Differences

This shows you the differences between two versions of the page.

--- ldap_active_directory [2014/11/24 01:14] – created 0.0.0.0
+++ ldap_active_directory [2014/11/24 02:13] (current) – removed ben
@@ Line 1: / Line 1: @@
-====== LDAP/Active_Directory ======
-= Configuring LDAP/Active Directory on Gentoo Linux =
-Follow this HOWTO: http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
-===== Global use flags =====
-<source lang="bash">
-USE="acl apache2 bash-completion berkdb hal ipv6 kerberos ldap mysql mysqli nptl nptlonly pam pdf perl php png python quotas readline samba sasl sockets ssl syslog vhosts vim-syntax xml xml2 zlib -arts -debug -gnome -gtk -kde -selinux -qt -X"
-</source>
-===== /etc/portage/package.use =====
-<source lang="bash">
-net-misc/ntp caps
-net-fs/samba ads automount
-net-nds/openldap -sasl -kerberos
-sys-auth/nss_ldap -sasl -kerberos
-sys-auth/pam_ldap -sasl -kerberos
-</source>
-Such that packages install with the following options
-<source lang="bash">
-[[ebuild|  R   ]] net-nds/openldap-2.3.39-r2  USE="berkdb crypt gdbm ipv6 perl samba ssl tcpd -debug -kerberos -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd (-readline%*)" 0 kB
-[[ebuild|  R   ]] app-crypt/mit-krb5-1.5.3-r1  USE="ipv6 -doc -krb4 -tcl" 0 kB
-[[ebuild|  R   ]] net-fs/samba-3.0.28  USE="acl ads automount cups ipv6 ldap pam python quotas readline syslog -async -caps -doc -examples -fam (-selinux) -swat -winbind" LINGUAS="-ja -pl" 0 kB
-[[ebuild|  R   ]] sys-auth/nss_ldap-258  USE="-debug -kerberos -sasl" 0 kB
-[[ebuild|  R   ]] sys-auth/pam_ldap-183  USE="ssl -sasl" 0 kB
-</source>
-===== Configuration =====
-==== NTP ====
-/etc/ntp.conf needs only the following four lines
-<source lang="text">
-server river.sihnon.net
-driftfile       /var/lib/ntp/ntp.drift
-restrict default nomodify nopeer
-restrict 127.0.0.1
-</source>
-Start ntp-client to update the clock immediately, then ntpd to keep it in sync
-<source lang="bash">
-  - /etc/init.d/ntp-client start
-  - /etc/init.d/ntpd start
-  - rc-update add ntp-client default
-  - rc-update add ntpd default
-</source>
-==== Samba ====
-/etc/samba/smb.conf
-<source lang="ini">
-[[global]]
-  - Server Naming Options:
-   workgroup    = SIHNON
-   realm        = AD.SIHNON.NET
-   netbios name = Patience
-   server string = Patience File Server
-  - Logging Options:
-   log file = /var/log/samba/log.%m
-   max log size = 50
-   log level = 2
-  - Security and Domain Membership Options:
-   map to guest = bad user
-   security = ADS
-   password server = *
-   encrypt passwords = yes
-  - Browser Control and Networking Options:
-   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
-   interfaces = 10.0.0.0/24
-   local master = no
-   domain master = no
-  - Name Resolution Options:
-   name resolve order = wins host lmhosts bcast
-   wins server = 87.194.163.94
-   dns proxy = yes
-  - Misc
-   nt acl support = true
-   create mode     = 0664
-   directory mode  = 0755
-   use spnego      = yes
-#============================ Share Definitions ==============================
-[[homes]]
-   comment = Home Directories
-   browseable = no
-   writable = yes
-  - You can enable VFS recycle bin on a per share basis:
-  - Uncomment the next 2 lines (make sure you create a
-  - .recycle folder in the base of the share and ensure
-  - all users will have write access to it. See
-  - examples/VFS/recycle/REAME in the samba docs for details
-;   vfs object = /usr/lib/samba/vfs/recycle.so
-</source>
-Start Samba, then join the machine to the Domain.
