# chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
</pre><br/>
== LDAP server configuration ==
Now we move on to configuring the LDAP server.<br/>
First take a backup of the directory:
<pre>
# slapcat > ~/slapd.ldif
</pre>
Keep this file: the procedure below wipes the database directory and reloads it from this LDIF, so check that the dump is complete (it should end with the last entry of your tree, not with an error) before going any further.
Next fetch the missing schemas, which we will add to the LDAP configuration later, and copy the schema required by Samba into <tt>/etc/ldap/schema</tt>:
<pre>
# wget http://www.pepinet.com/download/samba/hdb.schema -P /etc/ldap/schema/
# wget http://www.pepinet.com/download/samba/qmailuser.schema -P /etc/ldap/schema/
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
</pre>
The two files fetched over plain HTTP are loaded into slapd as schema definitions: read through them before including them, since nothing in this step verifies where they came from.
Then generate the MD5 hash of the LDAP root password:
<pre>
# slappasswd -h {MD5}
</pre>
and note the result.<br/>
Keep in mind that <tt>{MD5}</tt> is an unsalted scheme: two accounts with the same password get byte-identical hashes, and the hash can be attacked with precomputed tables. <tt>slappasswd</tt> defaults to the salted <tt>{SSHA}</tt> scheme, which is the better choice for <tt>rootpw</tt> and for the <tt>password-hash</tt> directive in the file below (that directive controls how slapd stores passwords changed through the Password Modify extended operation).
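As an added illustration, not part of the original guide, the following Python reproduces the two storage formats <tt>slappasswd</tt> can emit for <tt>rootpw</tt> and <tt>userPassword</tt> (RFC 2307 style <tt>{scheme}base64</tt> values) and shows why the unsalted one is weaker: hashing the same password twice with <tt>{MD5}</tt> gives the same string, while <tt>{SSHA}</tt> differs every time. The function names, the 4-byte salt length and the test password are choices made for this example; only the standard library is used, so no LDAP server is needed.

```python
"""{MD5} versus {SSHA} password storage as understood by OpenLDAP.

Added example, not code from the original guide.  Standard library only.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def md5_hash(password: str) -> str:
    """{MD5}: base64 of the raw MD5 digest, no salt (what `slappasswd -h {MD5}` prints)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64 of SHA-1(password || salt) followed by the salt.

    slappasswd's default scheme; a fresh 4-byte random salt is used here
    when none is supplied (salt length is an assumption of this example).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {MD5} or {SSHA} value."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        actual = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(actual, expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes, rest is salt
        actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(actual, digest)
    raise ValueError("unsupported scheme: " + stored[:8])


def same_hash_for_same_password(scheme, password: str) -> bool:
    """True when two independent hashes of one password are identical,
    i.e. when the scheme is unsalted and therefore table-attackable."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    for scheme in (md5_hash, ssha_hash):
        print(scheme("secret"), scheme("secret"),
              "repeatable" if same_hash_for_same_password(scheme, "secret") else "salted")
```

Both formats verify the same way, so nothing on the Samba or PAM side changes when you pick <tt>{SSHA}</tt>; the only difference is what an attacker holding a copy of the directory can do with the stored values.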
Now edit the slapd configuration file (<tt>/etc/ldap/slapd.conf</tt>), adding the Samba schema to the <tt>Schema and objectClass definitions</tt> section:
<pre>
include /etc/ldap/schema/samba.schema
</pre>
In the <tt>Indexing options</tt> section add a set of indexes that speed up the lookups Samba performs:
<pre>
index objectClass eq,pres
index uid,uidNumber,gidNumber,memberUid eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index loginShell eq,pres
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
index default sub
</pre>
Users must be able to change not only their own LDAP password but also their Samba password hashes, and at the same time those attributes must be protected from public access. Replace the default line (the Debian default is <tt>access to attrs=userPassword,shadowLastChange</tt>, shown commented out in the full file below):
<pre>
access to attrs=userPassword
</pre>
with:
<pre>
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
</pre>
keeping the <tt>by</tt> clauses that follow it (<tt>by self write</tt>, <tt>by anonymous auth</tt>, <tt>by * none</tt>). The NT and LM hashes are password-equivalent for SMB authentication, so they need exactly the protection <tt>userPassword</tt> has: never readable by anonymous or ordinary authenticated users. Note that slapd evaluates <tt>access</tt> directives in file order and stops at the first one whose <tt>to</tt> clause matches the entry and attribute. Listing <tt>sambaPwdLastSet</tt> and <tt>sambaPwdMustChange</tt> in this deny-all rule therefore means that a later rule granting <tt>by * read</tt> on them never applies, and clients that need to read those expiry attributes without binding as the admin will not be able to; if you need that, leave the two attributes out of this rule.
Finally add the authentication information:
<pre>
rootdn "cn=admin,dc=dominio,dc=local"
rootpw {MD5}Qhz9FD5FDD9YFKBJVAngcw==
</pre>
<tt>rootpw</tt> takes the hash produced by <tt>slappasswd</tt> above. Since <tt>slapd.conf</tt> now holds a password-equivalent secret, make sure it stays readable only by root and the <tt>openldap</tt> user (Debian installs it as root:openldap, mode 0640).
The file should then look like this:<br/>
'''/etc/ldap/slapd.conf''':
<pre>
#######################################################################
# Global Directives:
#sizelimit 20
timelimit -1
threads 8
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/qmailuser.schema
include /etc/ldap/schema/samba.schema
#include /etc/ldap/schema/hdb.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=dominio,dc=local"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=dominio,dc=local"
rootpw {MD5}8Fy5aWO9Ks1d5nFGx3aQ3D==
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.
dbconfig set_cachesize 0 2097152 0
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
#index objectClass eq
index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres,eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index mailHost eq
index givenName pres,sub,eq
index default sub
# Password Hash Definition
password-hash {MD5}
# Overlay Unique
#overlay unique
#unique_uri ldap:///ou=Users,dc=dominio,dc=local?uidNumber,cn?sub
#unique_uri ldap:///ou=Groups,dc=dominio,dc=local?gidNumber,cn?sub
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
##########################################################
# Access control for the various users
# of the LDAP tree
############################################################
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to attrs=userPassword,shadowLastChange
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory
    by dn="cn=admin,dc=dominio,dc=local" write
    by anonymous auth
    by self write
    by * none
# Everyone must be able to read password expiry attributes,
# if you are not granting rootdn access to workstations.
# Otherwise, the client system won't be able to know if
# user's password has expired, and will prompt him/her to
# change his/her password everytime he/she logs in.
# The owner must also be able to write it when he/she
# changes his/her own password.
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=admin,dc=dominio,dc=local" write
    by self write
    by * read
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
    by dn="cn=admin,dc=dominio,dc=local" write
    by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#    by dn="cn=admin,dc=dominio,dc=local" write
#    by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
</pre>
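Because slapd stops at the first <tt>access</tt> rule whose <tt>to</tt> clause matches, the order of the rules above matters as much as their contents. The following Python is an added example (not code from the original guide or from OpenLDAP) that parses the ACL block of the file above, reports attributes listed in a later <tt>attrs=</tt> rule that an earlier rule has already claimed, and computes the access a given subject ends up with. It only understands <tt>to</tt> clauses of the form <tt>attrs=...</tt> (or <tt>attr=</tt>) and <tt>*</tt>; <tt>dn=</tt> and <tt>filter=</tt> qualifiers are ignored, which is an assumption of this example. The two ACL snippets embedded in it are constructed from the file on this page.

```python
"""Lint slapd.conf access directives for first-match shadowing.

slapd walks "access to <what> by <who> <level>" rules in file order and
stops at the first rule whose <what> matches the entry/attribute; inside
that rule the first matching "by" clause decides.  An attribute named in
an earlier attrs= rule therefore never reaches a later rule.

Added example, not code from the original guide or from OpenLDAP.
"""
import re

# Constructed sample: the ACL block of the slapd.conf shown in this guide.
GUIDE_CONF = """\
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory
    by dn="cn=admin,dc=dominio,dc=local" write
    by anonymous auth
    by self write
    by * none
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=admin,dc=dominio,dc=local" write
    by self write
    by * read
access to dn.base="" by * read
access to *
    by dn="cn=admin,dc=dominio,dc=local" write
    by * read
"""

# Same ACLs with the two expiry attributes taken out of the deny-all rule,
# so the later "by * read" rule for them becomes reachable.
FIXED_CONF = GUIDE_CONF.replace(
    "sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory",
    "sambaLMPassword,sambaPasswordHistory",
)


def parse_access_rules(conf):
    """Return [{"what": str, "by": [clause, ...]}, ...] in file order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            body = line[len("access to "):]
            # a rule may carry its first "by" clause on the same line
            head, *inline_by = re.split(r"\s+by\s+", body, maxsplit=1)
            rules.append({"what": head.strip(), "by": list(inline_by)})
        elif line.startswith("by ") and rules:
            rules[-1]["by"].append(line[3:].strip())
    return rules


def attrs_of(what):
    """Lower-cased attribute names of an attrs=/attr= <what> clause."""
    m = re.search(r"\battrs?=(\S+)", what)
    return {a.lower() for a in m.group(1).split(",")} if m else set()


def matches(what, attr):
    return what == "*" or attr.lower() in attrs_of(what)


def shadowed_attrs(rules):
    """(attribute, index of the rule that wins, index of the unreachable rule)."""
    first_rule, wildcard, findings = {}, None, []
    for idx, rule in enumerate(rules):
        if rule["what"] == "*":
            if wildcard is None:
                wildcard = idx          # everything after "access to *" is unreachable
            continue
        for attr in sorted(attrs_of(rule["what"])):
            if attr in first_rule:
                findings.append((attr, first_rule[attr], idx))
            elif wildcard is not None:
                findings.append((attr, wildcard, idx))
            else:
                first_rule[attr] = idx
    return findings


def access_for(rules, attr, who="*"):
    """Access level `who` ("*", "anonymous", "self" or a dn=... subject)
    gets on `attr`.  No matching rule or by-clause means "none"."""
    for rule in rules:
        if not matches(rule["what"], attr):
            continue
        for clause in rule["by"]:
            subject, _, level = clause.partition(" ")
            if subject in (who, "*"):
                return level.split()[0] if level.strip() else "none"
        return "none"
    return "none"


if __name__ == "__main__":
    for name, conf in (("guide", GUIDE_CONF), ("fixed", FIXED_CONF)):
        rules = parse_access_rules(conf)
        print(name, "shadowed:", shadowed_attrs(rules),
              "| anyone on sambaPwdLastSet:", access_for(rules, "sambaPwdLastSet"))
```

On the guide's ACLs the linter reports <tt>sambaPwdLastSet</tt> and <tt>sambaPwdMustChange</tt> as unreachable in the second rule, and <tt>access_for</tt> shows an unauthenticated client gets <tt>none</tt> on them; with the two attributes removed from the first rule the same query returns <tt>read</tt>, while the NT and LM hashes stay at <tt>none</tt>.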
Now restart <tt>slapd</tt> so that all the changes take effect. Since the schema set and the indexes have changed, the database is rebuilt from the LDIF dump taken at the start:
<pre>
# /etc/init.d/slapd stop
# rm -rf /var/lib/ldap/*
# slapadd -l ~/slapd.ldif
# slapindex
# chown -Rf openldap:openldap /var/lib/ldap
# /etc/init.d/slapd start
</pre>
Before the <tt>rm -rf</tt>, run <tt>slaptest -u -f /etc/ldap/slapd.conf</tt> to confirm that the file parses and that every schema it includes is found: a missing-schema error costs nothing at that point, whereas finding it after the database has been wiped leaves you with only the LDIF dump. The <tt>chown</tt> is needed because <tt>slapadd</tt> and <tt>slapindex</tt> were run as root while slapd runs as <tt>openldap</tt>; without it the server cannot open the database files.
You can check that the server started correctly by running a query with the commands:
<pre>
# slapcat
# ldapsearch -x
</pre>
The response must be an LDIF listing. If you get a connection error instead, recheck all the settings and the log files (note that the file above sets <tt>loglevel none</tt>, so raise it, for example to <tt>loglevel stats</tt>, if you want slapd to log anything to syslog). <tt>ldapsearch -x</tt> performs an anonymous simple bind, so its output also shows exactly what an unauthenticated client can see: <tt>userPassword</tt>, <tt>sambaNTPassword</tt> and <tt>sambaLMPassword</tt> must not appear in it; if they do, the <tt>access</tt> directives above are not being applied. To troubleshoot <tt>slapd</tt> it is also useful to stop the service and start it by hand, instead of through the standard Debian scripts, with the command:
<pre>
# slapd -d 256
</pre>
This runs it in the foreground, printing connection and operation statistics (debug level 256) to the terminal.
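To turn the check above into something repeatable, the following Python is an added example (not code from the original guide) that reads the LDIF produced by an anonymous <tt>ldapsearch -x</tt> or by <tt>slapcat</tt>, and reports two things: password-equivalent attributes that are visible in the output, and <tt>sambaSamAccount</tt> entries that lack a <tt>sambaSID</tt> (which Samba needs for every account). The embedded LDIF is a constructed sample: <tt>alice</tt> is a correct entry and <tt>bob</tt> deliberately shows both problems. The file name <tt>check_ldif.py</tt> in the usage line is an assumption.

```python
"""Check anonymous ldapsearch / slapcat output for leaked password attributes
and for Samba accounts without a sambaSID.

Added example, not code from the original guide.  Usage:
    ldapsearch -x -b dc=dominio,dc=local | python3 check_ldif.py -
With no argument it runs over the constructed SAMPLE_LDIF below.
"""
import base64
import sys

# Attributes that must never be visible to an anonymous client.
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword", "sambapasswordhistory"}

# Constructed sample output; bob's entry intentionally exposes both problems.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=dominio,dc=local> (default) with scope subtree
#
dn: dc=dominio,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: dominio
dc: dominio

dn: uid=alice,ou=Users,dc=dominio,dc=local
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 513
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-3002
description: account used to demonstrate LDIF line folding in this
  constructed sample

dn: uid=bob,ou=Users,dc=dominio,dc=local
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 1002
gidNumber: 513
userPassword:: e1NTSEF9ZHVtbXk=
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]}), ...].

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: ...").  "attr:< url" references are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold: drop the single leading space
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):
            continue
        else:
            value = value.strip()
        if name.lower() == "dn":
            if current:
                entries.append(current)
            current = (value, {})
        elif current is not None:           # "search:"/"result:" trailers have no entry
            current[1].setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def exposed_secrets(entries):
    """(dn, attribute) pairs for password-equivalent attributes in the output."""
    return sorted((dn, attr) for dn, attrs in entries for attr in attrs if attr in SECRET_ATTRS)


def samba_accounts_without_sid(entries):
    out = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambasamaccount" in classes and "sambasid" not in attrs:
            out.append(dn)
    return out


def main(argv):
    if argv[1:] == ["-"]:
        text = sys.stdin.read()
    elif argv[1:]:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    entries = parse_ldif(text)
    leaks, nosid = exposed_secrets(entries), samba_accounts_without_sid(entries)
    print(f"{len(entries)} entries; leaked: {leaks}; missing sambaSID: {nosid}")
    return 1 if leaks or nosid else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the anonymous search only (bind with <tt>-D cn=admin,... -W</tt> and the password attributes are expected to appear); an exit status of 1 on the anonymous output means the <tt>access</tt> rules are not doing what the file says.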
<br/> |