OLD VERSIONS
LDAP, the Lightweight Directory Access Protocol, is used as the base for our single (source of) sign-on solution. It allows us to create a centralized database that stores the data for the corporate directory. The protocol supports replication for redundancy/high availability. Secure connections via SSL/TLS are also supported.
In the future we expect to add Kerberos to the solution. Kerberos is a ticket-granting system that supports building a single sign-on solution. Even more interesting features are expected from the upcoming release of Samba 4. We'll definitely keep an eye on this piece of software. See http://us1.samba.org/samba/devel/roadmap-4.0.html for more information on Samba 4.
The Fedora Directory Server, formerly the Netscape, iPlanet and Sun Directory Server, generously open-sourced by Red Hat, is the LDAP server chosen for our solution at this moment.
You'll find lots of information about the Fedora Directory Server on the project's wiki, http://directory.fedora.redhat.com/wiki/Main_Page.
At this time there is no apt repository for the Fedora Directory Server software. Fortunately the RPMs from the Fedora community site are perfectly usable.
apt-get install apache2-mpm-worker
ln -s /usr/sbin/apache2 /usr/sbin/httpd
groupadd fds
useradd -d /opt/fedora-ds -s /bin/false -g fds fds
Install a Java Runtime Environment on the system. The jdk-1_5_0_02-linux-i586.bin package from Sun Microsystems is known to work.
Now some distro-specific steps and downloads. Download a prebuilt Fedora Directory Server RPM from the download page at http://directory.fedora.redhat.com/wiki/Download.
Choose the version suitable for your server environment (explained below).
For Debian sarge download the prebuilt RPM for RHEL-3 (sarge has libc6 version 2.3.2).
apt-get install termcap-compat
For Ubuntu dapper download the prebuilt RPM for Fedora Core 4 (dapper has libc6 version 2.3.6).
Download the packages below manually from the breezy repository at http://packages.ubuntu.com. The dapper repository doesn't have these, but the packages built for breezy seem to do just fine.
ldso_1.9.11-15_i386.deb
libc5_5.4.46-15_i386.deb
termcap-compat_1.2.3_i386.deb
In case you want to install on an x86_64 platform, things seem worse at first as there aren't any termcap-compat packages for Ubuntu (or Debian) at all!
However, this procedure provides a workaround to install the Fedora Directory Server on Ubuntu Dapper Server x86_64:
Convert the fedora-ds RPM package to .deb using alien:
alien fedora-ds-1.0.x-x.XXX.i386.opt.rpm
Install the newly obtained .deb package:
dpkg -i fedora-ds_1.0.x-y_i386.deb
Create a resource file (/opt/install.inf):
[General]
FullMachineName= ldap.intra.example.com
SuiteSpotUserID= fds
SuiteSpotGroup= fds
ServerRoot= /opt/fedora-ds
AdminDomain= intra.example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= hannibal
ConfigDirectoryLdapURL= ldap://ldap.intra.example.com:389/o=NetscapeRoot
UserDirectoryAdminID= admin
UserDirectoryAdminPwd= hannibal
UserDirectoryLdapURL= ldap://ldap.intra.example.com:389/dc=intra,dc=example,dc=com

[slapd]
SlapdConfigForMC= Yes
SecurityOn= No
UseExistingMC= No
UseExistingUG= No
ServerPort= 389
ServerIdentifier= ldap
Suffix= dc=intra, dc=example, dc=com
RootDN= cn=Directory Manager
AddSampleEntries= No
InstallLdifFile= suggest
AddOrgEntries= Yes
DisableSchemaChecking= No
RootDNPwd= hannibal

[admin]
SysUser= root
Port= 7777
ServerIpAddress=
ServerAdminID= admin
ServerAdminPwd= hannibal
ApacheDir= /usr/sbin
ApacheRoot= /usr/lib/apache2
This file contains sensitive information (the admin and root DN passwords in clear text), so secure it:
chmod 640 /opt/install.inf
Run the setup script like so:
/opt/fedora-ds/setup/setup -s -f /opt/install.inf
The installation script will successfully start the ns-slapd server and print some warnings that the admin server can't be started. We'll solve that now. Make some changes to the /opt/fedora-ds/admin-serv/config/httpd.conf file. Some modules do not have to be loaded as they are compiled in statically, so comment out these lines (put a pound sign before 'LoadModule ...'):
...
#LoadModule access_module /usr/lib/apache2/modules/mod_access.so
#LoadModule auth_module /usr/lib/apache2/modules/mod_auth.so
#LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
#LoadModule env_module /usr/lib/apache2/modules/mod_env.so
...
#LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so
#LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
...
#LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so
#LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
...
#LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
...
Now you can manually start the admin server like so:
/opt/fedora-ds/start-admin
We created four custom LDAP schemas for our project. They are required for running the other software modules. The LDAP schemas are available for download below. The target directory for Fedora Directory Server LDAP schemas is /opt/fedora-ds/slapd-ldap/config/schema
The directory server will activate the new schemas after a restart.
You can run the necessary commands by hand or use the all-in-one 'setupssl.sh' script. For ease of configuration the latter option has been chosen. Get the script from the Fedora Directory Server wiki, which is a very fine source of information on the SSL/TLS configuration details; see http://directory.fedora.redhat.com/wiki/Howto:SSL
The 'setupssl.sh' script requires ldap-utils to be installed.
apt-get install ldap-utils
As the script runs 'hostname --fqdn' to obtain the FQDN, and we want to use the service name (which is 'ldap') rather than the FQDN hostname, we'll change that entry in the script. Change line number 111 to become:
myhost=ldap.intra.example.com
Check that the host can resolve the service name (ldap.intra.example.com) to its service IP address (192.168.1.12).
Now run the script:
chmod +x setupssl.sh
./setupssl.sh
Finally, restart the Directory Server as well as the admin server in order to activate SSL/TLS.
The directory/admin server can be managed with a client-server GUI application. This is an X Window System application, so your workstation might be a good place to install and run it. Note that it is also possible to run the admin console from the directory server itself once you install the X11 libraries on it.
Install the Sun JRE/JDK 1.5 (don't forget to check your PATH and JAVA environment variables).
Install the FDS software (as root) in /opt/fedora-ds
If the IP address of your directory server is not resolvable, add an entry to /etc/hosts on your workstation:
192.168.1.12 ldap.intra.example.com ldap
This has to do with the default access restrictions of the admin server.
As a non-root user, start the console (with your X settings correct):
/opt/fedora-ds/startconsole -u admin -a http://ldap.intra.example.com:7777 &
An X window pops up now; type in the admin password (i.e. hannibal here).
Choose between a master-slave and a multi-master setup.
The Fedora Directory Server supports multi-master replication (MMR). This allows you to create up to four writable LDAP master servers. The Fedora wiki contains fine documentation on how to install an MMR environment. See: http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication
The documentation on setting up a replica LDAP server is available at: http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091
Create a full export of your directory to LDIF on a regular basis. You wouldn't want to lose your precious data, would you? This is an example of how to do so.
#!/bin/sh
# Full LDAP export to LDIF
#
# Olivier Brugman (Pref Sourcing)

LDAPSEARCH=/usr/bin/ldapsearch
FILEDATE=`date +%Y%m%d`
TARGETDIR=/root/ldifs
TARGETFILE=${TARGETDIR}/full_ldap2ldif-${FILEDATE}

# Create the target directory if it does not exist yet
/usr/bin/test -d ${TARGETDIR} || mkdir -p ${TARGETDIR}

# Dump the whole suffix as LDIF (-LLL: no comments and no version line)
${LDAPSEARCH} -x \
  -b 'dc=intra,dc=example,dc=com' \
  -h YOUR_LDAPHOST \
  -D 'cn=Directory Manager' \
  -w 'YOUR_PASSWORD' \
  -LLL \
  '(objectclass=*)' > ${TARGETFILE}
The Fedora Directory Server is the directory server of choice for our project. This part of the documentation, which describes the configuration of OpenLDAP, is now legacy and not maintained!
Install the software.
(and Ubuntu dapper)
apt-get install slapd ldap-utils libsasl2-modules
It is also advisable to install the package db4.2-util, which is needed for dbrecover actions (automatically called by slapd in case of a start failure).
Stop the LDAP server:
/etc/init.d/slapd stop
/etc/ldap/ldap.conf
BASE        dc=intra, dc=example, dc=com
URI         ldap://ldap.intra.example.com
TLS_CACERT  /etc/ldap/tls/cacert.pem
/etc/ldap/slapd.conf
allow bind_v2

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/postfix.schema
include /etc/ldap/schema/samba.schema

schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0

TLSCACertificateFile /etc/ldap/tls/cacert.pem
TLSCertificateFile /etc/ldap/tls/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldapkey.pem

modulepath /usr/lib/ldap
moduleload back_bdb

backend bdb

database bdb
suffix "dc=intra,dc=example,dc=com"
rootdn "cn=admin,dc=intra,dc=example,dc=com"
rootpw {SSHA}passwordstringhere
directory "/var/lib/ldap"
index objectClass eq
lastmod on

access to attribute=userPassword
    by dn="cn=admin,dc=intra,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

access to attribute=sambaLMPassword
    by dn="cn=admin,dc=intra,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

access to attribute=sambaNTPassword
    by dn="cn=admin,dc=intra,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn="cn=admin,dc=intra,dc=example,dc=com" write
    by * read
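The access rules in this slapd.conf are evaluated in file order, and the password attributes are only protected because their rules come before the catch-all. The following Python is an added example, not part of the original document or of OpenLDAP itself, that models that evaluation for the four rules above; ADMIN is the root DN from the file, ALICE and BOB are constructed DNs.

```python
# Models OpenLDAP's rule semantics: the first 'access to' clause whose target
# matches decides, the first matching 'by' clause inside it wins, and a granted
# level also covers every lower level (none < auth < compare < search < read < write).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
ADMIN = "cn=admin,dc=intra,dc=example,dc=com"

# A 'by' clause as (subject kind, dn for kind 'dn', granted level).
PASSWORD_BY = [("dn", ADMIN, "write"), ("self", None, "write"),
               ("anonymous", None, "auth"), ("*", None, "none")]

# The four 'access to' rules from slapd.conf, in file order.
RULES = [
    ("userPassword", PASSWORD_BY),
    ("sambaLMPassword", PASSWORD_BY),
    ("sambaNTPassword", PASSWORD_BY),
    ("*", [("dn", ADMIN, "write"), ("*", None, "read")]),
]

def subject_matches(kind, value, bind_dn, target_dn):
    """Does this 'by' subject apply to the bind? bind_dn None means anonymous."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if kind == "self":
        return bind_dn.lower() == target_dn.lower()
    return kind == "dn" and bind_dn.lower() == value.lower()

def check_access(rules, bind_dn, target_dn, attribute, wanted):
    """True if bind_dn may perform `wanted` on `attribute` of entry target_dn."""
    for target, by_clauses in rules:
        if target != "*" and target.lower() != attribute.lower():
            continue                      # rule is about another attribute
        for kind, value, level in by_clauses:
            if subject_matches(kind, value, bind_dn, target_dn):
                return LEVELS[level] >= LEVELS[wanted]
        return False                      # target matched, no 'by' applied: deny
    return False                          # no rule matched at all: default deny

# Why file order matters: with the catch-all rule moved to the top, its
# 'by * read' would hand every client, even anonymous ones, the password hashes.
MISORDERED = [RULES[3]] + RULES[:3]

# Constructed DNs for trying the rules out.
ALICE = "uid=alice,ou=People,dc=intra,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=intra,dc=example,dc=com"
```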
/etc/ldap/schema/postfix.schema
attributetype ( 1.3.6.1.4.1.4203.666.1.200
        NAME 'mailacceptinggeneralid'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.201
        NAME 'maildrop'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

objectClass ( 1.3.6.1.4.1.4203.666.1.100
        NAME 'postfixUser'
        DESC 'Postfix Mail User'
        SUP top AUXILIARY
        MAY ( mailacceptinggeneralid $ maildrop ) )
/etc/ldap/schema/samba.schema can be gunzipped and copied from /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz after installation of the package samba-doc. The installation of Samba is described in the Samba section of this document.
apt-get install samba-doc
cd /etc/ldap/schema
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz . ; gunzip *.gz
The root DN's password hash can be generated by issuing the slappasswd command. Add the result to slapd.conf.
slappasswd -vh {SSHA} -s newpasswordhere
Create a directory for the LDAP server's certificates:
mkdir /etc/ldap/tls
The OpenSSL section in this document describes how to create certificates. Create them now and copy them to /etc/ldap/tls. Make sure that their names correspond to the names in slapd.conf.
Make sure that /etc/default/slapd contains a line like 'SLAPD_SERVICES="ldap://192.168.1.12/ ldaps://192.168.1.12/ ldapi:///"'. This way you make slapd listen on a specific interface only. For more security considerations see http://www.openldap.org/doc/admin21/security.html.
Start the LDAP server:
/etc/init.d/slapd start
Note that the LDAP server won't start if postfix.schema and samba.schema aren't in place!
Now that the LDAP server is up and running, let's fill it with the domain entries we need to get the ldapdns server to work.
You can find hannibal-dnsstuff.ldif at http://hannibal.solstice.nl. Download the file and modify it according to your environment. Beware: in some Hannibal config files and commands in this document we use IPs rather than domain names, so if you want to change the IPs, pay attention to this in order not to break things!
Add the LDAP entries like so:
/usr/bin/ldapadd -x -D "cn=admin,dc=intra,dc=example,dc=com" -w therootdnpassword \
    -h 192.168.1.12 -f hannibal-dnsstuff.ldif
Note: you can test an LDAP connection over TLS by hand. You could also use this command on a regular basis to make a full backup of the content of the LDAP server: just run a script from cron which pipes STDOUT of the ldapsearch command to a file, then add the date (and time) to the filename.
ldapsearch -x -b 'dc=intra,dc=example,dc=com' \
    -D "cn=admin,dc=intra,dc=example,dc=com" \
    '(objectclass=*)' -H ldap://ldap.intra.example.com \
    -W -ZZ
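The export script in the Fedora Directory Server section and the ldapsearch command above both write an LDIF dump that, because it is taken as the root DN, includes the password hashes the ACLs otherwise keep from ordinary users. The following Python is an added example, not part of the original document, that parses such a dump and reports which entries carry those attributes; SAMPLE is a constructed dump in the page's own suffix and schema.

```python
import base64

SENSITIVE = {"userpassword", "sambalmpassword", "sambantpassword"}  # ACL-protected above

def parse_ldif(text):
    """Parse LDIF as 'ldapsearch -LLL' writes it: blank-line separated entries,
    folded lines starting with a space, 'attr:: value' for base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def audit_dump(text):
    """Return (entry count, {dn: sensitive attrs found}) for an LDIF dump."""
    entries = parse_ldif(text)
    exposed = {dn: sorted(SENSITIVE.intersection(attrs))
               for dn, attrs in entries if SENSITIVE.intersection(attrs)}
    return len(entries), exposed

# Constructed sample (not real data); userPassword is base64 of '{SSHA}examplehashonly'.
SAMPLE = """\
dn: dc=intra,dc=example,dc=com
objectClass: domain

dn: uid=jdoe,ou=People,dc=intra,dc=example,dc=com
objectClass: postfixUser
mailacceptinggeneralid: jdoe@example.com
userPassword:: e1NTSEF9ZXhhbXBsZWhhc2hvbmx5
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
description: folded value continued on the ne
 xt line
"""
```

A non-empty second element of audit_dump's result means the file holds credential material and deserves the same file permissions as install.inf.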