Difference between revisions of "LDAP Ramblings"

From New IAC Wiki
Jump to navigation Jump to search
m (Protected "LDAP Ramblings" ([edit=comp] (indefinite) [move=comp] (indefinite) [read=comp] (indefinite)))
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Intro==
 
==Intro==
 
On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.
 
On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.
 +
 +
==Adding users manually==
 +
# Create ldap entry, either by web form or manually
 +
# Create home directory: '''mkdir /home/user'''
 +
# Copy skel files: '''cp /etc/skel/.* /home/user/'''
 +
# Change permissions: '''chown -R user:email /home/user/'''
 +
 +
==Converting mail from Athena==
 +
On athena, create .forward with the following contents:
 +
user@iac.isu.edu, \user
 +
And make sure the permissions are fine:
 +
chmod a+x .
 +
chown user:group .forward
 +
chmod a+r .forward
 +
 +
Then on IAC mail:
 +
mkdir oldmail
 +
chmod go-rwx ./oldmail
 +
cd oldmail
 +
rsync -rzP root@athena.physics.isu.edu:/var/spool/mail/user ./mbox
 +
rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/mail ./
 +
rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/Sent ./
 +
---and so on for all mail folders<br/>
 +
Translate the old mbox files to Maildir
 +
mb2md -s oldmail/
 +
mv Maildir/.mbox/cur/* Maildir/cur ##this glob man fail for huge numbers of messages
 +
''Maildir/.mbox/new/, Maildir/.mbox/tmp/ should be empty''<br/>
 +
This should be it, but maybe Sent needs to be copied somewhere else?
  
 
==Clients==
 
==Clients==
Line 15: Line 43:
 
==Datatypes==
 
==Datatypes==
 
====Users====
 
====Users====
Same data for all users:
+
The standard LDIF:
*objectClass
+
version: 1
Data web interface needs to display:
+
*uid ''Username''
+
dn: uid=oborn,ou=People,dc=iac,dc=isu,dc=edu
*uidNumber ''user number''
+
cn: Brian Oborn
*gidNumber ''group number, maybe link to group name?''
+
sn: Brian Oborn
*homeDirectory
+
uid: oborn
 +
loginShell: /bin/bash
 +
mail: oborn@iac.isu.edu
 +
gidNumber: 5001
 +
homeDirectory: /home/oborn
 +
uidNumber: 20XX
 +
objectClass: person
 +
objectClass: organizationalPerson
 +
objectClass: IACperson
 +
objectClass: posixAccount
 +
objectClass: CourierMailAccount
 +
objectClass: shadowAccount
 +
userPassword:: e0N...
 +
IACpermission: iacmail
  
Data web interface needs to modify:
+
'''Note that sn breaks the standard (should be last name), but it's easier to create as-is'''
*Allow login ''sets loginShell to /bin/bash or /bin/false''
 
*mail ''multiple value??''
 
*cn ''Common Name''
 
*sn ''surname''
 
*userPassword ''set, not display''
 
  
Data web interface does not need to display:
+
For samba authentication add the following classes:
*loginShell ''set by allow login''
+
*sambaSamAccount
*gecos ''set to same as cn''
+
*sambaGroupMapping
*shadowLastChange
+
*These are in samba.schema, but require nis.schema, inetorgperson.schema, and cosine.schema first
 +
*Check ACL's as explained on page 126 of "Using Samba"
  
==Creating a new user==
+
====Mail Aliases====
*set password in Luma using crypt option
+
Mail Aliases are routed by Postfix, and follow the RFC822 standard.
*make home directory
+
The CourierMailAlias class is used for the ''maildrop'' attribute.
  
 +
# testdrop, MailAlias, iac.isu.edu
 +
dn: mailAcceptingGeneralID=testdrop,ou=MailAlias,dc=iac,dc=isu,dc=edu
 +
mailAcceptingGeneralID: testdrop
 +
rfc822ForwardingMailbox: oborn@iac.isu.edu
 +
rfc822ForwardingMailbox: oborn
 +
objectClass: rfc822Delivery
 +
objectClass: CourierMailAlias
 +
mail: testdrop@iac.isu.edu
 +
maildrop: oborn
 +
maildrop: ashleykswingle
  
 
==Example LDAP Commands==
 
==Example LDAP Commands==
 
Create a ssh tunnel from local port 3890 to darwin.iac.isu.edu port 389
 
Create a ssh tunnel from local port 3890 to darwin.iac.isu.edu port 389
*ssh -L 3890:darwin.iac.isu.edu:389 darwin.iac.isu.edu
+
*ssh -L 3890:localhost:389 darwin.iac.isu.edu
  
 
Search directory, simple password bind:
 
Search directory, simple password bind:
Line 63: Line 110:
  
 
==LDAP Settings==
 
==LDAP Settings==
====Debian LDAP VM====
 
*Distinguished name of the search base:"dc=iac,dc=isu,dc=edu"
 
*LDAP version 3
 
*Priviledged account for libpam/libnss ldap: "cn=admin,dc=iac,dc=isu,dc=edu"
 
*Need to modify /etc/nsswitch.conf to use the "ldap" datasource.  Example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
 
The following /etc/nsswitch lines:
 
passwd:        compat
 
group:          compat
 
shadow:        compat
 
hosts:          files dns
 
netgroup:      nis
 
will be changed to:
 
passwd:        files ldap
 
group:          files ldap
 
#shadow line removed (only needed for pre-nsswitch compat programs?)
 
hosts:          files dns ldap
 
netgroup:      files ldap
 
 
   
 
   
====SUSE Test====
 
*Base DN: dc=iac, dc=isu, dc=edu
 
*Root DN: cn=Administrator, Append Base DN=true
 
*Default Policy Object DN: cn=Default Password Policy, Append Base DN=true
 
The rest of the schema was set up by the SUSE tools
 
SUSE /etc/nsswitch.conf file has the following relevent lines:
 
passwd:        compat
 
group:         files ldap
 
services:      files ldap #probably not needed
 
netgroup: files ldap
 
aliases: files ldap
 
passwd_compat: ldap
 
The line "passwd: ldap" should be able to replace the 2 passwd lines as long as you're not using the "+" NIS notation in the /etc/passwd file?
 
 
 
==Multimaster Replication==
 
==Multimaster Replication==
 
*Requires ntp time syncronization between replication servers.
 
*Requires ntp time syncronization between replication servers.
Line 102: Line 118:
 
==Resources==
 
==Resources==
 
====Books====
 
====Books====
 +
*There is a good section on [http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html#id2573279 debugging] LDAP with extra syslogging in '''Samba 3 by Example'''.
 
*[http://www.amazon.com/Deploying-OpenLDAP-Tom-Jackiewicz/dp/1590594134/ref=sr_11_1?ie=UTF8&qid=1199748798&sr=11-1 Deploying OpenLDAP]
 
*[http://www.amazon.com/Deploying-OpenLDAP-Tom-Jackiewicz/dp/1590594134/ref=sr_11_1?ie=UTF8&qid=1199748798&sr=11-1 Deploying OpenLDAP]
 
*[http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=sr_11_1?ie=UTF8&qid=1199748823&sr=11-1 LDAP Directories Explained]
 
*[http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=sr_11_1?ie=UTF8&qid=1199748823&sr=11-1 LDAP Directories Explained]

Latest revision as of 02:07, 31 December 2010

Intro

On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.

Adding users manually

  1. Create ldap entry, either by web form or manually
  2. Create home directory: mkdir /home/user
  3. Copy skel files: cp /etc/skel/.* /home/user/
  4. Change permissions: chown -R user:email /home/user/

Converting mail from Athena

On athena, create .forward with the following contents:

user@iac.isu.edu, \user

And make sure the permissions are fine:

chmod a+x .
chown user:group .forward
chmod a+r .forward

Then on IAC mail:

mkdir oldmail
chmod go-rwx ./oldmail
cd oldmail
rsync -rzP root@athena.physics.isu.edu:/var/spool/mail/user ./mbox
rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/mail ./
rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/Sent ./

---and so on for all mail folders
Translate the old mbox files to Maildir

mb2md -s oldmail/
mv Maildir/.mbox/cur/* Maildir/cur ##this glob man fail for huge numbers of messages

Maildir/.mbox/new/, Maildir/.mbox/tmp/ should be empty
This should be it, but maybe Sent needs to be copied somewhere else?

Clients

Linux Clients

Administrative users will retain entries in the local /etc/passwd and /etc/shadow files for troubleshooting access. All other users will exist in LDAP and will have individual server permissions.

Email Clients

Ideally email users can be accommodated without having local accounts. If this is not possible, the local shell can be set to disallow logins for security purposes.

Windows Clients

Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data aquisition etc.) would retain generic iacuser access.

Datatypes

Users

The standard LDIF:

version: 1

dn: uid=oborn,ou=People,dc=iac,dc=isu,dc=edu
cn: Brian Oborn
sn: Brian Oborn
uid: oborn
loginShell: /bin/bash
mail: oborn@iac.isu.edu
gidNumber: 5001
homeDirectory: /home/oborn
uidNumber: 20XX
objectClass: person
objectClass: organizationalPerson
objectClass: IACperson
objectClass: posixAccount
objectClass: CourierMailAccount
objectClass: shadowAccount
userPassword:: e0N...
IACpermission: iacmail

Note that sn breaks the standard (should be last name), but it's easier to create as-is

For samba authentication add the following classes:

  • sambaSamAccount
  • sambaGroupMapping
  • These are in samba.schema, but require nis.schema, inetorgperson.schema, and cosine.schema first
  • Check ACL's as explained on page 126 of "Using Samba"

Mail Aliases

Mail Aliases are routed by Postfix, and follow the RFC822 standard. The CourierMailAlias class is used for the maildrop attribute.

# testdrop, MailAlias, iac.isu.edu
dn: mailAcceptingGeneralID=testdrop,ou=MailAlias,dc=iac,dc=isu,dc=edu
mailAcceptingGeneralID: testdrop
rfc822ForwardingMailbox: oborn@iac.isu.edu
rfc822ForwardingMailbox: oborn
objectClass: rfc822Delivery
objectClass: CourierMailAlias
mail: testdrop@iac.isu.edu
maildrop: oborn
maildrop: ashleykswingle

Example LDAP Commands

Create a ssh tunnel from local port 3890 to darwin.iac.isu.edu port 389

  • ssh -L 3890:localhost:389 darwin.iac.isu.edu

Search directory, simple password bind:

  • ldapsearch -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W -b dc=iac,dc=isu,dc=edu '*'

Search directory, anonymous bind:

  • ldapsearch -h localhost -x -b dc=iac,dc=isu,dc=edu '*'

Add an LDIF file:

  • ldapadd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W < ~brian/oborn.ldif

Delete an LDAP entry:

  • ldapdelete -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W 'uid=oborn,dc=iac,dc=isu,dc=edu'

Change an LDAP password:

  • ldappasswd -h localhost -x -D uid=oborn,ou=People,dc=iac,dc=isu,dc=edu -A -W -S

As admin, change someone else's password:

  • ldappasswd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -A -W -S uid=oborn,ou=People,dc=iac,dc=isu,dc=edu

LDAP Settings

Multimaster Replication

  • Requires ntp time syncronization between replication servers.
  • Only works with OpenLDAP 2.4 (not available in current Debian/Ubuntu/SUSE repositories)
  • Probably not needed with our very infrequent writes

Resources

Books

Websites