System Design

The primary goal of this implementation of OpenLDAP services is to allow centralized authentication across all the platforms. Centralized file storage, i.e. NFS and Samba shares, is not implemented, since there is no great demand for instant file sharing and profile roaming in the lab.
The LDAP directory is intended to store all the user and group information needed, so that centralized user information and authentication can be achieved. Through the built-in pam_ldap and nss_ldap modules, Linux and Unix systems can be configured to authenticate against an LDAP server that contains POSIX-standard account information. Windows systems are authenticated, in this case, by a Samba domain controller that connects to an LDAP server containing Samba-format accounts. In addition to user accounts, personal information such as phone numbers and email addresses is also stored in the directory for lookup.
Several methods can be implemented to improve the availability of the LDAP service. One of them is to have one or more replicated servers, which would greatly improve the failover behaviour of the LDAP service. Moreover, with multiple servers, authentication requests can be balanced among them, which improves the ability to cope with heavy loads if the user base grows or computer clusters are implemented. As an empirical rule, one Samba domain controller is adequate for 30-150 Windows clients [1]. This is about the expected number of Windows machines on the network, therefore one or two Samba domain controllers are enough for current use. More backup servers can be put into service as the user base grows.

User and Group Management

Smbldap-tools are a series of scripts that greatly simplify the management of both Samba and Linux accounts. In the lab, smbldap-tools are used to manage the accounts.
Install and configure smbldap-tools

The source package or rpm can be downloaded from http://download.gna.org/smbldap-tools/packages/
Before installation, several dependencies need to be installed first. Some of the packages are not in the CentOS repository at present, so the Dag Wieers repository needs to be added:

yum install perl-Digest-SHA1 perl-LDAP perl-IO-Socket-SSL

cat > /etc/yum.repos.d/DAG.repo << EOF
[dag]
name=DAG Repository
baseurl = http://apt.sw.be/redhat/el\$releasever/en/\$basearch/dag
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
gpgcheck=1
enabled=0
EOF
yum --enablerepo=dag install perl-Crypt-SmbHash perl-Unicode-MapUTF8

After installing the dependencies, install the rpm for smbldap-tools; the scripts will be stored in /usr/sbin.

The configuration files of smbldap-tools are located in /etc/smbldap-tools. There are two files, smbldap.conf and smbldap_bind.conf. The smbldap.conf file is straightforward and contains plenty of explanations. It needs the local SID of the Samba server, which can be found with the command net getlocalsid. A sample smbldap.conf file is attached at the end of this page. smbldap_bind.conf specifies the bind DN and password for the LDAP directory. The password is stored in plain text, therefore the file must not be world readable:

chmod 600 smbldap_bind.conf

Populate the directory using smbldap-populate

smbldap-populate is the tool that automatically adds the essential database structure and entries to the directory.
The options are:
In the example, the first uidNumber and gidNumber to allocate are both set to 2000:

smbldap-populate -u 2000 -g 2000

The successful output will be:

Populating LDAP directory for domain BLUEPRINT-NT (S-1-5-21-2350600800-1211524104-2223236613)
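As an added example (not part of the original page or of smbldap-tools), a small POSIX sh pre-flight check for the two configuration points made above: that smbldap_bind.conf is readable by its owner only, and that the SID written in smbldap.conf matches the one the Samba server reports. It assumes the default /etc/smbldap-tools layout and the SID= key of smbldap.conf, and takes the expected SID as an argument so the checks can be exercised without a live Samba server.

```shell
#!/bin/sh
# Added example, not from the original page. Pre-flight checks to run before
# smbldap-populate. Assumes the default /etc/smbldap-tools layout; the expected
# SID is passed in explicitly so the checks also work without a live Samba server.

# check_bind_conf_mode FILE
# Succeeds only when FILE has no group or other permission bits set, i.e. the
# plain-text bind password is readable by the owner alone (mode 600 or tighter).
check_bind_conf_mode() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group rwx + other rwx columns of ls -l
    [ "$perms" = "------" ]
}

# conf_sid FILE
# Prints the value of the SID= key from smbldap.conf, surrounding quotes removed.
conf_sid() {
    sed -n 's/^[[:space:]]*SID[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# check_sid_matches FILE EXPECTED_SID
# Succeeds when the SID configured in smbldap.conf equals EXPECTED_SID.
check_sid_matches() {
    [ -n "$2" ] && [ "$(conf_sid "$1")" = "$2" ]
}

# preflight CONFDIR EXPECTED_SID
# Runs both checks, reports each result and returns non-zero if either failed.
preflight() {
    rc=0
    if check_bind_conf_mode "$1/smbldap_bind.conf"; then
        echo "ok: smbldap_bind.conf is readable by its owner only"
    else
        echo "FAIL: run chmod 600 $1/smbldap_bind.conf"
        rc=1
    fi
    if check_sid_matches "$1/smbldap.conf" "$2"; then
        echo "ok: SID in smbldap.conf matches $2"
    else
        echo "FAIL: SID in smbldap.conf is '$(conf_sid "$1/smbldap.conf")', expected '$2'"
        rc=1
    fi
    return "$rc"
}

# Intended invocation on the Samba server; net getlocalsid prints the SID as the
# last word of its output line:
#   preflight /etc/smbldap-tools "$(net getlocalsid | awk '{print $NF}')"
```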
Add user and group using smbldap-useradd and smbldap-groupadd
smbldap-useradd is the script for adding users; the parameters available are as follows:
smbldap-groupadd adds a group to the LDAP directory; its parameters are the following:
The two scripts are often combined to add a new user and assign it to a group. Here we present several scenarios in which the commands can be used.

Add a linux user

To add a Linux user named user1 to the directory:

smbldap-groupadd user1
smbldap-useradd -g "user1" -m user1
smbldap-passwd user1

Add a windows user

To add a Windows user named user2, who belongs to the default group (513, system user), has no login shell and has /dev/null as home directory:

smbldap-useradd -a -m -s /bin/false -d /dev/null -F "" -P user2

To add a user named user3 who is both a Windows and a Linux user:

smbldap-groupadd user3
smbldap-useradd -a -g "user3" -m -P user3

Add a system user

To add a system user named nagios, which belongs to the group nagios and has neither a login shell nor a home directory:

smbldap-groupadd nagios
smbldap-useradd -s /bin/false -g "nagios" nagios

Add a windows machine

A Windows machine can be added to the directory so that it can join the domain:

smbldap-useradd -w computer1
option | definition | example |
--- | --- | --- |
-c | set the user gecos | -c "admin user" |
-d | set the home directory | -d /var/user |
-u | set a uid value | -u 1003 |
-g | set a gid value | -g 1003 |
-G | add the new account to one or several supplementary groups (comma-separated) | -G 512,550 or -G -512,550 or -G +512,550 |
-s | set the login shell | -s /bin/ksh |
-N | set the canonical name of the user | |
-S | set the surname of the user | |
-P | ends by invoking smbldap-passwd to set the user's password | |
-a | add the sambaSAMAccount objectclass | |
-e | set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS) | |
-A | can the user change the password? 0 if no, 1 if yes | -A 1 |
-B | must the user change the password at first session? 0 if no, 1 if yes | -B 1 |
-C | set the samba home share | -C \\PDC\homes or -C "" |
-D | set the drive letter associated with the home share | -D H: or -D "" |
-E | set the DOS script to execute on login | -E common.bat or -E "" |
-F | set the profile directory | -F \\PDC\profiles\user or -F "" |
-H | set the samba account control bits, like '[NDHTUMWSLKI]' | -H [X] |
-I | disable a user account | -I 1 |
-J | enable a user account | -J 1 |
-M | local mail address (comma-separated) | -M testuser,aliasuser |
-T | forward mail address (comma-separated) | -T testuser@domain.org |
There is another script, smbldap-info, that lets normal users update their own information, with the following options:
option | definition | example |
--- | --- | --- |
-f | set the user's full name | -f MyName |
-r | set the room number | -r 99 |
-w | set the work phone number | -w 111111111 |
-h | set the home phone number | -h 222222222 |
-o | set other information (in the gecos field) | -o "second stage" |
-s | set the default shell | -s /bin/ksh |