= Configuring LDAP/Active Directory on Gentoo Linux =

Follow this HOWTO: http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

== Global use flags ==

<source lang="bash">
USE="acl apache2 bash-completion berkdb hal ipv6 kerberos ldap mysql mysqli nptl nptlonly pam pdf perl php png python quotas readline samba sasl sockets ssl syslog vhosts vim-syntax xml xml2 zlib -arts -debug -gnome -gtk -kde -selinux -qt -X"
</source>

/etc/portage/package.use

<source lang="bash">
net-misc/ntp caps
net-fs/samba ads automount
net-nds/openldap -sasl -kerberos
sys-auth/nss_ldap -sasl -kerberos
sys-auth/pam_ldap -sasl -kerberos
</source>

With these flags the relevant packages are built with the following options (output of emerge -pv):

<source lang="bash">
[ebuild   R   ] net-nds/openldap-2.3.39-r2  USE="berkdb crypt gdbm ipv6 perl samba ssl tcpd -debug -kerberos -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd (-readline%*)" 0 kB
[ebuild   R   ] app-crypt/mit-krb5-1.5.3-r1  USE="ipv6 -doc -krb4 -tcl" 0 kB
[ebuild   R   ] net-fs/samba-3.0.28  USE="acl ads automount cups ipv6 ldap pam python quotas readline syslog -async -caps -doc -examples -fam (-selinux) -swat -winbind" LINGUAS="-ja -pl" 0 kB
[ebuild   R   ] sys-auth/nss_ldap-258  USE="-debug -kerberos -sasl" 0 kB
[ebuild   R   ] sys-auth/pam_ldap-183  USE="ssl -sasl" 0 kB
</source>

== Configuration ==

=== NTP ===

/etc/ntp.conf needs only the following four lines:

<source lang="text">
server river.sihnon.net
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1
</source>

Start ntp-client to update the clock immediately, then ntpd to keep it in sync (Kerberos authentication against AD fails if the clock drifts too far from the domain controller):

<source lang="bash">
# /etc/init.d/ntp-client start
# /etc/init.d/ntpd start
# rc-update add ntp-client default
# rc-update add ntpd default
</source>

=== Samba ===

/etc/samba/smb.conf

<source lang="ini">
[global]
# Server Naming Options:
workgroup = SIHNON
realm = AD.SIHNON.NET
netbios name = Patience
server string = Patience File Server

# Logging Options:
log file = /var/log/samba/log.%m
max log size = 50
log level = 2

# Security and Domain Membership Options:
map to guest = bad user
security = ADS
password server = *
encrypt passwords = yes

# Browser Control and Networking Options:
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 10.0.0.0/24
local master = no
domain master = no

# Name Resolution Options:
name resolve order = wins host lmhosts bcast
wins server = 87.194.163.94
dns proxy = yes

# Misc
nt acl support = true
create mode = 0664
directory mode = 0755
use spnego = yes

#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
writable = yes
# You can enable VFS recycle bin on a per share basis:
# Uncomment the next 2 lines (make sure you create a
# .recycle folder in the base of the share and ensure
# all users will have write access to it. See
# examples/VFS/recycle/README in the samba docs for details
; vfs object = /usr/lib/samba/vfs/recycle.so
</source>

Start Samba, then join the machine to the Domain.

<source lang="bash">
# /etc/init.d/samba start
# rc-config add samba default
# net ads join -U Administrator
Administrator's password:
Using short domain name -- SIHNON
Joined 'PATIENCE' to realm 'AD.SIHNON.NET'
</source>

=== LDAP ===

/etc/openldap/ldap.conf (used by the OpenLDAP client tools such as ldapsearch)

<source lang="bash">
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE        dc=ad,dc=sihnon,dc=net
URI         ldaps://stitch.sihnon.net
HOST        87.194.163.94
REFERRALS   no
#SIZELIMIT  12
#TIMELIMIT  15
DEREF       never
TLS_CACERT  /etc/ssl/certs/stitch.sihnon.net.pem
# "never" means the client neither requests nor verifies the server
# certificate, so TLS_CACERT above is not actually checked.
TLS_REQCERT never
</source>

/etc/ldap.conf (used by nss_ldap and pam_ldap)

<source lang="bash">
host 87.194.163.94
uri ldaps://stitch.sihnon.net
base dc=ad,dc=sihnon,dc=net
ldap_version 3
# Unprivileged account used for NSS lookups. This file has to be readable by
# every process that resolves users, so the bindpw here is visible to all
# local users; give this account read-only rights and nothing more.
binddn cn=scout,cn=Users,dc=ad,dc=sihnon,dc=net
bindpw **
# Privileged account used by root (e.g. for password changes). Its password
# is read from /etc/ldap.secret, which must be readable by root only.
rootbinddn cn=root,ou=LDAP,dc=ad,dc=sihnon,dc=net
scope sub
timelimit 30

# Attribute mapping between ldap and AD
nss_base_passwd dc=ad,dc=sihnon,dc=net?sub
nss_base_shadow dc=ad,dc=sihnon,dc=net?sub
# Only groups that carry a gidNumber are exposed as Unix groups
nss_base_group dc=ad,dc=sihnon,dc=net?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute uniqueMember member

logdir /var/log/nss_ldap

# Allow us to boot even if the LDAP server is inaccessible
bind_policy soft
bind_timelimit 5

# force users to be a member of the linuxusers group to log in
pam_groupdn "cn=LinuxUsers,ou=LDAP,dc=ad,dc=sihnon,dc=net"
pam_member_attribute member
pam_passwd ad
pam_password ad

# Encryption is required to be able to change user passwords
ssl on
tls_cacertfile /etc/ssl/certs/stitch.sihnon.net.pem
# "no" disables verification of the server certificate against
# tls_cacertfile; the connection is encrypted but the peer is not checked.
tls_checkpeer no
tls_ciphers TLSv1
</source>
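To make the nss_base_group filter and the nss_map_attribute lines above concrete, here is an added example (not code from the page) that derives the passwd(5) and group(5) lines nss_ldap would produce from two constructed directory entries; the DNs, attribute values and the short objectCategory value are all assumptions of the example.

```python
# Added example (not from the page): the passwd(5)/group(5) lines nss_ldap
# derives from directory entries under the nss_map_* / nss_base_group settings
# above. Entries are constructed samples; objectCategory holds the short name
# that AD matches the filter against.
ATTR_MAP = {"homeDirectory": "unixHomeDirectory", "gecos": "cn",
            "uniqueMember": "member"}                # nss_map_attribute lines
GROUP_FILTER = "&(objectCategory=group)(gidnumber=*)"  # from nss_base_group

SCOUT = "CN=scout,CN=Users,DC=ad,DC=sihnon,DC=net"
ADMIN = "CN=Administrator,CN=Users,DC=ad,DC=sihnon,DC=net"
USERS = {  # keyed by DN, which is how a group's "member" attribute refers to them
    SCOUT: {"objectCategory": "person", "uid": "scout", "uidNumber": "10001",
            "gidNumber": "10000", "cn": "Scout", "loginShell": "/bin/bash",
            "unixHomeDirectory": "/home/scout"},
    ADMIN: {"objectCategory": "person", "cn": "Administrator"},  # no POSIX attributes
}
GROUPS = [
    {"objectCategory": "group", "cn": "LinuxUsers", "gidNumber": "10000",
     "member": [SCOUT, ADMIN]},
    {"objectCategory": "group", "cn": "Domain Admins", "member": [ADMIN]},  # no gidNumber
]

def attr(entry, name):
    """Read a POSIX attribute via the nss_map_attribute table (LDAP names are case-insensitive)."""
    wanted = ATTR_MAP.get(name, name).lower()
    return next((v for k, v in entry.items() if k.lower() == wanted), None)

def matches(entry, filt):
    """Evaluate an AND of (attr=value) terms; a value of '*' only tests presence."""
    for term in filt[1:].strip("()").split(")("):
        name, value = term.split("=", 1)
        have = attr(entry, name)
        if have is None or (value != "*" and str(have).lower() != value.lower()):
            return False
    return True

def passwd_line(user):
    """One getent passwd line, or None when the entry carries no uidNumber."""
    if attr(user, "uidNumber") is None:
        return None
    return ":".join([attr(user, "uid"), "x", attr(user, "uidNumber"), attr(user, "gidNumber"),
                     attr(user, "gecos") or "", attr(user, "homeDirectory") or "",
                     attr(user, "loginShell") or ""])

def group_lines(groups, users):
    """getent group lines; member DNs resolve only to entries that are POSIX users."""
    out = []
    for g in groups:
        if matches(g, GROUP_FILTER):
            names = [attr(users[dn], "uid") for dn in attr(g, "uniqueMember") or []
                     if dn in users and passwd_line(users[dn])]
            out.append("%s:x:%s:%s" % (attr(g, "cn"), attr(g, "gidNumber"), ",".join(names)))
    return out
```

Running group_lines(GROUPS, USERS) shows why "Domain Admins" never appears in getent group: it has no gidNumber, so the nss_base_group filter excludes it.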

/etc/nsswitch.conf

<source lang="bash">
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      files compat ldap
shadow:      files compat ldap
group:       files compat ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
</source>

=== PAM ===

/etc/pam.d/system-auth

<source lang="bash">
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_ldap.so
</source>

/etc/pam.d/su

<source lang="bash">
#%PAM-1.0

auth       sufficient   pam_rootok.so

# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth       required     pam_wheel.so use_uid
auth       sufficient   pam_ldap.so

auth       include      system-auth

account    include      system-auth

password   include      system-auth

session    include      system-auth
session    required     pam_env.so
session    optional     pam_xauth.so
</source>
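The order and control flags in the system-auth and su stacks above decide who gets in when the local password, the LDAP bind or the wheel check fails. The following is an added example, not code from the page or from Linux-PAM: a simplified model of the Linux-PAM dispatch rules applied to those two stacks, with module outcomes supplied by hand so it runs without PAM or a directory.

```python
# Added example, not from the original page: a simplified model of how
# Linux-PAM walks a stack, applied to the system-auth and su stacks above.
# Control keywords expand to: required = failure "bad" (remembered, keep
# walking), requisite = failure "die", sufficient = success "done" / failure
# "ignore", optional = "ignore". If no module ever succeeded the library's
# final sanity check denies, so an all-"sufficient" stack can still fail.

SYSTEM_AUTH = [  # auth section of /etc/pam.d/system-auth on this page
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
SU_AUTH = [      # auth section of /etc/pam.d/su, "include system-auth" expanded
    ("sufficient", "pam_rootok.so"),
    ("required", "pam_wheel.so"),
    ("sufficient", "pam_ldap.so"),
] + SYSTEM_AUTH
ACCOUNT = [("sufficient", "pam_unix.so"), ("sufficient", "pam_ldap.so")]

def run_stack(stack, results):
    """Return True (grant) or False (deny); results maps module -> success."""
    impression = None  # None: undefined, True: positive, False: negative
    for control, module in stack:
        ok = results.get(module, False)  # an unlisted module counts as failing
        if ok:
            if impression is None:
                impression = True
            if control == "sufficient" and impression:  # "done": stop early,
                return True                              # unless a required already failed
        elif control in ("required", "requisite"):
            impression = False                           # remembered denial
            if control == "requisite":
                return False
        # a failing sufficient/optional module is "ignore": keep walking
    return impression is True

def scenarios():
    """Decisions for the cases an admin of this setup would want to check."""
    base = {"pam_env.so": True}       # pam_deny.so / pam_rootok.so stay failing
    ad_user = {**base, "pam_ldap.so": True}  # not in /etc/shadow, LDAP bind works
    return {
        "login, local user": run_stack(SYSTEM_AUTH, {**base, "pam_unix.so": True}),
        "login, AD user": run_stack(SYSTEM_AUTH, ad_user),
        "login, AD user, LDAP unreachable": run_stack(SYSTEM_AUTH, base),
        "account, neither source answers": run_stack(ACCOUNT, {}),
        "su, AD user not in wheel": run_stack(SU_AUTH, {**ad_user, "pam_wheel.so": False}),
        "su, AD user in wheel": run_stack(SU_AUTH, {**ad_user, "pam_wheel.so": True}),
    }
```

The su scenarios show that the sufficient pam_ldap.so line after pam_wheel.so cannot rescue a user outside wheel: the required failure is remembered and the later success does not short-circuit.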

=== Certificates ===

/etc/ssl/certs/stitch.sihnon.net.pem holds the PEM-encoded certificate referenced by TLS_CACERT and tls_cacertfile above (certificate body not reproduced here).

ldap_active_directory.1416791659.txt.gz · Last modified: 2014/11/24 01:14 by 0.0.0.0