OpenLDAP Everywhere Revisited
Listing 6. The smbldap-populate tool automatically adds the accounts required to make your OpenLDAP server work with Samba.
[root]# smbldap-populate Using builtin directory structure adding new entry: dc=foo,dc=com adding new entry: ou=Users,dc=foo,dc=com adding new entry: ou=Groups,dc=foo,dc=com adding new entry: ou=Computers,dc=foo,dc=com adding new entry: ou=Idmap,dc=foo,dc=org adding new entry: cn=NextFreeUnixId,dc=foo,dc=org adding new entry: uid=Administrator,ou=Users,dc=foo,dc=com adding new entry: uid=nobody,ou=Users,dc=foo,dc=com adding new entry: cn=Domain Admins,ou=Groups,dc=foo,dc=com adding new entry: cn=Domain Users,ou=Groups,dc=foo,dc=com adding new entry: cn=Domain Guests,ou=Groups,dc=foo,dc=com adding new entry: cn=Print Operators,ou=Groups,dc=foo,dc=com adding new entry: cn=Backup Operators,ou=Groups,dc=foo,dc=com adding new entry: cn=Replicator,ou=Groups,dc=foo,dc=com adding new entry: cn=Domain Computers,ou=Groups,dc=foo,dc=com
If you examine the sample output of this populate script, you should notice that it has added several new users, groups and OUs to the directory. For example, the script adds the well-known Domain Admins and Domain Users groups to the directory. The NT-based versions of Microsoft Windows all are preconfigured with specific user and group entries. Each one of those has a relative identifier (RID) associated with it. What this means to LDAP is the corresponding LDAP user or group entry must be assigned to the respective RID of the Windows user or group. Using the smbldap-populate script takes care of making the relation for you. The well-known user and groups RIDs that are required are:
Name RID ----------------- Domain Admins 512 Domain Users 513 Domain Guests 514
Aside from the new user and group entries, several new OU entries can provide further domain functionality. The first of these is ou=Computers, which is used to store all machine accounts for member servers and workstations on the domain. Second, the ou=Idmap is used if Samba is being used as a domain member server of a Windows server controlled domain. The last new entry is ou=NextFreeUnixId. This entry is used to defined the next UID and GID available for creating new users and groups.
After your LDAP directory is populated and Samba is set up correctly, you are ready to start adding users and groups to populate your directory. The Idealx command-line utilities can take care of this job nicely for you. Some PHP-based directory managers are available that can be useful here as well. Consider using phpLDAPadmin and/or the LDAP Account Manager (LAM) to take on this task. Both are helpful, providing a graphical view of your directory. Each also provides the ability to view and edit LDAP entries in a user-friendly graphical environment (Figure 3). The LDAP browser, which is Java-based, is another option for viewing and editing your directory.
Since the December 2002 article, we have seen much improvement in Samba with the 3.x releases. Moving to the new version should mean greater control over accounts and improved group mapping functionality, thus giving you greater control over your domain.
We strongly suggest that you use simple authentication and security layer (SASL) and transport layer security (TLS) to secure your new LDAP directory. See Resources for details.
Congratulations! Your LDAP server is up and running with shared e-mail contacts, unified login and shared file storage that is accessible from any client.
Resources for this article: /article/8267.
Craig Swanson (email@example.com) designs networks and offers Linux consulting at SLS Solutions. He also develops Linux software at Midwest Tool & Die. Craig has used Linux since 1993.
Matt Lung (firstname.lastname@example.org) provides network and computer systems consulting at SLS Solutions. He also works at Midwest Tool & Die as a Network Engineer.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The Humble Hacker?
- The US Government and Open-Source Software
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- ACI Worldwide's UP Retail Payments
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide