
Copyright (c) 2004 Fernando Ribeiro <musb@nerdgroup.org>.

Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.2 or any later version published by the
Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found here.
Version: 0.0.1
TODO: Tuning

How to install a Samba+OpenLDAP PDC

-----------------------------------

This document covers, in all the detail needed, how to build a Primary Domain
Controller (PDC) with Samba+OpenLDAP. It does not cover the theory, only the
practical side of the whole setup. My goal in putting this solution together is
to unify authentication across the company, so that clients reach every service
we offer with one, and only one, username and password.
1. What is needed
This solution uses the following packages:
samba-3.0.7.tar.gz
smbldap-tools-0.8.5.tgz
cyrus-sasl-2.1.19.tar.gz
openldap-2.2.17.tgz
nss_ldap.tgz
MigrationTools.tgz
Authen-SASL-2.08.tar.gz
Convert-ASN1-0.18.tar.gz
Crypt-SmbHash-0.02.tar.gz
IO-Socket-SSL-0.96.tar.gz
Net_SSLeay.pm-1.25.tar.gz
URI-1.33.tar.gz
XML-SAX-Base-1.04.tar.gz
perl-ldap-0.3202.tar.gz
2. Preparing the environment
Slackware 10.0.0 was used, with all (stable) updates available as of
01/09/2004;

Kernel 2.6.8.1 was used; it is not covered in this document;

No frontend was used for administering LDAP, since none fitted the needs at
the time;
2.1 Disk partitioning
Three disks (2 SCSI, 1 IDE) were used, as follows:
1 - SCSI: operating system
2 - SCSI: software
3 - IDE: home directories and e-mail
All using reiserfs.
3. Installing cyrus-sasl
tar -zxvf cyrus-sasl-2.1.19.tar.gz
cd cyrus-sasl-2.1.19
./configure --with-bdb-libdir=/usr/lib --with-bdb-incdir=/usr/include/db4
make
make install
If everything went well, create the symbolic link:
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
Note: DB4 (Berkeley DB 4) must already be installed.

Run ldconfig:
ldconfig
4. Installing OpenLDAP
tar -zxvf openldap-2.2.17.tgz
cd openldap-2.2.17
env CPPFLAGS="-I/usr/include/db4" LDFLAGS="-L/usr/lib" ./configure --enable-crypt

make depend
make
make install
4.1 Configuring the LDAP server

The Samba package ships the samba.schema that is needed here. It is in
samba-3.0.7/examples/LDAP; just copy it to /usr/local/etc/openldap/schema/.
The qmail.schema is included because I will use this same directory for qmail
authentication as well. It can be found at
http://www.nerdgroup.org/musb/files/schemas/qmail.schema
/usr/local/etc/openldap/slapd.conf should look like this:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/qmail.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=dominio,dc=com,dc=br"
rootdn "cn=suporte,dc=dominio,dc=com,dc=br"
rootpw {SSHA}9M3rhZOn5EZSYdKr3IyBOd1URp6EH0AV
directory /usr/local/var/openldap-data
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,mailAlternateAddress,givenname,accountStatus,mailHost,deliveryMode eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
Notes: the rootpw must be generated with slappasswd (the {SSHA} value above is a
salted SHA-1 digest, never the clear-text password). password-crypt-salt-format
must contain the %s conversion ("$1$%.8s", the same value as crypt_salt_format
in smbldap.conf); written as "$1$.8s" it would be taken literally and every
userPassword would be hashed with the same fixed salt. Read the ACL with care:
sambaLMPassword and sambaNTPassword are password-equivalent hashes, which is why
they get exactly the protection of userPassword (only the entry itself may write
them, anonymous sessions may only bind with them, nobody may read them), while
the closing "access to * by * read" lets anonymous clients read every other
attribute (uid, uidNumber, memberUid, sambaSID, ...). The rootdn is exempt from
ACLs altogether, which is how Samba's ldap admin dn (the same DN) gets to write
the password attributes.
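To see exactly what this ACL grants, here is a small evaluator. It is an added example for this edit, not part of the original document or of OpenLDAP: it parses the two access directives above and applies slapd's rules (the first "access to" whose target covers the attribute wins, within it the first matching "by" wins, a "by" clause grants its level and every level below it, and anything unmatched is denied). The entries uid=alice and uid=bob under ou=Usuarios are invented for the demonstration, and only the target and subject forms used above are supported.

```python
import re

# OpenLDAP 2.2 access levels, weakest to strongest; a "by" clause grants its
# level and every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two access directives from the slapd.conf above, embedded as input.
SLAPD_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""


def parse_acl(text):
    """Return [(attrs_or_None, [(who, level), ...]), ...] in directive order.

    Simplification for this example: only '*' and 'attrs=...' targets are
    understood (no dn= or filter= targets), and only the subjects used above.
    """
    rules = []
    for target, body in re.findall(r"access\s+to\s+(\S+)(.*?)(?=access\s+to|\Z)", text, re.S):
        if target == "*":
            attrs = None
        elif target.startswith("attrs="):
            attrs = {a.strip().lower() for a in target[len("attrs="):].split(",")}
        else:
            raise ValueError("unsupported target: " + target)
        by = re.findall(r"by\s+(\S+)\s+(\S+)", body)
        unknown = [lvl for _, lvl in by if lvl not in LEVELS]
        if unknown:
            raise ValueError("unknown access level(s): " + ", ".join(unknown))
        rules.append((attrs, by))
    return rules


def _subject_matches(who, bound_dn, entry_dn):
    """bound_dn is '' for an anonymous session; DNs are compared case-insensitively."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn == ""
    if who == "users":
        return bound_dn != ""
    if who == "self":
        return bound_dn != "" and bound_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported subject: " + who)


def granted(rules, bound_dn, entry_dn, attr):
    """Level granted to bound_dn on attribute attr of entry_dn.

    The first 'access to' whose target covers attr is selected; within it the
    first matching 'by' decides. slapd appends an implicit 'by * none' to every
    directive and an implicit 'access to * by * none' to the list, hence the
    two 'none' fall-throughs.
    """
    for attrs, by in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by:
            if _subject_matches(who, bound_dn, entry_dn):
                return level
        return "none"
    return "none"


def allowed(rules, bound_dn, entry_dn, attr, needed):
    return LEVELS.index(granted(rules, bound_dn, entry_dn, attr)) >= LEVELS.index(needed)


# Hypothetical entries used only for the demonstration.
BASE = "dc=dominio,dc=com,dc=br"
ALICE = "uid=alice,ou=Usuarios," + BASE
BOB = "uid=bob,ou=Usuarios," + BASE
RULES = parse_acl(SLAPD_ACL)


def check_matrix():
    """The questions a reviewer should ask of this ACL, as {question: answer}."""
    return {
        "anonymous can bind using alice's userPassword": allowed(RULES, "", ALICE, "userPassword", "auth"),
        "anonymous can read alice's userPassword": allowed(RULES, "", ALICE, "userPassword", "read"),
        "anonymous can read alice's sambaNTPassword": allowed(RULES, "", ALICE, "sambaNTPassword", "read"),
        "alice can change her own sambaNTPassword": allowed(RULES, ALICE, ALICE, "sambaNTPassword", "write"),
        "bob can read alice's sambaNTPassword": allowed(RULES, BOB, ALICE, "sambaNTPassword", "read"),
        "anonymous can read alice's sambaSID": allowed(RULES, "", ALICE, "sambaSID", "read"),
        "bob can modify alice's uidNumber": allowed(RULES, BOB, ALICE, "uidNumber", "write"),
    }


if __name__ == "__main__":
    for question, answer in check_matrix().items():
        print(f"{'yes' if answer else 'no':>3}  {question}")
```

The one DN the table never applies to is the rootdn: cn=suporte is exempt from ACLs, so Samba's ldap admin dn, the nss_ldap rootbinddn and the smbldap-tools bind all run with unrestricted access, which is worth keeping in mind when handing that password to each of those files.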
4.2 - Populating the directory
Since our directory is quite simple, just create a file called /root/base.ldif
with the following content (entries are separated by a blank line):
dn: dc=dominio,dc=com,dc=br
dc: dominio
objectClass: top
objectClass: domain

dn: ou=Usuarios,dc=dominio,dc=com,dc=br
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=dominio,dc=com,dc=br
ou: Grupos
objectClass: top
objectClass: organizationalUnit

dn: ou=Computadores,dc=dominio,dc=com,dc=br
ou: Computadores
objectClass: top
objectClass: organizationalUnit
Then add these entries to the directory with the following command:
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=dominio,dc=com,dc=br"
adding new entry "ou=Usuarios,dc=dominio,dc=com,dc=br"
adding new entry "ou=Grupos,dc=dominio,dc=com,dc=br"
adding new entry "ou=Computadores,dc=dominio,dc=com,dc=br"
With that our directory is initialised; a plain ldapsearch -x shows what it
looks like. =)
It has the following shape (the three OUs are siblings directly under the base):
dc=dominio,dc=com,dc=br
|
|--- ou=Usuarios
|
|--- ou=Grupos
|
`--- ou=Computadores
4.3 - Migrating system accounts to LDAP
We will use MigrationTools-45:
tar zxvf MigrationTools.tgz
cd MigrationTools-45
Edit migrate_common.ph and change the following lines:
$NAMINGCONTEXT{'passwd'} = "ou=Usuarios";
$NAMINGCONTEXT{'group'} = "ou=Grupos";
$DEFAULT_MAIL_DOMAIN = "dominio.com.br";
$DEFAULT_BASE = "dc=dominio,dc=com,dc=br";
$DEFAULT_MAIL_HOST = "mail.dominio.com.br";
Save, then run the following command to generate grupos.ldif, which will hold
all the system groups:
./migrate_group.pl /etc/group /root/grupos.ldif
This produces /root/grupos.ldif with the needed entries; load it with:
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f /root/grupos.ldif
That adds every system group to the directory. =)
Now we migrate the users:
./migrate_passwd.pl /etc/passwd /root/usuarios.ldif
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f /root/usuarios.ldif
migrate_passwd.pl reads the password hashes from /etc/shadow when run as root
and writes them as {crypt} userPassword values, and it converts every account in
/etc/passwd, root and the daemon accounts included; look through
/root/usuarios.ldif and drop the entries you do not want in the directory
before loading it.
Done: the system accounts are in the directory; all that is left is to tell the
system to authenticate against LDAP.

4.4 - Installing nss_ldap

tar zxvf nss_ldap.tgz
cd nss_ldap-220
./configure
make
make install
The file /etc/ldap.conf must be changed to:
host 127.0.0.1
base dc=dominio,dc=com,dc=br
rootbinddn cn=suporte,dc=dominio,dc=com,dc=br
nss_base_passwd ou=Usuarios,dc=dominio,dc=com,dc=br?one
nss_base_shadow ou=Usuarios,dc=dominio,dc=com,dc=br?one
nss_base_group ou=Grupos,dc=dominio,dc=com,dc=br?one
With rootbinddn set, lookups made by root bind as that DN using the password
kept in /etc/ldap.secret (which must be owned by root with mode 0600); all other
lookups bind anonymously, which is what the BIND dn="" lines in the log below
are. Since the DN given here is the directory rootdn, that file holds the
master password of the whole directory in clear text; a dedicated read-only DN
would limit what a leak of /etc/ldap.secret gives away.
4.5 - Modifying /etc/nsswitch.conf
Change the following lines:
passwd: compat ldap
group:  compat ldap

Done; now you can test with:

id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
If you check the logs, you will see it fetched this information from LDAP:
tail -f /var/log/debug
Oct 1 12:46:10 terra slapd[19496]: conn=16 fd=12 ACCEPT from IP=127.0.0.1:32837 (IP=0.0.0.0:389)
Oct 1 12:46:10 terra slapd[19504]: conn=16 op=0 BIND dn="" method=128
Oct 1 12:46:10 terra slapd[19504]: conn=16 op=0 RESULT tag=97 err=0 text=
Oct 1 12:46:10 terra slapd[19504]: conn=16 op=1 SRCH base="ou=Grupos,dc=dominio,dc=com,dc=br" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Oct 1 12:46:10 terra slapd[19504]: conn=16 op=1 SRCH attr=cn userPassword memberUid gidNumber
Oct 1 12:46:10 terra slapd[19504]: conn=16 op=1 SEARCH RESULT tag=101 err=0 nentries=34 text=
Oct 1 12:46:10 terra slapd[19498]: conn=16 op=2 SRCH base="ou=Grupos,dc=dominio,dc=com,dc=br" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Oct 1 12:46:10 terra slapd[19498]: conn=16 op=2 SRCH attr=cn userPassword memberUid gidNumber
Oct 1 12:46:10 terra slapd[19498]: conn=16 op=2 SEARCH RESULT tag=101 err=0 nentries=34 text=
Oct 1 12:46:10 terra slapd[19496]: conn=16 fd=12 closed
LDAP is working =). Note the BIND dn="" (an anonymous bind, method=128 being a
simple bind) and that nss_ldap asked for userPassword among the group
attributes: the ACL above grants anonymous sessions only "auth" on that
attribute, so slapd withholds it from the result.
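The debug log above is also where two things worth watching show up: anonymous sessions asking for password attributes (as nss_ldap does here; the ACL withholds them, but a loosened ACL would not), and simple binds that carry a real DN, and therefore a password, over the clear-text port 389 from a machine other than the server itself. The script below is an added example, not part of the original document or of OpenLDAP, that correlates the ACCEPT, BIND, TLS and SRCH attr lines per connection. Its sample log embeds the page's own conn=16 lines plus two constructed connections (conn=17 and conn=18, with the invented peers 10.0.0.5 and 10.0.0.6) to exercise the bind rule both without and with StartTLS.

```python
import re
from collections import defaultdict

# Attributes whose values are credentials or credential-equivalent hashes.
PASSWORD_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}

# Constructed sample: conn=16 is the page's own nss_ldap lookup (anonymous, from
# localhost); conn=17 and conn=18 are invented to exercise the bind rule.
SAMPLE_LOG = """\
Oct  1 12:46:10 terra slapd[19496]: conn=16 fd=12 ACCEPT from IP=127.0.0.1:32837 (IP=0.0.0.0:389)
Oct  1 12:46:10 terra slapd[19504]: conn=16 op=0 BIND dn="" method=128
Oct  1 12:46:10 terra slapd[19504]: conn=16 op=0 RESULT tag=97 err=0 text=
Oct  1 12:46:10 terra slapd[19504]: conn=16 op=1 SRCH base="ou=Grupos,dc=dominio,dc=com,dc=br" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Oct  1 12:46:10 terra slapd[19504]: conn=16 op=1 SRCH attr=cn userPassword memberUid gidNumber
Oct  1 12:46:10 terra slapd[19504]: conn=16 op=1 SEARCH RESULT tag=101 err=0 nentries=34 text=
Oct  1 12:46:10 terra slapd[19496]: conn=16 fd=12 closed
Oct  1 12:47:02 terra slapd[19496]: conn=17 fd=13 ACCEPT from IP=10.0.0.5:40001 (IP=0.0.0.0:389)
Oct  1 12:47:02 terra slapd[19504]: conn=17 op=0 BIND dn="cn=suporte,dc=dominio,dc=com,dc=br" method=128
Oct  1 12:47:02 terra slapd[19504]: conn=17 op=0 RESULT tag=97 err=0 text=
Oct  1 12:47:30 terra slapd[19496]: conn=18 fd=14 ACCEPT from IP=10.0.0.6:40002 (IP=0.0.0.0:389)
Oct  1 12:47:30 terra slapd[19504]: conn=18 op=0 STARTTLS
Oct  1 12:47:30 terra slapd[19504]: conn=18 fd=14 TLS established tls_ssf=256 ssf=256
Oct  1 12:47:30 terra slapd[19504]: conn=18 op=1 BIND dn="uid=alice,ou=Usuarios,dc=dominio,dc=com,dc=br" method=128
"""

CONN = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
BIND = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')   # method=128 is a simple bind
SRCH_ATTRS = re.compile(r"op=\d+ SRCH attr=(.*)")


def analyse(log_text):
    """Return a list of (conn, finding, detail, peer_ip) tuples, in log order."""
    conns = defaultdict(lambda: {"ip": "", "port": "", "dn": None, "tls": False})
    findings = []
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        c = conns[conn]
        if a := ACCEPT.search(rest):
            c["ip"], c["port"] = a.group(1), a.group(2)      # peer address, listener port
        elif "TLS established" in rest:
            c["tls"] = True                                    # StartTLS completed
        elif b := BIND.search(rest):
            dn, method = b.group(1), b.group(2)
            c["dn"] = dn
            # A simple bind with a DN sends the password in the clear unless the
            # session is TLS-protected (ldaps:// on 636, or StartTLS on 389).
            if method == "128" and dn and not c["tls"] and c["port"] == "389" \
                    and not c["ip"].startswith("127."):
                findings.append((conn, "cleartext simple bind", dn, c["ip"]))
        elif s := SRCH_ATTRS.search(rest):
            asked = {x.lower() for x in s.group(1).split()} & PASSWORD_ATTRS
            if c["dn"] == "" and asked:
                findings.append((conn, "anonymous search asks for password attrs",
                                 " ".join(sorted(asked)), c["ip"]))
    return findings


if __name__ == "__main__":
    for conn, what, detail, ip in analyse(SAMPLE_LOG):
        print(f"conn={conn} {ip}: {what}: {detail}")
```

On the page's own log the anonymous request is nss_ldap on the loopback interface, which this ACL tolerates; the rule earns its keep when the same pattern appears from another host, or after someone relaxes the ACL. The cleartext-bind rule is the reason section 7 adds TLS.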
5.0 - Samba
tar zxvf samba-3.0.7.tar.gz
cd samba-3.0.7/source
env CPPFLAGS="-I/usr/local/include/" \
./configure --bindir=/usr/local/bin/ \
--sbindir=/usr/local/sbin/ \
--libexecdir=/usr/local/libexec/ \
--with-configdir=/etc/samba \
--with-mandir=/usr/local/man \
--with-logfilebase=/var/log/samba \
--enable-cups \
--with-smbmount \
--with-ldapsam \
--with-syslog \
--with-quotas \
--with-acl-support
make
make install
Create /etc/samba/smb.conf with the following content (the passwd chat line is
harmless but unused here: with ldap passwd sync = yes Samba updates userPassword
in the directory itself, and no passwd program is set):
[global]
workgroup = dominio
netbios name = PDC
server string = PDC
security = user
encrypt passwords = yes
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
os level = 33
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
admin users = fernando.ribeiro
logon script = %U.bat
logon path = \\%L\profiles\%U
wins support = no
dns proxy = no
ldap passwd sync = yes
ldap delete dn = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=suporte,dc=dominio,dc=com,dc=br
ldap suffix = dc=dominio,dc=com,dc=br
ldap group suffix = ou=Grupos
ldap user suffix = ou=Usuarios
ldap machine suffix = ou=Computadores
idmap uid = 10000-15000
idmap gid = 10000-15000
nt acl support = yes
create mask = 600
directory mask = 0700
force directory mode = 0700
passwd chat = *New*password* %n\n *Retype*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
dos charset = UTF-8
unix charset = UTF-8
cups server = 10.0.0.11
[homes]
comment = Diretorio Home
browseable = no
writable = yes
force user = %U

[profiles]
path = /home/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

[netlogon]
path = /home/netlogon
browseable = No
read only = yes
[printers]
comment = Impressoras
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[publico]
comment = Area Publica
path = /home/publico
browseable = yes
guest ok = yes
writable = yes
force user = %U
Save and exit.
Create the script /etc/rc.d/rc.samba with the following content:
#!/bin/sh
#
# /etc/rc.d/rc.samba
#
# Start/stop/restart the Samba SMB file/print server.
#
# To make Samba start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.samba
#
samba_start() {
  if [ -x /usr/local/sbin/smbd -a -x /usr/local/sbin/nmbd -a -r /etc/samba/smb.conf ]; then
    echo "Starting Samba:  /usr/local/sbin/smbd -D"
    /usr/local/sbin/smbd -D
    echo "                 /usr/local/sbin/nmbd -D"
    /usr/local/sbin/nmbd -D
  fi
}
samba_stop() {
  killall smbd nmbd
}
samba_restart() {
  samba_stop
  sleep 2
  samba_start
}
case "$1" in
'start')
  samba_start
  ;;
'stop')
  samba_stop
  ;;
'restart')
  samba_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions. This may change to a 'usage' error someday.
  samba_start
esac

Create the directory /var/log/samba.

Run the /etc/rc.d/rc.samba script:
/etc/rc.d/rc.samba start
Samba is now up =)
Now we configure smbldap-tools:
tar zxvf smbldap-tools-0.8.5.tgz
cd smbldap-tools-0.8.5
cp -f smbldap-* /usr/local/sbin/
mkdir /etc/smbldap-tools/
cp smbldap.conf smbldap_bind.conf /etc/smbldap-tools/
chmod 644 /etc/smbldap-tools/smbldap.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
Edit /etc/smbldap-tools/smbldap.conf as follows:
SID="S-1-5-21-715268823-1473299472-2771147885"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
clientcert=""
clientkey=""
suffix="dc=dominio,dc=com,dc=br"
usersdn="ou=Usuarios,${suffix}"
computersdn="ou=Computadores,${suffix}"
groupsdn="ou=Grupos,${suffix}"
idmapdn="ldapidmapsuffix,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="CRYPT"
crypt_salt_format="$1$%.8s"
userLoginShell="/bin/false"
userHome="/home/%G/%U"
userGecos="Ldap User"
defaultUserGid="1000"
defaultComputerGid="1000"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC\home\%U"
userProfile="\\PDC\profiles\%U"
userHomeDrive="U:"
userScript="%U.bat"
mailDomain="dominio.com.br"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
NOTE: the SID is obtained with the following command:
net getlocalsid dominio
As you will notice, it then automatically creates an entry in the directory:
dn: sambaDomainName=dominio,dc=dominio,dc=com,dc=br
sambaDomainName: dominio
sambaSID: S-1-5-21-715268823-1473299472-2771147885
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 31000
sambaNextGroupRid: 31001
It is also necessary to store the LDAP admin password in secrets.tdb, since
Samba binds to the directory as the ldap admin dn with that password (so do
this before expecting Samba to write anything, the sambaDomain entry above
included, to the directory); use the command:
smbpasswd -w SENHA
where SENHA is the password of cn=suporte. secrets.tdb must stay readable by
root only.

Edit the file /etc/smbldap-tools/smbldap_bind.conf and configure it as follows:

slaveDN="cn=suporte,dc=dominio,dc=com,dc=br"
slavePw="dominio"
masterDN="cn=suporte,dc=dominio,dc=com,dc=br"
masterPw="dominio"
This file carries the rootdn password in clear text, which is why it was made
mode 600 above; "dominio" is only a placeholder value here.
After that, copy smbldap_tools.pm to the directory /usr/lib/perl5/5.8.4/i486-linux/:
cp smbldap_tools.pm /usr/lib/perl5/5.8.4/i486-linux/
At this point we notice some Perl modules are missing; install them now (for
each one: unpack, enter its directory, build, test, install):
tar zxvf Convert-ASN1-0.18.tar.gz
cd Convert-ASN1-0.18
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf Authen-SASL-2.08.tar.gz
cd Authen-SASL-2.08
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf URI-1.33.tar.gz
cd URI-1.33
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf Net_SSLeay.pm-1.25.tar.gz
cd Net_SSLeay.pm-1.25
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf IO-Socket-SSL-0.96.tar.gz
cd IO-Socket-SSL-0.96
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf XML-SAX-Base-1.04.tar.gz
cd XML-SAX-Base-1.04
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf Crypt-SmbHash-0.02.tar.gz
cd Crypt-SmbHash-0.02
perl Makefile.PL
make
make test
make install
cd ..
perl-ldap-0.3202.tar.gz (Net::LDAP), listed in section 1, is what smbldap-tools
uses to talk to the directory and is built the same way:
tar zxvf perl-ldap-0.3202.tar.gz
cd perl-ldap-0.3202
perl Makefile.PL
make
make test
make install
cd ..
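Crypt::SmbHash, just installed, is what smbldap-tools uses to produce the sambaLMPassword and sambaNTPassword values it writes, and slappasswd produced the {SSHA} rootpw in slapd.conf (user entries get {CRYPT} md5crypt per password-hash and hash_encrypt, which is not reproduced here). The example below is added for this edit and is not code from the original document, from Crypt::SmbHash or from OpenLDAP: it recomputes the NT hash (MD4 over the UTF-16LE password, no salt, stored as 32 upper-case hex digits) and the {SSHA} form (base64 of SHA-1 over password plus a random 4-byte salt, with the salt appended). MD4 is written out inline because OpenSSL 3 builds of Python's hashlib often no longer provide it; the DES-based LM hash is left out. The point it makes is the one behind the ACL: two accounts with the same password share one NT hash, and that hash is exactly what a client presents at logon, so it has to be guarded like the password itself.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is often unavailable."""
    def rol(x, n):
        x &= 0xFFFFFFFF
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"              # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    s0, s1, s2, s3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = s0, s1, s2, s3
        for i in range(16):                      # round 1
            a, b, c, d = d, rol(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                      # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                      # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        s0, s1, s2, s3 = [(u + v) & 0xFFFFFFFF for u, v in zip((s0, s1, s2, s3), (a, b, c, d))]
    return struct.pack("<4I", s0, s1, s2, s3)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 of the UTF-16LE password, unsalted, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """{SSHA} value as slappasswd emits it: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> tuple[bytes, bytes]:
    """Split a {SSHA} value into (20-byte digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; this is what slapd does on a simple bind."""
    digest, salt = ssha_split(stored)
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def same_password_two_users(password: str) -> tuple[bool, bool]:
    """Two accounts with the same password: do their NT hashes collide? their {SSHA} values?"""
    return nt_hash(password) == nt_hash(password), ssha_hash(password) == ssha_hash(password)


if __name__ == "__main__":
    print("NT hash of 'password'  :", nt_hash("password"))
    print("rootpw-style value     :", ssha_hash("password"))
    print("NT equal / {SSHA} equal:", same_password_two_users("password"))
```

ssha_split applied to the rootpw in slapd.conf shows the layout (20 bytes of digest followed by 4 bytes of salt) without revealing anything about the password, which is the property the rootpw relies on; an NT hash has no such property, and anyone who can read sambaNTPassword can authenticate as that user.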
Now we need to tell it which uid is the next one free for creating users. For
that we insert the following entry into the directory.
Save the following in a file called nextuid.ldif:
dn: cn=NextFreeUnixId,dc=dominio,dc=com,dc=br
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
And load it into LDAP with:
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f nextuid.ldif

After that we can populate the directory with the entries Windows needs. Use:
smbldap-populate
If some entries are not added, it is because they are already in the directory;
you can ignore those.
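smbldap-populate, smbldap-useradd and smbldap-groupadd give every account a sambaSID made of the domain SID shown above plus a RID, and smbldap-tools 0.8.5 derives that RID algorithmically: user RID = 2*uidNumber + 1000 and group RID = 2*gidNumber + 1001, 1000 being the sambaAlgorithmicRidBase in the sambaDomain entry. The groups populate creates carry Windows' well-known RIDs (512 Domain Admins, 513 Domain Users, 514 Domain Guests, 515 Domain Computers; 500 and 501 are Administrator and Guest). The following is an added example, not code from the original document or from smbldap-tools, that validates a SID, maps uid/gid to sambaSID and back, and rejects a SID from another domain; the uid and gid values used are arbitrary.

```python
from __future__ import annotations

import re

DOMAIN_SID = "S-1-5-21-715268823-1473299472-2771147885"  # from net getlocalsid above
RID_BASE = 1000  # sambaAlgorithmicRidBase in the sambaDomain entry above

# Windows well-known domain RIDs; smbldap-populate creates the matching entries.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}

_DOMAIN_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)$")
_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_domain_sid(sid: str) -> tuple[int, int, int]:
    """Validate an NT domain SID (revision 1, authority 5, first sub-authority 21)."""
    m = _DOMAIN_SID.match(sid)
    if not m:
        raise ValueError("not a domain SID: " + sid)
    subs = tuple(int(x) for x in m.groups())
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits: " + sid)
    return subs


def user_sid(uid: int) -> str:
    """sambaSID smbldap-useradd assigns to a user with this uidNumber (even RID)."""
    return f"{DOMAIN_SID}-{2 * uid + RID_BASE}"


def group_sid(gid: int) -> str:
    """sambaSID smbldap-groupadd assigns to a group with this gidNumber (odd RID)."""
    return f"{DOMAIN_SID}-{2 * gid + RID_BASE + 1}"


def rid_of(account_sid: str) -> int:
    """RID of a SID that must belong to our domain; SIDs of other domains are rejected."""
    m = _ACCOUNT_SID.match(account_sid)
    if not m or m.group(1) != DOMAIN_SID:
        raise ValueError(f"SID is not from {DOMAIN_SID}: {account_sid}")
    return int(m.group(2))


def rid_to_unix(rid: int) -> tuple[str, object]:
    """Invert the algorithmic mapping: ('uid', n), ('gid', n) or ('well-known', name)."""
    if rid in WELL_KNOWN_RIDS:
        return "well-known", WELL_KNOWN_RIDS[rid]
    if rid < RID_BASE:
        raise ValueError(f"RID {rid} is below sambaAlgorithmicRidBase and not well-known")
    n, odd = divmod(rid - RID_BASE, 2)
    return ("gid" if odd else "uid"), n


def describe(account_sid: str) -> str:
    kind, value = rid_to_unix(rid_of(account_sid))
    return f"{account_sid}: {kind} {value}"


if __name__ == "__main__":
    parse_domain_sid(DOMAIN_SID)
    for s in (user_sid(1000), group_sid(1000), f"{DOMAIN_SID}-512"):
        print(describe(s))
```

The domain-prefix check in rid_of is the one that matters operationally: a SID whose prefix is not our domain SID (a machine's local SID, or the SID of another domain) must never be resolved against this directory's uid/gid numbering, and the same check is what Samba itself applies before it maps a RID back to a Unix id.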
Our Samba+LDAP is now partially working; what remains is administering it, and
for that we will use phpLDAPAdmin.
6.0 - Apache+PHP
tar jxvf httpd-2.0.52.tar.bz2
cd httpd-2.0.52
./configure --enable-so
make
make install
tar zxvf php-4.3.9.tar.gz
cd php-4.3.9
env CPPFLAGS="-I/usr/local/include" \
./configure \
--with-ldap \
--libexecdir=/usr/libexec/apache/ \
--with-apxs2=/usr/local/apache2/bin/apxs
make
make install
Add the following lines to /usr/local/apache2/conf/httpd.conf:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
and run
/usr/local/apache2/bin/apachectl start
to start Apache.
6.1 phpLDAPAdmin
tar zxvf phpldapadmin-0.9.4b.tar.gz
mv phpldapadmin-0.9.4b /usr/local/apache2/htdocs/ldap
cd /usr/local/apache2/htdocs/ldap
cp config.php.example config.php
Edit config.php as your needs require.
Open http://host/ldap in your browser.
Now you can administer your directory more easily. Keep in mind that this is a
web front door to the directory, served here over plain HTTP: whoever reaches
it can bind with any DN whose password they know, and the password travels in
clear between browser and server, so restrict who can reach the URL (at least
by address, preferably behind TLS) before exposing it.
NOTE: I will have to adapt this tool to my needs.
7.0 Adding TLS to OpenLDAP
mkdir -p /usr/local/ssl
cd /usr/local/ssl
mkdir certs
mkdir private
chmod 700 private
echo '01' > serial
touch index.txt
Before generating the certificate I had to add a DNS entry for ldap, because it
was complaining about the hostname; adding ldap.dominio.com.br to DNS solved it.
Create the file CA.conf with the following content:

[ ca ]
default_ca = local_ca

[ local_ca ]
dir = /usr/local/ssl
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 3650
default_days = 3650
default_md = md5
default_bits = 1024
encrypt_key = yes
policy = local_ca_policy
x509_extensions = local_ca_extensions
unique_subject = no
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
[ local_ca_extensions ]
subjectAltName = DNS:sol.dominio.com.br
basicConstraints = CA:false
nsCertType = server
[ req ]
default_bits = 2048
default_keyfile = /usr/local/ssl/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = dominio
x509_extensions = x509_cert
[ dominio ]
countryName = BR
stateOrProvinceName = Distrito Federal
localityName = Brasilia
emailAddress = root@dominio.com.br
organizationName = dominio Tecnologia LTDA
organizationalUnitName = Sede
commonName = ldap.dominio.com.br
[ x509_cert ]
nsCertType = server
basicConstraints = CA:true
Two things to check in CA.conf before signing anything with it: the
subjectAltName in [ local_ca_extensions ] names sol.dominio.com.br while the
commonName requested below is ldap.dominio.com.br, and a client that checks
subjectAltName will reject that mismatch, so make the two agree; and
default_md = md5 with a 1024-bit server key were acceptable in 2004 but are
weak today (for anything new use sha256 and at least 2048 bits).
And the file LocalServer.conf with the following content:
[ req ]
prompt = no
distinguished_name = dominio
[ dominio ]
countryName = BR
stateOrProvinceName = Distrito Federal
localityName = Brasilia
emailAddress= root@dominio.com.br
organizationName = dominio Tecnologia LTDA
organizationalUnitName = Sede
commonName = ldap.dominio.com.br
Then just run the following commands (still in /usr/local/ssl):
export OPENSSL_CONF=/usr/local/ssl/CA.conf
openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 3650
export OPENSSL_CONF=/usr/local/ssl/LocalServer.conf
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
openssl rsa < tempkey.pem > server_key.pem
chmod 400 server_key.pem
export OPENSSL_CONF=/usr/local/ssl/CA.conf
openssl ca -in tempreq.pem -out server_crt.pem
rm -f tempkey.pem
rm -f tempreq.pem
The "openssl rsa" step writes the server key out without its passphrase, which
slapd needs since it cannot prompt for one at start-up; that is why
server_key.pem is made mode 400 and kept under a directory that only root can
enter.
After that, change /etc/ldap.conf to:
base dc=dominio,dc=com,dc=br
uri ldaps://ldap.dominio.com.br
ssl true
port 636
TLS_CACERT /usr/local/ssl/cacert.pem
rootbinddn cn=suporte,dc=dominio,dc=com,dc=br
nss_base_passwd ou=Usuarios,dc=dominio,dc=com,dc=br?one
nss_base_shadow ou=Usuarios,dc=dominio,dc=com,dc=br?one
nss_base_group ou=Grupos,dc=dominio,dc=com,dc=br?one
Note: this file may also exist as /usr/local/etc/openldap/ldap.conf; always
keep the two identical. That second file is the one the OpenLDAP client
library reads (so ldapsearch and Samba, which binds through it), and
TLS_CACERT is its directive; nss_ldap's own spelling of the same setting is
tls_cacertfile. Either way, the CA certificate is what lets the client verify
that the server certificate was issued by our CA instead of accepting any
certificate at all. smbldap-tools keep talking to ldap://127.0.0.1:389 in the
clear (ldapTLS="0" in smbldap.conf), which is acceptable only because that
traffic never leaves the loopback interface.
For slapd to serve ldaps:// it must be told where its certificate lives, so
slapd.conf also needs TLSCACertificateFile, TLSCertificateFile and
TLSCertificateKeyFile pointing at cacert.pem, server_crt.pem and
server_key.pem respectively.
Now start slapd with the following command:
/usr/local/libexec/slapd -h "ldap:/// ldaps:///" -4
Now for the tests:
ldapsearch -x -ZZ -h ldap.dominio.com.br -b 'dc=dominio,dc=com,dc=br' '(objectclass=*)'
-ZZ forces StartTLS on the ldap:/// listener (port 389) and makes ldapsearch
fail if the TLS handshake or the certificate check fails, so a result listing
proves the certificate is accepted for the name ldap.dominio.com.br. It
exercises StartTLS, not the ldaps:// listener on 636 that /etc/ldap.conf now
points nss_ldap at; to test that path, give ldapsearch -H
ldaps://ldap.dominio.com.br instead of -h.
done =)
