Allowing Authentication - Building the LDAP Server

posted Nov 19, 2014, 4:16 PM by Joshua S [ updated Dec 7, 2014, 12:07 PM ]

This post demonstrates how to build an LDAP server using OpenLDAP and Samba. Ultimately, this server will be the "authorization and authentication" server, and we'll keep building it out from our earlier work in building the DNS server.

LDAP (Lightweight Directory Access Protocol) allows for central authorization (UserIDs and Passwords) and authorization (Security Groups), along with a number of other centralized management functions such as distribution lists. When integrated with Samba, it can be leveraged to support Windows shares under the SMB protocol.

This is the third project in the series and several others assume this is in place and integrated into the template (see the template projects) in order to work.

Most of these projects can be performed in any order, but if you follow the order outlined here it will all definitely work. I've found a number of guides to help me, but many have partial documentation, skip key steps, etc. The goal is to build out a guide with everything you need to complete each step, but let me know if I miss something or it isn't clear.

For each template and initial setup, I used an 8GB memory card. With the B+, the image you back up will be the full size of the card whether you expand the file system or not. For the actual projects, I use a mix of card sizes -- generally 32GB, but I like my templates and initial setup configs to be 8GB to reduce the storage size of my backups.

Supply List:

LDAP Admin – LDAP Admin is a free Windows LDAP client and administration tool for LDAP directory management.
MicroSD Card – A digital memory card, initially designed for media (think a camera) but which will serve as the hard drive for the RaspberryPi. All tutorials will focus on the 8GB size, but you can easily use this process for a larger format also. This should be pre-loaded with the template image created in the previous project (template step 01).
PuTTY – A free SSH client which is excellent for working at the command line. I know, I know, no one loves the Command Line any more, but the more you use the RaspberryPi the more you will quickly learn that CommandLine > GUI.
RaspberryPi B+ – The actual RaspberryPi hardware this will all be built around.
Win32 Disk Imager – A Free Open Source Software (FOSS) utility to write of image (.IMG) files to various flash card media (SD, MicroSD, etc.). Download the software from the website.

Project:

Write the backup file (AD-ProfessorX.img), created in the previous tutorial, to the SD Card and load it into the RaspberryPi.

Using PuTTY (or whatever SSH client you prefer) connect to the IP address of the RaspberryPi. You should know this from the previous step (192.168.84.158 in this example), but if you do not, follow the steps at the beginning of the first lesson which show how to use AngryIP scanner to locate the IP address.

Once connected, log onto the Pi using:

UserID: pi
Password: raspberry

Raspbian uses Advanced Package Tool (APT) to manage and install software. First, we need to update the tool using:

sudo apt-get -y update

Now let's update the software currently loaded. There are several ways to do this, but if we issue the dist-upgrade command it will intelligently add software, update packages, and remove unneeded packages.

sudo apt-get -y dist-upgrade

Finally, let's upgrade the Pi Kernel:

sudo rpi-update

Let's reboot now that the upgrades are complete:

sudo reboot

OK, good! Now that everything is updated, let's install OpenLDAP:

sudo apt-get -y install slapd ldap-utils

slapd – OpenLDAP, this is the base package to allow for authentication and authorization.
ldap-utils – These are the LDAP utilities used to interact and manage the LDAP installation.

During the installation process, configuration screens will appear and solicit input. The first screen prompts us for an Administrator Password. We are going to have to reset this password later when we perform a detailed configuration, so enter something here, but it doesn't matter what you choose -- you'll change it later and don't need to remember it now. You will be prompted to re-enter the password -- type the same password in that prompt and press enter.

Let's restart, then we can start working on configuration.

In order to setup the LDAP Server, we need to reconfigure the slapd package. In essence, it has you setup a basic configuration when it installs, but we need to edit more configurations than it initially presented. To do this, we'll issue the following command:

sudo dpkg-reconfigure slapd

The first step asks if we want to reconfigure the OpenLDAP server. We should select No.

Next, choose your domain name. This does not have to be a real domain, and is often something with a .lan or .home address. In this case, I'll use the same domain used in the previous lesson when configuring the DNS server.

Now, enter your organization name. This is a business name or something similar that is meaningful to a person who would read it.

We must now enter the Administrator password. Do not forget this, and choose a strong complex password as this will be the most powerful account in your LDAP installation. You will then be prompted to re-enter the same password.

We are now prompted to choose a database format. Note, the prompt points out that while both formats support the same configuration and use similar storage options, HDB supports subtree renames. We will choose HDB as it is the more flexible options.

We will then be prompted to determineif the database should be removed when slapd is purged -- select no.

The configuration process now wants to know if we should move the default database created when we first installed slapd. We won't use this database, so let's say yes.

Next, we need to decide if we want to enable LDAPv2. This is outdated and insecure -- unless there is a reason to enable it, we should accept the option to disable LDAPv2.

Our setup of slapd should be complete. We need to validate this by opening Ldapadmin and selecting the connection button.

Now select New connection in order to configure our connection to the RaspberryPi.

In the configuration, provide the name at the top -- this can be anything descriptive, but I'll use AcademicDabbling. The connection section needs to be updated with the host IP of 192.168.84.158 and the Base can be populated by clicking Fetch DNs button (after the IP is populated). Finally, in the account section, enter the admin account in the format in the image and the password you selected. Check if everything worked by clicking "Test connection" and if everything works then click OK.

