Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.2 or any later version published by the
Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found here.
Version: 0.0.1
TODO: Tuning
Run ldconfig:
ldconfig
4. Installing OpenLDAP
tar -zxvf openldap-2.2.17.tgz
cd openldap-2.2.17
env CPPFLAGS="-I/usr/include/db4" LDFLAGS="-L/usr/lib" ./configure --enable-crypt
make depend
make
make install
4.1 Configuring the LDAP Server
The configuration below goes in slapd.conf (/usr/local/etc/openldap/slapd.conf with this install prefix):
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/qmail.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=dominio,dc=com,dc=br"
rootdn "cn=suporte,dc=dominio,dc=com,dc=br"
rootpw {SSHA}9M3rhZOn5EZSYdKr3IyBOd1URp6EH0AV
directory /usr/local/var/openldap-data
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,mailAlternateAddress,givenname,accountStatus,mailHost,deliveryMode eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
Note: the rootpw value must be generated with slappasswd.
4.2 - Populating LDAP
Since our base is quite simple, just create a file called /root/base.ldif
with the following content:
dn: dc=dominio,dc=com,dc=br
dc: dominio
objectClass: top
objectClass: domain

dn: ou=Usuarios,dc=dominio,dc=com,dc=br
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=dominio,dc=com,dc=br
ou: Grupos
objectClass: top
objectClass: organizationalUnit

dn: ou=Computadores,dc=dominio,dc=com,dc=br
ou: Computadores
objectClass: top
objectClass: organizationalUnit
Then add these entries to LDAP with the following command (entries in an LDIF file are separated by a blank line):
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=dominio,dc=com,dc=br"
adding new entry "ou=Usuarios,dc=dominio,dc=com,dc=br"
adding new entry "ou=Grupos,dc=dominio,dc=com,dc=br"
adding new entry "ou=Computadores,dc=dominio,dc=com,dc=br"
With that, our base is initialized; a simple ldapsearch -x shows what our base
looks like in LDAP. =)
It has the following shape:
dc=dominio,dc=com,dc=br
|
`--- ou=Usuarios
|
`--- ou=Grupos
|
`--- ou=Computadores
4.3 - Migrating system accounts to LDAP
We will use MigrationTools-45:
tar zxvf MigrationTools.tgz
cd MigrationTools-45
Edit the file migrate_common.ph and change the following lines:
$NAMINGCONTEXT{'passwd'} = "ou=Usuarios";
$NAMINGCONTEXT{'group'} = "ou=Grupos";
$DEFAULT_MAIL_DOMAIN = "dominio.com.br";
$DEFAULT_BASE = "dc=dominio,dc=com,dc=br";
$DEFAULT_MAIL_HOST = "mail.dominio.com.br";
Save it and run the following command to generate the file grupos.ldif, which will
contain all the groups on the system:
./migrate_group.pl /etc/group /root/grupos.ldif
This generates the file /root/grupos.ldif with the necessary entries; then run the
command:
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f /root/grupos.ldif
It adds all the system groups to LDAP. =)
Now we migrate the users to LDAP:
./migrate_passwd.pl /etc/passwd /root/usuarios.ldif
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f /root/usuarios.ldif
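To see what migrate_passwd.pl produces for ou=Usuarios before feeding it to ldapadd, here is an added example (my own code, not part of the guide or of MigrationTools) that converts /etc/passwd lines into posixAccount LDIF records under the base configured in migrate_common.ph. It assumes a constructed sample passwd file, skips accounts below a uid threshold (an assumption, not MigrationTools behaviour), and does not handle /etc/shadow, so no userPassword attribute is emitted.

```python
import base64

DEFAULT_BASE = "dc=dominio,dc=com,dc=br"   # $DEFAULT_BASE in migrate_common.ph
PASSWD_CONTEXT = "ou=Usuarios"             # $NAMINGCONTEXT{'passwd'}
MIN_UID = 1000                             # assumption: skip system accounts below this

# Constructed sample /etc/passwd content, not copied from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fernando.ribeiro:x:1000:1000:Fernando Ribeiro:/home/fernando.ribeiro:/bin/bash
joao:x:1001:1001:João Silva,,,:/home/joao:/bin/bash
"""


def ldif_attr(name, value):
    # RFC 2849: values that are non-ASCII, padded, or start with ':' or '<' are base64 ("::")
    safe = value.isascii() and value == value.strip() and not value.startswith((":", "<"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def passwd_to_ldif(lines, min_uid=MIN_UID):  # one LDIF record per passwd line with uid >= min_uid
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        user, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        full_name = gecos.split(",")[0] or user   # GECOS is "name,room,phone,..."
        records.append("\n".join([
            f"dn: uid={user},{PASSWD_CONTEXT},{DEFAULT_BASE}",
            ldif_attr("uid", user),
            ldif_attr("cn", full_name),
            "objectClass: top",
            "objectClass: account",
            "objectClass: posixAccount",
            f"uidNumber: {uid}",
            f"gidNumber: {gid}",
            ldif_attr("homeDirectory", home),
            ldif_attr("loginShell", shell),
        ]))
    return records


def build_ldif(text=SAMPLE_PASSWD):
    return "\n\n".join(passwd_to_ldif(text.splitlines())) + "\n"   # blank line between entries
```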
Done; our system base is now OK. All that remains is telling the system to
authenticate against LDAP.
compat ldap
compat ldap
--with-quotas \
--with-acl-support
make
make install
Create the file /etc/samba/smb.conf with the following content:
[global]
workgroup = dominio
netbios name = PDC
server string = PDC
security = user
encrypt passwords = yes
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
os level = 33
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
admin users = fernando.ribeiro
logon script = %U.bat
logon path = \\%L\profiles\%U
wins support = no
dns proxy = no
ldap passwd sync = yes
ldap delete dn = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=suporte,dc=dominio,dc=com,dc=br
ldap suffix = dc=dominio,dc=com,dc=br
ldap group suffix = ou=Grupos
ldap user suffix = ou=Usuarios
ldap machine suffix = ou=Computadores
idmap uid = 10000-15000
idmap gid = 10000-15000
nt acl support = yes
create mask = 600
directory mask = 0700
force directory mode = 0700
passwd chat = *New*password* %n\n *Retype*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
dos charset = UTF-8
unix charset = UTF-8
cups server = 10.0.0.11
[homes]
[profiles]
path = /home/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
slaveDN="cn=suporte,dc=dominio,dc=com,dc=br"
slavePw="dominio"
masterDN="cn=suporte,dc=dominio,dc=com,dc=br"
masterPw="dominio"
After that, you need to copy the file smbldap_tools.pm to the directory
/usr/lib/perl5/5.8.4/i486-linux/:
cp smbldap_tools.pm /usr/lib/perl5/5.8.4/i486-linux/
At this point we noticed that some Perl modules were missing, so we install them
now (each tarball is unpacked and built from inside its own directory):
tar zxvf Convert-ASN1-0.18.tar.gz
cd Convert-ASN1-0.18
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf Authen-SASL-2.08.tar.gz
cd Authen-SASL-2.08
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf URI-1.33.tar.gz
cd URI-1.33
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf Net_SSLeay.pm-1.25.tar.gz
cd Net_SSLeay.pm-1.25
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf IO-Socket-SSL-0.96.tar.gz
cd IO-Socket-SSL-0.96
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf XML-SAX-Base-1.04.tar.gz
cd XML-SAX-Base-1.04
perl Makefile.PL
make
make test
make install
cd ..
tar zxvf Crypt-SmbHash-0.02.tar.gz
cd Crypt-SmbHash-0.02
perl Makefile.PL
make
make test
make install
cd ..
Done. Now we need to tell it which uid is the next one available for creating
users.
To do so, we insert the following entry into LDAP.
Save the following information in a file called nextuid.ldif:
dn: cn=NextFreeUnixId,dc=dominio,dc=com,dc=br
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
And add it to LDAP with:
ldapadd -x -D cn=suporte,dc=dominio,dc=com,dc=br -W -f nextuid.ldif
After that, we can populate the base with the entries Windows needs.
Use:
smbldap-populate
If some entries are not added, it is because they already exist in LDAP; you can
ignore them.
Done; our samba+ldap is now partially working. All that remains is administering
it, and for that we will use phpldapadmin.
6.0 - Apache+php
tar jxvf httpd-2.0.52.tar.bz2
cd httpd-2.0.52
./configure --enable-so
make
make install
tar zxvf php-4.3.9.tar.gz
cd php-4.3.9
env CPPFLAGS="-I/usr/local/include" \
./configure \
--with-ldap \
--libexecdir=/usr/libexec/apache/ \
--with-apxs2=/usr/local/apache2/bin/apxs
make
make install
Add the following lines to /usr/local/apache2/conf/httpd.conf:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
and run
/usr/local/apache2/bin/apachectl start
to start Apache.
6.1 phpLDAPAdmin
tar zxvf phpldapadmin-0.9.4b.tar.gz
mv phpldapadmin-0.9.4b /usr/local/apache2/htdocs/ldap
cd /usr/local/apache2/htdocs/ldap
cp config.php.example config.php
Edit config.php according to your needs.
Open your browser and go to http://host/ldap
Now you can administer your LDAP base more easily.
NOTE: I will have to adapt this tool to my needs.
7.0 Adding TLS to OpenLDAP
mkdir -p /usr/local/ssl
cd /usr/local/ssl
mkdir certs
mkdir private
chmod 700 private
echo '01' > serial
touch index.txt
Before generating the certificate, I had to add a DNS entry for ldap, because it
was complaining about the hostname; just adding ldap.dominio.com.br to the DNS
fixed it.
Create the file CA.conf with the following content:
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = /usr/local/ssl
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 3650
default_days = 3650
default_md = md5
default_bits = 1024
encrypt_key = yes
policy = local_ca_policy
x509_extensions = local_ca_extensions
unique_subject = no
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
[ local_ca_extensions ]
subjectAltName = DNS:sol.dominio.com.br
basicConstraints = CA:false
nsCertType = server
[ req ]
default_bits = 2048
default_keyfile = /usr/local/ssl/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = dominio
x509_extensions = x509_cert
[ dominio ]
countryName = BR
stateOrProvinceName = Distrito Federal
localityName = Brasilia
emailAddress = root@dominio.com.br
organizationName = dominio Tecnologia LTDA
organizationalUnitName = Sede
commonName = ldap.dominio.com.br
[ x509_cert ]
nsCertType = server
basicConstraints = CA:true
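Before the CA key is created, it is worth checking the values in CA.conf. As an added example (not from the guide), the following Python parses an openssl-style config like the one above, expands the $dir references, and reports the settings that are weak by current standards (default_md = md5 in both the CA and req sections, default_bits below 2048, or an unencrypted CA key). The embedded config excerpt is constructed to mirror the sections shown above.

```python
import configparser

# Constructed excerpt mirroring the sections of CA.conf above, not a real file.
SAMPLE_CA_CONF = """\
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = /usr/local/ssl
certificate = $dir/cacert.pem
default_md = md5
default_bits = 1024
encrypt_key = yes
[ req ]
default_bits = 2048
default_md = md5
"""

WEAK_MDS = {"md2", "md4", "md5", "sha", "sha1"}
MIN_RSA_BITS = 2048


def parse_openssl_conf(text):
    """Return {section: {key: value}} with $dir expanded and section names trimmed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep option names case-sensitive
    cp.read_string(text)
    conf = {}
    for name in cp.sections():
        raw = dict(cp[name])
        base = raw.get("dir", "")
        conf[name.strip()] = {k: v.replace("$dir", base) for k, v in raw.items()}
    return conf


def audit_ca_conf(text):
    """List (section, key, value, advice) for the active CA section and [req]."""
    conf = parse_openssl_conf(text)
    ca_name = conf.get("ca", {}).get("default_ca", "")
    findings = []
    for section in (ca_name, "req"):
        sec = conf.get(section, {})
        md = sec.get("default_md", "").lower()
        if md in WEAK_MDS:
            findings.append((section, "default_md", md, "use sha256 or stronger"))
        bits = int(sec.get("default_bits", MIN_RSA_BITS))
        if bits < MIN_RSA_BITS:
            findings.append((section, "default_bits", str(bits), f"use at least {MIN_RSA_BITS}"))
    ca = conf.get(ca_name, {})
    if ca.get("encrypt_key", "").lower() != "yes":
        findings.append((ca_name, "encrypt_key", ca.get("encrypt_key", ""), "set to yes"))
    return findings
```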
And the file LocalServer.conf with the following content:
[ req ]
prompt = no
distinguished_name = dominio
[ dominio ]
countryName = BR
stateOrProvinceName = Distrito Federal
localityName = Brasilia
emailAddress = root@dominio.com.br
organizationName = dominio Tecnologia LTDA
organizationalUnitName = Sede
commonName = ldap.dominio.com.br
Then just run the following commands:
export OPENSSL_CONF=/usr/local/ssl/CA.conf
openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 3650
export OPENSSL_CONF=/usr/local/ssl/LocalServer.conf