OpenLDAP Everywhere

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.

The purpose of this article is to demonstrate the use of OpenLDAP as the core directory service for a heterogeneous environment. The LDAP server provides a shared e-mail directory, a unified login for Linux and Windows users, automount of home directories and file sharing for both Linux and Windows clients.

Midwest Tool & Die has been using OpenLDAP for three years, and the performance has been flawless. We have experienced 100% uptime for the directory. The company saw the first big benefit from sharing e-mail contacts in the directory. Now, we have unified logon from any networked computer. Our computer users can access the same file storage through Windows/Samba or through Linux/NFS/automount. The result is seamless access to network services.

Figure 1. OpenLDAP Mixed Environment

A simple mixed environment used in the examples in this article is shown in Figure 1. The configuration discussed in this article does not document the use of SSL. The ldapsync.pl program it uses may expose your LDAP manager password. As a result, Windows clients may cache user passwords, thereby creating a new risk to Linux security. Review your security needs with caution and prudence, and attempt this configuration at your own risk. Neither the authors, nor our employer, Midwest Tool & Die, takes any responsibility for your security.

LDAP Server Installation and Configuration

The LDAP server we discuss was installed using RPM binary packages and uses openldap-2.0.11-8 on Red Hat 7.1. You also need to have the auth_ldap and nss_ldap packages. This article assumes a domain name of foo.com.

To use the most recent source, follow the instructions at www.openldap.org/doc/admin/quickstart.html to download and install OpenLDAP. Edit the OpenLDAP server configuration file, /etc/openldap/slapd.conf as follows:

# Schemas to use
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/nis.schema
include  /etc/openldap/schema/redhat/rfc822-MailMember.schema
include  /etc/openldap/schema/redhat/autofs.schema
include  /etc/openldap/schema/redhat/kerberosobject.schema
database       ldbm
suffix         "dc=foo,dc=com"
rootdn         "cn=Manager, dc=foo,dc=com"
rootpw         {crypt}sadtCr0CILzv2
directory      /var/lib/ldap
index   default                             eq
index   objectClass,uid,uidNumber,gidNumber eq
index   cn,mail,surname,givenname           eq,sub
# Access Control (See openldap v.2.0 Admin Guide)
access to attr=userPassword
   by self         write
   by anonymous    auth
   by dn="cn=manager,dc=foo,dc=com"       write
   by *    compare
access to *
   by self write
   by dn="cn=manager,dc=foo,dc=com"       write
   by * read

The LDAP schemas define object classes and attributes that make up the directory entries. With the edits above, the hard work of defining schemas to fit our uses has been done. The schemas that we need, listed in the first section of slapd.conf, already have been defined and packaged with the RPM installation.

If you find that you need to add an objectClass or an attribute for your directory, see the OpenLDAP admin guide at www.openldap.org/doc/admin20/schema.html. We use the default database type, ldbm, and our example names the directory suffix with LDAP domain components (dc); therefore, foo.com becomes dc=foo,dc=com. In addition, the manager (rootdn) has full write access to LDAP entries.

The Red Hat 7.3 Reference Guide suggests using crypt to protect the manager's password:

perl -e "print crypt('passwd', 'salt_string');"

In the previous Perl line, replace salt_string with a two-character salt, and passwd with the plain-text version of the password. Paste the resulting encrypted password into slapd.conf as shown above.

The index lines enhance performance for attributes that are often queried. The first access control stanza restricts access to the userPassword attribute: the user (self) and the manager may write it, an anonymous bind may use it only to authenticate, and everyone else may only compare against it, not read it. For all other attributes, the user and the manager have write access, and everyone else is granted read access.
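To make the effect of the two access stanzas concrete, the following added example (not from the article or from OpenLDAP) models slapd's evaluation rule: the first "access to" clause whose target matches the attribute is selected, the first matching "by" clause within it fixes the granted level, and the operation is allowed when that level is at least the level it needs. The user DNs are constructed for illustration.

```python
# Constructed model of the slapd.conf ACL above (added example, not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm_dn(dn):
    """Compare DNs case-insensitively and ignore blanks after commas, so the
    rootdn "cn=Manager, dc=foo,dc=com" equals the ACL's "cn=manager,dc=foo,dc=com"."""
    return ",".join(part.strip() for part in dn.lower().split(","))

MANAGER = norm_dn("cn=manager,dc=foo,dc=com")

# Transcription of the two stanzas: (target attribute or "*", ordered `by` clauses).
ACL = [
    ("userpassword", [("self", "write"), ("anonymous", "auth"),
                      (MANAGER, "write"), ("*", "compare")]),
    ("*",            [("self", "write"), (MANAGER, "write"), ("*", "read")]),
]

def by_matches(who, requester, entry):
    """requester is the normalised bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry
    return requester is not None and requester == who   # explicit dn="..." clause

def granted_level(requester_dn, entry_dn, attr):
    """Level the ACL grants requester_dn on attr of entry_dn ("none" if nothing matches)."""
    requester = norm_dn(requester_dn) if requester_dn else None
    entry = norm_dn(entry_dn)
    for target, clauses in ACL:
        if target == "*" or target == attr.lower():
            for who, level in clauses:
                if by_matches(who, requester, entry):
                    return level            # first matching `by` clause wins
            return "none"                   # target matched, but no `by` clause did
    return "none"

def allowed(requester_dn, entry_dn, attr, needed):
    """True if the granted level is at least `needed`. Note that slapd exempts the
    rootdn from ACLs entirely, so the explicit manager clauses are belt-and-braces."""
    return LEVELS.index(granted_level(requester_dn, entry_dn, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=foo,dc=com"          # constructed entry
    print(allowed(None, alice, "userPassword", "auth"))  # anonymous bind may authenticate
    print(allowed(None, alice, "userPassword", "read"))  # ... but may not read the hash
```

Running it shows that anonymous binds can read every attribute except userPassword, which is exactly what "by * read" on the second stanza grants.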


Comments


If I want to use fstab to

If I want to use fstab to mount homeDirectory, what must I do?

(HOST ldapserver.foo.com
BASE dc=foo,dc=com)

automount using LDAP

Hello guys,

It seems that Red Hat automount uses the cn property to identify the username. Is there any way to change it to uid, as authentication does?

Thank you in advance!

/SergeyK

Woo, using Perl for crypt and salting... WHY?


perl -e "print crypt('passwd','salt_string',);"

Why would one do this, when slappasswd is available? It comes with openldap.

# slappasswd -h
slappasswd: option requires an argument -- h
Usage: slappasswd [options]
-h hash password scheme
-s secret new password
-c format crypt(3) salt format
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password

By default it uses SSHA. Easier and less prone to error.
--
greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets used at the local large parking lot.

