
Thread: Authenticating Windows to openLDAP server on Ubuntu 9.10

  1. #1
    Join Date
    Nov 2009
    Beans
    42

    Authenticating Windows to openLDAP server on Ubuntu 9.10

    This is a quick guide to setting up LDAP on your server so that Linux/Windows users can join your domain. This was written specifically because I saw several people complaining that it could not be done on Ubuntu 9.10 and I figured, "Hey I've worked it out, so why not share it?"

    I have used the guide at least 4 times on a clean install of Ubuntu 9.10. It has worked 100% without so much as a hiccup. It should work for you too ;)

    Edit: I forgot to mention, but this is based on this thread and is simply updated for 9.10 and fixed up a little in a few random areas.

    LDAP

    At-a-Glance
    1. Download necessary packages
    2. Prepare the System
    3. Configure slapd
    4. Prepare LDAP for use with Samba

    Download necessary packages



    apt-get --yes install slapd ldap-utils db4.2-util samba-doc


    You can use Synaptic Package Manager if you want, just make sure the following four packages are installed (make sure to accept any dependencies as well).

    • slapd
    • ldap-utils
    • db4.2-util
    • samba-doc

    I chose to use the terminal window because I’ve given you the entire command to just copy and paste. It’s a lot quicker than searching through Synaptic.

    Prepare the System

    Rather than having LDAP store every user we create in the home directory, we’re going to create a separate directory for LDAP to use. This is really more of a housekeeping issue than anything else. It makes keeping track of things a little easier (in my opinion).

    1. Make the directory
    Open a new terminal window and as a regular user enter
    mkdir /ldaphome
    2. Make the directory available to everyone
    chmod 777 /ldaphome -R

    Configure slapd

    There is one important thing you should know before following this part of my guide. slapd’s latest build allows you to dynamically make changes to the directory structure without requiring a restart. This is a great feature but there is one small problem: It sucks. I’ve spent HOURS reading the official documentation trying to figure out how to use the stupid thing and it still makes no sense. It’s bulky, complicated, and requires way too much work to make changes. It needs some serious revision (like an easy-to-use GUI) before I make the transition (or at least some better documentation, sheesh).

    However, using the old method is a temporary solution. It’s a known fact that at some point the people who release slapd will remove support for the older way of modifying slapd. So you have two choices.

    1. Follow this guide to replace the new method (slapd.d directory structure) with the original method (slapd.conf file) and then be forced to upgrade at some point in the (distant, not so distant?) future.
    2. Use this guide as a basis for what to do, but learn how to use the new method yourself.
    Okay, with that out of the way...

    1. The first step is to completely remove the slapd.d directory. To do so open a terminal window with root privileges and enter the following command.
    rm -r /etc/ldap/slapd.d

    2. Next we need to edit the main slapd file.
    gedit /etc/default/slapd
    Around the 6th line you should see

    SLAPD_CONF=
    We’re going to change the line to

    SLAPD_CONF=/etc/ldap/slapd.conf
    3. Add the samba schema for ldap

    Enter the following two commands in a terminal window with root privileges

    gunzip /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz
    cp -v /usr/share/doc/samba-doc/examples/LDAP/samba.schema /etc/ldap/schema
    4. Decide on an LDAP administrator password and generate an SSHA hash for it

    slappasswd -s YOUR-PASSWORD-GOES-HERE

    It will return a line that looks something like this:

    {SSHA}LQFFfwELK3few56afcsdaDSADS135w

    5. Create an init.ldif file

    In just a minute we’re going to use this file to populate our LDAP server. Enter the command

    gedit /etc/ldap/init.ldif

    Since there is no file by that name yet, gedit will automatically create it for you. Copy and paste the following into your empty init.ldif file. Remember to replace each dc=example, dc=local with your own domain information. Look below the box for a description of the main term in this file.

    Code:
    dn: dc=example,dc=local
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: example
    ou: My Example File

    dn: cn=admin,dc=example,dc=local
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: {SSHA}paste-here-the-results-of-slappasswd

    dn: ou=Users,dc=example,dc=local
    objectClass: organizationalUnit
    ou: Users

    dn: ou=Groups,dc=example,dc=local
    objectClass: organizationalUnit
    ou: Groups

    dn: ou=Computers,dc=example,dc=local
    objectClass: organizationalUnit
    ou: Computers

    dn: ou=Idmap,dc=example,dc=local
    objectClass: organizationalUnit
    ou: Idmap




    6. Create the slapd.conf file
    Okay so we’ve told slapd to use the old method of configuration, but the slapd.conf file doesn’t actually exist yet.

    To create it enter the following command

    gedit /etc/ldap/slapd.conf

    Copy and paste the following then save and close it. Remember to replace example.local with your actual domain information.

    Code:
    # Remember to replace suffix "dc=example,dc=local" with your domain name
    # Change the rootpw entry with the results from slappasswd (must match the one you pasted into init.ldif)
    
    # /etc/ldap/slapd.conf
    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.
    
    ######################################################################## 
    #Global Directives: 
    
    # Features to permit
    #allow bind_v2
    
    # Schema and objectClass definitions
    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema
    include         /etc/ldap/schema/samba.schema
    include         /etc/ldap/schema/misc.schema
    
    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile                      /var/run/slapd/slapd.pid
    
    # List of arguments that were passed to the server
    argsfile                   /var/run/slapd/slapd.args
    
    # Read slapd.conf(5) for possible values
    loglevel        0
    # Where the dynamically loaded modules are stored
    modulepath               /usr/lib/ldap
    moduleload          back_bdb
    
    # The maximum number of entries that is returned for a search operation
    sizelimit 500 
    
    # The tool-threads parameter sets the actual amount of cpu's that is used
    # for indexing.
    tool-threads 1 
    
    #######################################################################
    # Specific Backend Directives for bdb:
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend                   bdb
    #checkpoint 512 30 
    
    #######################################################################
    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend                <other> 
    
    #######################################################################
    # Specific Directives for database #1, of type bdb:
    # Database specific directives apply to this database until another
    # 'database' directive occurs
    database              bdb 
    
    # The base of your directory in database #1
    suffix                       "dc=example,dc=local" 
    
    # rootdn directive for specifying a superuser on the database. This is needed
    # for syncrepl.
    rootdn                       "cn=admin,dc=example,dc=local"
    # REMEMBER! REPLACE THIS WITH THE RESULTS FROM SLAPPASSWD
    # (slapd.conf only accepts comments on their own line, not after a directive)
    rootpw                       {SSHA}iPFTqrtwr3yT3XGQot2wxCuuljKA9vMU
    
    # Where the database file are physically stored for database #1
    directory       "/var/lib/ldap" 
    
    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0 
    
    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057
    # for more information. 
    
    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    dbconfig set_lk_max_locks 1500
    # Number of lockers
    dbconfig set_lk_max_lockers 1500 
    
    # Indexing options for database #1
    #index                  objectClass eq, pres
    index ou,cn,sn,mail,givenname        eq,pres,sub
    index uidNumber,gidNumber,memberUid  eq,pres
    index loginShell                     eq,pres
    index uniqueMember                   eq,pres
    index uid                            pres,sub,eq
    index displayName                    pres,sub,eq
    index sambaSID                       eq
    index sambaPrimaryGroupSID           eq
    index sambaDomainName                eq
    index default                        sub
    #index uid                           pres,eq,sub
    
    # Save the time that the entry gets modified, for database #1
    lastmod         on 
    
    # Where to store the replica logs for database #1
    # replogfile    /var/lib/ldap/replog 
    
    # The userPassword by default can be changed
    # by the entry owning it if they are authenticated.
    # Others should not be able to see it, except the
    # admin entry below
    # These access lines apply to database #1 only
    access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=local"  write
        by anonymous auth        
        by self write
        by * none 
     
    # Ensure read access to the base for things like
    # supportedSASLMechanisms.  Without this you may
    # have problems with SASL not knowing what
    # mechanisms are available and the like.
    # Note that this is covered by the 'access to *'
    # ACL below too but if you change that as people
    # are wont to do you'll still need this if you
    # want SASL (and possible other things) to work
    # happily.
    access to dn.base="" by * read 
    
    # The admin dn has full write access, everyone else
    # can read everything.
    access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read
     
    # For Netscape Roaming support, each user gets a roaming
    # profile for which they have write access to
    #access to dn=".*,ou=Roaming,o=morsnet"
    #                          by dn="cn=admin,dc=example,dc=ch" write
    #                   by dnattr=owner write 
    
    ######################################################################
    # Specific Directives for database #2, of type 'other' (can be bdb too):
    # Database specific directives apply to this database until another
    # 'database' directive occurs
    #database        <other> 
    
    # The base of your directory for database #2
    #suffix         "dc=debian,dc=org"




    7. Initialize the LDAP database


    First stop the slapd service

    /etc/init.d/slapd stop
    Ensure that the ldap folder is clean

    rm -rf /var/lib/ldap/*

    Add the .ldif file you created


    slapadd -v -l /etc/ldap/init.ldif

    If all goes well you should see a final line that looks like this:

    #################### 100.00% eta none elapsed none fast!



    Make sure that LDAP has the correct privileges to access its own directory

    chown -R openldap:openldap /var/lib/ldap
    Start the slapd service back up

    /etc/init.d/slapd start
    If everything was done correctly it will say: Starting OpenLDAP: slapd
    If you get an error message, go back and make sure you’ve done everything correctly.

    8. Test to see if everything is working

    ldapsearch -xLLL -b "dc=example,dc=local"

    If it’s working then it should list all the entries that we created in the init.ldif file.

    Samba


    At-a-Glance
    1. Install Samba
    2. Configure Samba
    3. Configure smbldap-tools

    Install Samba


    Again, we have two options of installing Samba. For those who want to use a bash prompt:
    apt-get --yes install samba libpam-smbpass smbldap-tools

    For the Synaptic fans make sure you install the following packages

    • samba (not samba 4! I've discovered at the time of this writing Samba 3.4 is one of two versions (the other is 3.3.4) of samba that can allow Windows 7 machines to join the domain! samba 4 might work, but use it at your own risk! So PLEASE use 3.4!)
    • libpam-smbpass
    • smbldap-tools

    Configure Samba for use with LDAP

    1. Create Samba folders that have not been automatically created ..


    mkdir -v /var/lib/samba/profiles
    chmod 777 /var/lib/samba/profiles
    mkdir -v -p /var/lib/samba/netlogon

    2. Edit the smb.conf file

    gedit /etc/samba/smb.conf

    Delete EVERYTHING that is there and replace it with the following. Be sure to replace EXAMPLE with your information.

    Code:
    
    [global]

    # Domain name ..
    workgroup = EXAMPLE

    # Server name - as seen by Windows PCs ..
    netbios name = SERVERNAME

    # Be a PDC ..
    domain logons = Yes
    domain master = Yes

    # Be a WINS server ..
    wins support = true

    obey pam restrictions = Yes
    dns proxy = No
    os level = 35
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    pam password change = Yes

    # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
    unix password sync = no
    ldap passwd sync = yes

    # Printing from PCs will go via CUPS ..
    load printers = yes
    printing = cups
    printcap name = cups

    # Use LDAP for Samba user accounts and groups ..
    passdb backend = ldapsam:ldap://localhost

    # This must match init.ldif ..
    ldap suffix = dc=example,dc=local

    # The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
    # This is done by running 'sudo smbpasswd -w'.
    ldap admin dn = cn=admin,dc=example,dc=local

    # 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
    # (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap

    # Samba and LDAP server are on the same server in this example.
    ldap ssl = no

    # Scripts for Samba to use if it creates users, groups, etc.
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    # Script that Samba uses when a PC joins the domain ..
    # (when changing 'Computer Properties' on the PC)
    add machine script = /usr/sbin/smbldap-useradd -w '%u'

    # Values used when a new user is created ..
    # (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
    logon drive =
    logon home =
    logon path =
    logon script =

    # This is required for Windows XP client ..
    server signing = auto
    server schannel = Auto

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    admin users = root
    guest ok = Yes
    browseable = No

    [Profiles]
    comment = Roaming Profile Share
    # would probably change this to elsewhere in a production system ..
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    browsable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    use client driver = Yes
    create mask = 0600
    guest ok = Yes
    printable = Yes
    browseable = No
    public = yes
    writable = yes
    admin users = root
    write list = root

    [print$]
    comment = Printer Drivers Share
    path = /var/lib/samba/printers
    write list = root
    create mask = 0664
    directory mask = 0775
    admin users = root

    3. Store LDAP password for Samba use

    smbpasswd -W
    It will display the following

    Setting stored password for "cn=admin,dc=example,dc=local" in secrets.tdb
    New SMB password:
    Retype new SMB password:
    Make sure that the password you type in is the same one you created with slappasswd -s.


    4. Restart Samba

    /etc/init.d/samba restart

    Configure smbldap-tools


    1. Getting smbldap-tools ready

    cd /usr/share/doc/smbldap-tools/examples/
    Then execute the following commands

    cp smbldap_bind.conf /etc/smbldap-tools/
    cp smbldap.conf.gz /etc/smbldap-tools/
    gzip -d /etc/smbldap-tools/smbldap.conf.gz
    Open up the smbldap-tools directory:

    cd /etc/smbldap-tools/
    2. Get the SID for your domain


    net getlocalsid

    It will return something like:

    SID for domain SERVERNAME is: S-1-5-21-2899629268-4176875250-2352135513


    Copy this number


    3. Edit your smbldap.conf file

    gedit /etc/smbldap-tools/smbldap.conf


    We need to make the following changes, but you cannot just copy and paste them into the file. You need to search for them and make the adjustments.



    Code:
    SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
    sambaDomain="EXAMPLE"
    ldapTLS="0"
    suffix="dc=example,dc=local"
    sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!!
    userHome="/ldaphome/%U" ## This is found in the UNIX section.
    userSmbHome=
    userProfile=
    userHomeDrive=
    userScript=
    mailDomain="example.local"

    4. Open the file /etc/smbldap-tools/smbldap_bind.conf for editing:

    gedit /etc/smbldap-tools/smbldap_bind.conf


    Edit the file so the following is correct according to your setup

    Code:
    
    slaveDN="cn=admin,dc=example,dc=local"
    slavePw="12345"
    masterDN="cn=admin,dc=example,dc=local"
    masterPw="12345" 


    5. Set the correct permissions for the above two files


    chmod 0644 /etc/smbldap-tools/smbldap.conf
    chmod 0600 /etc/smbldap-tools/smbldap_bind.conf


    6. Populate the LDAP database with essential Samba entries.
    This includes the creation of standard groups, such as Administrators and Domain Users.


    smbldap-populate


    You will see an output like

    Populating LDAP directory for domain EXAMPLE(S-1-5-21-2899629268-4176875250-2352135513)
    At the very end it will ask you to enter a password for samba. Go ahead and enter the same password you used when you ran the command slappasswd -s

    7. Stop the LDAP server, run slapindex, and restart the LDAP server.

    /etc/init.d/slapd stop
    slapindex
    chown openldap:openldap /var/lib/ldap/*
    /etc/init.d/slapd start

    Slapd should start with no problem. If it doesn’t, retrace your steps in the config files and check for the following. Especially check smbldap_bind.conf and make sure you didn’t misspell your password. Otherwise check your smbldap.conf file and make sure you made all the appropriate changes.

    You shouldn’t need to look anywhere else but those two files. The reason being that slapd was already running successfully up to this point. Any reason for its failure should be isolated to the changes you just made.

    OpenLDAP


    At-a-Glance
    1. Add a User
    2. Add LDAP authentication
    3. Add a Windows computer to the domain

    Add a User

    Your directory is almost ready for use, but so far no one is in it! Let’s add a user. I’ll use the example of matthew, but you might as well change it to whatever user name you plan on using yourself (we’ll be giving it root privileges). I suggest making the name different from the user name you set up during installation, just to keep things clean.

    1. Add the user

    smbldap-useradd -a -m -M matthewb -c "Matthew B" matthewb
    The -a sets up a Samba (and UNIX) account
    The -m will create a home directory for the user if one does not yet exist
    The -M sets their username as part of their e-mail
    The -c sets their full name
    matthewb is the name of the user

    Before we’re done setting up this user account, we need to add a password.

    smbldap-passwd matthewb

    It will prompt you for a password.

    2. Give it administrator privileges


    /usr/sbin/smbldap-groupmod -m 'matthewb' 'Administrators'
    /usr/sbin/smbldap-groupmod -m 'root' 'Administrators'

    Configure Authentication

    1. Add LDAP Authentication on the Server

    apt-get --yes install ldap-auth-client
    It will ask you a series of questions; here’s how to answer them.
    LDAP server Uniform Resource Identifier: ldap://127.0.0.1
    Distinguished name of the search base: dc=example,dc=local
    LDAP version to use: 3
    Make local root Database admin: Yes
    Does the LDAP database require login? No
    LDAP account for root: cn=admin,dc=example,dc=local
    LDAP root account password: <enter the LDAP admin password>

    2. Edit your ldap.conf file

    gedit /etc/ldap.conf
    Find the following referenced lines and make the changes indicated (Make sure to uncomment them if they are commented out)

    Code:
    host 127.0.0.1
    base dc=example,dc=local
    uri ldap://127.0.0.1/
    rootbinddn cn=admin,dc=example,dc=local
    bind_policy soft


    3. Copy your ldap.conf into the correct folder


    cp /etc/ldap.conf /etc/ldap/ldap.conf
    4. Configure the authentication

    Create a new file by running

    gedit /etc/auth-client-config/profile.d/open_ldap
    Copy and paste the following into the new file

    Code:
    [open_ldap]
    nss_passwd=passwd: compat ldap
    nss_group=group: compat ldap
    nss_shadow=shadow: compat ldap
    nss_netgroup=netgroup: nis
    pam_auth=auth         required    pam_env.so
            auth          sufficient  pam_unix.so likeauth nullok
            auth          sufficient  pam_ldap.so use_first_pass
            auth          required    pam_deny.so
    pam_account=account   sufficient  pam_unix.so
            account       sufficient  pam_ldap.so
            account       required    pam_deny.so
    pam_password=password sufficient  pam_unix.so nullok md5 shadow use_authtok
            password      sufficient  pam_ldap.so use_first_pass
            password      required    pam_deny.so
    pam_session=session   required    pam_limits.so
            session       required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
            session       required    pam_unix.so
            session       optional    pam_ldap.so


    5. Enable the new profile


    auth-client-config -a -p open_ldap
    If you receive the following error:

    Error in updating the file: 'nss_netgroup' not found
    Then open your open_ldap file

    gedit /etc/auth-client-config/profile.d/open_ldap
    Delete the line that says

    nss_netgroup=netgroup: nis
    And replace it with

    nss_netgroup=netgroup: compat ldap
    Finally, run the

    auth-client-config -a -p open_ldap
    command again. You’ll get several error messages about how a certain command already exists. As long as you do not see

    Error in updating the file: 'nss_netgroup' not found
    Then everything installed correctly and you’re good to go!

    6. Enable Samba in Firewall

    All that's left to do is to allow Samba services through your firewall
    (Ports 137-139 and 445). This is necessary because we are using Samba as a stop-gap between LDAP and the windows machines.


    7. Restart the server
    You can now join a computer to your domain like normal (if you are using XP; Vista and 7 have some more steps on the client's end). When it prompts you for a user name with administrative privileges, don't use root. Use the one you made. The reason is that Ubuntu disables root, so I don't think that username will work if you try to use it.

    I really hope this guide helps you. Windows and openLDAP certainly aren't the easiest thing to get to work together (A direct authentication via Kerberos would be awesome), but it CAN be done! Good luck guys (and gals too I guess:P)!

    Getting Vista and Windows 7 to Join Domain

    THIS IS NOT NECESSARY FOR XP MACHINES!

    While getting one of my machines to join the domain I learned two very nasty little tidbits. The first is that
    Vista and 7 have about 3 too many versions (stupid Microsoft) and for some reason only Professional and up have the ability to actually join a domain. The second thing I learned was that they both require some... convincing to join a Samba domain. I don't have Vista so I couldn't test if the second part was needed or not. If you use Vista, please let me know if it worked and, if it didn't, what did work for you in the end.


    Steps for both Windows 7 and Vista on a Samba Domain.
    1. Click on the Windows button (It used to be the Start button)

    2. In the "Search programs and files" box type in "secpol.msc"

    3. Go to:
    Local Policies -> Security Options
    4. Find the Policy named "Network Security: LAN Manager authentication level".

    5. Change it to "Send LM & NTLM - use NTLMv2 session security if negotiated"

    6. Click okay and close the secpol.msc window.

    At this point, I am unaware of anything else Vista needs to get onto the domain. Windows 7, however needs some more work.
    1. Samba 3.4 MUST be installed. I mentioned this earlier but there are some known issues with samba and windows 7. Samba 3.4 does not have those problems (3.4 is, at the time of this writing, the most recent version of the "samba" package)

    2. You need to make the following registry edits

    Go to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]

    And add two new dword values:

    "DomainCompatibilityMode" (set to 1)
    "DNSNameResolutionRequired" (set to 0)

    The above need to be added to allow the join to work.

    Then go to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]

    And make sure the following two values are set to 1 (they should already exist)

    "RequireSignOrSeal"
    "RequireStrongKey"

    Okay, Windows 7 should now join the domain! Good luck to all!
    Last edited by abishur; December 28th, 2009 at 04:16 PM.
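    The post above pastes the slappasswd output into two files, init.ldif (userPassword) and slapd.conf (rootpw), and stresses that the two must match. The Python script below is an added example, not code from the post or from OpenLDAP: it reimplements the default {SSHA} scheme slappasswd uses, base64 of SHA-1(password || salt) followed by the salt, so a hash can be verified against the intended admin password and both files checked in one go. The function names (ssha_hash, ssha_verify, extract_hashes, admin_hashes_consistent, build_samples) and the ldif/conf fragments are mine; the fragments are constructed for the demo. Two hashes of one password normally differ because the salt is random, so comparing the strings byte for byte is the wrong test; verifying each against the password is the right one.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes.

Added example (not from the forum post). slappasswd's default scheme is
    {SSHA} + base64( SHA1(password || salt) || salt )
with a 4-byte random salt, so two hashes of the same password normally
differ; what matters is that both verify against the password you intend
to use. The ldif/conf fragments below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string in the form slappasswd prints (4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value; the salt is recovered from the blob."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} hash: %r" % stored)
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("{SSHA} blob too short to hold a digest and a salt")
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison: avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def extract_hashes(init_ldif: str, slapd_conf: str) -> Tuple[str, str]:
    """Pull the admin hash from init.ldif (userPassword) and slapd.conf (rootpw)."""
    m_ldif = re.search(r"^userPassword:\s*(\{SSHA\}\S+)", init_ldif, re.M)
    m_conf = re.search(r"^rootpw\s+(\{SSHA\}\S+)", slapd_conf, re.M)
    if not (m_ldif and m_conf):
        raise ValueError("userPassword or rootpw line not found")
    return m_ldif.group(1), m_conf.group(1)


def admin_hashes_consistent(init_ldif: str, slapd_conf: str, password: str) -> bool:
    """True when the hashes in both files verify against the same admin password."""
    ldif_hash, conf_hash = extract_hashes(init_ldif, slapd_conf)
    return ssha_verify(password, ldif_hash) and ssha_verify(password, conf_hash)


def build_samples(password: str) -> Tuple[str, str]:
    """Constructed init.ldif and slapd.conf fragments that both carry one fresh hash."""
    h = ssha_hash(password)
    init_ldif = (
        "dn: cn=admin,dc=example,dc=local\n"
        "objectClass: simpleSecurityObject\n"
        "objectClass: organizationalRole\n"
        "cn: admin\n"
        f"userPassword: {h}\n"
    )
    slapd_conf = (
        'suffix  "dc=example,dc=local"\n'
        'rootdn  "cn=admin,dc=example,dc=local"\n'
        f"rootpw  {h}\n"
    )
    return init_ldif, slapd_conf


if __name__ == "__main__":
    ldif, conf = build_samples("change-me")  # constructed demo password
    print(extract_hashes(ldif, conf))
    print("consistent:", admin_hashes_consistent(ldif, conf, "change-me"))
    print("wrong password:", admin_hashes_consistent(ldif, conf, "nope"))
```

    Run it as a script to see the two constructed fragments agree for the demo password and disagree for a wrong one; to check a real setup, read your own init.ldif and slapd.conf into the two strings instead. One habit worth adopting: slappasswd prompts for the password when -s is omitted, which keeps it out of shell history and the process list.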

  2. #2
    Join Date
    Aug 2007
    Beans
    22

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Hi. Thanks for this tutorial. I'm trying to install it in Ubuntu 9.04 server.
    I have a problem when
    slapadd -v -l /etc/ldap/init.ldif
    It shows an error

    /etc/ldap/slapd.conf: line 10: unknown directive <Global> outside backend info and database definitions.
    slapadd: bad configuration file!

    If I add a #, like in your other thread about ldap, a new error is shown, and now I don't know how to solve it.


    root@linuxserver:/etc/ldap# slapadd -v -l /etc/ldap/init.ldif
    /etc/ldap/slapd.conf: line 112: warning: no by clause(s) specified in access line.
    <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
    <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
    <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
    <attrlist> ::= <attr> [ , <attrlist> ]
    <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
    <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
    [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
    [dnattr=<attrname>]
    [realdnattr=<attrname>]
    [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
    [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
    [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
    [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
    [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
    <style> ::= exact | regex | base(Object)
    <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
    <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
    <peernamestyle> ::= exact | regex | ip | ipv6 | path
    <domainstyle> ::= exact | regex | base(Object) | sub(tree)
    <access> ::= [[real]self]{<level>|<priv>}
    <level> ::= none|disclose|auth|compare|search|read|{write|add| delete}|manage
    <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
    <control> ::= [ stop | continue | break ]
    dynacl:
    <name>=ACI <pattern>=<attrname>

    slapadd: bad configuration file!

    Do you know any solution??
    Thanks

  3. #3
    Join Date
    Nov 2009
    Beans
    42

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by evayroberto View Post
    Hi. Thanks for this tutorial. I'm trying to install it in Ubuntu 9.04 server.
    I have a problem when
    slapadd -v -l /etc/ldap/init.ldif
    It shows an error

    /etc/ldap/slapd.conf: line 10: unknown directive <Global> outside backend info and database definitions.
    slapadd: bad configuration file!

    If I add a #, like in your other thread about ldap, a new error is shown, and now I don't know how to solve it.

    Are you using the slapd.conf file or the slapd.d directory structure? If you're using the slapd.d directory structure then I'm afraid I don't know how to help you. I got fed up trying to figure that garbage out; an update that makes the software 10 times more difficult to use is... well, Windows Vista is the best analogy I can think of.

    Well, my little soapbox aside, if you are using the slapd.conf like I did, make sure you updated the information in /etc/default/slapd. It's not enough to just add a slapd.conf file, you have to make certain slapd knows to use it.

    It's also possible that there's a problem with the ldif file. There are 6 places where you need to change "dc=example,dc=local" to your network's information.

    Would you mind posting your ldif file? Maybe with two pairs of eyes we can spot what's going on.
    Last edited by abishur; December 2nd, 2009 at 02:35 AM.
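    abishur's reply above points at the usual culprit: the directory suffix and the admin DN are repeated in every file the guide edits (init.ldif, slapd.conf, smb.conf, smbldap.conf, smbldap_bind.conf and /etc/ldap.conf), and one stale copy breaks the setup with an error that names none of them. The Python script below is an added example, not part of the thread; it collects each file's DN with regular expressions written for the directives the guide uses and reports the odd ones out. The sample file contents are constructed, with a stale dc=example,dc=com left in smb.conf on purpose, and the function names (normalize_dn, collect, odd_ones_out, check_consistency) are mine.

```python
"""Cross-check the base DN and the admin DN across the files the guide edits.

Added example (not from the thread). Each of init.ldif, slapd.conf, smb.conf,
smbldap.conf, smbldap_bind.conf and /etc/ldap.conf repeats the directory
suffix and/or the admin DN; one stale value in a single file shows up only as
"No such object" from ldapsearch or as a Samba bind failure, with nothing
pointing at the file. The regexes and the sample contents are ours.
"""
import re
from typing import Dict, List, Tuple

# (file label, regex with one group capturing the DN) for each place a DN lives.
BASE_DN_PATTERNS = [
    ("init.ldif", r"^dn:\s*(dc=.+)$"),            # first entry of the LDIF
    ("slapd.conf", r'^suffix\s+"?([^"\s]+)"?'),
    ("smb.conf", r"^ldap suffix\s*=\s*(\S+)"),
    ("smbldap.conf", r'^suffix="([^"]+)"'),
    ("ldap.conf", r"^base\s+(\S+)"),
]
ADMIN_DN_PATTERNS = [
    ("init.ldif", r"^dn:\s*(cn=admin,.+)$"),
    ("slapd.conf", r'^rootdn\s+"?([^"]+)"?'),
    ("smb.conf", r"^ldap admin dn\s*=\s*(\S+)"),
    ("smbldap_bind.conf", r'^masterDN="([^"]+)"'),
    ("ldap.conf", r"^rootbinddn\s+(\S+)"),
]

# Constructed sample files; smb.conf deliberately carries a stale dc=com suffix.
SAMPLE_FILES = {
    "init.ldif": (
        "dn: dc=example,dc=local\nobjectClass: dcObject\ndc: example\n\n"
        "dn: cn=admin, dc=example,dc=local\ncn: admin\n"
    ),
    "slapd.conf": 'suffix   "dc=example,dc=local"\nrootdn   "cn=admin,dc=example,dc=local"\n',
    "smb.conf": "[global]\nldap suffix = dc=example,dc=com\nldap admin dn = cn=admin,dc=example,dc=com\n",
    "smbldap.conf": 'suffix="dc=example,dc=local"\n',
    "smbldap_bind.conf": 'masterDN="cn=admin,dc=example,dc=local"\n',
    "ldap.conf": "base dc=example,dc=local\nrootbinddn cn=admin,dc=example,dc=local\n",
}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: strip quotes/whitespace, no spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()


def collect(files: Dict[str, str], patterns: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map file label -> normalized DN for the first matching directive in each file present."""
    found: Dict[str, str] = {}
    for label, pattern in patterns:
        text = files.get(label)
        if text is None:
            continue
        match = re.search(pattern, text, re.M)
        if match:
            found[label] = normalize_dn(match.group(1))
    return found


def odd_ones_out(found: Dict[str, str]) -> List[Tuple[str, str]]:
    """(file, dn) pairs that disagree with the value most files use; empty when all agree."""
    if not found:
        return []
    counts: Dict[str, int] = {}
    for dn in found.values():
        counts[dn] = counts.get(dn, 0) + 1
    majority = max(counts, key=counts.get)
    return sorted((f, dn) for f, dn in found.items() if dn != majority)


def check_consistency(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Report files whose base or admin DN disagree, plus admin DNs not under their own file's base."""
    base = collect(files, BASE_DN_PATTERNS)
    admin = collect(files, ADMIN_DN_PATTERNS)
    outside = sorted(
        (label, dn) for label, dn in admin.items()
        if label in base and not dn.endswith("," + base[label])
    )
    return {"base": odd_ones_out(base), "admin": odd_ones_out(admin), "admin_outside_base": outside}


if __name__ == "__main__":
    for kind, problems in check_consistency(SAMPLE_FILES).items():
        for label, dn in problems:
            print(f"{kind}: {label} has {dn}")
```

    To run it against a real install, read each file into the dict under the same labels; any entry in the report is a DN that ldapsearch, Samba and smbldap-tools will disagree about. The check is majority-based on purpose, so it also catches the case where one file was updated and the rest were not.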

  4. #4
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Hi, I really appreciate the time and effort you put in this tutorial. The reason I haven't done this tutorial or this one for 9.04:

    http://ubuntuforums.org/showthread.php?t=1184288

    is because of this command:

    rm -r /etc/ldap/slapd.d
    How would this affect future versions of OpenLDAP? But I found this great guide on YouTube explaining how to install OpenLDAP in 8.04 LTS. He's the only one with a VIDEO on how to do it in the entire universe! If I'm wrong, pls. tell me otherwise.

    http://www.youtube.com/watch?v=DM_UQVVVtoY

    http://www.youtube.com/watch?v=kSCx3tzC0cA


    So I emailed the guy about the 9.04 guide, assuming this is quite similar to it, and asked for his opinion. I think he looked at the guide, but he told me that he would only recommend a Hardy Heron LTS Server because a server is critical to a production environment.

    Now, what do you think? Also, would you agree that an LTS is better because it's critical to a production environment?

    Waiting for your kind response.
    It's OK, everything we know will become obsolete at some time.

  5. #5
    Join Date
    Nov 2009
    Beans
    42

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by AlexanderDGreat

    How would this affect future versions of OpenLDAP?
    As I mentioned in the post itself, it is a known fact that the designers of slapd already plan to remove slapd.conf support at some unknown future time. However, I, and many others besides, are reluctant to upgrade because it is such a cumbersome change. The features the new slapd offers are nice, but in my opinion not too big a deal. The main selling point of the new slapd structure is dynamic updating. This means that you no longer need to restart slapd when you modify it. Okay, that's nice, but once I get slapd set up, how often do I really mess with it? (so far the answer is seldom to never). On the negative side of the update is the fact that the makers decided to make every single little change so MASSIVE to enact. I literally wasted DAYS trying to work out their new system before just going back to the old slapd.conf system.

    So, to answer your question: how will it affect the future? Well, best case scenario, the makers realize that it would be folly to isolate such a large group of its users and continue supporting slapd.conf. Worst case scenario, some time down the line you run a simple conversion script which takes the slapd.conf file and turns it into a slapd.d directory, not a big deal at all.


    But I found this great guide on YouTube explaining how to install OpenLDAP in 8.04 LTS. He's the only one with a VIDEO on how to do it in the entire universe! If I'm wrong, pls. tell me otherwise.

    http://www.youtube.com/watch?v=DM_UQVVVtoY

    http://www.youtube.com/watch?v=kSCx3tzC0cA


    So I emailed the guy about the 9.04 guide, assumed this is quite similar to it and asked for his opinion. I think he looked at the guide, but he told me that he would only recommend a Hardy Heron LTS Server because a server is critical to a production environment.

    Now, what do you think? Also, would you agree that an LTS is better because it's critical to a production environment?

    Waiting for your kind response.
    When trying to set up my own ldap server, I also ran into his video. It is a very well made video but, in my humble opinion, not very useful. It gave me a very good understanding of what LDAP was and phpldapadmin, but it wasn't so useful for setting up slapd (at least for me).

    Everyone has their own "this = best" version of Linux. Having used 8.04 I can honestly say that you would actually be crippling yourself if you limited yourself to that. 9.10 is completely stable, but if you're really worried about it, at least use 9.04 (which this guide also works for by the way).

    To go one step further, let me give you this piece of advice: Linux is a great free choice for small business/home set ups. If you truly want the best server, the most dependable server with the best documentation for help, go Windows Server 2003 or 2008. I know, that's heresy on a Linux forum, but the simple truth is Windows computers have no problem connecting to a Windows server.

    That said, if you have the time to learn Linux or lack the budget for Windows then Linux is a WONDERFUL tool to learn, and Ubuntu is the best version I've used by far.

  6. #6
    Join Date
    Aug 2007
    Beans
    22

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Hi Abishur
    Here is my init.ldif file

    dn: dc=ibertestint,dc=local
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: ibertestint
    ou: Ibertestint

    dn: cn=admin,dc=ibertestint,dc=local
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: {SSHA}rKSjdNNqC3jhKgFslXLrShe/stIRxhOG

    dn: ou=Users,dc=ibertestint,dc=local
    objectClass: organizationalUnit
    ou: Users

    dn: ou=Groups,dc=ibertestint,dc=local
    objectClass: organizationalUnit
    ou: Groups

    dn: ou=Computers, dc=ibertestint,dc=local
    objectClass: organizationalUnit
    ou: Computers

    dn: ou=Idmap,dc=ibertestint,dc=local
    objectClass: organizationalUnit
    ou: Idmap

    The error seems to be in the slapd.conf file, about line 112, after the lastmod on line, but I don't find any error.
    So, I post the slapd.conf too

    # Remember to replace suffix "dc=example,dc=local" with your domain name
    # Change the rootpw entry with the results from slappaswd (Must match the same you pasted on init.ldif)

    # /etc/ldap/slapd.conf
    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    ########################################################################

    # Global Directives:
    # Features to permit
    #allow bind_v2

    # Schema and objectClass definitions
    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/samba.schema
    include /etc/ldap/schema/misc.schema

    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile /var/run/slapd/slapd.pid

    # List of arguments that were passed to the server
    argsfile /var/run/slapd/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel 0

    # Where the dynamically loaded modules are stored
    modulepath /usr/lib/ldap
    moduleload back_bdb

    # The maximum number of entries that is returned for a search
    sizelimit 500

    # The tool-threads parameter sets the actual amount of cpu's that is used
    # for indexing.
    tool-threads 1

    #######################################################################
    # Specific Backend Directives for bdb:
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend bdb
    #checkpoint 512 30

    #######################################################################
    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend <other>

    #######################################################################
    # Specific Directives for database #1, of type bdb:
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    database bdb

    # The base of your directory in database #1
    suffix "dc=ibertestint,dc=local"

    # rootdn directive for specifying a superuser on the database. This is needed
    # for syncrepl.
    rootdn "cn=admin,dc=ibertestint,dc=local"
    rootpw {SSHA}rKSjdNNqC3jhKgFslXLrShe/stIRxhOG

    # Where the database file are physically stored for database #1
    directory "/var/lib/ldap"

    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0

    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057
    # for more information.

    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    dbconfig set_lk_max_locks 1500
    # Number of lockers
    dbconfig set_lk_max_lockers 1500

    # Indexing options for database #1
    #index objectClass eq, pres
    index ou,cn,sn,mail,givenname eq,pres,sub
    index uidNumber,gidNumber,memberUid eq,pres
    index loginShell eq,pres
    index uniqueMember eq,pres
    index uid pres,sub,eq
    index displayName pres,sub,eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index default sub
    # index uid pres,eq,sub

    # Save the time that the entry gets modified, for database #1
    lastmod on


    # Where to store the replica logs for database #1
    # replogfile /var/lib/ldap/replog

    # The userPassword by default can be changed
    # by the entry owning it if they are authenticated.
    # Others should not be able to see it, except the
    # admin entry below
    # These access lines apply to database #1 only
    access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=ibertestint,dc=local" write
    by anonymous auth
    by self write
    by * none

    # Ensure read access to the base for things like
    # supportedSASLMechanisms. Without this you may
    # have problems with SASL not knowing what
    # mechanisms are available and the like.
    # Note that this is covered by the 'access to *'
    # ACL below too but if you change that as people
    # are wont to do you'll still need this if you
    # want SASL (and possible other things) to work
    # happily.
    access to dn.base="" by * read

    # The admin dn has full write access, everyone else
    # can read everything.
    access to *
    by dn="cn=admin,dc=ibertestint,dc=local" write
    by * read

    # For Netscape Roaming support, each user gets a roaming
    # profile for which they have write access to
    #access to dn=".*,ou=Roaming,o=morsnet"
    # by dn="cn=admin,dc=example,dc=ch" write
    # by dnattr=owner write

    ######################################################################
    # Specific Directives for database #2, of type 'other' (can be bdb too):
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    #database <other>

    # The base of your directory for database #2
    #suffix "dc=debian,dc=org"

    Again, thanks for helping me
    Last edited by evayroberto; December 2nd, 2009 at 10:24 AM.

  7. #7
    Join Date
    Aug 2007
    Beans
    22

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    This problem...SOLVED!!!
    I had to write all "by" clauses on the same line as "access", not on different lines.
    The configuration continues..

  8. #8
    Join Date
    Nov 2009
    Beans
    42

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by evayroberto
    This problem...SOLVED!!!
    I had to write all "by" clauses on the same line as "access", not on different lines.
    The configuration continues..
    Good catch! I was just looking over my own slapd.conf file and I noticed that for some reason when I posted it in the thread above it took out all my spaces at the beginning of the lines! I'm going to try to fix that so no one else has the same problem you had. Slapd takes every line with a space at the beginning and goes "Oh, that's part of the previous line". So the fact that my spaces were removed when I posted it could really cause problems! Fortunately, I don't believe samba is the same way.

    Edit: Okay, I got the indentation problem fixed, sorry for not catching that when I posted it originally! Also, I caught a typo in my smb.conf file. In the [Profiles] section, there was a line that said "ead only = no" it was supposed to say "read only = no" but the r is on the line above it. When I originally pasted my file in there, it was just a single mess on one big line (For some reason posting it took away all my nice little edits). Oh, well. I checked over the rest of my post for typos and couldn't find any so there shouldn't be any more problems for you. Also, just went through a TON of problems getting a Windows 7 machine to join, so I'll be posting my solution to that in case you're using Vista or 7 too (I'll edit the main post for that and put it at the end of it)

    Edit 2: Instructions for Vista and 7 have been added!
    Last edited by abishur; December 2nd, 2009 at 03:34 PM.
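    To make the continuation-line rule from the post above concrete, here is an added Python example (not code from this thread or from OpenLDAP) that folds a slapd.conf fragment the way slapd.conf(5) describes and flags the "by" lines as unknown directives when their leading spaces are missing. The sample fragments are constructed from the posted config, and the directive keyword list is an assumed subset.

```python
"""Added example (not code from the thread): fold slapd.conf continuation
lines the way slapd.conf(5) describes, so that an 'access ... by ...' block
whose 'by' clauses lost their leading spaces can be spotted before slapd
rejects it. Line numbers reported are logical (folded) lines."""

# Assumed subset of slapd.conf(5) directive keywords, enough for this check.
KNOWN_DIRECTIVES = {"include", "pidfile", "argsfile", "loglevel", "modulepath",
                    "moduleload", "sizelimit", "backend", "database", "suffix",
                    "rootdn", "rootpw", "directory", "dbconfig", "index",
                    "lastmod", "access"}


def fold_continuations(text):
    """Return logical lines: a physical line starting with whitespace is
    appended to the previous line; blanks and '#' comments are dropped
    only after unwrapping, as slapd does."""
    logical = []
    for physical in text.splitlines():
        if physical[:1] in (" ", "\t") and logical:
            logical[-1] += " " + physical.strip()   # continuation line
        else:
            logical.append(physical.rstrip())
    return [line for line in logical if line and not line.startswith("#")]


def unknown_directives(text, known=KNOWN_DIRECTIVES):
    """Return (logical_line_no, keyword) for lines slapd would not accept."""
    bad = []
    for num, line in enumerate(fold_continuations(text), 1):
        keyword = line.split(None, 1)[0].lower()
        if keyword not in known:
            bad.append((num, keyword))
    return bad


# Constructed sample: the access block as it appeared after the forum
# stripped the indentation (every 'by' starts in column 0).
BROKEN = """\
lastmod on
# These access lines apply to database #1 only
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=ibertestint,dc=local" write
by anonymous auth
by * none
"""

# Constructed sample: the same block with the continuation spaces restored.
FIXED = BROKEN.replace("\nby ", "\n    by ")
```

    With the indentation restored the whole access directive folds into one logical line, which is why the "by" clauses can equally be written on the same physical line as "access".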

  9. #9
    Join Date
    Aug 2007
    Beans
    22

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    I have seen your new Windows 7 guide to join the samba domain... and, only with Samba 3.4?? I installed 3.3.2 two weeks ago. Are you sure it will not work with my Samba version?

  10. #10
    Join Date
    Nov 2009
    Beans
    42

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    From my understanding of what I've read here it requires either 3.3.4 or 3.4 but will not work on 3.3.2. That said, the page in question also incorrectly lists a registry value to add, so he could be wrong about the version. I'd say give it a shot with the version you're using. It's not like you're really going to lose anything by trying. You still have to make the registry changes, so if you find it doesn't work after you've made them it's not like you wasted your time. But if it does work, well then you've saved yourself the hassle of the samba upgrade!

    Let me know if it works out for you!
