|
2520 |
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u" |
|
2521 |
</programlisting>
|
|
2522 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2523 |
<para>
|
2524 |
Change the values to match your environment. |
|
2525 |
</para>
|
|
2526 |
||
2527 |
<para>
|
|
2528 |
Restart <application>samba</application> to enable the new settings: |
|
2529 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2530 |
|
2531 |
<screen>
|
|
2532 |
<command>sudo restart smbd</command> |
|
2533 |
<command>sudo restart nmbd</command> |
|
2534 |
</screen>
|
|
2535 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2536 |
<para>
|
2537 |
Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package): |
|
2538 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2539 |
|
2540 |
<screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2541 |
<command>sudo smbpasswd -w password</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2542 |
</screen>
|
2543 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2544 |
<para>
|
2545 |
If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given |
|
2546 |
some of the extra attributes. The <application>smbpasswd</application> utility can do this as well (your host will need to be |
|
2547 |
able to see (enumerate) those users via NSS; install and configure either <application>libnss-ldapd</application> or |
|
2548 |
<application>libnss-ldap</application>): |
|
2549 |
</para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2550 |
|
2551 |
<screen>
|
|
2552 |
<command>sudo smbpasswd -a username</command> |
|
2553 |
</screen>
|
|
2554 |
||
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2555 |
<para>
|
2556 |
You will prompted to enter a password. It will be considered as the new password for that user. Making it the same as before is reasonable. |
|
2557 |
</para>
|
|
2558 |
||
2559 |
<para>
|
|
2560 |
To manage user, group, and machine accounts use the utilities provided by the <application>smbldap-tools</application> package. |
|
2561 |
Here are some examples: |
|
2562 |
</para>
|
|
2563 |
||
2564 |
<itemizedlist>
|
|
2565 |
||
2566 |
<listitem>
|
|
2567 |
<para>
|
|
2568 |
To add a new user: |
|
2569 |
</para>
|
|
2570 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2571 |
<screen>
|
2572 |
<command>sudo smbldap-useradd -a -P username</command> |
|
2573 |
</screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2574 |
|
2575 |
<para>
|
|
2576 |
The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the |
|
2577 |
<application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user. |
|
2578 |
</para>
|
|
2579 |
</listitem>
|
|
2580 |
||
2581 |
<listitem>
|
|
2582 |
<para>
|
|
2583 |
To remove a user: |
|
2584 |
</para>
|
|
2585 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2586 |
<screen>
|
2587 |
<command>sudo smbldap-userdel username</command> |
|
2588 |
</screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2589 |
|
2590 |
<para>
|
|
2591 |
In the above command, use the <emphasis>-r</emphasis> option to remove the user's home directory. |
|
2592 |
</para>
|
|
2593 |
</listitem>
|
|
2594 |
||
2595 |
<listitem>
|
|
2596 |
<para>
|
|
2597 |
To add a group: |
|
2598 |
</para>
|
|
2599 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2600 |
<screen>
|
2601 |
<command>sudo smbldap-groupadd -a groupname</command> |
|
2602 |
</screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2603 |
|
2604 |
<para>
|
|
2605 |
As for <application>smbldap-useradd</application>, the <emphasis>-a</emphasis> adds the Samba attributes. |
|
2606 |
</para>
|
|
2607 |
</listitem>
|
|
2608 |
||
2609 |
<listitem>
|
|
2610 |
<para>
|
|
2611 |
To make an existing user a member of a group: |
|
2612 |
</para>
|
|
2613 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2614 |
<screen>
|
2615 |
<command>sudo smbldap-groupmod -m username groupname</command> |
|
2616 |
</screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2617 |
|
2618 |
<para>
|
|
2619 |
The <emphasis>-m</emphasis> option can add more than one user at a time by listing them in comma-separated format. |
|
2620 |
</para>
|
|
2621 |
</listitem>
|
|
2622 |
||
2623 |
<listitem>
|
|
2624 |
<para>
|
|
2625 |
To remove a user from a group: |
|
2626 |
</para>
|
|
2627 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2628 |
<screen>
|
2629 |
<command>sudo smbldap-groupmod -x username groupname</command> |
|
2630 |
</screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2631 |
|
2632 |
</listitem>
|
|
2633 |
||
2634 |
<listitem>
|
|
2635 |
<para>
|
|
2636 |
To add a Samba machine account: |
|
2637 |
</para>
|
|
2638 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2639 |
<screen>
|
2640 |
<command>sudo smbldap-useradd -t 0 -w username</command> |
|
2641 |
</screen>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2642 |
|
2643 |
<para>
|
|
2644 |
Replace <emphasis>username</emphasis> with the name of the workstation. The <emphasis>-t 0</emphasis> option creates the machine account |
|
2645 |
without a delay, while the <emphasis>-w</emphasis> option specifies the user as a machine account. Also, note the |
|
2646 |
<emphasis>add machine script</emphasis> parameter in <filename>/etc/samba/smb.conf</filename> was changed to use <application>smbldap-useradd</application>. |
|
2647 |
</para>
|
|
2648 |
</listitem>
|
|
2649 |
||
2650 |
</itemizedlist>
|
|
2651 |
||
2652 |
<para>
|
|
2653 |
There are utilities in the <application>smbldap-tools</application> package that were not covered here. Here is a complete list: |
|
2654 |
</para>
|
|
2655 |
||
2656 |
<programlisting>
|
|
5.3.3
by Peter Matulis
Edits made based on merge proposal; subchapter 6.2 |
2657 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupadd.8.html">smbldap-groupadd</ulink> |
2658 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupdel.8.html">smbldap-groupdel</ulink> |
|
2659 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupmod.8.html">smbldap-groupmod</ulink> |
|
2660 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupshow.8.html">smbldap-groupshow</ulink> |
|
2661 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-passwd.8.html">smbldap-passwd</ulink> |
|
2662 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-populate.8.html">smbldap-populate</ulink> |
|
2663 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-useradd.8.html">smbldap-useradd</ulink> |
|
2664 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-userdel.8.html">smbldap-userdel</ulink> |
|
2665 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-userinfo.8.html">smbldap-userinfo</ulink> |
|
2666 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-userlist.8.html">smbldap-userlist</ulink> |
|
2667 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-usermod.8.html">smbldap-usermod</ulink> |
|
2668 |
<ulink url="http://manpages.ubuntu.com/manpages/en/man8/smbldap-usershow.8.html">smbldap-usershow</ulink> |
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2669 |
</programlisting>
|
2670 |
||
2671 |
</sect2>
|
|
2672 |
||
2673 |
<sect2 id="samba-ldap-resources" status="review"> |
|
2674 |
<title>Resources</title> |
|
2675 |
||
2676 |
<itemizedlist>
|
|
2677 |
||
2678 |
<listitem>
|
|
2679 |
<para>
|
|
99.2.1
by Doug Smythies
Launchpad bug 10077494 Chapter name change ; Samba |
2680 |
For more information on installing and configuring Samba see <xref linkend="samba"/> of this Ubuntu Server Guide. |
5.3.2
by Peter Matulis
Reviewing subchapter 6.2 |
2681 |
</para>
|
2682 |
</listitem>
|
|
2683 |
||
2684 |
<listitem>
|
|
2685 |
<para>
|
|
5.3.1
by Peter Matulis
Reviewing subchapter 6.2 |
2686 |
There are multiple places where LDAP and Samba is documented in the upstream |
2687 |
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/">Samba HOWTO Collection</ulink>. |
|
2688 |
</para>
|
|
2689 |
</listitem>
|
|
2690 |
||
2691 |
<listitem>
|
|
2692 |
<para>
|
|
2693 |
Regarding the above, see specifically the <ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html">passdb section</ulink>. |
|
2694 |
</para>
|
|
2695 |
</listitem>
|
|
2696 |
||
2697 |
<listitem>
|
|
2698 |
<para>
|
|
2699 |
Although dated (2007), the <ulink url="http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/">Linux Samba-OpenLDAP HOWTO</ulink> contains valuable notes. |
|
2700 |
</para>
|
|
2701 |
</listitem>
|
|
2702 |
||
2703 |
<listitem>
|
|
2704 |
<para>
|
|
2705 |
The main page of the <ulink url="https://help.ubuntu.com/community/Samba#samba-ldap">Samba Ubuntu community documentation</ulink> has a plethora of links to |
|
2706 |
articles that may prove useful. |
|
2707 |
</para>
|
|
2708 |
</listitem>
|
|
2709 |
||
2710 |
</itemizedlist>
|
|
2711 |
||
2712 |
</sect2>
|
|
2713 |
||
2714 |
</sect1>
|
|
2715 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2716 |
<sect1 id="kerberos" status="review"> |
2717 |
<title>Kerberos</title> |
|
2718 |
||
2719 |
<para>
|
|
2720 |
<application>Kerberos</application> is a network authentication system based on the principal of a trusted third party. |
|
2721 |
