Migrando servidores Linux para autenticação LDAP

Dedico esse artigo a minha filha Hayla, que vai nascer, e a minha esposa que sempre me apoiou. O objetivo do mesmo é migrar servidores Linux para usar a autenticação LDAP. De certa forma esse artigo seria um complemento de um artigo anterior postado por mim que agiliza a busca em base LDAP. "Seja Livre Use Linux"!

[ Hits: 55.680 ]

Por: Alessandro Carvalho da Fonseca (darth_acf) em 13/11/2008 | Blog: https://orcid.org/0000-0003-3489-878X


Autenticação de sistemas Linux em base LDAP



Instalar o módulo libnss-ldap:

# apt-get install libnss-ldap

Tela-1: Informe o endereço do servidor OpenLDAP (LDAP server Uniform Resource Identifier):

ldap://127.0.0.1/

Tela-2: Informe o DN da base (Distinguished name of the search base):

dc=hayla,dc=com,dc=br

Tela-3: Escolha a versão do protocolo a ser utilizado (LDAP version to use):

3

Tela-4: Informe o DN do administrador da base (LDAP account for root)

: cn=admin,dc=hayla,dc=com,dc=br

Tela-5: Informa a senha do administrador (LDAp root account password):

SENHA_AQUI

Tela-6: É mostrado uma tela de avisando que para o NSS funcionar com o LDAP são necessárias maiores configurações:

OK

Alterar o seguinte arquivo:

# vim /etc/nsswitch.conf

# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.


passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Instalar o módulo libpam-ldap:

# apt-get install libpam-ldap

Tela-1: Make local root Database admin

Yes

Tela-2: Does the LDAP database require login?

NO

Tela-3: LDAp acount for root:

cn=admin,dc=hayla,dc=com,dc=br

Tela-4: LDAP root account password:

SENHA_AQUI

Alterar os seguinte arquivos:

# vim /etc/pam.d/commmon-account

# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#

account sufficient      pam_ldap.so
account required        pam_unix.so

# vim /etc/pam.d/common-auth

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass

# vim /etc/pam.d/common-password

# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
#used to change user passwords. The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.


password   sufficient   pam_unix.so nullok obscure min=4 max=8 md5
password   required     pam_ldap.so try_first_pass

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

# vim /etc/pam.d/common-session

# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#

session required        pam_mkhomedir.so skel=/etc/skel umask=002
session sufficient      pam_ldap.so
session required        pam_unix.so

# vim /etc/pam_ldap.conf

###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.

base dc=hayla,dc=com,dc=br

# Another way to specify your LDAP server is to provide an
uri ldap://127.0.0.1/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)

ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/pam_ldap.secret (mode 600)

rootbinddn cn=admin,dc=hayla,dc=com,dc=br

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.

pam_password crypt

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

# vim /etc/libnss-ldap.conf

###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure libnss-ldap to configure this file.
#
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).

host 127.0.0.1

# The distinguished name of the search base.
base dc=hayla,dc=com,dc=br

# Another way to specify your LDAP server is to provide an
uri ldap://127.0.0.1/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)

ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# would be included literally.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.

rootbinddn cn=admin,dc=hayla,dc=com,dc=br

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
#bind_policy hard

# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged rseults
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

Criação de arquivo de log para o ldap:

Editar o arquivo /etc/syslog.conf e inserir a linha:

local4.*         /var/log/ldap.log

Página anterior     Próxima página

Páginas do artigo
   1. Procedimentos iniciais
   2. Autenticação de sistemas Linux em base LDAP
   3. SAMBA com LDAP
   4. Configurações do smbldap-tools
Outros artigos deste autor

O espaço e a segurança cibernética

Leitura recomendada

Samba - Configurado como PDC

Migrando perfis de usuário AD para o seu servidor Samba em 2 etapas

Samba: Integração com ClamAV e outras coisas úteis

Política de segurança com o Samba

Adicionando facilidades ao Samba

  
Comentários
[1] Comentário enviado por ErhnamDjinm em 14/11/2008 - 08:14h

Só uma observação... A grande maioria dos tutoriais colocam a configuração do PAM como opcional, mas na verdade, quando se configura o Samba com LDAP, é um procedimento obrigatório, senão o samba não entende a senha armazenada pelo LDAP e os usuários não conseguem autenticar.

[2] Comentário enviado por ranzes em 14/11/2008 - 14:33h

Não concordo com a sua colocação amigo , de onde você tirou que é obrigatório ter o módulo PAM para que o samba se comunique corretamente com LDAP?
Eu tenho aqui Slackware 12 com LDAP Samba e mais um monte de serviços rodando tudo 100% e sequer tenho PAM em algum dos servidores.
Para seu conhecimento o samba automaticamente quando uma vez configurado corretamente, ele busca no ldap o atributo: sambaNTPassword corretamente criptografado pelo utilitário smbldap-tools para autenticar.

[3] Comentário enviado por ErhnamDjinm em 14/11/2008 - 19:00h

Eu ví em um tutorial que no momento está fora do ar, era no Wiki do Gentoo. Realmente, o Slack é excessão porque não usa PAM.
Mas já configurei no Debian e no Gentoo, e em ambos só consegui autenticar nas estações Windows depois de configurar o PAM. Se você souber oque estou fazendo de errado por favor me explique, eu realmente tentei fazer sem PAM.

[4] Comentário enviado por walber em 14/11/2008 - 19:16h

Estou tendo esse problema durante a execução do: smbldap-populate


failed to add entry: objectclass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 7.
adding new entry: uid=nobody,ou=Usuarios,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Grupos,dc=ldap,dc=com,dc=br
failed to add entry: objectclass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 495, <GEN1> line 21.
adding new entry: sambaDomainName=ldap,dc=ldap,dc=com,dc=br
failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 495, <GEN1> line 21.

Please provide a password for the domain root:
/usr/sbin/smbldap-passwd: user root doesn't exist


Pode me ajudar?

No mais ocorreu tudo certo, desde já agradeço.

[5] Comentário enviado por darth_acf em 14/11/2008 - 22:02h

Antes de executar o comando verifique:

1. se o samba (445/tcp open microsoft-ds,
139/tcp open netbios-ssn

e o ldap estao startados (139/tcp open netbios-ssn)

Para isso execute o comando :
netstat -nlt ou se preferir
apt-get install nmap

Fenix:~# nmap localhost


Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-11-14 20:47 AMST
Interesting ports on localhost (127.0.0.1):
Not shown: 1670 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds


2. Reveja os passos:
Criar o arquivo /etc/samba/user.ldif:

dn: ou=Usuarios,dc=hayla,dc=com,dc=br
ObjectClass: top
ObjectClass: OrganizationalUnit
ou: Usuarios

Criar o arquivo /etc/samba/computers.ldif:

dn: ou=Computadores,dc=hayla,dc=com,dc=br
ObjectClass: top
ObjectClass: OrganizationalUnit
ou: Computadores

Criar o arquivo /etc/samba/groups.ldif:

dn: ou=Grupos,dc=hayla,dc=com,dc=br
ObjectClass: top
ObjectClass: OrganizationalUnit
ou: Grupos


2.1.1 Reveja os arquivos
smbldap_bind.conf e smbldap.conf
e teste novamente
o comando smbldap-populate

[6] Comentário enviado por walber em 17/11/2008 - 08:10h

ok, obrigado irei testar hj, e posto aqui.

[7] Comentário enviado por walber em 17/11/2008 - 18:25h

Puts darth_acf revi todos os passos e num rolou continua o mesmo problema, eu até logo no ldap, cria OUs, mais na hora de criar users da pau, o pode ser, pois segui a risca seu tuto.

[8] Comentário enviado por dailson em 18/11/2008 - 13:40h

Qual é o endereço do seu artigo anterior que vc falou no cabeçalho do artigo??

[9] Comentário enviado por darth_acf em 19/11/2008 - 09:53h

e esse o link dailson
http://www.vivaolinux.com.br/etc/ldap.conf-darth_acf

[10] Comentário enviado por darth_acf em 19/11/2008 - 10:05h

walber voce esta usando
o comando smbldap-useradd -a -m usuariox para criar usuario?



rode um nmap ou netstat -nlt e mostra o resultado para nos!!

[11] Comentário enviado por tiagotavares em 30/12/2008 - 19:56h

Tá, criamos todos aqueles arquivos .ldif. E agora? Não temos colocar essas entradas na base? Ou eu não entendi a parada direito?
Tipo, não teriamos que usar o comando #ldapadd -x -D -W -f user.ldif/computers.ldif/groups.ldif para que sejam criados as OU's Usuários, Computadores e Grupos?

Um abraço!

[12] Comentário enviado por darth_acf em 31/12/2008 - 09:22h

exatamente antes de prosseguir precisa povoar a base
no caso
slapadd -l computers.ldif
e assim por diante

qualquer duvida estou a disposição

[13] Comentário enviado por paulo.r.rj em 21/01/2009 - 12:04h

Boa tarde, tenho uma duvido sobre a configuração do sistema ldap + sampa, na empresa eu que presto serviço já esta configurado o servidor, temos maquinas de xeros com autenticação via ldap, sendo usuário e senha, no micro o openldaoo formato da autenticação é cn=usuario,ou=pasta,o=base depois senha, na xerox temos que prencher todos estes dado fica complicado para o usuário, tenho envista que o erro esta no configuração do ldap, será que tem agum modelo de script

[14] Comentário enviado por gssilva em 04/05/2010 - 20:34h

Muito bom cara...

Pessoal, os módulos do PAM para LDAP somente são obrigatórios se serviços locais forem usá-lo para autenticação de usuários que somente existem na base de dados. O Samba não precisa do PAM para autenticar usuários da base LDAP, ele vai buscar direto nela o que precisa! Quanto aos ldif' s, é preciso configurar o arquivo que os clientes LDAP usam para fazer pesquisas na base, que, em Debian e derivados é /etc/ldap/ldap.conf.

[15] Comentário enviado por abgiacobe em 18/11/2011 - 11:21h

Alessandro, Eu tenho um servidor PDC e mais 10 servidores Linux Debian V5 que são servidores de arquivos atualmente eu tenho o samba configurado neles , mas gostaria que esses servidores autenticassem pelo LDAP do PDC. Por que cada vez que preciso criar um usuário acabo tendo que criar no PDC e em cada servidor colocando a mesma senha isso me impede de criar um política de senhas tornando a minha rede uma droga. Me da um help por favor por que não faço idéia de como isso é configurado.

Outro serviço que tenho nesses servidores Linux é o SVN que gostaria que autenticasse pelo LDAP também não sei se para isso basta só colocar o servidor para autenticar com LDAP ou se vou ter que fazer isso no servidor e no SVN também.

Ajuda aí por favor!!!!!!

[16] Comentário enviado por darth_acf em 28/11/2011 - 14:43h

ola amigo, manda seu email que irei repassar para vcs uns tutoriais para auxilia-lo na migração

[17] Comentário enviado por marcosbuganeme em 23/03/2012 - 14:56h

Olá amigo, o tópico foi criado a muito anos atrás, mas vejo que ainda responde nele.
Estou querendo montar um sistema no ubuntu que rode SAMBA + APACHE + SQUID que autentique os usuários com o LDAP, poderia me dar uma mãozinha em bons materiais?
Vejo que você têm um vasto conhecimento na área, acho que fica mais fácil aprender com quem sabe na prática.
email para contato: [email protected]
Obrigado, aguardo uma resposta.

[18] Comentário enviado por stefanols em 08/03/2013 - 12:47h

Pô bicho, e os direitos autorais dos co-autores? :( kkkk. Abraço Alessandro.


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts