Import new LDAP users/groups

System Design

The primary goal of this implementation of OpenLDAP services is to allow centralized authentication across all platforms. Centralized file storage, i.e. NFS and Samba shares, is not implemented, because there is no great demand for instant file sharing and profile roaming in the lab.

The LDAP directory is intended to store all the user and group information needed, so that centralized user information and authentication can be achieved. Through the built-in pam_ldap and nss_ldap modules, Linux and Unix systems can be configured to authenticate against an LDAP server that contains POSIX-standard account information. Windows systems are authenticated, in this case, by a Samba domain controller connected to an LDAP server containing Samba-format accounts. In addition to user accounts, personal information such as phone numbers and email addresses is also stored in the directory for lookup.

Based on the above considerations, the following directory structure is implemented. The design is simple yet serves the current needs, and the structure can be scaled for further use.


Several methods can be implemented to improve the availability of the LDAP service. One is to run one or more replicated servers, which would greatly improve failover of the LDAP service. Moreover, with multiple servers, authentication requests can be balanced among them, improving the ability to cope with heavy loads if the user base grows or compute clusters are deployed. As an empirical rule, one Samba domain controller is adequate for 30-150 Windows clients. This is about the expected number of Windows machines on the network, so one or two Samba domain controllers are enough for current use. More backup servers can be brought into service as the user base grows.

User and Group Management

smbldap-tools is a series of scripts that greatly simplifies the management of both Samba and Linux accounts. In the lab, smbldap-tools is used to manage the accounts.

Install and configure smbldap-tools

The source package or RPM can be downloaded from http://download.gna.org/smbldap-tools/packages/
Before installation, several dependencies need to be installed. Some of the packages are not in the CentOS repository at present, so the Dag Wieers (DAG) repository needs to be added.

yum install perl-Digest-SHA1 perl-LDAP perl-IO-Socket-SSL

cat > /etc/yum.repos.d/DAG.repo << EOF
[dag]
name=DAG Repository
baseurl = http://apt.sw.be/redhat/el\$releasever/en/\$basearch/dag
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
gpgcheck=1
enabled=0
EOF

yum --enablerepo=dag install perl-Crypt-SmbHash perl-Unicode-MapUTF8

After installing the dependencies, install the RPM for smbldap-tools; the scripts are stored in /usr/sbin.

The configuration files of smbldap-tools are located in /etc/smbldap-tools. There are two files, smbldap.conf and smbldap_bind.conf. The smbldap.conf file is straightforward and contains plenty of explanations. The configuration needs the local SID of the Samba server, which can be found with the command net getlocalsid. The sample smbldap.conf file is attached at the end of this page. smbldap_bind.conf specifies the bind DN and password for the LDAP directory. The password is stored in plain text, therefore the file must not be world readable:

chmod 600 smbldap_bind.conf
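A permissions check for the bind-password file, added here as an example (it is not from the page or from smbldap-tools). It assumes the file is owned by root and that stat is either GNU or BSD:

```shell
#!/bin/sh
# Added example, not part of the original page: check that a file holding a
# plaintext bind password (such as /etc/smbldap-tools/smbldap_bind.conf) is
# readable by its owner only. Returns 0 when the mode is acceptable and 1
# when any group or other permission bit is set.
secret_file_mode_ok() {
    f="$1"
    # GNU stat prints the octal mode with -c '%a'; fall back to BSD stat.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    # Normalise to four digits so setuid/setgid/sticky and short modes line up.
    mode=$(printf '%04d' "$mode")
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    if [ "$group" != 0 ] || [ "$other" != 0 ]; then
        echo "WARNING: $f has mode $mode; expected 600 (run: chmod 600 '$f')" >&2
        return 1
    fi
    return 0
}

# Owner check for the same file; assumes root owns smbldap_bind.conf.
secret_file_owner_ok() {
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null) || return 1
    [ "$owner" = root ]
}

# Run both checks. Intended use:
#   check_bind_conf /etc/smbldap-tools/smbldap_bind.conf
check_bind_conf() {
    secret_file_mode_ok "$1" && secret_file_owner_ok "$1"
}
```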

Populate the directory using smbldap-populate

smbldap-populate is the tool that automatically adds the essential database structure and entries to the directory.

The options are:

option          definition                     default value
-u uidNumber    first uidNumber to allocate    1000
-g gidNumber    first gidNumber to allocate    1000
-a user         administrator login name       Administrator
-b user         guest login name               nobody
-e file         export an init file
-i file         import an init file

In this example, the first uidNumber and gidNumber to allocate are both set to 2000:

smbldap-populate -u 2000 -g 2000

On success, the output is:
Populating LDAP directory for domain BLUEPRINT-NT (S-1-5-21-2350600800-1211524104-2223236613)
(using builtin directory structure)

adding new entry: dc=blueprint,dc=org
adding new entry: ou=Users,dc=blueprint,dc=org
adding new entry: ou=Groups,dc=blueprint,dc=org
adding new entry: ou=Computers,dc=blueprint,dc=org
adding new entry: uid=root,ou=Users,dc=blueprint,dc=org
adding new entry: uid=nobody,ou=Users,dc=blueprint,dc=org
adding new entry: cn=Domain Admins,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Domain Users,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Domain Guests,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Domain Computers,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Administrators,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Account Operators,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Print Operators,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Backup Operators,ou=Groups,dc=blueprint,dc=org
adding new entry: cn=Replicators,ou=Groups,dc=blueprint,dc=org
adding new entry: sambaDomainName=IDEALX-NT,dc=blueprint,dc=org


After the entries are added, a prompt asks for the new root password; enter the password for root so that root can log in through LDAP.

Add user and group using smbldap-useradd and smbldap-groupadd

smbldap-useradd is the script for adding users. The available parameters are as follows:

option   definition                                                                      example                   default value
-a       create a Windows account; otherwise only a Posix account is created
-w       create a Windows Workstation account
-i       create an interdomain trust account (see section 4.4 for more details)
-u       set a uid value                                                                 -u 1003                   first uid available
-g       set a gid value                                                                 -g 1003                   first gid available
-G       add the new account to one or several supplementary groups (comma-separated)    -G 512,550
-d       set the home directory                                                          -d /var/user              $userHomePrefix/user
-s       set the login shell                                                             -s /bin/ksh               $userLoginShell
-c       set the user gecos                                                              -c "admin user"           $userGecos
-m       create the user's home directory and copy /etc/skel into it
-k       set the skeleton dir (with -m)                                                  -k /etc/skel2             $skeletonDir
-P       end by invoking smbldap-passwd to set the user's password
-A       user can change password? 0 if no, 1 if yes                                     -A 1
-B       user must change password at first session? 0 if no, 1 if yes                  -B 1
-C       set the samba home share                                                        -C \\PDC\homes            $userSmbHome
-D       set a letter associated with the home share                                     -D H:                     $userHomeDrive
-E       set DOS script to execute on login                                              -E common.bat             $userScript
-F       set the profile directory                                                       -F \\PDC\profiles\user    $userProfile
-H       set the samba account control bits, like '[NDHTUMWSLKI]'                        -H [X]
-N       set the canonical name of the user
-S       set the surname of the user
-M       local mailAddress (comma-separated)                                             -M testuser,aliasuser
-T       forward mail address (comma-separated)                                          -T testuser@domain.org

smbldap-groupadd adds a group to the LDAP directory. Its parameters are:

option         definition                                   example
-a             add automatic group mapping entry
-g gid         set the gidNumber for this group to gid      -g 1002
-o             gidNumber is not unique
-r group-rid   set the rid of the group to group-rid        -r 1002
-s group-sid   set the sid of the group to group-sid        -s S-1-5-21-3703471949-3718591838-2324585696-1002
-t group-type  set the sambaGroupType to group-type         -t 2
-p             print the gidNumber to stdout

The two scripts are often combined to add a new user and assign it to a group. Here are several scenarios in which the commands can be used:

Add a linux user

To add a Linux user named user1 to the directory:

smbldap-groupadd user1
smbldap-useradd -g "user1" -m user1
smbldap-passwd user1

Add a windows user

To add a Windows user named user2, who belongs to the default group (513, system user), has no login shell and uses /dev/null as home directory:

smbldap-useradd -a -m -s /bin/false -d /dev/null -F "" -P user2

To add a user named user3 who is both a Windows and a Linux user:

smbldap-groupadd user3
smbldap-useradd -a -g "user3" -m -P user3

Add a system user

To add a system user named nagios, which belongs to the group nagios and has no login shell or home directory:

smbldap-groupadd nagios
smbldap-useradd -s /bin/false -g "nagios" nagios

Add a windows machine

A Windows machine can be added to the directory so that it can join the domain:

smbldap-useradd -w computer1
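A wrapper around the scenario commands above, added here as an example (it is not from the page or from smbldap-tools). The account type names, the DRY_RUN variable and the use of getent as the existence check are assumptions:

```shell
#!/bin/sh
# Added example, not part of the original page: wrap the smbldap-groupadd /
# smbldap-useradd pairs from the scenarios above with two checks worth doing
# before touching the directory: the login name must be a portable POSIX
# name, and it must not already resolve through NSS (a local /etc/passwd
# account of the same name would collide with the new LDAP account).
# Set DRY_RUN=1 to print the commands instead of running them.

valid_login_name() {
    # Lowercase letter or underscore first, then [a-z0-9_-], at most 31 chars.
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}$'
}

login_name_free() {
    # getent consults every configured NSS source (files, ldap, ...), so this
    # catches both an existing directory user and a clashing local account.
    ! getent passwd "$1" >/dev/null 2>&1
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# add_account TYPE NAME   where TYPE is linux | windows | both | system
add_account() {
    type="$1"
    name="$2"
    valid_login_name "$name" || { echo "invalid login name: $name" >&2; return 2; }
    login_name_free "$name"  || { echo "account already exists: $name" >&2; return 3; }
    case "$type" in
        linux)   run smbldap-groupadd "$name"
                 run smbldap-useradd -g "$name" -m "$name" ;;
        windows) run smbldap-useradd -a -m -s /bin/false -d /dev/null -F "" -P "$name" ;;
        both)    run smbldap-groupadd "$name"
                 run smbldap-useradd -a -g "$name" -m -P "$name" ;;
        system)  run smbldap-groupadd "$name"
                 run smbldap-useradd -s /bin/false -g "$name" "$name" ;;
        *)       echo "unknown account type: $type" >&2; return 2 ;;
    esac
}
```

Example call: DRY_RUN=1 add_account both user3 prints the smbldap-groupadd and smbldap-useradd lines without changing the directory.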


Change password

Passwords can be changed with the normal Linux passwd command:

passwd

Modify users and groups using smbldap-usermod and smbldap-info

smbldap-usermod is the command for root to modify an entry in the directory. The available options are:

option   definition                                                                      example
-c       set the user gecos                                                              -c "admin user"
-d       set the home directory                                                          -d /var/user
-u       set a uid value                                                                 -u 1003
-g       set a gid value                                                                 -g 1003
-G       add the new account to one or several supplementary groups (comma-separated)    -G 512,550; -G -512,550; -G +512,550
-s       set the login shell                                                             -s /bin/ksh
-N       set the canonical name of the user
-S       set the surname of the user
-P       end by invoking smbldap-passwd to set the user's password
-a       add the sambaSAMAccount objectclass
-e       set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)
-A       user can change password? 0 if no, 1 if yes                                     -A 1
-B       user must change password at first session? 0 if no, 1 if yes                  -B 1
-C       set the samba home share                                                        -C \\PDC\homes; -C ""
-D       set a letter associated with the home share                                     -D H:; -D ""
-E       set DOS script to execute on login                                              -E common.bat; -E ""
-F       set the profile directory                                                       -F \\PDC\profiles\user; -F ""
-H       set the samba account control bits, like '[NDHTUMWSLKI]'                        -H [X]
-I       disable a user account                                                          -I 1
-J       enable a user account                                                           -J 1
-M       local mailAddress (comma-separated)                                             -M testuser,aliasuser
-T       forward mail address (comma-separated)                                          -T testuser@domain.org

There is another script, smbldap-info, that lets a normal user update their own information, with the following options:

option   definition                                   example
-f       set the user's full name                     -f MyName
-r       set the room number                          -r 99
-w       set the work phone number                    -w 111111111
-h       set the home phone number                    -h 222222222
-o       set other information (in gecos definition)  -o "second stage"
-s       set the login shell                          -s /bin/ksh

Delete users and groups using smbldap-userdel and smbldap-groupdel

The options of smbldap-userdel are:

option   definition
-r       remove home directory
-R       remove home directory interactively

Delete a user from the directory

smbldap-userdel -R user1

Delete a group from the directory

smbldap-groupdel group1