The other two parties being the user and the service the user wishes to authenticate to. Not all services and applications |
|
2722 |
can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO). |
|
2723 |
</para>
|
|
2724 |
||
2725 |
<para>
|
|
2726 |
This section covers installation and configuration of a Kerberos server, and some example client configurations. |
|
2727 |
</para>
|
|
2728 |
||
2729 |
<sect2 id="kerberos-overview" status="review"> |
|
2730 |
<title>Overview</title> |
|
2731 |
||
2732 |
<para>
|
|
2733 |
If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms |
|
2734 |
will relate to things you may be familiar with in other environments: |
|
2735 |
</para>
|
|
2736 |
||
2737 |
<itemizedlist>
|
|
2738 |
<listitem>
|
|
2739 |
<para>
|
|
2740 |
<emphasis>Principal:</emphasis> any users, computers, and services provided by servers need to be defined as Kerberos Principals. |
|
2741 |
</para>
|
|
2742 |
</listitem>
|
|
2743 |
<listitem>
|
|
2744 |
<para>
|
|
2745 |
<emphasis>Instances:</emphasis> are used for service principals and special administrative principals. |
|
2746 |
</para>
|
|
2747 |
</listitem>
|
|
2748 |
<listitem>
|
|
2749 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2750 |
<emphasis>Realms:</emphasis> the unique realm of control provided by the Kerberos installation. |
33.5.3
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections |
2751 |
Think of it as the domain or group your hosts and users belong to. |
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2752 |
Convention dictates the realm should be in uppercase. |
2753 |
By default, ubuntu will use the DNS domain converted to |
|
2754 |
uppercase (EXAMPLE.COM) as the realm. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2755 |
</para>
|
2756 |
</listitem>
|
|
2757 |
<listitem>
|
|
2758 |
<para>
|
|
2759 |
<emphasis>Key Distribution Center:</emphasis> (KDC) consist of three parts, a database of all principals, the authentication server, |
|
2760 |
and the ticket granting server. For each realm there must be at least one KDC. |
|
2761 |
</para>
|
|
2762 |
</listitem>
|
|
2763 |
<listitem>
|
|
2764 |
<para>
|
|
2765 |
<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted in |
|
2766 |
the user's password which is known only to the user and the KDC. |
|
2767 |
</para>
|
|
2768 |
</listitem>
|
|
2769 |
<listitem>
|
|
2770 |
<para>
|
|
2771 |
<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to clients upon request. |
|
2772 |
</para>
|
|
2773 |
</listitem>
|
|
2774 |
<listitem>
|
|
2775 |
<para>
|
|
2776 |
<emphasis>Tickets:</emphasis> confirm the identity of the two principals. One principal being a user and the other a service requested by |
|
2777 |
the user. Tickets establish an encryption key used for secure communication during the authenticated session. |
|
2778 |
</para>
|
|
2779 |
</listitem>
|
|
2780 |
<listitem>
|
|
2781 |
<para>
|
|
2782 |
<emphasis>Keytab Files:</emphasis> are files extracted from the KDC principal database and contain the encryption key for a service or |
|
2783 |
host. |
|
2784 |
</para>
|
|
2785 |
</listitem>
|
|
2786 |
</itemizedlist>
|
|
2787 |
||
2788 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2789 |
To put the pieces together, a Realm has at least one KDC, preferably more for redundancy, which contains a database of Principals. When a |
2790 |
user principal logs into a workstation that is configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2791 |
supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server |
2792 |
(TGS). The service tickets allow the user to authenticate to the service without entering another username and password. |
|
2793 |
</para>
|
|
2794 |
||
2795 |
</sect2>
|
|
2796 |
<sect2 id="kerberos-server" status="review"> |
|
2797 |
<title>Kerberos Server</title> |
|
2798 |
<sect3 id="kerberos-server-installation" status="review"> |
|
2799 |
<title>Installation</title> |
|
2800 |
||
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2801 |
<para>
|
2802 |
For this discussion, we will create a MIT Kerberos domain with the |
|
2803 |
following features (edit them to fit your needs): |
|
2804 |
</para>
|
|
2805 |
||
2806 |
<itemizedlist>
|
|
2807 |
<listitem>
|
|
2808 |
<para>
|
|
2809 |
<emphasis>Realm:</emphasis> EXAMPLE.COM |
|
2810 |
</para>
|
|
2811 |
</listitem>
|
|
2812 |
<listitem>
|
|
2813 |
<para>
|
|
2814 |
<emphasis>Primary KDC:</emphasis> kdc01.example.com (192.168.0.1) |
|
2815 |
</para>
|
|
2816 |
</listitem>
|
|
2817 |
<listitem>
|
|
2818 |
<para>
|
|
2819 |
<emphasis>Secondary KDC:</emphasis> kdc02.example.com (192.168.0.2) |
|
2820 |
</para>
|
|
2821 |
</listitem>
|
|
2822 |
<listitem>
|
|
2823 |
<para>
|
|
2824 |
<emphasis>User principal:</emphasis> steve |
|
2825 |
</para>
|
|
2826 |
</listitem>
|
|
2827 |
<listitem>
|
|
2828 |
<para>
|
|
2829 |
<emphasis>Admin principal:</emphasis> steve/admin |
|
2830 |
</para>
|
|
2831 |
</listitem>
|
|
2832 |
</itemizedlist>
|
|
2833 |
||
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
2834 |
<note>
|
2835 |
<para>
|
|
2836 |
It is <emphasis>strongly</emphasis> recommended that your |
|
2837 |
network-authenticated users have their uid in a different range |
|
2838 |
(say, starting at 5000) than that of your local users. |
|
2839 |
</para>
|
|
2840 |
</note>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2841 |
<para>
|
2842 |
Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by |
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2843 |
convention matches the domain name, this section uses the <emphasis>EXAMPLE.COM</emphasis> domain configured in |
2844 |
<xref linkend="dns-primarymaster-configuration"/> of the DNS documentation. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2845 |
</para>
|
2846 |
||
2847 |
<para>
|
|
2848 |
Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine and the server differs by |
|
2849 |
more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts |
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2850 |
should have their time synchronized using the same |
2851 |
<emphasis>Network Time Protocol (NTP)</emphasis> server. For details |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2852 |
on setting up NTP see <xref linkend="NTP"/>. |
2853 |
</para>
|
|
2854 |
||
2855 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2856 |
The first step in creating a Kerberos Realm is to install the <application>krb5-kdc</application> and |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2857 |
<application>krb5-admin-server</application> packages. From a terminal enter: |
2858 |
</para>
|
|
2859 |
||
2860 |
<screen>
|
|
2861 |
<command>sudo apt-get install krb5-kdc krb5-admin-server</command> |
|
2862 |
</screen>
|
|
2863 |
||
2864 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2865 |
You will be asked at the end of the install to supply the hostname |
2866 |
for the Kerberos and Admin servers, which may or may not be the |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2867 |
same server, for the realm. |
2868 |
</para>
|
|
2869 |
||
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2870 |
<note>
|
2871 |
<para>
|
|
2872 |
By default the realm is created from the KDC's domain name. |
|
2873 |
</para>
|
|
2874 |
</note>
|
|
2875 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2876 |
<para>
|
2877 |
Next, create the new realm with the <application>kdb5_newrealm</application> utility: |
|
2878 |
</para>
|
|
2879 |
||
2880 |
<screen>
|
|
2881 |
<command>sudo krb5_newrealm</command> |
|
2882 |
</screen>
|
|
2883 |
||
2884 |
</sect3>
|
|
2885 |
<sect3 id="kerberos-server-configuration" status="review"> |
|
2886 |
<title>Configuration</title> |
|
2887 |
||
2888 |
<para>
|
|
2889 |
The questions asked during installation are used to configure the <filename>/etc/krb5.conf</filename> file. If you need to adjust |
|
2890 |
the Key Distribution Center (KDC) settings simply edit the file and restart the <application>krb5-kdc</application> daemon. |
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2891 |
If you need to reconfigure Kerberos from scratch, perhaps to change the realm name, you can do so by typing |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2892 |
</para>
|
2893 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2894 |
<screen>
|
2895 |
<command>sudo dpkg-reconfigure krb5-kdc</command> |
|
2896 |
</screen>
|
|
2897 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2898 |
<procedure>
|
2899 |
<step>
|
|
2900 |
||
2901 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2902 |
Once the KDC is properly running, an admin user -- the |
2903 |
<emphasis>admin principal</emphasis> -- is needed. |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2904 |
It is recommended to use a different username from your everyday username. |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2905 |
Using the <application>kadmin.local</application> utility in a terminal prompt enter: |
2906 |
</para>
|
|
2907 |
||
2908 |
<screen>
|
|
2909 |
<command>sudo kadmin.local</command> |
|
2910 |
<computeroutput>Authenticating as principal root/admin@EXAMPLE.COM with password.
|
|
2911 |
kadmin.local:</computeroutput><userinput> addprinc steve/admin</userinput> |
|
2912 |
<computeroutput>WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
|
|
2913 |
Enter password for principal "steve/admin@EXAMPLE.COM": |
|
2914 |
Re-enter password for principal "steve/admin@EXAMPLE.COM": |
|
2915 |
Principal "steve/admin@EXAMPLE.COM" created. |
|
2916 |
kadmin.local:</computeroutput><userinput> quit</userinput> |
|
2917 |
</screen>
|
|
2918 |
||
2919 |
<para>
|
|
2920 |
In the above example <emphasis role="italic">steve</emphasis> is the <emphasis>Principal</emphasis>, |
|
2921 |
<emphasis role="italic">/admin</emphasis> is an <emphasis>Instance</emphasis>, and |
|
2922 |
<emphasis role="italic">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis role="italic">"every day"</emphasis> |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2923 |
Principal, |
2924 |
a.k.a. the <emphasis role="italic">user principal</emphasis>, |
|
2925 |
would be <emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user rights. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2926 |
</para>
|
2927 |
||
2928 |
<note>
|
|
2929 |
<para>
|
|
2930 |
Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with your Realm and admin username. |
|
2931 |
</para>
|
|
2932 |
</note>
|
|
2933 |
||
2934 |
</step>
|
|
2935 |
<step>
|
|
2936 |
||
2937 |
<para>
|
|
2938 |
Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. |
|
2939 |
The permissions are configured in the <filename>/etc/krb5kdc/kadm5.acl</filename> file: |
|
2940 |
</para>
|
|
2941 |
||
2942 |
<programlisting>
|
|
2943 |
steve/admin@EXAMPLE.COM * |
|
2944 |
</programlisting>
|
|
2945 |
||
2946 |
<para>
|
|
2947 |
This entry grants <emphasis>steve/admin</emphasis> the ability to perform any operation on all principals in the realm. |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2948 |
You can configure principals with more restrictive privileges, |
2949 |
which is convenient if you need an admin principal that junior |
|
2950 |
staff can use |
|
2951 |
in Kerberos clients. Please see the |
|
2952 |
<emphasis>kadm5.acl</emphasis> man page for details. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2953 |
</para>
|
2954 |
||
2955 |
</step>
|
|
2956 |
<step>
|
|
2957 |
||
2958 |
<para>
|
|
2959 |
Now restart the <application>krb5-admin-server</application> for the new ACL to take affect: |
|
2960 |
</para>
|
|
2961 |
||
2962 |
<screen>
|
|
82.5.1
by Jonathan Davies
sed replaced all init.d commands with 'service'. |
2963 |
<command>sudo service krb5-admin-server restart</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2964 |
</screen>
|
2965 |
||
2966 |
</step>
|
|
2967 |
<step>
|
|
2968 |
||
2969 |
<para>
|
|
2970 |
The new user principal can be tested using the <application>kinit utility</application>: |
|
2971 |
</para>
|
|
2972 |
||
2973 |
<screen>
|
|
2974 |
<command>kinit steve/admin</command> |
|
2975 |
<computeroutput>steve/admin@EXAMPLE.COM's Password:</computeroutput> |
|
2976 |
</screen>
|
|
2977 |
||
2978 |
<para>
|
|
2979 |
After entering the password, use the <application>klist</application> utility to view information about the |
|
2980 |
Ticket Granting Ticket (TGT): |
|
2981 |
</para>
|
|
2982 |
||
2983 |
<screen>
|
|
2984 |
<command>klist</command> |
|
2985 |
<computeroutput>Credentials cache: FILE:/tmp/krb5cc_1000
|
|
2986 |
Principal: steve/admin@EXAMPLE.COM |
|
2987 |
||
2988 |
Issued Expires Principal |
|
2989 |
Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM</computeroutput>
|
|
2990 |
</screen>
|
|
2991 |
||
2992 |
<para>
|
|
33.5.3
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections |
2993 |
Where the cache filename <filename>krb5cc_1000</filename> is |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
2994 |
composed of the prefix <filename>krb5cc_</filename> and the user |
2995 |
id (uid), which in this case is <filename>1000</filename>. |
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
2996 |
You may need to add an entry into the |
2997 |
<filename>/etc/hosts</filename> for the KDC so the client can |
|
2998 |
find the KDC. For example: |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
2999 |
</para>
|
3000 |
||
3001 |
<programlisting>
|
|
3002 |
192.168.0.1 kdc01.example.com kdc01 |
|
3003 |
</programlisting>
|
|
3004 |
||
3005 |
<para>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3006 |
Replacing <emphasis>192.168.0.1</emphasis> with the IP address of your KDC. |
3007 |
This usually happens when you have a Kerberos realm encompassing |
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
3008 |
different networks separated by routers. |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3009 |
</para>
|
3010 |
||
3011 |
</step>
|
|
3012 |
<step>
|
|
3013 |
||
3014 |
<para>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3015 |
The best way to allow clients to automatically |
3016 |
determine the KDC for the Realm is using DNS SRV records. Add the following to |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3017 |
<filename>/etc/named/db.example.com</filename>: |
3018 |
</para>
|
|
3019 |
||
3020 |
<programlisting>
|
|
3021 |
_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com. |
|
3022 |
_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com. |
|
3023 |
_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. |
|
3024 |
_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. |
|
3025 |
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com. |
|
3026 |
_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com. |
|
3027 |
</programlisting>
|
|
3028 |
||
3029 |
<note>
|
|
3030 |
<para>
|
|
3031 |
Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and <emphasis>kdc02</emphasis> with your |
|
3032 |
domain name, primary KDC, and secondary KDC. |
|
3033 |
</para>
|
|
3034 |
</note>
|
|
3035 |
||
3036 |
<para>
|
|
3037 |
See <xref linkend="dns"/> for detailed instructions on setting up DNS. |
|
3038 |
</para>
|
|
3039 |
||
3040 |
</step>
|
|
3041 |
</procedure>
|
|
3042 |
||
3043 |
<para>
|
|
3044 |
Your new Kerberos Realm is now ready to authenticate clients. |
|
3045 |
</para>
|
|
3046 |
||
3047 |
</sect3>
|
|
3048 |
</sect2>
|
|
3049 |
<sect2 id="kerberos-secondary-kdc" status="review"> |
|
3050 |
<title>Secondary KDC</title> |
|
3051 |
||
3052 |
<para>
|
|
3053 |
Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the |
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3054 |
primary becomes unavailable. |
3055 |
Also, if you have Kerberos clients that are in different networks |
|
3056 |
(possibly separated by routers using NAT), it is wise to place a |
|
3057 |
secondary KDC in each of those networks. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3058 |
</para>
|
3059 |
||
3060 |
<procedure>
|
|
3061 |
<step>
|
|
3062 |
||
3063 |
<para>
|
|
3064 |
First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC: |
|
3065 |
</para>
|
|
3066 |
||
3067 |
<screen>
|
|
3068 |
<command>sudo apt-get install krb5-kdc krb5-admin-server</command> |
|
3069 |
</screen>
|
|
3070 |
||
3071 |
</step>
|
|
3072 |
<step>
|
|
3073 |
||
3074 |
<para>
|
|
3075 |
Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter: |
|
3076 |
</para>
|
|
3077 |
||
3078 |
<screen>
|
|
3079 |
<command>kadmin -q "addprinc -randkey host/kdc02.example.com"</command> |
|
3080 |
</screen>
|
|
3081 |
||
3082 |
<note>
|
|
3083 |
<para>
|
|
3084 |
After, issuing any <application>kadmin</application> commands you will be prompted for your |
|
3085 |
<emphasis>username/admin@EXAMPLE.COM</emphasis> principal password. |
|
3086 |
</para>
|
|
3087 |
</note>
|
|
3088 |
||
3089 |
</step>
|
|
3090 |
<step>
|
|
3091 |
||
3092 |
<para>
|
|
3093 |
Extract the <emphasis>keytab</emphasis> file: |
|
3094 |
</para>
|
|
3095 |
||
3096 |
<screen>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3097 |
<command>kadmin -q "ktadd -norandkey -k keytab.kdc02 host/kdc02.example.com"</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3098 |
</screen>
|
3099 |
||
3100 |
</step>
|
|
3101 |
<step>
|
|
3102 |
||
3103 |
<para>
|
|
3104 |
There should now be a <filename>keytab.kdc02</filename> in the current directory, move the file to |
|
3105 |
<filename>/etc/krb5.keytab</filename>: |
|
3106 |
</para>
|
|
3107 |
||
3108 |
<screen>
|
|
3109 |
<command>sudo mv keytab.kdc02 /etc/krb5.keytab</command> |
|
3110 |
</screen>
|
|
3111 |
||
3112 |
<note>
|
|
3113 |
<para>
|
|
3114 |
If the path to the <filename>keytab.kdc02</filename> file is different adjust accordingly. |
|
3115 |
</para>
|
|
3116 |
</note>
|
|
3117 |
||
3118 |
<para>
|
|
3119 |
Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the |
|
3120 |
<application>klist</application> utility: |
|
3121 |
</para>
|
|
3122 |
||
3123 |
<screen>
|
|
3124 |
<command>sudo klist -k /etc/krb5.keytab</command> |
|
3125 |
</screen>
|
|
3126 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3127 |
<para>
|
3128 |
The <application>-k</application> option indicates the file is a keytab file. |
