Directory Server on Ubuntu


First Published in Full Circle magazine, issue #9 

Many distributions now ship LDAP-based software in order to provide a directory service comparable to the one Microsoft offers with Active Directory.

This is the first in a series of articles explaining how to build a Primary Domain Controller (PDC); the series attempts to offer all the services that Microsoft Active Directory offers. To build this PDC, several open source programs are used: OpenLDAP, OpenAFS, Samba, Kerberos and OpenSSH.

The heart of the PDC will be OpenLDAP: it will be the database where the users' accounts are stored. In each user's account we can keep information about that user: user name, password, mail, home directory, and so on. Every service of the PDC that authenticates a user will have to authenticate it against that database.

OpenLDAP is a free and open source implementation of LDAP (Lightweight Directory Access Protocol) developed by the OpenLDAP Project. OpenLDAP is released under its own licence, the OpenLDAP Public License.

LDAP is an application-level protocol that gives access to whatever directory services the network administrator chooses to expose.

The LDAP database has a tree-like organization, as shown in the example below (although the drawing is a little elementary):

The acronyms mean:

CN : Common Name.
OU : Organizational Unit.
DN : Distinguished Name, the full name of an entry in the tree (the openssl output later in this article uses the same term). The domain itself is written as domain components (DC), as in dc=ironman,dc=es.

Later we’ll see how we have to use these acronyms to identify the members of the PDC.

OK, let's get practical. We assume a Debian server, or in this case Ubuntu Server (updated with apt-get; I'm using version 6.06). We need to install some packages from the Ubuntu repositories and follow some configuration steps. Personally, I find it pointless to fill in the questions the installation process asks, so I don't answer them and simply press 'enter'. Later we can rebuild the 'conf' file by hand.

apt-get install slapd ldap-utils

addgroup --system slapd

adduser slapd --home /var/lib/ldap --shell /bin/false --no-create-home --ingroup slapd --system

/bin/chown -R slapd.slapd /etc/ldap /var/lib/slapd /var/lib/ldap /var/run/slapd

With this we create the user and group that run the daemon, and give that user ownership of the directories it needs to read and write.

Now we need to modify a configuration file, '/etc/default/slapd'; we edit it to look like this:

#######################################################################
SLAPD_CONF=/etc/ldap/slapd.conf
SLAPD_USER="slapd"
SLAPD_GROUP="slapd"
SLAPD_SERVICES="ldap://ubuntuserver.ironman.es:389/ ldaps://ubuntuserver.ironman.es:636/"
#######################################################################

In SLAPD_SERVICES, 'ubuntuserver' is the name of the server machine and 'ironman.es' is our domain name. We don't actually need the 'ldap://...:389/' entry, because we encrypt all connections with SSL on port 636; leaving it in means the server keeps accepting unencrypted connections on port 389 as well.

Let’s see another configuration file, ‘/etc/ldap/ldap.conf’:

#######################################################################
HOST    ubuntuserver.ironman.es:636
BASE    dc=ironman,dc=es
URI     ldaps://ubuntuserver.ironman.es:636
PORT    636

# SSL certificates

TLS_CACERT /etc/ldap/ssl/ubuntuserver.pem

ssl start_tls
ssl on
TLS_REQCERT demand
tls_checkpeer yes
#######################################################################

HOST: the name of the server, with the port we'll use.
BASE: the base of our domain, where we search for users.
URI: very important for the SSL connection; the address the ldap tools have to contact.
PORT: the port we connect to.
TLS_CACERT: the path to our certificate file, which we create later. With 'TLS_REQCERT demand' the client refuses to talk to a server whose certificate does not verify against this file.
(The 'ssl' and 'tls_checkpeer' lines are options from the pam_ldap/libnss-ldap configuration files and are ignored by OpenLDAP's own ldap.conf; TLS_REQCERT is what enforces certificate checking here.)

This conf file is the client's side. Now let's go through the real configuration file of the LDAP server, '/etc/ldap/slapd.conf', in parts:

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
####################################################

The above is well commented; we'll just note that later we have to extend the 'schemas' to add Samba features and others.

######################################################
# SSL connection:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ssl/ubuntuserver.pem
TLSCertificateKeyFile /etc/ldap/ssl/ubuntuserver.pem

TLSVerifyClient never
###############################################

This is the part where we tell the slapd server where to find the certificate file; since the certificate and the key are written to the same file, both directives point at it. 'TLSVerifyClient never' means the server does not ask clients for a certificate of their own. Note that '+SSLv2' in TLSCipherSuite does not remove the SSLv2 cipher suites, it only moves them to the end of the preference list; SSLv2 is obsolete, so it is safer to exclude those suites with '!SSLv2'.

#######################################################################
backend         bdb
checkpoint 512 30
#######################################################################

In this part we specify the kind of database we are going to use, in this case 'BDB', which is the most widely used. The checkpoint line tells BDB to write a checkpoint every 512 KB of log data or every 30 minutes, whichever comes first.

#######################################################################
database        bdb
suffix          "dc=ironman,dc=es"
rootdn          "cn=admin,dc=ironman,dc=es"
rootpw          secret
directory       "/var/lib/ldap"
index           objectClass eq
lastmod         on
include                 /etc/ldap/slapd.access
#######################################################################

suffix: the base of our tree.
rootdn: the full address of our administrator user in the tree.
rootpw: the password of the administrator user, which we'll change later. Since slapd.conf is a plain text file, it is better to put a hashed value here, as produced by 'slappasswd', rather than the clear text password.
directory: where the database will be stored.
include: the path to the access list, which says which users may use which attributes.
index: we don't touch it at the moment; we'll modify it later.

Now we have to create the access list, in '/etc/ldap/slapd.access'. slapd evaluates the 'by' clauses in order, and the first one that matches the requester decides; so the final catch-all has to be 'by * none': with 'by * write' any authenticated user not matched by the earlier clauses could overwrite everybody's password.

#######################################################################
access to attrs=userPassword
        by dn="cn=admin,dc=ironman,dc=es" write
        by anonymous auth
        by self write
        by * none
#######################################################################
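To make the first-match rule concrete, here is an added example (my own code, not from the article) that evaluates an access list the way slapd does for the 'by' forms used above (dn="...", anonymous, self, users, *) and compares a catch-all of 'by * write' against 'by * none'. The user DNs are made up for the demonstration; the access-level ordering is OpenLDAP's.

```python
import re
from typing import List, Optional, Tuple

# Access levels in the order slapd ranks them; a clause granting level L
# also permits every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed copies of slapd.access: one ending in `by * write`, one in `by * none`.
ACL_OPEN = """
access to attrs=userPassword
        by dn="cn=admin,dc=ironman,dc=es" write
        by anonymous auth
        by self write
        by * write
"""
ACL_CLOSED = ACL_OPEN.replace("by * write", "by * none")

BY_RE = re.compile(r'^\s*by\s+(dn="[^"]*"|anonymous|users|self|\*)\s+(\w+)\s*$')


def parse_by_clauses(acl_text: str) -> List[Tuple[str, str]]:
    """Return the ordered (who, level) pairs of the access list."""
    clauses = []
    for line in acl_text.splitlines():
        m = BY_RE.match(line)
        if m:
            who, level = m.group(1), m.group(2)
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            clauses.append((who, level))
    return clauses


def who_matches(who: str, requester: Optional[str], target: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    if who.startswith('dn="'):
        return requester is not None and requester.lower() == who[4:-1].lower()
    return False


def granted_level(clauses: List[Tuple[str, str]], requester: Optional[str], target: str) -> str:
    """The first matching `by` clause wins, as in slapd; no match means none."""
    for who, level in clauses:
        if who_matches(who, requester, target):
            return level
    return "none"


def allowed(acl_text: str, requester: Optional[str], target: str, needed: str) -> bool:
    """Does `requester` get at least `needed` access to userPassword of `target`?"""
    level = granted_level(parse_by_clauses(acl_text), requester, target)
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=ironman,dc=es"   # constructed DNs
    bob = "uid=bob,ou=People,dc=ironman,dc=es"
    for name, acl in (("by * write", ACL_OPEN), ("by * none", ACL_CLOSED)):
        print(f"{name}: bob can change alice's password:",
              allowed(acl, bob, alice, "write"))
```

Anonymous clients are matched by 'by anonymous auth' before the catch-all, so they can bind but not write under either list; the difference shows up for an ordinary authenticated user such as bob, who can change alice's password under the first list and gets nothing under the second.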

We set the permissions so that these files can be read by 'slapd' (slapd.conf holds rootpw, so only its owner may read it):

/bin/chmod -v 644 /etc/ldap/ldap.conf

/bin/chmod -v 600 /etc/ldap/slapd.conf

(Note: we have to add the name of the server to '/etc/hosts' on all machines, for example:

192.168.1.2 ubuntuserver ubuntuserver.ironman.es

or define it in the DNS of our local network.)

We now have to create the SSL certificate for the SSL connection between server and client; both the server and the client need a copy of the certificate (the client only needs the certificate itself, never the private key). We'll need to install some packages.

apt-get install openssl

And for creating the certificate:

openssl req -newkey rsa:1024 -x509 -nodes -out ubuntuserver.pem -keyout ubuntuserver.pem -days 365

We are going to use a self-signed certificate. We can change the names of the '.pem' files, but for the configuration I think it's easier if both files have the same name, and we can change the lifetime of the certificate with '-days'. I'm not an expert in SSL, but with this we can get a good idea of the PDC. The command asks some questions, and we can type whatever we want, except when it asks for the 'Common Name': there we have to type the FQDN (Fully Qualified Domain Name), that is, the name of the machine followed by the name of the domain (our domain is 'ironman.es'), because that is what the clients compare against the server name when they verify the certificate. A 1024-bit RSA key is no longer considered adequate; on a current system use at least 2048 bits.

Generating a 1024 bit RSA private key
.................................................................++++++
...............................++++++
writing new private key to 'ubuntuserver.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Cantabria
Locality Name (eg, city) []:Santander
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IRONMAN
Organizational Unit Name (eg, section) []:IRONMAN.ubuntu
Common Name (eg, YOUR name) []:ubuntuserver.ironman.es
Email Address []:chechu@ubuntu.ironman.es

Now we have to store it where we told 'slapd.conf' it would be; in our case, '/etc/ldap/ssl/'. And we change the owner of the file to slapd (it contains the private key, so it should also be readable only by that user):

chown slapd.slapd /etc/ldap/ssl/ubuntuserver.pem
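Because '-out' and '-keyout' above point at the same file, ubuntuserver.pem holds both the private key and the certificate, and only the certificate part belongs on the clients. The following is an added example (my own code, not from the article) that splits a combined PEM file into its blocks and produces the certificate-only copy to ship as TLS_CACERT; the sample bundle is constructed with dummy base64 bodies, since only the PEM framing matters for the check.

```python
import re
from typing import List, Tuple

# Added example: separate the certificate from the private key in a combined
# PEM file before copying it to client machines.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (type, block) pairs in file order, e.g. ('CERTIFICATE', '-----BEGIN ...')."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def contains_private_key(text: str) -> bool:
    """True if any block is a private key of any PEM flavour (RSA/EC/PKCS#8)."""
    return any(kind.endswith("PRIVATE KEY") for kind, _ in pem_blocks(text))


def client_copy(text: str) -> str:
    """The part safe to hand to clients as TLS_CACERT: CERTIFICATE blocks only."""
    certs = [block for kind, block in pem_blocks(text) if kind == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return "\n".join(certs) + "\n"


# Constructed stand-in for ubuntuserver.pem; the base64 bodies are dummies.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDdummykeymaterialdummykeymaterialdummykeymaterial
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICdummycertificatedummycertificatedummycertificatedummycertif
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("server file has a private key:", contains_private_key(SAMPLE_BUNDLE))
    client = client_copy(SAMPLE_BUNDLE)
    print("client copy has a private key:", contains_private_key(client))
    print(client)
```

Run the check against the real file before copying it; a client copy for which contains_private_key() is still true should never leave the server.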

Let's move on to the client side. We need to install some packages on the client machines (we press 'enter' to answer all the questions the process asks); you'll have to add the 'universe' and 'multiverse' repositories to 'sources.list':

apt-get install libpam-ldap libnss-ldap libpam-cracklib

The important files for the client machine are the following, which we leave like this (they have to be set up on the server machine too):


‘/etc/libnss-ldap.conf’

#######################################################################
host ubuntuserver.ironman.es:636
base dc=ironman,dc=es
ldap_version 3
rootbinddn cn=admin,dc=ironman,dc=es
port 636
ssl start_tls
ssl on
#######################################################################

‘/etc/pam_ldap.conf’

#######################################################################
host ubuntuserver.ironman.es:636
base dc=ironman,dc=es
ldap_version 3
rootbinddn cn=admin,dc=ironman,dc=es
port 636
ssl start_tls
ssl on
#######################################################################

host: the FQDN of our server.
base: the base of our tree.
ldap_version: the protocol version to use.
rootbinddn: the full address of the administrator user in the tree. Its password is not kept in this file; it is read from a separate secret file whose path is given in the comments of each conf file, and that file must be readable by root only.
port: the port we use for the connection, 636 because the connection is over SSL.
ssl: the lines needed to make the SSL connection possible.

We have to change the permissions of some files, and edit '/etc/nsswitch.conf', which sets the order in which the services consult the databases; we must put ldap after files, because putting it first can cause problems with the 'root' user:

chmod 644 /etc/pam_ldap.conf

chmod 644 /etc/libnss-ldap.conf


‘/etc/nsswitch.conf’

passwd:         files nis ldap
group:          files nis ldap
shadow:         files nis ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       ldap nis
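As an added example (my own code, not from the article), here is a small parser for the nsswitch.conf format with a check that 'files' is consulted before 'ldap' for the account databases, which is the ordering the text asks for; it is run over a constructed copy of the file shown above, and generalises to any database names you pass in.

```python
from typing import Dict, List, Sequence

# Added example: parse nsswitch.conf and confirm that local files are
# consulted before LDAP for the account databases.

# Constructed copy of the nsswitch.conf lines from the article.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         files nis ldap
group:          files nis ldap
shadow:         files nis ldap
hosts:          files dns
networks:       files
netgroup:       ldap nis
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its ordered sources, dropping comments and [status=action] clauses."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        table[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return table


def ldap_before_files(text: str, databases: Sequence[str] = ("passwd", "group", "shadow")) -> List[str]:
    """Databases where 'ldap' is consulted before 'files' (or 'files' is missing)."""
    table = parse_nsswitch(text)
    wrong = []
    for db in databases:
        sources = table.get(db, [])
        if "ldap" not in sources:
            continue
        if "files" not in sources or sources.index("ldap") < sources.index("files"):
            wrong.append(db)
    return wrong


if __name__ == "__main__":
    print(ldap_before_files(SAMPLE_NSSWITCH))              # []
    print(ldap_before_files("passwd: ldap files\n"))       # ['passwd']
```

An empty list means the ordering matches the article; netgroup is deliberately not checked, since it is served only from LDAP and NIS in this setup.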

In order to authenticate against the daemon 'slapd', we have to modify PAM, the pluggable authentication modules. Below we can see a diagram:

We’ll change the following files:


‘/etc/pam.d/common-account’

account required          pam_unix.so
account sufficient        pam_ldap.so

‘/etc/pam.d/common-auth’

auth     sufficient     pam_unix.so
auth     sufficient     pam_ldap.so try_first_pass
auth     required       pam_env.so
auth     required       pam_securetty.so
auth     required       pam_unix_auth.so
auth     required       pam_warn.so
auth     required       pam_deny.so

‘/etc/pam.d/common-session’

session required        pam_limits.so
session required        pam_unix.so
session optional        pam_ldap.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

The module 'pam_mkhomedir' creates a new home directory the first time a user authenticates.

‘/etc/pam.d/common-password’

password required       pam_cracklib.so  retry=3 minlen=8 difok=4
password sufficient     pam_unix.so use_authtok md5 shadow
password sufficient     pam_ldap.so use_authtok
password required       pam_warn.so
password required       pam_deny.so

The module 'pam_cracklib' lets us control the minimum length of a user's password and how many characters must differ from the previous one.

Now everything is ready to restart the daemon:

/etc/init.d/slapd restart

We have to create the base of the tree and the users in the database. For this I recommend the program ldap-account-manager, which makes creating the tree very easy. I don't recommend creating the users now; I would wait until we get 'Samba' installed, which will be covered in the next article. If you want, you can create them and start working with LDAP now, but only for Unix/Linux clients.