OLD VERSIONS
LDAP, the Lightweight Directory Access Protocol, is used as the base for our single sign-on solution (a single source for sign-on data). It allows us to create a centralized database that stores the data for the corporate directory. The protocol supports replication for redundancy and high availability, and secure connections via SSL/TLS are also supported.
In the future we expect to add Kerberos to the solution. Kerberos is a ticket-granting system that supports building a single sign-on solution. Even more interesting features are expected from the upcoming release of Samba 4; we'll definitely keep an eye on this piece of software. See http://us1.samba.org/samba/devel/roadmap-4.0.html for more information on Samba 4.
======Fedora Directory server======
The Fedora Directory Server, formerly the Netscape, iPlanet and Sun Directory Server and generously made open source by Red Hat, is currently chosen as the preferred LDAP server for our solution.
You'll find lots of information on the Fedora Directory Server at the project's wiki, http://directory.fedora.redhat.com/wiki/Main_Page.
=====Debian-3.1/Ubuntu-6.06=====
At this time there is no apt repository for the Fedora Directory Server software. Fortunately the RPMs from the Fedora community site are perfectly usable.
====Pre-installation====
apt-get install apache2-mpm-worker
ln -s /usr/sbin/apache2 /usr/sbin/httpd
groupadd fds
useradd -d /opt/fedora-ds -s /bin/false -g fds fds
Install a Java Runtime Environment on the system. The jdk-1_5_0_02-linux-i586.bin package from Sun Microsystems is known to work.
Now some distribution-specific steps and downloads.
Download a prebuilt Fedora Directory Server RPM from the download page at http://directory.fedora.redhat.com/wiki/Download.
Choose the version suitable for your server environment (explained below).
===Debian===
For Debian sarge download the prebuilt RPM for RHEL-3 (sarge has libc6 version 2.3.2).
apt-get install termcap-compat
===Ubuntu===
For Ubuntu dapper download the prebuilt RPM for Fedora Core 4 (dapper has libc6 version 2.3.6).
Download the packages below manually from the breezy repository at http://packages.ubuntu.com.
The dapper repository doesn't have them, but the packages built for breezy seem to do just fine.
ldso_1.9.11-15_i386.deb
libc5_5.4.46-15_i386.deb
termcap-compat_1.2.3_i386.deb
If you want to install on an x86_64 platform things seem worse at first, as there aren't any termcap-compat packages for Ubuntu (or Debian) at all!
However, this procedure provides a workaround to install the Fedora Directory Server on Ubuntu Dapper Server x86_64:
* Download termcap-5.4-4.noarch.rpm and libtermcap-2.0.8-41.x86_64.rpm from Fedora Core 4 (the x86_64 version!).
* Convert the RPMs to .deb using the 'alien' tool.
* Install the newly obtained .deb packages using 'dpkg -i'.
====Installation====
Convert the fedora-ds RPM package to .deb using alien:
alien fedora-ds-1.0.x-x.XXX.i386.opt.rpm
Install the newly obtained .deb package:
dpkg -i fedora-ds_1.0.x-y_i386.deb
Create a resource file (/opt/install.inf):
[General]
FullMachineName= ldap.intra.example.com
SuiteSpotUserID= fds
SuiteSpotGroup= fds
ServerRoot= /opt/fedora-ds
AdminDomain= intra.example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= hannibal
ConfigDirectoryLdapURL= ldap://ldap.intra.example.com:389/o=NetscapeRoot
UserDirectoryAdminID= admin
UserDirectoryAdminPwd= hannibal
UserDirectoryLdapURL= ldap://ldap.intra.example.com:389/dc=intra,dc=example,dc=com
[slapd]
SlapdConfigForMC= Yes
SecurityOn= No
UseExistingMC= No
UseExistingUG= No
ServerPort= 389
ServerIdentifier= ldap
Suffix= dc=intra, dc=example, dc=com
RootDN= cn=Directory Manager
AddSampleEntries= No
InstallLdifFile= suggest
AddOrgEntries= Yes
DisableSchemaChecking= No
RootDNPwd= hannibal
[admin]
SysUser= root
Port= 7777
ServerIpAddress=
ServerAdminID= admin
ServerAdminPwd= hannibal
ApacheDir= /usr/sbin
ApacheRoot= /usr/lib/apache2
This file contains sensitive information (the admin and Directory Manager passwords in clear text), so restrict its permissions:
chmod 640 /opt/install.inf
Run the setup script like so:
/opt/fedora-ds/setup/setup -s -f /opt/install.inf
The installation script will successfully start the ns-slapd server and print some warnings that the admin server can't be started. We'll solve that now. Make some changes to the /opt/fedora-ds/admin-serv/config/httpd.conf file: some modules must not be loaded because they are compiled in statically, so comment out these lines (put a pound sign before 'LoadModule ...'):
...
#LoadModule access_module /usr/lib/apache2/modules/mod_access.so
#LoadModule auth_module /usr/lib/apache2/modules/mod_auth.so
#LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
#LoadModule env_module /usr/lib/apache2/modules/mod_env.so
...
#LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so
#LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
...
#LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so
#LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
...
#LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
...
Now you can manually start the admin server like so:
/opt/fedora-ds/start-admin
We created four custom LDAP schemas for our project. They are required by the other software modules. The schemas are available for download below. The target directory for Fedora Directory Server schemas is /opt/fedora-ds/slapd-ldap/config/schema.
* [[61samba.ldif]]
* [[62postfix.ldif]]
* [[63ldapdns.ldif]]
* [[64ldapdhcp.ldif]]
The directory server will activate the new schemas after a restart.
====SSL/TLS configuration====
You can run the necessary commands by hand or use the all-in-one 'setupssl.sh' script. For ease of configuration we chose the latter. Get the script from the Fedora Directory Server wiki, which is a very fine source of information on the SSL/TLS configuration details; see http://directory.fedora.redhat.com/wiki/Howto:SSL
The 'setupssl.sh' script requires ldap-utils to be installed.
apt-get install ldap-utils
The script runs 'hostname --fqdn' to obtain the FQDN. Since we want to use the service name ('ldap') rather than the host's FQDN, change that entry in the script.
Change line number 111 to become:
myhost=ldap.intra.example.com
Check that the host can resolve the service name (ldap.intra.example.com) to its service IP address (192.168.1.12).
Now run the script:
chmod +x setupssl.sh
./setupssl.sh
Finally, restart the Directory Server as well as the admin server to activate SSL/TLS.
=====DS management console=====
The directory and admin server can be managed with a client-server GUI application. This is an X Window System application, so your workstation is a good place to install and run it.
Note that it is also possible to run the admin console on the directory server itself if you install the X11 libraries there.
====Ubuntu-6.06====
===Install the software===
Install the Sun JRE/JDK 1.5 (don't forget to check your PATH and JAVA environment variables).
Install the FDS software (as root) in /opt/fedora-ds.
If the IP address of your directory server does not resolve, add an entry to /etc/hosts on your workstation:
192.168.1.12 ldap.intra.example.com ldap
This is needed because of the default access restrictions of the admin server.
===Start the console===
As a non-root user, start the console (with your X settings correct):
/opt/fedora-ds/startconsole -u admin -a http://ldap.intra.example.com:7777 &
An X window pops up; type in the admin password (i.e. hannibal here).
=====Directory-Server replication=====
Choose between a master-slave and a multi-master setup.
====Installation====
The Fedora Directory Server supports multi-master replication (MMR). This allows you to create up to four writable LDAP master servers. The Fedora wiki contains fine documentation on how to set up an MMR environment; see: http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication
The documentation on setting up a replicated LDAP server is available at: http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091
=====LDAP Export/Backup=====
Create a full export of your directory to LDIF on a regular basis. You wouldn't want to lose your precious data, would you?
This is an example of how to do so.
#!/bin/sh
# Full LDAP export to LDIF
#
# Olivier Brugman (Pref Sourcing)
LDAPSEARCH=/usr/bin/ldapsearch
FILEDATE=`date +%Y%m%d`
TARGETDIR=/root/ldifs
TARGETFILE=${TARGETDIR}/full_ldap2ldif-${FILEDATE}
# The export contains every password hash in the directory, so create it owner-readable only.
umask 077
/usr/bin/test -d ${TARGETDIR} || mkdir -p ${TARGETDIR}
# Note: -w puts the password on the command line, where other local users can see it in the
# process list; 'ldapsearch -y passwordfile' reads it from a (chmod 600) file instead.
${LDAPSEARCH} -x \
-b 'dc=intra,dc=example,dc=com' \
-h YOUR_LDAPHOST \
-D 'cn=Directory Manager' \
-w 'YOUR_PASSWORD' \
-LLL \
'(objectclass=*)' > ${TARGETFILE}
======OpenLDAP Directory server======
The Fedora Directory Server is the directory server of choice for our project. This part of the documentation, which describes the configuration of OpenLDAP, is now legacy and not maintained!
Install the software.
====Debian-sarge====
(and Ubuntu dapper)
===Installation===
apt-get install slapd ldap-utils libsasl2-modules
The package db4.2-util is also advised; it provides the db recovery tools (which slapd calls automatically when it fails to start).
===Configuration===
Stop the LDAP server:
/etc/init.d/slapd stop
/etc/ldap/ldap.conf
BASE dc=intra, dc=example, dc=com
URI ldap://ldap.intra.example.com
TLS_CACERT /etc/ldap/tls/cacert.pem
/etc/ldap/slapd.conf
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/postfix.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
TLSCACertificateFile /etc/ldap/tls/cacert.pem
TLSCertificateFile /etc/ldap/tls/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldapkey.pem
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
database bdb
suffix "dc=intra,dc=example,dc=com"
rootdn "cn=admin,dc=intra,dc=example,dc=com"
rootpw {SSHA}passwordstringhere
directory "/var/lib/ldap"
index objectClass eq
lastmod on
access to attribute=userPassword
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to attribute=sambaLMPassword
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to attribute=sambaNTPassword
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to *
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by * read
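The order of the access directives above is what keeps the password hashes private: slapd applies the first 'access to' clause whose target matches the attribute, and within it the first 'by' clause that matches the requester, so the three password rules must come before the catch-all 'access to *'. The following Python script is an added example, not part of this page or of OpenLDAP; it parses the ACL block exactly as written above into a small model of that first-match evaluation and checks which of the sensitive attributes an anonymous client could read. The probe DNs (uid=alice, uid=bob) and the reordered variant are constructed for the demonstration.

```python
import re
import shlex
from typing import List, Optional, Tuple

# Access levels as slapd ranks them, weakest first; a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

Rule = Tuple[str, List[Tuple[str, str]]]  # ("attribute=userPassword", [("self", "write"), ...])

# The ACL block from this page's slapd.conf, verbatim.
PAGE_ACL = """
access to attribute=userPassword
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to attribute=sambaLMPassword
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to attribute=sambaNTPassword
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to *
by dn="cn=admin,dc=intra,dc=example,dc=com" write
by * read
"""

# Constructed misconfiguration: the catch-all rule moved to the top.
REORDERED_ACL = "access to *\nby dn=\"cn=admin,dc=intra,dc=example,dc=com\" write\nby * read\n" + \
    PAGE_ACL.split("access to *")[0]


def parse_acl(text: str) -> List[Rule]:
    """Turn 'access to <what>' / 'by <who> <level>' lines into an ordered rule list."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            if not rules:
                raise ValueError("'by' clause before any 'access to'")
            tokens = shlex.split(line[3:])          # shlex keeps quoted DNs with spaces intact
            rules[-1][1].append((" ".join(tokens[:-1]), tokens[-1]))
        else:
            raise ValueError(f"unexpected directive: {line}")
    return rules


def _norm(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def _target_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    m = re.fullmatch(r"(?:attribute|attrs)=(.+)", what)   # 'attribute=' is the old spelling of 'attrs='
    return m is not None and attr.lower() in {a.strip().lower() for a in m.group(1).split(",")}


def _who_matches(who: str, requester: Optional[str], entry: str) -> bool:
    """requester is the bound DN, or None for an anonymous client; entry is the DN being accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and _norm(requester) == _norm(entry)
    if who.startswith("dn="):
        return requester is not None and _norm(requester) == _norm(who[3:])
    raise ValueError(f"unsupported 'by' subject: {who}")


def access_level(rules: List[Rule], attr: str, requester: Optional[str], entry: str) -> str:
    """First matching 'access to' wins, then first matching 'by'; no match at all means 'none'."""
    for what, clauses in rules:
        if not _target_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, requester, entry):
                return level
        return "none"
    return "none"


def allows(rules: List[Rule], attr: str, requester: Optional[str], entry: str, needed: str) -> bool:
    return LEVELS.index(access_level(rules, attr, requester, entry)) >= LEVELS.index(needed)


def world_readable_secrets(rules: List[Rule],
                           secrets=("userPassword", "sambaLMPassword", "sambaNTPassword")) -> List[str]:
    """Sensitive attributes an anonymous client could read from an arbitrary entry."""
    probe = "uid=probe,ou=people,dc=intra,dc=example,dc=com"   # constructed entry DN
    return [a for a in secrets if allows(rules, a, None, probe, "read")]


if __name__ == "__main__":
    print("page ACL leaks:", world_readable_secrets(parse_acl(PAGE_ACL)))
    print("reordered ACL leaks:", world_readable_secrets(parse_acl(REORDERED_ACL)))
```

With the page's ordering an anonymous client gets only 'auth' on userPassword (enough to bind, not to read the hash), the entry's owner can change it, and any other user gets nothing; with the catch-all moved first, all three hash attributes become readable by anyone who can connect. Run the same check whenever rules are added to slapd.conf, since a new 'access to' placed above the password rules silently widens what they grant.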
/etc/ldap/schema/postfix.schema
attributetype ( 1.3.6.1.4.1.4203.666.1.200
NAME 'mailacceptinggeneralid'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.201
NAME 'maildrop'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
objectClass ( 1.3.6.1.4.1.4203.666.1.100
NAME 'postfixUser'
DESC 'Postfix Mail User'
SUP top
AUXILIARY
MAY (
mailacceptinggeneralid $ maildrop
)
)
/etc/ldap/schema/samba.schema can be gunzipped and copied from /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz after installing the samba-doc package.
The installation of Samba is described in the Samba section of this document.
apt-get install samba-doc
cd /etc/ldap/schema
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz . ; gunzip *.gz
The root DN's password hash can be generated by issuing the slappasswd command. Add the result to slapd.conf. (Omit -s and slappasswd prompts for the password, which keeps it out of your shell history and the process list.)
slappasswd -vh {SSHA} -s newpasswordhere
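What slappasswd produces here is base64(SHA1(password || salt) || salt) prefixed with {SSHA}, and slapd verifies a bind by recomputing the digest with the stored salt. The Python below is an added example, not code from this page or from OpenLDAP, that generates and checks such values so the rootpw line can be understood and tested offline; the 8-byte salt length and the constructed test passwords are this example's choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes; everything after it in the decoded value is salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64( SHA1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(8)   # slappasswd uses a random salt; 8 bytes is this example's choice
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value the way slapd does at bind time."""
    scheme, _, encoded = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError(f"unsupported password scheme: {scheme}}}")
    raw = base64.b64decode(encoded)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison: never leak how much of the digest matched.
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password: str) -> str:
    """The slapd.conf directive from this page, with the hash instead of the plaintext."""
    return f"rootpw {ssha_hash(password)}"


if __name__ == "__main__":
    line = rootpw_line("newpasswordhere")      # constructed password, as in the page's command
    print(line)
    print("verifies:", ssha_verify("newpasswordhere", line.split(" ", 1)[1]))
```

Two consequences worth keeping in mind: the salt defeats precomputed tables but SHA-1 itself is fast, so a leaked {SSHA} value is still cheap to brute-force, which is why the ACLs above must keep userPassword unreadable; and because the salt is random, two hashes of the same password never compare equal as strings, so always verify by recomputation rather than by comparing stored values.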
Create a directory for the LDAP server's certificates:
mkdir /etc/ldap/tls
The OpenSSL section in this document describes how to create certificates. Create them now and copy them to /etc/ldap/tls. Make sure that their names correspond to the names in slapd.conf.
Make sure that /etc/default/slapd contains a line like 'SLAPD_SERVICES="ldap://192.168.1.12/ ldaps://192.168.1.12/ ldapi:///"'. This makes slapd listen on specific interfaces only. See http://www.openldap.org/doc/admin21/security.html for more security considerations.
Start the LDAP server:
/etc/init.d/slapd start
Note that the LDAP server won't start if postfix.schema and samba.schema aren't in place!
Now that the LDAP server is up and running, let's fill it with the domain entries that the ldapdns server needs.
You can find hannibal-dnsstuff.ldif at http://hannibal.solstice.nl
Download the file and modify it for your environment.
Beware: some Hannibal config files and commands in this document use IPs rather than domain names, so if you change IPs, pay attention to this in order not to break things!
===Add LDAP-entries===
Add the LDAP entries like so:
/usr/bin/ldapadd -x -D "cn=admin,dc=intra,dc=example,dc=com" -w therootdnpassword \
-h 192.168.1.12 -f hannibal-dnsstuff.ldif
===Use it===
Note: you can test an LDAP connection over TLS by hand. You could also use this command on a regular basis to make a full backup of the LDAP server's content: run a script from cron that pipes the STDOUT of the ldapsearch command to a file, and add the date (and time) to the filename.
ldapsearch -x -b 'dc=intra,dc=example,dc=com' \
-D "cn=admin,dc=intra,dc=example,dc=com" \
'(objectclass=*)' -H ldap://ldap.intra.example.com \
-W -ZZ
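Both the export script in the LDAP Export/Backup section and the cron idea above produce an LDIF file that holds every entry, password hashes included, so the file deserves the same protection as the directory itself. The Python below is an added example, not part of this page or of any LDAP distribution: a minimal LDIF reader (line unfolding, base64 '::' values, blank-line record separation) that summarises an export by objectClass, reports which credential attributes it contains, and checks that the file's mode grants nothing to group or others. The sample LDIF, its DNs and the placeholder hash values are constructed for the demonstration.

```python
import base64
import os
import stat
from collections import Counter
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Credential attributes from this page's ACLs; an export containing them must stay private.
SENSITIVE_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}

# Constructed export in the shape 'ldapsearch -LLL' writes; the hash values are placeholders.
SAMPLE_LDIF = """\
version: 1

dn: dc=intra,dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: intra
o: Example intranet

dn: uid=alice,ou=people,dc=intra,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword:: e1NTSEF9QUFBQQ==

dn: uid=bob,ou=people,dc=intra,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
description: A long description that was folded by ldapsearch
  across two lines
sambaNTPassword: 00000000000000000000000000000000
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 reader: unfold continuations, decode '::' base64, split records on blank lines."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # a leading space continues the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                   # trailing "" flushes the last record
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", errors="replace")
        else:                                     # 'attr: <value>' (an 'attr:< url' form is kept verbatim)
            value = value.lstrip(" ")
        current.setdefault(name, []).append(value)
    return entries


def objectclass_histogram(entries: List[Entry]) -> Counter:
    """How many entries carry each objectClass; a quick sanity check that an export is complete."""
    counts: Counter = Counter()
    for entry in entries:
        for name, values in entry.items():
            if name.lower() == "objectclass":
                counts.update(values)
    return counts


def sensitive_attributes(entries: List[Entry]) -> Set[str]:
    """Credential attributes present anywhere in the export, spelled as the export spells them."""
    return {name for entry in entries for name in entry if name.lower() in SENSITIVE_ATTRS}


def mode_is_private(mode: int) -> bool:
    """True when neither group nor others have any permission bits (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def export_is_private(path: str) -> bool:
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(len(parsed), "entries;", dict(objectclass_histogram(parsed)))
    print("credential attributes in export:", sorted(sensitive_attributes(parsed)))
```

Pointing export_is_private at the file the cron job writes is a cheap post-backup check; an export that contains the attributes this function reports and is readable by group or others hands out the same hashes the slapd ACLs were written to protect.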