|
3129 |
</para>
|
|
3130 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3131 |
</step>
|
3132 |
<step>
|
|
3133 |
||
3134 |
<para>
|
|
3135 |
Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC that lists all KDCs for the Realm. For example, |
|
3136 |
on both primary and secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>: |
|
3137 |
</para>
|
|
3138 |
||
3139 |
<programlisting>
|
|
3140 |
host/kdc01.example.com@EXAMPLE.COM |
|
3141 |
host/kdc02.example.com@EXAMPLE.COM |
|
3142 |
</programlisting>
|
|
3143 |
||
3144 |
</step>
|
|
3145 |
<step>
|
|
3146 |
||
3147 |
<para>
|
|
3148 |
Create an empty database on the <emphasis>Secondary KDC</emphasis>: |
|
3149 |
</para>
|
|
3150 |
||
3151 |
<screen>
|
|
3152 |
<command>sudo kdb5_util -s create</command> |
|
3153 |
</screen>
|
|
3154 |
||
3155 |
</step>
|
|
3156 |
<step>
|
|
3157 |
||
3158 |
<para>
|
|
3159 |
Now start the <application>kpropd</application> daemon, which listens for connections from the |
|
3160 |
<application>kprop</application> utility. <application>kprop</application> is used to transfer |
|
3161 |
dump files: |
|
3162 |
</para>
|
|
3163 |
||
3164 |
<screen>
|
|
3165 |
<command>sudo kpropd -S</command> |
|
3166 |
</screen>
|
|
3167 |
||
3168 |
</step>
|
|
3169 |
<step>
|
|
3170 |
||
3171 |
<para>
|
|
3172 |
From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file of the principal database: |
|
3173 |
</para>
|
|
3174 |
||
3175 |
<screen>
|
|
3176 |
<command>sudo kdb5_util dump /var/lib/krb5kdc/dump</command> |
|
3177 |
</screen>
|
|
3178 |
||
3179 |
</step>
|
|
3180 |
<step>
|
|
3181 |
||
3182 |
<para>
|
|
3183 |
Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to <filename>/etc/krb5.keytab</filename>: |
|
3184 |
</para>
|
|
3185 |
||
3186 |
<screen>
|
|
3187 |
<command>kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"</command> |
|
3188 |
<command>sudo mv keytab.kdc01 /etc/krb5.keytab</command> |
|
3189 |
</screen>
|
|
3190 |
||
3191 |
<note>
|
|
3192 |
<para>
|
|
3193 |
Make sure there is a <emphasis>host</emphasis> for <emphasis>kdc01.example.com</emphasis> before extracting the Keytab. |
|
3194 |
</para>
|
|
3195 |
</note>
|
|
3196 |
||
3197 |
</step>
|
|
3198 |
<step>
|
|
3199 |
||
3200 |
<para>
|
|
3201 |
Using the <application>kprop</application> utility push the database to the Secondary KDC: |
|
3202 |
</para>
|
|
3203 |
||
3204 |
<screen>
|
|
3205 |
<command>sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com</command> |
|
3206 |
</screen>
|
|
3207 |
||
3208 |
<note>
|
|
3209 |
<para>
|
|
3210 |
There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation worked. If there is an error |
|
3211 |
message check <filename>/var/log/syslog</filename> on the secondary KDC for more information. |
|
3212 |
</para>
|
|
3213 |
</note>
|
|
3214 |
||
3215 |
<para>
|
|
3216 |
You may also want to create a <application>cron</application> job to periodically update the database on the Secondary KDC. For |
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3217 |
example, the following will push the database every hour (note the long line has been split to fit the format of this document): |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3218 |
</para>
|
3219 |
||
3220 |
<programlisting>
|
|
3221 |
# m h dom mon dow command |
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3222 |
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump &&
|
3223 |
/usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3224 |
</programlisting>
|
3225 |
||
3226 |
</step>
|
|
3227 |
<step>
|
|
3228 |
||
3229 |
<para>
|
|
3230 |
Back on the <emphasis>Secondary KDC</emphasis>, create a <emphasis>stash</emphasis> file to hold the Kerberos |
|
3231 |
master key: |
|
3232 |
</para>
|
|
3233 |
||
3234 |
<screen>
|
|
3235 |
<command>sudo kdb5_util stash</command> |
|
3236 |
</screen>
|
|
3237 |
||
3238 |
</step>
|
|
3239 |
<step>
|
|
3240 |
||
3241 |
<para>
|
|
3242 |
Finally, start the <application>krb5-kdc</application> daemon on the Secondary KDC: |
|
3243 |
</para>
|
|
3244 |
||
3245 |
<screen>
|
|
82.5.1
by Jonathan Davies
sed replaced all init.d commands with 'service'. |
3246 |
<command>sudo service krb5-kdc start</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3247 |
</screen>
|
3248 |
||
3249 |
</step>
|
|
3250 |
</procedure>
|
|
3251 |
||
3252 |
<para>
|
|
3253 |
The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets for the Realm. You can test this by stopping |
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
3254 |
the <application>krb5-kdc</application> daemon on the Primary KDC, then |
3255 |
by using <application>kinit</application> to request a ticket. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3256 |
If all goes well you should receive a ticket from the Secondary KDC. |
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
3257 |
Otherwise, check <filename>/var/log/syslog</filename> and |
3258 |
<filename>/var/log/auth.log</filename> in the Secondary KDC. |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3259 |
</para>
|
3260 |
||
3261 |
</sect2>
|
|
3262 |
<sect2 id="kerberos-linux-client" status="review"> |
|
3263 |
<title>Kerberos Linux Client</title> |
|
3264 |
||
3265 |
<para>
|
|
3266 |
This section covers configuring a Linux system as a <application>Kerberos</application> client. This will allow access |
|
3267 |
to any kerberized services once a user has successfully logged into the system. |
|
3268 |
</para>
|
|
3269 |
||
3270 |
<sect3 id="kerberos-client-installation" status="review"> |
|
3271 |
<title>Installation</title> |
|
3272 |
||
3273 |
<para>
|
|
3274 |
In order to authenticate to a Kerberos Realm, the <application>krb5-user</application> and <application>libpam-krb5</application> |
|
3275 |
packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages |
|
3276 |
enter the following in a terminal prompt: |
|
3277 |
</para>
|
|
3278 |
||
3279 |
<screen>
|
|
3280 |
<command>sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config</command> |
|
3281 |
</screen>
|
|
3282 |
||
3283 |
<para>
|
|
3284 |
The <application>auth-client-config</application> package allows simple configuration of PAM for authentication from multiple |
|
3285 |
sources, and the <application>libpam-ccreds</application> will cache authentication credentials allowing you to login in case the |
|
3286 |
Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while |
|
3287 |
on the corporate network, but will need to be accessed off the network as well. |
|
3288 |
</para>
|
|
3289 |
||
3290 |
</sect3>
|
|
3291 |
<sect3 id="kerberos-client-configuration" status="review"> |
|
3292 |
<title>Configuration</title> |
|
3293 |
||
3294 |
<para>
|
|
3295 |
To configure the client in a terminal enter: |
|
3296 |
</para>
|
|
3297 |
||
3298 |
<screen>
|
|
3299 |
<command>sudo dpkg-reconfigure krb5-config</command> |
|
3300 |
</screen>
|
|
3301 |
||
3302 |
<para>
|
|
3303 |
You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos |
|
3304 |
<emphasis>SRV</emphasis> records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and |
|
3305 |
Realm Administration server. |
|
3306 |
</para>
|
|
3307 |
||
3308 |
<para>
|
|
3309 |
The <application>dpkg-reconfigure</application> adds entries to the <filename>/etc/krb5.conf</filename> file for your Realm. |
|
3310 |
You should have entries similar to the following: |
|
3311 |
</para>
|
|
3312 |
||
3313 |
<programlisting>
|
|
3314 |
[libdefaults] |
|
3315 |
default_realm = EXAMPLE.COM |
|
3316 |
... |
|
3317 |
[realms] |
|
124
by Doug Smythies
update pot file; typo LP: #1038622; user kill example; slight dns section change; by Doug Smythies |
3318 |
EXAMPLE.COM = { |
3319 |
kdc = 192.168.0.1 |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3320 |
admin_server = 192.168.0.1 |
3321 |
} |
|
3322 |
</programlisting>
|
|
3323 |
||
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
3324 |
<note>
|
3325 |
<para>
|
|
3326 |
If you set the uid of each of your network-authenticated users to |
|
3327 |
start at 5000, as suggested in |
|
3328 |
<xref linkend="kerberos-server-installation"/>, you |
|
3329 |
can then tell pam to only try to authenticate using Kerberos |
|
3330 |
users with uid > 5000: |
|
3331 |
</para>
|
|
3332 |
<screen>
|
|
33.5.5
by raubvogel at gmail
taking care of the MERGE-SOURCE issues |
3333 |
<command># Kerberos should only be applied to ldap/kerberos users, not local ones.
|
3334 |
for i in common-auth common-session common-account common-password; do |
|
3335 |
sudo sed -i -r \ |
|
3336 |
-e 's/pam_krb5.so minimum_uid=1000/pam_krb5.so minimum_uid=5000/' \ |
|
3337 |
/etc/pam.d/$i |
|
3338 |
done </command>
|
|
33.5.4
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections. Also added note on making Kerberos only be applied to ldap/kerberos users |
3339 |
</screen>
|
3340 |
<para>
|
|
3341 |
This will avoid being asked for the (non-existent) Kerberos |
|
3342 |
password of a locally authenticated user when changing its |
