OpenLDAP Everywhere

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.

The purpose of this article is to demonstrate the use of OpenLDAP as the core directory service for a heterogeneous environment. The LDAP server provides a shared e-mail directory, a unified login for Linux and Windows users, automount of home directories and file sharing for both Linux and Windows clients.

Midwest Tool & Die has been using OpenLDAP for three years, and the performance has been flawless. We have experienced 100% uptime for the directory. The company saw the first big benefit from sharing e-mail contacts in the directory. Now, we have unified logon from any networked computer. Our computer users can access the same file storage through Windows/Samba or through Linux/NFS/automount. The result is seamless access to network services.

Figure 1. OpenLDAP Mixed Environment

A simple mixed environment used in the examples in this article is shown in Figure 1. The configuration discussed in this article does not document the use of SSL. The ldapsync.pl program it uses may expose your LDAP manager password. As a result, Windows clients may cache user passwords, thereby creating a new risk to Linux security. Review your security needs with caution and prudence, and attempt this configuration at your own risk. Neither the authors, nor our employer, Midwest Tool & Die, takes any responsibility for your security.

LDAP Server Installation and Configuration

The LDAP server we discuss was installed using RPM binary packages and uses openldap-2.0.11-8 on Red Hat 7.1. You also need to have the auth_ldap and nss_ldap packages. This article assumes a domain name of foo.com.

To use the most recent source, follow the instructions at www.openldap.org/doc/admin/quickstart.html to download and install OpenLDAP. Edit the OpenLDAP server configuration file, /etc/openldap/slapd.conf as follows:

# Schemas to use
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/nis.schema
include  /etc/openldap/schema/redhat/
rfc822-MailMember.schema
include  /etc/openldap/schema/redhat/autofs.schema
include  /etc/openldap/schema/redhat/
kerberosobject.schema
database       ldbm
suffix         "dc=foo,dc=com"
rootdn         "cn=Manager, dc=foo,dc=com"
rootpw         {crypt}sadtCr0CILzv2
directory      /var/lib/ldap
index   default                             eq
index   objectClass,uid,uidNumber,gidNumber eq
index   cn,mail,surname,givenname           eq,sub
# Access Control (See openldap v.2.0 Admin Guide)
access to attr=userPassword
   by self         write
   by anonymous    auth
   by dn="cn=manager,dc=foo,dc=com"       write
   by *    compare
access to *
   by self write
   by dn="cn=manager,dc=foo,dc=com"       write
   by * read

The LDAP schemas define object classes and attributes that make up the directory entries. With the edits above, the hard work of defining schemas to fit our uses has been done. The schemas that we need, listed in the first section of slapd.conf, already have been defined and packaged with the RPM installation.

If you find that you need to add an objectClass or an attribute for your directory, see the OpenLDAP admin guide at www.openldap.org/doc/admin20/schema.html. We'll use the default database type ldbm, and our example uses the LDAP domain component. Therefore, foo.com becomes dc=foo,dc=com. In addition, the manager has full write access to LDAP entries.

The Red Hat 7.3 Reference Guide suggests using crypt to protect the manager's password:

perl -e "print crypt('passwd',
'salt_string',);"

In the previous Perl line, replace salt_string with a two-character salt, and passwd with the plain-text version of the password. Paste the resulting encrypted password into slapd.conf as shown above.

The index lines enhance performance for attributes that are often queried. Access control restricts access to the userPassword entry, but the user and manager may modify the entry. For all other entries, the manager has write access, and everyone else is granted read access.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

If i want to use fstab to

Anonymous's picture

If i want to use fstab to mount homeDirectory. what i must do ?

(HOST ldapserver.foo.com
BASE dc=foo,dc=com)

automount using LDAP

sergeyK's picture

Hello guys,

It seems that RedHat automount uses cn property to identify username. Is there any way to change it to uid as authentication does?

Thank you in advance!

/SergeyK

Woo, using Perl for crypt and salting... WHY?

gfolkert's picture

perl -e "print crypt('passwd','salt_string',);"

Why would one do this, when slappasswd is available? It comes with openldap.

# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password

By default it uses SSHA. Easier and less prone to error.
--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.

--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little mod

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState