Directory Server on Ubuntu

Directory Server on Ubuntu

First Published in Full Circle magazine, issue #9 

A lot distributions are implementing software programs based in LDAP, in order to create a Directory Service like Microsoft offers with Active Directory.

This is the first delivery of a series of articles which explain how to build a Primary Domain Controller (PDC); these articles attempt to offer all the service that Microsoft Active Directory can offer. In order to construct this PDC, several “open source” software programs are used: OpenLDAP, OpenAFS, Samba, Kerberos and OpenSSH.

The heart of the PDC will be OpenLDAP, it will be the database where the users´ accounts will be saved. In the users´ accounts we can save information about each user. This would include user name, password, mail, home directory, …All the services of the PDC that will authenticate a user will have to authenticate it against that database.

OpenLDAP is a free implementation and open source of the protocol LDAP (Lightweight Directory Access Protocol) development by the OpenLDAP Project. OpenLDAP is liberated by its own license: OpenLDAP Public License.

LDAP is a protocol at application level which grants access to the service which the administrator of the net allows.

The LDAP database has a tree-like organization, as shown in the example below (although the drawing is a little elementary):

The meaning of the acronyms are:

CN : Common Name.
OU : Organizational Unit.
DN : Domain Name.

Later we’ll see how we have to use these acronyms to identify the members of the PDC.

OK, let’s go with the practice. We assume that we have a Debian server, or in this case Ubuntu Server (updated by apt-get, I’m using 6.06 version). We need to install some packets from the repositories of Ubuntu and follow some steps for the configuration. Personally, I find it useless to fill out the questions that make up the installation process; therefore, I do not answer the questions and instead simply press ‘enter’. Later we can rebuild the ‘conf’ file.

apt-get install slapd ldap-utils

addgroup --system slapd

adduser slapd --home /var/lib/ldap –shell /bin/false --no-create-home --ingroup slapd --system

/bin/chown -R slapd.slapd /etc/ldap /var/lib/slapd /var/lib/ldap /var/run/slapd slapd

With this we create the user and group who execute the daemon, and we give permission to execute.

Now we need to modify a configuration file; we can find this file at: ‘/etc/default/slapd’, but we edit the file to look like this:

#######################################################################
SLAPD_CONF=/etc/ldap/slapd.conf
SLAPD_USER="slapd"
SLAPD_GROUP="slapd"
SLAPD_SERVICES="ldap://ubuntuserver.ironman.es:389/ ldaps://ubuntuserver.ironman.es:636/"
#######################################################################

In ‘slapd services’,’ubuntuserver’ is the name of the server machine, ‘ironman.es’ is our domain name, and we actually don’t need ‘ldap:…’ because we encrypt all connections with SSL by 636 port.

Let’s see another configuration file, ‘/etc/ldap/ldap.conf’:

#######################################################################
HOST    ubuntuserver.ironman.es:636
BASE    dc=ironman,dc=es
URI     ldaps://ubuntuserver.ironman.es:636
PORT    636

#Certificados SSL

TLS_CACERT /etc/ldap/ssl/ubuntuserver.pem

ssl start_tls
ssl on
TLS_REQCERT demand
tls_checkpeer yes
#######################################################################

HOST: the name of the server with the port that we’ll use.
BASE: The base of our domain, where we search the users.
URI: very important for the connection with SSL, the address where ldap has to search.
PORT: the port where we connect.
TLS_CACERT: The route to our cert file which we create later.

This conf file is the client’s part. Let’s start with the real conf file of ldap server (for parts):

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
####################################################

The above is quite well commented, we’ll just say that we just have to modify the ‘schemas’ later to add samba features and others.

######################################################
# SSL conexion:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ssl/ubuntuserver.pem
TLSCertificateFile /etc/ldap/ssl/ubuntuserver.pem
TLSCertificateKeyFile /etc/ldap/ssl/ubuntuserver.pem

TLSVerifyClient never
###############################################

This is the part where we tell slapd server where to find the cert file.

#######################################################################
backend         bdb
checkpoint 512 30
#######################################################################

In this part, we specify the kind of database we are going to use. In this case ‘BDB’, which is the most used.

#######################################################################
database        bdb
suffix          "dc=ironman,dc=es"
rootdn          "cn=admin,dc=ironman,dc=es"
rootpw          secret
directory       "/var/lib/ldap"
index           objectClass eq
lastmod         on
include                 /etc/ldap/slapd.access
#######################################################################

suffix: it will be the base of our tree. rootdn: the full address of our administrator user in the tree. rootpw: the password of administrator user, which we’ll change later. directory: where the database will be stored. include: the path to the access list, which says what users are allowed to use some attributes. index. we do not touch it at the moment, we’ll modify it later.

Now we have to create the access list, in ‘/etc/ldap/slapd.access’:

#######################################################################
access to attrs=userPassword
        by dn="cn=admin,dc=ironman,dc=es" write
        by anonymous auth
        by self write
        by * write
#######################################################################

We allow these files to be seen by ‘slapd’:

/bin/chmod -v 644 /etc/ldap/ldap.conf

/bin/chmod -v 600 /etc/ldap/slapd.conf

(Note: we have to add the name of the server to ‘/etc/hosts’, in all machines, for example;

192.168.1.2 ubuntuserver ubuntuserver.ironman.es

or define in our DNS of our local network)

We now have to create the SSL cert, for the SSL connection between the server and client; both the server and the client have to have a copy of the SSL cert. We’ll need to install some packets.

apt-get install openssl

And for creating the certificate:

openssl req -newkey rsa:1024 -x509 -nodes -out ubuntuserver.pem -keyout ubuntuserver.pem -days 365

We are going to use a self-signed certificate. We can change the name of the files ‘.pem’, but for the configuration I think it’s easier if both of the files have the same name, and we can change the lifetime of the certificate with ‘-days’. I’m not an expert in SSL, but with these we can get a good idea of the PDC. This is going to pose some questions, we can type whatever we want. The only time we cannot type whatever we want is when the command asks about the ‘Common Name’, we then have to type the ‘FQND’ (Fully Qualified Domain Name), or rather, the name of the machine followed by the name of the domain (our domain is ‘ironman.es’).

Generating a 1024 bit RSA private key
.................................................................++++++
...............................++++++
writing new private key to 'ubuntuserver.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Cantabria
Locality Name (eg, city) []:Santander
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IRONMAN
Organizational Unit Name (eg, section) []:IRONMAN.ubuntu
Common Name (eg, YOUR name) []:ubuntuserver.ironman.es
Email Address []:chechu@ubuntu.ironman.es

Now we have to store it where we told ‘slapd.conf’ that it would be. In our case, it will be in ‘/etc/ldap/ssl/’. And we change the owner of the file to slapd:

chown slapd.slapd /etc/ldap/ssl/ubuntuserver.pem

Let’s start with the part of the client. We need to install some packets in the clients machines,(we press ‘enter’ to answer all the questions that the process make up), you’ll have to add the ‘universe’ and ‘multiverse’ repositories to the ‘sources.list’:

apt-get install libpam-ldap libnss-ldap libpam- cracklib

The important files for the client machine are the following, which we are leaving like this. (we’ll have to set up too in the server machine):


‘/etc/libnss-ldap.conf’

#######################################################################
host ubuntuserver.ironman.es:636
base dc=ironman,dc=es
ldap_version 3
rootbinddn cn=admin,dc=ironman,dc=es
port 636
ssl start_tls
ssl on
#######################################################################

‘/etc/pam_ldap.conf’

#######################################################################
host ubuntuserver.ironman.es:636
base dc=ironman,dc=es
ldap_version 3
rootbinddn cn=admin,dc=ironman,dc=es
port 636
ssl start_tls
ssl on
#######################################################################

host: this is the FQDN of our server. base: The base of our tree. ldap version: The version which is going to be implemented. rootbinddn: The full address administrator user in the tree. port: The port we are going to use for the connection, 636 because the connexion is by SSL. ssl: The lines needed for make the SSL connection possible.

We have to change the permission of some files, and change the file ‘/etc/nsswitch.conf’, which contains the order that the services consult the databases, we must set LDAP after files, because it can generate problems with the ‘root’ user:

chmod 644 /etc/pam_ldap.conf

chmod 644 /etc/libnss-ldap.conf


‘/etc/nsswitch.conf’

passwd:         files nis ldap
group:          files nis ldap
shadow:         files nis ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       ldap nis

In order to connect with the daemon, ‘slapd’, we have to modify the ‘pam’, pluggable authentication modules. Below we can see a diagram:

We’ll change the following files:


‘/etc/pam.d/common-account’

account required          pam_unix.so
account sufficient        pam_ldap.so

‘/etc/pam.d/common-auth’

auth     sufficient     pam_unix.so
auth     sufficient     pam_ldap.so try_first_pass
auth     required       pam_env.so
auth     required       pam_securetty.so
auth     required       pam_unix_auth.so
auth     required       pam_warn.so
auth     required       pam_deny.so

‘/etc/pam.d/common-session’

session required        pam_limits.so
session required        pam_unix.so
session optional        pam_ldap.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

The module ‘pam_mkhomedir’ let us create a new home directory when an user authenticate the first time.

‘/etc/pam.d/common-password’

password required       pam_cracklib.so  retry=3 minlen=8 difok=4
password sufficient     pam_unix.so use_authtok md5 shadow
password sufficient     pam_ldap.so use_authtok
password required       pam_warn.so
password required       pam_deny.so

The module ‘pam-cracklib’ let us to handle the length of the password’s user and how many letters have to be different in it.

Now everything is ready to restart the daemon:

/etc/init.d/slapd restart

We have to create the base of the tree and the users in the database. I recommend for doing this the software program ldap-account-manager, it makes the process of creating the tree so easy. I don’t recommend trying to create the users now. I would wait until we get ‘Samba’ installed, but this will be in the next article If you want you can create and start work with LDAP, but just for Unix/Linux clients.

Share it now!

Issuu


You can also read Full Circle online at: http://issuu.com/fullcirclemagazine

Go on Flattr us

All donations go to buying you folks some awesome competition prizes.

Subscribe

You can subscribe to get an email update every time a new issue of the magazine comes out.

Name:

E-mail:


About

Full Circle is a free, independent, monthly magazine dedicated to the Ubuntu family of Linux operating systems. Each month, it contains helpful how-to articles and reader submitted stories.

Full Circle also features a companion podcast, the Full Circle Podcast, which covers the magazine along with other news of interest.