|
3343 |
password using <command>passwd</command>. |
|
3344 |
</para>
|
|
3345 |
</note>
|
|
3346 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3347 |
<para>
|
3348 |
You can test the configuration by requesting a ticket using the <application>kinit</application> utility. For example: |
|
3349 |
</para>
|
|
3350 |
||
3351 |
<screen>
|
|
3352 |
<command>kinit steve@EXAMPLE.COM</command> |
|
3353 |
<computeroutput>Password for steve@EXAMPLE.COM:</computeroutput> |
|
3354 |
</screen>
|
|
3355 |
||
3356 |
<para>
|
|
3357 |
When a ticket has been granted, the details can be viewed using <application>klist</application>: |
|
3358 |
</para>
|
|
3359 |
||
3360 |
<screen>
|
|
3361 |
<command>klist</command> |
|
3362 |
<computeroutput>Ticket cache: FILE:/tmp/krb5cc_1000
|
|
3363 |
Default principal: steve@EXAMPLE.COM |
|
3364 |
||
3365 |
Valid starting Expires Service principal |
|
3366 |
07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM |
|
3367 |
renew until 07/25/08 05:18:57 |
|
3368 |
||
3369 |
||
3370 |
Kerberos 4 ticket cache: /tmp/tkt1000 |
|
3371 |
klist: You have no tickets cached</computeroutput>
|
|
3372 |
</screen>
|
|
3373 |
||
3374 |
<para>
|
|
3375 |
Next, use the <application>auth-client-config</application> to configure the <application>libpam-krb5</application> module |
|
3376 |
to request a ticket during login: |
|
3377 |
</para>
|
|
3378 |
||
3379 |
<screen>
|
|
3380 |
<command>sudo auth-client-config -a -p kerberos_example</command> |
|
3381 |
</screen>
|
|
3382 |
||
3383 |
<para>
|
|
3384 |
You will should now receive a ticket upon successful login authentication. |
|
3385 |
</para>
|
|
3386 |
||
3387 |
</sect3>
|
|
3388 |
</sect2>
|
|
3389 |
<sect2 id="kerberos-resources" status="review"> |
|
3390 |
<title>Resources</title> |
|
3391 |
||
3392 |
<itemizedlist>
|
|
3393 |
<listitem>
|
|
3394 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
3395 |
For more information on MIT's version of Kerberos, see the <ulink url="http://web.mit.edu/Kerberos/">MIT Kerberos</ulink> site. |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3396 |
</para>
|
3397 |
</listitem>
|
|
3398 |
<listitem>
|
|
3399 |
<para>
|
|
3400 |
The <ulink url="https://help.ubuntu.com/community/Kerberos">Ubuntu Wiki Kerberos</ulink> page has more details. |
|
3401 |
</para>
|
|
3402 |
</listitem>
|
|
3403 |
<listitem>
|
|
3404 |
<para>
|
|
3405 |
O'Reilly's <ulink url="http://oreilly.com/catalog/9780596004033/">Kerberos: The Definitive Guide</ulink> is a great reference when |
|
3406 |
setting up Kerberos. |
|
3407 |
</para>
|
|
3408 |
</listitem>
|
|
3409 |
<listitem>
|
|
3410 |
<para>
|
|
33.5.2
by raubvogel at gmail
Reviewing sub-chapter 6.3; small changes |
3411 |
Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> |
3412 |
and <emphasis>#kerberos</emphasis> |
|
3413 |
IRC channels on <ulink url="http://freenode.net/">Freenode</ulink> |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3414 |
if you have Kerberos questions. |
3415 |
</para>
|
|
3416 |
</listitem>
|
|
3417 |
</itemizedlist>
|
|
3418 |
||
3419 |
</sect2>
|
|
3420 |
</sect1>
|
|
3421 |
<sect1 id="kerberos-ldap" status="review"> |
|
3422 |
<title>Kerberos and LDAP</title> |
|
3423 |
||
3424 |
<para>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3425 |
Most people will not use Kerberos by itself; once an user is authenticated |
3426 |
(Kerberos), we need to figure out what this user can do (authorization). |
|
33.5.3
by raubvogel at gmail
Reviewing sub-chapter 6.1, 6.3, and 6.4; Update based on corrections |
3427 |
And that would be the job of programs such as |
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3428 |
<application>LDAP</application>. |
3429 |
</para>
|
|
3430 |
||
3431 |
<para>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3432 |
Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user |
3433 |
database to your network. Fortunately, MIT Kerberos can be configured to use an <application>LDAP</application> |
|
3434 |
directory as a principal database. This section covers configuring a primary and secondary kerberos server to use |
|
3435 |
<application>OpenLDAP</application> for the principal database. |
|
3436 |
</para>
|
|
3437 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3438 |
<note>
|
3439 |
<para>
|
|
3440 |
The examples presented here assume |
|
3441 |
<application>MIT Kerberos</application> and |
|
3442 |
<application>OpenLDAP</application>. |
|
3443 |
</para>
|
|
3444 |
</note>
|
|
3445 |
||
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3446 |
<sect2 id="kerberos-ldap-openldap" status="review"> |
3447 |
<title>Configuring OpenLDAP</title> |
|
3448 |
||
3449 |
<para>
|
|
3450 |
First, the necessary <emphasis>schema</emphasis> needs to be loaded on an <application>OpenLDAP</application> server that has |
|
3451 |
network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication |
|
3452 |
configured between at least two servers. For information on setting up OpenLDAP see <xref linkend="openldap-server"/>. |
|
3453 |
</para>
|
|
3454 |
||
3455 |
<para>
|
|
3456 |
It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. |
|
3457 |
See <xref linkend="openldap-tls"/> for details. |
|
3458 |
</para>
|
|
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3459 |
|
3460 |
<note>
|
|
3461 |
<para>
|
|
3462 |
<filename>cn=admin,cn=config</filename> is a user we created with |
|
3463 |
rights to edit the ldap database. Many times it is the RootDN. Change its |
|
3464 |
value to reflect your setup. |
|
3465 |
</para>
|
|
3466 |
</note>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3467 |
|
3468 |
<itemizedlist>
|
|
3469 |
<listitem>
|
|
3470 |
<para>
|
|
3471 |
To load the schema into LDAP, on the LDAP server install the <application>krb5-kdc-ldap</application> package. |
|
3472 |
From a terminal enter: |
|
3473 |
</para>
|
|
3474 |
||
3475 |
<screen>
|
|
3476 |
<command>sudo apt-get install krb5-kdc-ldap</command> |
|
3477 |
</screen>
|
|
3478 |
||
3479 |
</listitem>
|
|
3480 |
<listitem>
|
|
3481 |
<para>
|
|
3482 |
Next, extract the <filename>kerberos.schema.gz</filename> file: |
|
3483 |
</para>
|
|
3484 |
||
3485 |
<screen>
|
|
3486 |
<command>sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz</command> |
|
3487 |
<command>sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/</command> |
|
3488 |
</screen>
|
|
3489 |
||
3490 |
</listitem>
|
|
3491 |
<listitem>
|
|
3492 |
||
3493 |
<para>
|
|
3494 |
The <emphasis>kerberos</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree. |
|
3495 |
The procedure to add a new schema to <application>slapd</application> is also detailed in |
|
3496 |
<xref linkend="openldap-configuration"/>. |
|
3497 |
</para>
|
|
3498 |
||
3499 |
<procedure>
|
|
3500 |
<step>
|
|
3501 |
<para>
|
|
3502 |
First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar |
|
3503 |
descriptive name, containing the following lines: |
|
3504 |
</para>
|
|
3505 |
||
3506 |
<programlisting>
|
|
3507 |
include /etc/ldap/schema/core.schema |
|
3508 |
include /etc/ldap/schema/collective.schema |
|
3509 |
include /etc/ldap/schema/corba.schema |
|
3510 |
include /etc/ldap/schema/cosine.schema |
|
3511 |
include /etc/ldap/schema/duaconf.schema |
|
3512 |
include /etc/ldap/schema/dyngroup.schema |
|
3513 |
include /etc/ldap/schema/inetorgperson.schema |
|
3514 |
include /etc/ldap/schema/java.schema |
|
3515 |
include /etc/ldap/schema/misc.schema |
|
3516 |
include /etc/ldap/schema/nis.schema |
|
3517 |
include /etc/ldap/schema/openldap.schema |
|
3518 |
include /etc/ldap/schema/ppolicy.schema |
|
3519 |
include /etc/ldap/schema/kerberos.schema |
|
3520 |
</programlisting>
|
|
3521 |
||
3522 |
||
3523 |
</step>
|
|
3524 |
<step>
|
|
3525 |
||
3526 |
<para>
|
|
3527 |
Create a temporary directory to hold the LDIF files: |
|
3528 |
</para>
|
|
3529 |
<screen>
|
|
3530 |
<command>mkdir /tmp/ldif_output</command> |
|
3531 |
</screen>
|
|
3532 |
||
3533 |
</step>
|
|
3534 |
<step>
|
|
3535 |
||
3536 |
<para>
|
|
3537 |
Now use <application>slapcat</application> to convert the schema files: |
|
3538 |
</para>
|
|
3539 |
||
3540 |
<screen>
|
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3541 |
<command>slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \
|
3542 |
"cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3543 |
</screen>
|
3544 |
||
3545 |
<para>
|
|
3546 |
Change the above file and path names to match your own if they are different. |
|
3547 |
</para>
|
|
3548 |
||
3549 |
</step>
|
|
3550 |
<step>
|
|
3551 |
||
3552 |
<para>
|
|
3553 |
Edit the generated <filename>/tmp/cn\=kerberos.ldif</filename> file, changing the following attributes: |
|
3554 |
</para>
|
|
3555 |
||
3556 |
<programlisting>
|
|
3557 |
dn: cn=kerberos,cn=schema,cn=config |
|
3558 |
... |
|
3559 |
cn: kerberos |
|
3560 |
</programlisting>
|
|
3561 |
||
3562 |
<para>
|
|
3563 |
And remove the following lines from the end of the file: |
|
3564 |
</para>
|
|
3565 |
||
3566 |
<programlisting>
|
|
3567 |
structuralObjectClass: olcSchemaConfig |
|
3568 |
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc |
|
3569 |
creatorsName: cn=config |
|
3570 |
createTimestamp: 20090111203515Z |
|
3571 |
entryCSN: 20090111203515.326445Z#000000#000#000000 |
|
3572 |
modifiersName: cn=config |
|
3573 |
modifyTimestamp: 20090111203515Z |
|
3574 |
</programlisting>
|
|
3575 |
||
3576 |
<para>
|
|
3577 |
The attribute values will vary, just be sure the attributes are removed. |
|
3578 |
</para>
|
|
3579 |
||
3580 |
</step>
|
|
3581 |
<step>
|
|
3582 |
||
3583 |
<para>
|
|
3584 |
Load the new schema with <application>ldapadd</application>: |
|
3585 |
</para>
|
|
3586 |
||
3587 |
<screen>
|
|
3588 |
<command>ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif</command> |
|
3589 |
</screen>
|
|
3590 |
||
3591 |
</step>
|
|
3592 |
<step>
|
|
3593 |
||
3594 |
<para>
|
|
3595 |
Add an index for the <emphasis>krb5principalname</emphasis> attribute: |
|
3596 |
</para>
|
|
3597 |
||
3598 |
<screen>
|
|
3599 |
<command>ldapmodify -x -D cn=admin,cn=config -W</command> |
|
3600 |
<computeroutput>Enter LDAP Password:
|
|
3601 |
<userinput>dn: olcDatabase={1}hdb,cn=config
|
|
3602 |
add: olcDbIndex |
|
3603 |
olcDbIndex: krbPrincipalName eq,pres,sub</userinput>
|
|
3604 |
||
3605 |
modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>
|
|
3606 |
</screen>
|
|
3607 |
||
3608 |
</step>
|
|
3609 |
<step>
|
|
3610 |
||
3611 |
<para>
|
|
3612 |
Finally, update the Access Control Lists (ACL): |
|
3613 |
</para>
|
|
3614 |
||
3615 |
<screen>
|
|
3616 |
<command>ldapmodify -x -D cn=admin,cn=config -W</command> |
|
3617 |
<computeroutput>Enter LDAP Password:
|
|
3618 |
<userinput>dn: olcDatabase={1}hdb,cn=config
|
|
3619 |
replace: olcAccess |
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3620 |
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by |
3621 |
dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none |
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3622 |
- |
3623 |
add: olcAccess |
|
3624 |
olcAccess: to dn.base="" by * read |
|
3625 |
- |
|
3626 |
add: olcAccess |
|
3627 |
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read</userinput>
|
|
3628 |
||
3629 |
modifying entry "olcDatabase={1}hdb,cn=config" |
|
3630 |
</computeroutput>
|
|
3631 |
</screen>
|
|
3632 |
||
3633 |
</step>
|
|
3634 |
</procedure>
|
|
3635 |
</listitem>
|
|
3636 |
</itemizedlist>
|
|
3637 |
||
3638 |
<para>
|
|
3639 |
That's it, your LDAP directory is now ready to serve as a Kerberos principal database. |
|
3640 |
</para>
|
|
3641 |
||
3642 |
</sect2>
|
|
3643 |
<sect2 id="kerberos-ldap-primary-kdc" status="review"> |
|
3644 |
<title>Primary KDC Configuration</title> |
|
3645 |
||
3646 |
<para>
|
|
3647 |
With <application>OpenLDAP</application> configured it is time to configure the KDC. |
|
3648 |
</para>
|
|
3649 |
||
3650 |
<itemizedlist>
|
|
3651 |
<listitem>
|
|
3652 |
<para>
|
|
3653 |
First, install the necessary packages, from a terminal enter: |
|
3654 |
</para>
|
|
3655 |
||
3656 |
<screen>
|
|
3657 |
<command>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</command> |
|
3658 |
</screen>
|
|
3659 |
||
3660 |
</listitem>
|
|
3661 |
<listitem>
|
|
3662 |
||
3663 |
<para>
|
|
3664 |
Now edit <filename>/etc/krb5.conf</filename> adding the following options to under the appropriate sections: |
|
3665 |
</para>
|
|
3666 |
||
3667 |
<programlisting>
|
|
3668 |
[libdefaults] |
|
3669 |
default_realm = EXAMPLE.COM |
|
3670 |
||
3671 |
... |
|
3672 |
||
3673 |
[realms] |
|
3674 |
EXAMPLE.COM = { |
|
3675 |
kdc = kdc01.example.com |
|
3676 |
kdc = kdc02.example.com |
|
3677 |
admin_server = kdc01.example.com |
|
3678 |
admin_server = kdc02.example.com |
|
3679 |
default_domain = example.com |
|
3680 |
database_module = openldap_ldapconf |
|
3681 |
} |
|
3682 |
||
3683 |
... |
|
3684 |
||
3685 |
[domain_realm] |
|
3686 |
.example.com = EXAMPLE.COM |
|
3687 |
||
3688 |
||
3689 |
... |
|
3690 |
||
3691 |
[dbdefaults] |
|
3692 |
ldap_kerberos_container_dn = dc=example,dc=com |
|
3693 |
||
3694 |
[dbmodules] |
|
3695 |
openldap_ldapconf = { |
|
3696 |
db_library = kldap |
|
3697 |
ldap_kdc_dn = "cn=admin,dc=example,dc=com" |
|
3698 |
||
3699 |
# this object needs to have read rights on |
|
3700 |
# the realm container, principal container and realm sub-trees |
|
3701 |
ldap_kadmind_dn = "cn=admin,dc=example,dc=com" |
|
3702 |
||
3703 |
# this object needs to have read and write rights on |
|
3704 |
# the realm container, principal container and realm sub-trees |
|
3705 |
ldap_service_password_file = /etc/krb5kdc/service.keyfile |
|
3706 |
ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com |
|
3707 |
ldap_conns_per_server = 5 |
|
3708 |
} |
|
3709 |
</programlisting>
|
|
3710 |
||
3711 |
<note>
|
|
3712 |
<para>
|
|
3713 |
Change <emphasis>example.com</emphasis>, <emphasis>dc=example,dc=com</emphasis>, <emphasis>cn=admin,dc=example,dc=com</emphasis>, |
|
3714 |
and <emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP object, and LDAP server for your network. |
|
3715 |
</para>
|
|
3716 |
</note>
|
|
3717 |
||
3718 |
</listitem>
|
|
3719 |
<listitem>
|
|
3720 |
||
3721 |
<para>
|
|
3722 |
Next, use the <application>kdb5_ldap_util</application> utility to create the realm: |
|
3723 |
</para>
|
|
3724 |
||
3725 |
<screen>
|
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3726 |
<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
|
3727 |
dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3728 |
</screen>
|
3729 |
||
3730 |
</listitem>
|
|
3731 |
<listitem>
|
|
3732 |
||
3733 |
<para>
|
|
3734 |
Create a stash of the password used to bind to the LDAP server. This password is used by the <emphasis>ldap_kdc_dn</emphasis> and |
|
3735 |
<emphasis>ldap_kadmin_dn</emphasis> options in <filename>/etc/krb5.conf</filename>: |
|
3736 |
</para>
|
|
3737 |
||
3738 |
<screen>
|
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3739 |
<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \
|
3740 |
/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3741 |
</screen>
|
3742 |
||
3743 |
</listitem>
|
|
3744 |
<listitem>
|
|
3745 |
||
3746 |
<para>
|
|
3747 |
Copy the CA certificate from the LDAP server: |
|
3748 |
</para>
|
|
3749 |
||
3750 |
<screen>
|
|
3751 |
<command>scp ldap01:/etc/ssl/certs/cacert.pem .</command> |
|
3752 |
<command>sudo cp cacert.pem /etc/ssl/certs</command> |
|
3753 |
</screen>
|
|
3754 |
||
3755 |
<para>
|
|
3756 |
And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate: |
|
3757 |
</para>
|
|
3758 |
||
3759 |
<programlisting>
|
|
3760 |
TLS_CACERT /etc/ssl/certs/cacert.pem |
|
3761 |
</programlisting>
|
|
3762 |
||
3763 |
<note>
|
|
3764 |
<para>
|
|
3765 |
The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using |
|
3766 |
LDAPS. |
|
3767 |
</para>
|
|
3768 |
</note>
|
|
3769 |
||
3770 |
</listitem>
|
|
3771 |
</itemizedlist>
|
|
3772 |
||
3773 |
<para>
|
|
3774 |
You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. |
|
3775 |
To add a principal using the <application>kadmin.local</application> utility enter: |
|
3776 |
</para>
|
|
3777 |
||
3778 |
<screen>
|
|
3779 |
<command>sudo kadmin.local</command> |
|
3780 |
<computeroutput>Authenticating as principal root/admin@EXAMPLE.COM with password.
|
|
3781 |
kadmin.local: <userinput>addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve</userinput> |
|
3782 |
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy |
|
3783 |
Enter password for principal "steve@EXAMPLE.COM": |
|
3784 |
Re-enter password for principal "steve@EXAMPLE.COM": |
|
3785 |
Principal "steve@EXAMPLE.COM" created.</computeroutput>
|
|
3786 |
</screen>
|
|
3787 |
||
3788 |
<para>
|
|
3789 |
There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the |
|
3790 |
<emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use the <application>kinit</application> and |
|
3791 |
<application>klist</application> utilities to test that the user is indeed issued a ticket. |
|
3792 |
</para>
|
|
3793 |
||
3794 |
<note>
|
|
3795 |
<para>
|
|
3796 |
If the user object is already created the <emphasis>-x dn="..."</emphasis> option is needed to add the Kerberos attributes. |
|
3797 |
Otherwise a new <emphasis>principal</emphasis> object will be created in the realm subtree. |
|
3798 |
</para>
|
|
3799 |
</note>
|
|
3800 |
||
3801 |
</sect2>
|
|
3802 |
<sect2 id="kerberos-ldap-secondary-kdc" status="review"> |
|
3803 |
<title>Secondary KDC Configuration</title> |
|
3804 |
||
3805 |
<para>
|
|
3806 |
Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database. |
|
3807 |
</para>
|
|
3808 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3809 |
<procedure>
|
3810 |
<step>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3811 |
<para>
|
3812 |
First, install the necessary packages. In a terminal enter: |
|
3813 |
</para>
|
|
3814 |
||
3815 |
<screen>
|
|
3816 |
<command>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</command> |
