OpenLDAP Everywhere
You now need to install the authentication package, auth_ldap, and the name switch service package, nss_ldap. The Red Hat tool /usr/bin/authconfig is handy for configuring the client. Select Use LDAP→Server: ldapserver.foo.com, base DN: dc=foo,dc=com. Authconfig writes to these files: /etc/ldap.conf, /etc/openldap/ldap.conf and /etc/nsswitch.conf.
Verify that /etc/nsswitch.conf has the following entries:
passwd: files ldap
shadow: files
group: files ldap
automount: files ldap
Verify that /etc/ldap.conf has these entries:
host ldapserver.foo.com
base dc=foo,dc=com
and that /etc/openldap/ldap.conf has these entries:
HOST ldapserver.foo.com
BASE dc=foo,dc=com
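The verification steps above can be scripted. The following is an added example, not part of the original article; the function names are hypothetical, the sample files are constructed, and keywords are compared case-insensitively so that one function serves both ldap.conf files.

```shell
#!/bin/sh
# Added example: audit copies of the client files that authconfig writes.

# nss_sources DB FILE: print the lookup sources configured for DB.
nss_sources() {
    sed 's/#.*//' "$2" |
        awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_files_then_ldap DB FILE: succeed only if "files" is listed before "ldap".
nss_files_then_ldap() {
    seen_files=no
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            files) seen_files=yes ;;
            ldap)  [ "$seen_files" = yes ] && return 0; return 1 ;;
        esac
    done
    return 1
}

# conf_value KEY FILE: value of the first "KEY value" line (keyword case ignored).
conf_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# audit_client NSSWITCH LDAPCONF SERVER BASE: one line per problem, status 1 if any.
audit_client() {
    rc=0
    for db in passwd group automount; do
        nss_files_then_ldap "$db" "$1" || { echo "nsswitch: $db is not 'files ldap'"; rc=1; }
    done
    [ "$(conf_value host "$2")" = "$3" ] || { echo "ldap.conf: host is not $3"; rc=1; }
    [ "$(conf_value base "$2")" = "$4" ] || { echo "ldap.conf: base is not $4"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the entries listed in the article.
demo_dir=$(mktemp -d)
printf '%s\n' 'passwd: files ldap' 'shadow: files' 'group: files ldap' \
    'automount: files ldap' > "$demo_dir/nsswitch.conf"
printf '%s\n' 'host ldapserver.foo.com' 'base dc=foo,dc=com' > "$demo_dir/ldap.conf"
audit_client "$demo_dir/nsswitch.conf" "$demo_dir/ldap.conf" \
    ldapserver.foo.com dc=foo,dc=com && echo "client files match the article"
rm -rf "$demo_dir"
```

On a real client, pass /etc/nsswitch.conf and each of the two ldap.conf files in turn.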
The LDAP server also is a client of LDAP. On the LDAP server, disable the automount of /home as /h. nsswitch is configured to check the files first, and then LDAP for automount information. So, we will make a dummy entry in ldapserver.foo.com:/etc/auto.master:
/h /etc/auto.null
The user's password and group entries must be removed from the password and group files on the home directory server. Create backups, then edit /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow to remove the LDAP real-people entries.
To test, log in to a Linux LDAP client, using an LDAP user name. You should see the appropriate login shell and home directory for that user. To test auto.misc shares, you must access the share by name:
cd /share/redhat
Automount only mounts NFS shares as they are used, so the directory /share/redhat is not visible until it has been accessed.
To have a Windows and Linux unified login, first configure a Samba Primary Domain Controller (PDC). User home directories are shared with SMB clients. The details of Samba configuration are outside the scope of this article.
User passwords may be changed from MS Windows using Samba and the Perl program ldapsync.pl, which is available from www.mami.net/univr/tng-ldap/howto/#how_to_change_password.
The ldapsync.pl script is a replacement for the /bin/passwd program called by Samba to change users' passwords, and it keeps them in sync with the Samba passwords. The ldapsync.pl script is called from Samba when changing user passwords within Windows, and it is run as root just as /bin/passwd is normally run in an unmodified Samba. The ldapsync.pl script is needed for LDAP-enabled users to function. Because the user passwords are not stored locally in /etc/passwd but in LDAP, the ldapsync.pl script binds to the LDAP directory and modifies the user's password entry in LDAP.
In simpler terms, here's how this process works:
User calls password-changing program from Windows.
User clicks OK to change password and sends data to Samba server.
Samba looks at its config file and knows to call ldapsync.pl to change LDAP passwords.
ldapsync.pl is executed with -o %u options that specify the program to run without prompting for the old password. It passes the user's name to the script as it runs (important if you don't want to change root's password without knowing it).
Samba passes the user's new password to ldapsync.pl without caring about what the old one was.
ldapsync.pl chats with Samba, expecting the correct responses with the new password.
If it passes the chat correctly, the password is encrypted by ldapsync.pl.
ldapsync.pl then binds LDAP with the correct dn of the user and does an ldapmodify on the user's LDAP entry, replacing the userPassword field stored in LDAP. LDAP and Samba chat for a final time, listening for success from LDAP, at which point the process ends.
To configure Samba for this, you will need the following smb.conf entries:
passwd program = /etc/samba/ldapsync.pl -o %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*
When users change their passwords in Windows they are prompted for the old password, a new one and then are asked to confirm the new one. Because ldapsync.pl is called without caring about the old password, only the two new entries are examined. First of all, the * instructs it to look for anything and then a specific match. So the *New*password* %n\n is saying match anything, then the word New, then anything and the word password, then anything and the new password the user entered (%n). The *modifying* is saying if LDAP returns that it modified the entry, then the process was successful.
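The chat walk described above can be modelled in a few lines of shell, which is useful when debugging why a password change is reported as failed. This is an added example that follows the article's description, not Samba's or ldapsync.pl's code; the function names are hypothetical, the prompt wording is an assumption about what ldapsync.pl prints, and the password is constructed.

```shell
#!/bin/sh
# Added example: model of the expect/send walk over a "passwd chat" string.

# chat_match PATTERN LINE: succeed if LINE matches PATTERN (* = anything).
chat_match() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# expand_send TOKEN NEWPASS: a trailing \n becomes a newline, %n the new password.
expand_send() {
    t=$1 fmt='%s'
    case "$t" in *'\n') t=${t%??}; fmt='%s\n' ;; esac
    case "$t" in *%n*) t=${t%%'%n'*}$2${t#*'%n'} ;; esac
    printf "$fmt" "$t"
}

# run_chat CHAT NEWPASS OUTPUT_FILE: OUTPUT_FILE holds the program's output,
# one line per prompt. Prints what would be sent to the program; returns 0
# only if every expect pattern matched. Runs in a subshell to scope set -f.
run_chat() (
    set -f                       # keep the * in chat tokens from globbing files
    exec 3< "$3"
    want=expect
    for tok in $1; do
        if [ "$want" = expect ]; then
            IFS= read -r line <&3 || line=
            chat_match "$tok" "$line" ||
                { echo "expect $tok failed on: $line" >&2; exit 1; }
            want=send
        else
            expand_send "$tok" "$2"
            want=expect
        fi
    done
)

# Constructed program output; the last line is what ldapmodify prints on success.
CHAT='*New*password* %n\n *Retype*new*password* %n\n *modifying*'
out=$(mktemp)
printf '%s\n' 'New password:' 'Retype new password:' \
    'modifying entry "uid=jdoe,ou=People,dc=foo,dc=com"' > "$out"
run_chat "$CHAT" 'Constructed-Pw1' "$out" >/dev/null && echo "chat succeeded"
rm -f "$out"
```

If the LDAP bind fails, the last line of output is an error instead of a "modifying" message, the final expect does not match, and the change is reported as failed.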
You must edit ldapsync.pl to enter the LDAP bind information:
$binddn = "cn=manager,dc=foo,dc=com";
$passwd = "passwd";
Then, limit the access of ldapsync.pl to root only (0700).
Comments
If I want to use fstab to
If I want to use fstab to mount homeDirectory, what must I do?
(HOST ldapserver.foo.com
BASE dc=foo,dc=com)
automount using LDAP
Hello guys,
It seems that RedHat automount uses cn property to identify username. Is there any way to change it to uid as authentication does?
Thank you in advance!
/SergeyK
Woo, using Perl for crypt and salting... WHY?
perl -e "print crypt('passwd','salt_string',);"
Why would one do this, when slappasswd is available? It comes with openldap.
# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password
By default it uses SSHA. Easier and less prone to error.
--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.