Good work! Our OpenLDAP server is now fully configured. Next, we'll integrate the Samba structure into LDAP and complete our server setup. Let's start by installing Samba onto our RaspberryPi.

sudo apt-get -y install samba samba-common-bin smbldap-tools

samba – SMB/CIFS file, print, and login server for Unix.
samba-common-bin – Samba common supporting files.
smbldap-tools – Scripts to manage Unix and Samba accounts stored on LDAP.

With Samba installed, we now need to copy the Samba schema from the Samba examples folder into the OpenLDAP configuration folder. Essentially, this allows OpenLDAP to understand the new Samba object types. Use these commands.

sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gunzip /etc/ldap/schema/samba.schema.gz

To import the configurations, we need to create a file for OpenLDAP. We'll create the samba.conf file implicitly in our home directory (where we are right now) by using nano, our text editor.

sudo nano samba.conf

Edit the file and add the following lines. A sample file is included attached below.

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

We will now create a temporary directory to hold our files while we work.

mkdir /tmp/slapd.d

Next we'll use the OpenLDAP slaptest utility to read our config file and write it to our temporary directory as a config directory.

slaptest -f samba.conf -F /tmp/slapd.d/

Navigate to the schema directory within our config directory. Copy it into the OpenLDAP schema directories, and change the owner and group permissions of the ldif file to openldap.

cd /tmp/slapd.d/cn\=config/cn\=schema/
sudo cp cn\=\{4\}samba.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
sudo chown openldap:openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\=\{4\}samba.ldif

Restart the Samba service.

sudo service slapd restart

Now let's clean up our working files with these commands.

cd ~
rm samba.conf
sudo rm -r /tmp/slapd.d

Good job! OpenLDAP is now configured to work with Samba. Now we need to configure Samba to work with OpenLDAP. We'll use files from the smbldap-tools we installed earlier to keep this deployment simple. We'll start by moving the default Samba configuration and copying over a template for an LDAP integrated deployment.

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf

Let's use nano to open the /etc/samba/smb.conf file and change these settings. A copy of the full config file, with applied changes, is attached below. A couple notes. First, this deployment is not encrypting traffic using SSL/TLS. This simplifies the setup, but there will be a future Dabble to enable this functionality. Second, the first, fourth, and fifth setting reference AcademicDabbling settings -- you will want to populate these with your own settings.

workgroup = ACADEMIC-DABBLING
passdb backend = ldapsam:"ldap://localhost/"
ldap ssl = off
ldap admin dn = cn=admin,dc=academicdabbling,dc=com
ldap suffix = dc=academicdabbling,dc=com

With the config file updated, we need to restart Samba and bind it to OpenLDAP. This is done using the smbpasswd command and providing the password we used for the admin account we created when setting up OpenLDAP. With that complete, we'll restart Samba again and it will connect to LDAP and create a Samba object for the domain.

sudo service samba restart
sudo smbpasswd -W
sudo service samba restart

With this accomplished, we can log on to our domain again using LDAP Admin, and we should see an integrated Samba installation.

OK, now that we know Samba and OpenLDAP are integrated with each other, let's copy a couple of template configuration files into place to actually deploy Samba within OpenLDAP. We'll use the following commands to copy a file, copy a compressed file, and decompress the file we've copied.

sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
sudo gunzip /etc/smbldap-tools/smbldap.conf.gz

With the files copied, we need to configure our "bind" configuration. Essentially the bind is what links Samba and OpenLDAP together. We need to configure the /etc/smbldap-tools/smbldap_bind.conf file so the slaveDN and masterDN fields to be our LDAP admin, and need to include the OpenLDAP admin password in the configuration file. A completed file, with passwords redacted, is included at the end of this for reference.

slaveDN="cn=admin,dc=ducky-pond,dc=lan"
slavePw="<Password>"
masterDN="cn=admin,dc=ducky-pond,dc=lan"
masterPw="<Password>"

Let's now update the /etc/smbldap-tools/smbldap.conf file, using nano, to link it also. A copy of the configured file is attached below for reference. The SID can either be gathered from the LDAP Admin tool (as demonstrated) or by issuing the sudo net getlocalsid command on the RaspberryPi. Let's populate the following values:

SID="S-1-5-21-784227383-4071461505-2784196558"
sambaDomain="ACADEMIC-DABBLING"
slaveLDAP="localhost"
masterLDAP="localhost"
ldapTLS="0"
suffix="dc=academicdabbling,dc=com"

OK, our links should be all set, now all we need to do is populate the Samba objects inside the OpenLDAP directory. During this process, you will be prompted to provide the password to the domain root -- this should be both a different password from the one we used for the OpenLDAP administrator, and a long complex password. You will need this password to join a computer to this domain. Use the command:

sudo smbldap-populate

Now, let's log onto LDAP Admin to make sure our directory has been updated. It should look a little something like the below image with root, nobody, and a series of Organizational Units (OUs) -- they look like folders -- defined.

With the server built out, the next Dabble will be to add the LDAP and Samba functionality to our template. This Pi will also need that configuration done, and instructions can be found here to walk through the process. Note, to log onto accounts using Samba, you will need to use the format of Domain\UserID -- in this case it would be ACADEMIC-DABBLING\USER_ID.

Power off the RaspberryPi and pull out the MicroSD card. Insert it into your computer's card reader and run Win32 Disk Imager. Create a new image file you name as your backup for the ProfessorX image and select the "Read" button. Note, several more components will be added to the ProfessorX image before it is complete.