|
3817 |
</screen>
|
|
3818 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3819 |
</step>
|
3820 |
<step>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3821 |
|
3822 |
<para>
|
|
3823 |
Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend: |
|
3824 |
</para>
|
|
3825 |
||
3826 |
<programlisting>
|
|
3827 |
[libdefaults] |
|
3828 |
default_realm = EXAMPLE.COM |
|
3829 |
||
3830 |
... |
|
3831 |
||
3832 |
[realms] |
|
3833 |
EXAMPLE.COM = { |
|
3834 |
kdc = kdc01.example.com |
|
3835 |
kdc = kdc02.example.com |
|
3836 |
admin_server = kdc01.example.com |
|
3837 |
admin_server = kdc02.example.com |
|
3838 |
default_domain = example.com |
|
3839 |
database_module = openldap_ldapconf |
|
3840 |
} |
|
3841 |
||
3842 |
... |
|
3843 |
||
3844 |
[domain_realm] |
|
3845 |
.example.com = EXAMPLE.COM |
|
3846 |
||
3847 |
... |
|
3848 |
||
3849 |
[dbdefaults] |
|
3850 |
ldap_kerberos_container_dn = dc=example,dc=com |
|
3851 |
||
3852 |
[dbmodules] |
|
3853 |
openldap_ldapconf = { |
|
3854 |
db_library = kldap |
|
3855 |
ldap_kdc_dn = "cn=admin,dc=example,dc=com" |
|
3856 |
||
3857 |
# this object needs to have read rights on |
|
3858 |
# the realm container, principal container and realm sub-trees |
|
3859 |
ldap_kadmind_dn = "cn=admin,dc=example,dc=com" |
|
3860 |
||
3861 |
# this object needs to have read and write rights on |
|
3862 |
# the realm container, principal container and realm sub-trees |
|
3863 |
ldap_service_password_file = /etc/krb5kdc/service.keyfile |
|
3864 |
ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com |
|
3865 |
ldap_conns_per_server = 5 |
|
3866 |
} |
|
3867 |
</programlisting>
|
|
3868 |
||
3869 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3870 |
</step>
|
3871 |
<step>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3872 |
|
3873 |
<para>
|
|
3874 |
Create the stash for the LDAP bind password: |
|
3875 |
</para>
|
|
3876 |
||
3877 |
<screen>
|
|
51.1.1
by Doug Smythies
serverguide-pdf-truncation-part-02; Fix some more PDF truncation issues |
3878 |
<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \
|
3879 |
/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</command>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3880 |
</screen>
|
3881 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3882 |
</step>
|
3883 |
<step>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3884 |
|
3885 |
<para>
|
|
3886 |
Now, on the <emphasis>Primary KDC</emphasis> copy the <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename> |
|
3887 |
<emphasis>Master Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an encrypted |
|
3888 |
connection such as <application>scp</application>, or on physical media. |
|
3889 |
</para>
|
|
3890 |
||
3891 |
<screen>
|
|
3892 |
<command>sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~</command> |
|
3893 |
<command>sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/</command> |
|
3894 |
</screen>
|
|
3895 |
||
3896 |
<note>
|
|
3897 |
<para>
|
|
3898 |
Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm. |
|
3899 |
</para>
|
|
3900 |
</note>
|
|
3901 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3902 |
</step>
|
3903 |
<step>
|
|
3904 |
||
3905 |
<para>
|
|
3906 |
Back on the <emphasis>Secondary KDC</emphasis>, (re)start the ldap |
|
3907 |
server only, |
|
3908 |
</para>
|
|
3909 |
||
3910 |
<screen>
|
|
3911 |
<command>sudo service slapd restart</command> |
|
3912 |
</screen>
|
|
3913 |
||
3914 |
</step>
|
|
3915 |
<step>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3916 |
|
3917 |
<para>
|
|
3918 |
Finally, start the <application>krb5-kdc</application> daemon: |
|
3919 |
</para>
|
|
3920 |
||
3921 |
<screen>
|
|
82.5.1
by Jonathan Davies
sed replaced all init.d commands with 'service'. |
3922 |
<command>sudo service krb5-kdc start</command> |
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3923 |
</screen>
|
3924 |
||
33.5.1
by raubvogel at gmail
Reviewing sub-chapter 6.1; Adding more tests, backup, and other small changes |
3925 |
</step>
|
3926 |
<step>
|
|
3927 |
||
3928 |
<para>
|
|
3929 |
Verify the two ldap servers (and kerberos by extension) are in sync. |
|
3930 |
</para>
|
|
3931 |
||
3932 |
</step>
|
|
3933 |
</procedure>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
3934 |
|
3935 |
<para>
|
|
3936 |
You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to |
|
3937 |
continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos |
|
3938 |
server become unavailable. |
|
3939 |
</para>
|
|
3940 |
||
3941 |
</sect2>
|
|
3942 |
<sect2 id="kerberos-ldap-resources" status="review"> |
|
3943 |
<title>Resources</title> |
|
3944 |
||
3945 |
<itemizedlist>
|
|
3946 |
<listitem>
|
|
3947 |
<para>
|
|
3948 |
The <ulink url="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend"> |
|
3949 |
Kerberos Admin Guide</ulink> has some additional details.
|
|
3950 |
</para>
|
|
3951 |
</listitem>
|
|
3952 |
<listitem>
|
|
3953 |
<para>
|
|
3954 |
For more information on <application>kdb5_ldap_util</application> see |
|
3955 |
<ulink url="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database"> |
|
3956 |
Section 5.6</ulink> and the
|
|
3957 |
<ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man8/kdb5_ldap_util.8.html">kdb5_ldap_util man page</ulink>. |
|
3958 |
</para>
|
|
3959 |
</listitem>
|
|
3960 |
<listitem>
|
|
3961 |
<para>
|
|
3962 |
Another useful link is the <ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man5/krb5.conf.5.html">krb5.conf man page</ulink>. |
|
3963 |
</para>
|
|
3964 |
</listitem>
|
|
3965 |
<listitem>
|
|
3966 |
<para>
|
|
3967 |
Also, see the <ulink url="https://help.ubuntu.com/community/Kerberos#kerberos-ldap">Kerberos and LDAP</ulink> Ubuntu wiki page. |
|
3968 |
</para>
|
|
3969 |
</listitem>
|
|
3970 |
</itemizedlist>
|
|
3971 |
||
3972 |
</sect2>
|
|
3973 |
</sect1>
|
|
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
3974 |
<sect1 id="sssd-ad" status="review"> |
3975 |
<title>SSSD and Active Directory</title> |
|
3976 |
<para>
|
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
3977 |
This section describes the use of sssd to authenticate user logins against an Active Directory via using sssd's "ad" provider. In previous versions of sssd, it was possible to authenticate using the "ldap" provider. However, when authenticating against a Microsoft Windows AD Domain Controller, it was generally necessary to install the POSIX AD extensions on the Domain Controller. The "ad" provider simplifies the configuration and requires no modifications to the AD structure. |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
3978 |
</para>
|
3979 |
<sect2 id="sssd-ad-requirements" status="review"> |
|
3980 |
<title>Prerequisites, Assumptions, and Requirements</title> |
|
3981 |
<itemizedlist>
|
|
3982 |
<listitem>
|
|
266
by Doug Smythies
the old ascii checker command missed some issues, found by improved command. |
3983 |
<para>This guide does not explain Active Directory, how it works, how to set one up, or how to maintain it. It may not provide <quote>best practices</quote> for your environment.</para></listitem> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
3984 |
<listitem>
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
3985 |
<para>This guide assumes that a working Active Directory domain is already configured.</para></listitem> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
3986 |
<listitem>
|
3987 |
<para>The domain controller is acting as an authoritative DNS server for the domain.</para></listitem> |
|
3988 |
<listitem>
|
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
3989 |
<para>The domain controller is the primary DNS resolver as specified in <filename>/etc/resolv.conf</filename>.</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
3990 |
</listitem>
|
3991 |
<listitem>
|
|
3992 |
<para>The appropriate <emphasis>_kerberos</emphasis>, <emphasis>_ldap</emphasis>, <emphasis>_kpasswd</emphasis>, etc. entries are configured in the DNS zone (see Resources section for external links).</para></listitem> |
|
3993 |
<listitem>
|
|
3994 |
<para>System time is synchronized on the domain controller (necessary for Kerberos).</para></listitem> |
|
3995 |
<listitem>
|
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
3996 |
<para>The domain used in this example is <emphasis>myubuntu.example.com</emphasis> .</para></listitem> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
3997 |
</itemizedlist>
|
3998 |
</sect2>
|
|
3999 |
<sect2 id="sssd-ad-installation" status="review"> |
|
4000 |
<title>Software Installation</title> |
|
4001 |
<para>The following packages are needed: <emphasis>krb5-user</emphasis>, <emphasis>samba</emphasis>, <emphasis>sssd</emphasis>, and <emphasis>ntp</emphasis>. Samba needs to be installed, even if the system is not exporting shares. The Kerberos realm and FQDN or IP of the domain controllers are needed for this step.</para> |
|
4002 |
<para>Install these packages now.
|
|
4003 |
</para>
|
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4004 |
<screen><command>sudo apt-get install krb5-user samba sssd ntp</command></screen> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4005 |
<para>See the next section for the answers to the questions asked by the <emphasis>krb5-user</emphasis> postinstall script.</para> |
4006 |
</sect2>
|
|
4007 |
<sect2 id="sssd-ad-kerberos" status="review"> |
|
4008 |
<title>Kerberos Configuration</title> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4009 |
<para>The installation of <emphasis>krb5-user</emphasis> will prompt for the realm name (in ALL UPPERCASE), the kdc server (i.e. domain controller) and admin server (also the domain controller in this example.) This will write the [realm] and [domain_realm] sections in <filename>/etc/krb5.conf</filename>. These sections may not be necessary if domain autodiscovery is working. If not, then both are needed.</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4010 |
<para>If the domain is <emphasis>myubuntu.example.com</emphasis>, enter the realm as <emphasis>MYUBUNTU.EXAMPLE.COM</emphasis> |
4011 |
</para>
|
|
4012 |
||
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4013 |
<para>Optionally, edit <emphasis>/etc/krb5.conf</emphasis> with a few additional settings to specify Kerberos ticket lifetime (these values are safe to use as defaults):</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4014 |
<programlisting>
|
4015 |
[libdefaults] |
|
4016 |
||
4017 |
default_realm = MYUBUNTU.EXAMPLE.COM |
|
4018 |
ticket_lifetime = 24h # |
|
4019 |
renew_lifetime = 7d |
|
4020 |
</programlisting>
|
|
4021 |
||
266
by Doug Smythies
the old ascii checker command missed some issues, found by improved command. |
4022 |
<para>If default_realm is not specified, it may be necessary to log in with <quote>username@domain</quote> instead of <quote>username</quote>.</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4023 |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4024 |
<para>The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail. Ideally, the domain controller server itself will provide the NTP service. Edit <filename>/etc/ntp.conf</filename>:</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4025 |
|
4026 |
<programlisting>
|
|
4027 |
server dc.myubuntu.example.com |
|
4028 |
</programlisting>
|
|
4029 |
||
4030 |
</sect2>
|
|
4031 |
<sect2 id="sssd-ad-samba" status="review"> |
|
4032 |
<title>Samba Configuration</title> |
|
4033 |
<para>Samba will be used to perform netbios/nmbd services related to Active Directory authentication, even if no file shares are exported. Edit the file /etc/samba/smb.conf and add the following to the <emphasis>[global]</emphasis> section:</para> |
|
4034 |
||
4035 |
<programlisting>
|
|
4036 |
[global] |
|
4037 |
||
4038 |
workgroup = MYUBUNTU |
|
4039 |
client signing = yes |
|
4040 |
client use spnego = yes |
|
4041 |
kerberos method = secrets and keytab |
|
4042 |
realm = MYUBUNTU.EXAMPLE.COM |
|
4043 |
security = ads |
|
4044 |
</programlisting>
|
|
4045 |
||
4046 |
<note><para>Some guides specify that "password server" should be specified and pointed to the domain controller. This is only necessary if DNS is not properly set up to find the DC. By default, Samba will display a warning if "password server" is specified with "security = ads".</para></note> |
|
4047 |
||
4048 |
</sect2>
|
|
4049 |
||
4050 |
<sect2 id="sssd-ad-sssdconfig" status="review"> |
|
4051 |
<title>SSSD Configuration</title> |
|
4052 |
||
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4053 |
<para>There is no default/example config file for <filename>/etc/sssd/sssd.conf</filename> included in the sssd package. It is necessary to create one. This is a minimal working config file:</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4054 |
|
4055 |
<programlisting>
|
|
4056 |
[sssd] |
|
4057 |
services = nss, pam |
|
4058 |
config_file_version = 2 |
|
4059 |
domains = MYUBUNTU.EXAMPLE.COM |
|
4060 |
||
4061 |
[domain/MYUBUNTU.EXAMPLE.COM] |
|
4062 |
id_provider = ad |
|
4063 |
access_provider = ad |
|
4064 |
||
4065 |
# Use this if users are being logged in at /. |
|
4066 |
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so |
|
4067 |
override_homedir = /home/%d/%u |
|
4068 |
||
4069 |
# Uncomment if the client machine hostname doesn't match the computer object on the DC. |
|
4070 |
# ad_hostname = mymachine.myubuntu.example.com |
|
4071 |
||
4072 |
# Uncomment if DNS SRV resolution is not working |
|
4073 |
# ad_server = dc.mydomain.example.com |
|
4074 |
||
4075 |
# Uncomment if the AD domain is named differently than the Samba domain |
|
4076 |
# ad_domain = MYUBUNTU.EXAMPLE.COM |
|
4077 |
||
4078 |
# Enumeration is discouraged for performance reasons. |
|
4079 |
# enumerate = true |
|
4080 |
</programlisting>
|
|
4081 |
||
4082 |
<para>After saving this file, set the ownership to root and the file permissions to 600:</para> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4083 |
<screen><command>sudo chown root:root /etc/sssd/sssd.conf</command></screen> |
4084 |
<screen><command>sudo chmod 600 /etc/sssd/sssd.conf</command></screen> |
|
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4085 |
|
4086 |
<para>If the ownership or permissions are not correct, sssd will refuse to start.</para> |
|
4087 |
</sect2>
|
|
4088 |
||
4089 |
<sect2 id="sssd-ad-nsswitch" status="review"> |
|
4090 |
<title>Verify nsswitch.conf Configuration</title> |
|
4091 |
<para>The post-install script for the sssd package makes some modifications to /etc/nsswitch.conf automatically. It should look something like this:</para> |
|
4092 |
||
4093 |
<programlisting>
|
|
4094 |
passwd: compat sss |
|
4095 |
group: compat sss |
|
4096 |
... |
|
4097 |
netgroup: nis sss |
|
4098 |
sudoers: files sss |
|
4099 |
</programlisting>
|
|
4100 |
</sect2>
|
|
4101 |
||
4102 |
<sect2 id="sssd-ad-hosts" status="review"> |
|
4103 |
<title>Modify /etc/hosts</title> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4104 |
<para>Add an alias to the localhost entry in /etc/hosts specifying the FQDN. For example:</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4105 |
<programlisting>192.168.1.10 myserver myserver.myubuntu.example.com</programlisting> |
4106 |
||
4107 |
<para>This is useful in conjunction with dynamic DNS updates.</para> |
|
4108 |
</sect2>
|
|
4109 |
||
4110 |
<sect2 id="sssd-ad-join" status="review"> |
|
4111 |
<title>Join the Active Directory</title> |
|
4112 |
<para>Now, restart ntp and samba and start sssd.</para> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4113 |
<screen><command>sudo service ntp restart</command> |
4114 |
<command>sudo restart smbd</command> |
|
4115 |
<command>sudo restart nmbd</command> |
|
4116 |
<command>sudo start sssd</command></screen> |
|
4117 |
||
4118 |
<para>Test the configuration by obtaining a Kerberos ticket:</para> |
|
4119 |
||
4120 |
<screen><command>sudo kinit Administrator</command></screen> |
|
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4121 |
|
4122 |
<para>Verify the ticket with:</para> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4123 |
<screen><command>sudo klist</command></screen> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4124 |
|
4125 |
<para>If there is a ticket with an expiration date listed, then it is time to join the domain:</para> |
|
4126 |
||
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4127 |
<screen><command>sudo net ads join -k</command></screen> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4128 |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4129 |
<para>A warning about "No DNS domain configured. Unable to perform DNS Update." probably means that there is no (correct) alias in <filename>/etc/hosts</filename>, and the system could not provide its own FQDN as part of the Active Directory update. This is needed for dynamic DNS updates. Verify the alias in <filename>/etc/hosts</filename> described in "Modify /etc/hosts" above.</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4130 |
|
4131 |
<para>(The message "NT_STATUS_UNSUCCESSFUL" indicates the domain join failed and something is incorrect. Review the prior steps before proceeding).</para> |
|
4132 |
||
4133 |
<para>Here are a couple of (optional) checks to verify that the domain join was successful. Note that if the domain was successfully joined but one or both of these steps fail, it may be necessary to wait 1-2 minutes and try again. Some of the changes appear to be asynchronous.</para> |
|
4134 |
||
4135 |
<para>Verification option #1:</para> |
|
4136 |
<para>Check the default Organizational Unit for computer accounts in the Active Directory to verify that the computer account was created. (Organizational Units in Active Directory is a topic outside the scope of this guide).</para> |
|
4137 |
||
4138 |
<para>Verification option #2</para> |
|
4139 |
<para>Execute this command for a specific AD user (e.g. administrator)</para> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4140 |
<screen><command>getent passwd username</command></screen> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4141 |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4142 |
<note><para>If <emphasis>enumerate = true</emphasis> is set in <filename>sssd.conf</filename>, <emphasis>getent passwd</emphasis> with no username argument will list all domain users. This may be useful for testing, but is slow and not recommended for production.</para></note> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4143 |
</sect2>
|
4144 |
||
4145 |
<sect2 id="sssd-ad-test" status="review"> |
|
4146 |
<title>Test Authentication</title> |
|
4147 |
<para>It should now be possible to authenticate using an Active Directory User's credentials:</para> |
|
4148 |
||
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4149 |
<screen><command>su - username</command></screen> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4150 |
|
4151 |
<para>If this works, then other login methods (getty, ssh) should also work.</para> |
|
4152 |
||
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4153 |
<para>If the computer account was created, indicating that the system was "joined" to the domain, but authentication is unsuccessful, it may be helpful to review <filename>/etc/pam.d</filename> and <filename>nssswitch.conf</filename> as well as the file changes described earlier in this guide.</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4154 |
</sect2>
|
4155 |
||
4156 |
<sect2 id="sssd-ad-mkhomedir" status="review"> |
|
4157 |
<title>Home directories with pam_mkhomedir (optional)</title> |
|
266
by Doug Smythies
the old ascii checker command missed some issues, found by improved command. |
4158 |
<para>When logging in using an Active Directory user account, it is likely that user has no home directory. This can be fixed with pam_mkdhomedir.so, which will create the user's home directory on login. Edit <filename>/etc/pam.d/common-session</filename>, and add this line directly after <emphasis>session required pam_unix.so:</emphasis></para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4159 |
<programlisting>
|
4160 |
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 |
|
4161 |
</programlisting>
|
|
4162 |
||
266
by Doug Smythies
the old ascii checker command missed some issues, found by improved command. |
4163 |
<note><para>This may also need <emphasis>override_homedir</emphasis> in <filename>sssd.conf</filename> to function correctly, so make sure that's set.</para></note> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4164 |
</sect2>
|
4165 |
||
4166 |
<sect2 id="sssd-ad-desktop" status="review"> |
|
4167 |
<title>Desktop Ubuntu Authentication</title> |
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4168 |
<para>It is possible to also authenticate logins to Ubuntu Desktop using Active Directory accounts. The AD accounts will not show up in the pick list with local users, so lightdm will need to be modified. Edit the file <filename>/etc/lightdm/lightdm.conf.d/50-unity-greeter.conf</filename> and append the following two lines:</para> |
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4169 |
|
4170 |
<programlisting>
|
|
4171 |
greeter-show-manual-login=true |
|
4172 |
greeter-hide-users=true |
|
4173 |
</programlisting>
|
|
4174 |
||
4175 |
<para>Reboot to restart lightdm. It should now be possible to log in using a domain account using either <emphasis>username</emphasis> or <emphasis>username/username@domain</emphasis> format.</para> |
|
4176 |
</sect2>
|
|
4177 |
||
4178 |
<sect2 id="sssd-ad-resources" status="review"> |
|
4179 |
<title>Resources</title> |
|
4180 |
<itemizedlist>
|
|
236.1.2
by Mark Thomas
Changes based on feedback in LP |
4181 |
<listitem><para><ulink url="https://fedorahosted.org/sssd">SSSD Project</ulink></para></listitem> |
4182 |
<listitem><para><ulink url="http://www.ucs.cam.ac.uk/support/windows-support/winsuptech/activedir/dnsconfig">DNS Server Configuration guidelines</ulink></para></listitem> |
|
4183 |
<listitem><para><ulink url="https://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx">Active Directory DNS Zone Entries</ulink></para></listitem> |
|
4184 |
<listitem><para><ulink url="http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html">Kerberos config options</ulink></para></listitem> |
|
236.1.1
by mark.thomas at canonical
Draft of SSSD addition to section 7.5 |
4185 |
</itemizedlist>
|
4186 |
||
4187 |
</sect2>
|
|
4188 |
</sect1>
|
|
1
by Matthew East
Add files from ubuntu-docs natty branch, trim to use only those necessary for serverguide |
4189 |
</chapter>
|