-<source lang="bash">
-  - /etc/init.d/samba start
-  - rc-config add samba default
-  - net ads join -U Administrator
-Administrator's password:
-Using short domain name -- SIHNON
-Joined 'PATIENCE' to realm 'AD.SIHNON.NET'
-</source>
-==== LDAP ====
-/etc/openldap/ldap.conf
-<source lang="bash">
-  - See ldap.conf(5) for details
-  - This file should be world readable but not world writable.
-BASE    dc=ad,dc=sihnon,dc=net
-URI     ldaps://stitch.sihnon.net
-HOST    87.194.163.94
-REFERRALS no
-#SIZELIMIT      12
-#TIMELIMIT      15
-DEREF           never
-TLS_CACERT /etc/ssl/certs/stitch.sihnon.net.pem
-TLS_REQCERT never
-</source>
-/etc/ldap.conf
-<source lang="bash">
-host 87.194.163.94
-uri ldaps://stitch.sihnon.net
-base dc=ad,dc=sihnon,dc=net
-ldap_version 3
-binddn cn=scout,cn=Users,dc=ad,dc=sihnon,dc=net
-bindpw ******
-rootbinddn cn=root,ou=LDAP,dc=ad,dc=sihnon,dc=net
-scope sub
-timelimit 30
-  - Attribute mapping between ldap and AD
-nss_base_passwd dc=ad,dc=sihnon,dc=net?sub
-nss_base_shadow dc=ad,dc=sihnon,dc=net?sub
-nss_base_group dc=ad,dc=sihnon,dc=net?sub?&(objectCategory=group)(gidnumber=*)
-nss_map_objectclass posixAccount user
-nss_map_objectclass shadowAccount user
-nss_map_objectclass posixGroup group
-nss_map_attribute homeDirectory unixHomeDirectory
-nss_map_attribute gecos cn
-nss_map_attribute uniqueMember member
-logdir /var/log/nss_ldap
-  - Allow us to boot even if the LDAP server is inaccessible
-bind_policy soft
-bind_timelimit 5
-  - force users to be a member of the linuxusers group to log in
-pam_groupdn "cn=LinuxUsers,ou=LDAP,dc=ad,dc=sihnon,dc=net"
-pam_member_attribute member
-pam_passwd ad
-pam_password ad
-  - Encryption is required to be able to change user passwords
-ssl on
-tls_cacertfile /etc/ssl/certs/stitch.sihnon.net.pem
-tls_checkpeer no
-tls_ciphers TLSv1
-</source>
-/etc/nsswitch.conf
-<source lang="bash">
-  - /etc/nsswitch.conf:
-  - $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
-passwd:      files compat ldap
-shadow:      files compat ldap
-group:       files compat ldap
-  - passwd:    db files nis
-  - shadow:    db files nis
-  - group:     db files nis
-hosts:       files dns
-networks:    files dns
-services:    db files
-protocols:   db files
-rpc:         db files
-ethers:      db files
-netmasks:    files
-netgroup:    files
-bootparams:  files
-automount:   files
-aliases:     files
-</source>
-==== Pam ====
-/etc/pam.d/system-auth
-<source lang="bash">
-#%PAM-1.0
-auth       required     pam_env.so
-auth       sufficient   pam_unix.so likeauth nullok
-auth       sufficient   pam_ldap.so use_first_pass
-auth       required     pam_deny.so
-account    sufficient   pam_unix.so
-account    sufficient   pam_ldap.so
-password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
-password   sufficient   pam_unix.so nullok md5 shadow use_authtok
-password   sufficient   pam_ldap.so use_authtok
-password   required     pam_deny.so
-session    required     pam_limits.so
-session    required     pam_unix.so
-session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session    required     pam_ldap.so
-</source>
-/etc/pam.d/su
-<source lang="bash">
-#%PAM-1.0
-auth       sufficient   pam_rootok.so
-  - If you want to restrict users begin allowed to su even more,
-  - create /etc/security/suauth.allow (or to that matter) that is only
-  - writable by root, and add users that are allowed to su to that
-  - file, one per line.
-#auth       required     pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
-  - Uncomment this to allow users in the wheel group to su without
-  - entering a passwd.
-#auth       sufficient   pam_wheel.so use_uid trust
-  - Alternatively to above, you can implement a list of users that do
-  - not need to supply a passwd with a list.
-#auth       sufficient   pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
-  - Comment this to allow any user, even those not in the 'wheel'
-  - group to su
-auth       required     pam_wheel.so use_uid
-auth       sufficient   pam_ldap.so
-auth       include              system-auth
-account    include              system-auth
-password   include              system-auth
-session    include              system-auth
-session    required     pam_env.so
-session    optional             pam_xauth.so
-</source>
-===== Certificates =====
-/etc/ssl/certs/stitch.sihnon.net.pem
-<source lang="text">
------BEGIN CERTIFICATE-----
-MIIEljCCA36gAwIBAgIQIkEhY3aR7olM0OSGrKd6ETANBgkqhkiG9w0BAQUFADBS
-MRMwEQYKCZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGc2lobm9uMRIw
-EAYKCZImiZPyLGQBGRYCYWQxDzANBgNVBAMTBlN0aXRjaDAeFw0wODAxMTMwMjU2
-MjVaFw0xMzAxMTMwMzA1MTRaMFIxEzARBgoJkiaJk/IsZAEZFgNuZXQxFjAUBgoJ
-kiaJk/IsZAEZFgZzaWhub24xEjAQBgoJkiaJk/IsZAEZFgJhZDEPMA0GA1UEAxMG
-U3RpdGNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoDEsstUEWWme
-gXbQPhqlRC6KCL3/RD6UU9ySsAvYoReuW1kXs9kpmWseUrGuzIDyTyTRT3glfve/
-qTT7LaCjDbDDiSF44j2Fu32dJEQyyqRItbaCS9BsbYOPZZ5JjQgYVwiy3wtR/g
-B3nQuvUjJKjFtkDLczHgnkuuDzJbUFZf6BASBFkeN3FBn2YsdVqaFN4Qu57oZjN
-GjWOMoBoy6+VkG3fFE9QucszEqNWsKwJ3DMo5fkwRvNuGiOp7Fs4ixlPHqgRUrrF
-qxHrh8x/sq1yR0SI/y37wRCUvnNN6oG5cpL3jVQJO3PuXNJPAdys9hUToxerLET8
-juJZPLAzQIDAQABo4IBZjCCAWIwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIx3boKheSjg+VQso3DU
-jeOD/yxFMIH7BgNVHR8EgfMwgfAwge2ggeqggeeGgbFsZGFwOi8vL0NOPVN0aXRj
-aCxDTj1zdGl0Y2gsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
-PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YWQsREM9c2lobm9uLERDPW5l
-dD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JM
-RGlzdHJpYnV0aW9uUG9pbnSGMWh0dHA6Ly9zdGl0Y2guYWQuc2lobm9uLm5ldC9D
-ZXJ0RW5yb2xsL1N0aXRjaC5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcN
-AQEFBQADggEBAFHlAgQEpD5VA0CO5klWcX3JbzL4mW7jUstKt0cNNzC1tFz8yVGx
-CzuZs+L8QtnQ/djq0OyHQkoY2if2VveB54dagtG8w6KEP/J7GPSsFr71N/wueIDo
-WFvArXWnQP55DtOo6vfoEJMef8JKVLmQ58ymoxwow2KYBowSiQK+XolGRq21aJuV
-IXoh/1sX2xCGHk1b3Of3nCwAM1M67s1X+J4tLOyHBg8nD9NqYEXM3WlxtK9w465l
-Q82X3vq/bQWiG3AXLbbPCJeF5d5OJaPiH5asXB+UnpfDbN4wa4ZIcm/BDoxNUJH8
-bFxOeG6JTRqz1MFbh9o+b3mChRnn9QXDHsw=
------END CERTIFICATE-----
-</source>