Monthly Archives: March 2012

Fastest Debian mirror

Use netselect to determine your fastest debian mirror.

apt-get install netselect
netselect debian.advalem.net webb.ens-cachan.fr ftp.fr.debian.org ftp2.fr.debian.org ftp.u-picardie.fr ftp.u-strasbg.fr ftp.nerim.net debian.mirror.inra.fr debian.advalem.net ftp.ec-m.fr deb-mir1.naitways.net ftp.lip6.fr debian.ens-cachan.fr debian.mirrors.easynet.fr debian.cict.fr ftp.crihan.fr webb.ens.cachan.fr

Pass it a list of mirrors located near you; it reports the fastest one.

Debian LDAP

1) LDAP server setup

Install LDAP

aptitude install ldap-server ldap-utils

Configure LDAP for your own domain. The base DN used throughout this post is:

dc=naze,dc=mine,dc=nu

You will also have to enter the LDAP admin password.
If needed you can configure it again:

dpkg-reconfigure slapd

Give it some extra information by adapting this file:

vi /usr/share/slapd/slapd.conf
rootdn "cn=admin,dc=naze,dc=mine,dc=nu"

Test it:

aptitude install ldap-utils
ldapsearch -H ldap://localhost -b "dc=naze,dc=mine,dc=nu" -D "cn=admin,dc=naze,dc=mine,dc=nu" -x -W

The test is successful if, after asking for the password, it returns all LDAP content.
To have LDAP generate its own log, edit the file /usr/share/slapd/slapd.conf

# Read slapd.conf(5) for possible values
loglevel        256

And modify /etc/rsyslog.conf

# modification
*.*;local4,auth,authpriv.none   -/var/log/syslog
# addition
local4.*            -/var/log/slapd.log

In case you want to debug, start LDAP with

slapd -d -1

The log level can be 2 or 2048; read the manual for details.
If you started LDAP in debug mode and cannot start it normally again, you may have to restore the database:

db_recover -v -h /var/lib/ldap

2) Migrate existing information (passwd & group) into LDAP

Install the migration tools

aptitude install ldap-utils migrationtools

Modify the config file

vi /etc/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "naze.mine.nu";
$DEFAULT_BASE = "dc=naze,dc=mine,dc=nu";
# do not take system users and groups
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 100;

Generate the files that will be loaded into LDAP

cd /usr/share/migrationtools/
./migrate_base.pl > /root/main.ldif
./migrate_passwd.pl /etc/passwd /root/pwd.ldif
./migrate_group.pl /etc/group /root/grp.ldif

Load the information into LDAP

ldapadd -H ldap://localhost -D "cn=admin,dc=naze,dc=mine,dc=nu" -x -W -f /root/main.ldif
ldapadd -H ldap://localhost -D "cn=admin,dc=naze,dc=mine,dc=nu" -x -W -f /root/pwd.ldif
ldapadd -H ldap://localhost -D "cn=admin,dc=naze,dc=mine,dc=nu" -x -W -f /root/grp.ldif

If you get an error on the first file, remove the top lines that define the base entry, since it was already created at LDAP setup.
If it still does not work, use the graphical interface of phpldapadmin.
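The "remove the top lines" step above, done with a script instead of by hand. This is an added example and not part of the original post: it drops the LDIF record whose dn is the base entry (here dc=naze,dc=mine,dc=nu, adapt to your own) from the migrate_base.pl output and keeps everything else. It assumes the LDIF separates records with blank lines, which migrationtools does; the demo at the bottom runs on a constructed LDIF in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post: remove from migrate_base.pl output
# the record for the base DN that slapd already created at install time, so
# that "ldapadd -f main.ldif" does not stop on it. Assumes blank-line-separated
# LDIF records (migrationtools output) and the base DN used in this post.

# strip_existing_entries <dn> <in.ldif> <out.ldif>
# Copies every LDIF record from <in.ldif> to <out.ldif> except the one whose
# "dn:" line equals <dn>; prints the number of records dropped.
strip_existing_entries() {
    skip_dn="$1"; in_ldif="$2"; out_ldif="$3"
    : > "$out_ldif"                       # always produce the output file
    awk -v skip="dn: $skip_dn" -v out="$out_ldif" '
        BEGIN { RS = ""; ORS = "\n\n"; dropped = 0 }   # paragraph mode: one record per $0
        {
            n = split($0, line, "\n"); keep = 1
            for (i = 1; i <= n; i++) if (line[i] == skip) keep = 0
            if (keep) print > out; else dropped++
        }
        END { printf "%d\n", dropped }
    ' "$in_ldif"
}

# Demo on a constructed LDIF with the same shape as migrate_base.pl output.
tmp=$(mktemp -d)
cat > "$tmp/main.ldif" <<'EOF'
dn: dc=naze,dc=mine,dc=nu
dc: naze
objectClass: top
objectClass: domain

dn: ou=People,dc=naze,dc=mine,dc=nu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=naze,dc=mine,dc=nu
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF
dropped=$(strip_existing_entries "dc=naze,dc=mine,dc=nu" "$tmp/main.ldif" "$tmp/main.fixed.ldif")
echo "dropped $dropped record(s); remaining DNs:"
grep '^dn:' "$tmp/main.fixed.ldif"
rm -r "$tmp"
```

On the real host: strip_existing_entries "dc=naze,dc=mine,dc=nu" /root/main.ldif /root/main.fixed.ldif, then ldapadd the fixed file. The alternative is ldapadd's -c option, which keeps going after an "Already exists" error, but then every other error in the file is skipped as well, so the explicit strip is the safer habit.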

3) Authentication with other modules

Install the packages

apt-get -y install libnss-ldap libpam-ldap libpam-cracklib

Edit the file:

/etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Rename the files:

mv /etc/pam_ldap.conf /etc/pam_ldap.conf.orig
mv /etc/libnss-ldap.conf /etc/libnss-ldap.conf.orig

Create the file /etc/ldap_and_others.conf

# Create symlink to pam_ldap.conf and libnss-ldap.conf
uri ldap://127.0.0.1
ldap_version 3
# assuming users are in People ou
base ou=People,dc=naze,dc=mine,dc=nu
rootbinddn cn=admin,dc=naze,dc=mine,dc=nu
scope sub
pam_filter !(uid=root)
pam_check_host_attr no
#pam_password crypt
pam_password exop
# id = change the unix and samba password without keeping the old one
exop_arguments id

Create symlinks

ln -sf /etc/ldap_and_others.conf /etc/pam_ldap.conf
ln -sf /etc/ldap_and_others.conf /etc/libnss-ldap.conf

Configure the PAM files

mv /etc/pam.d/common-account /etc/pam.d/common-account.orig
mv /etc/pam.d/common-auth /etc/pam.d/common-auth.orig
mv /etc/pam.d/common-password /etc/pam.d/common-password.orig
mv /etc/pam.d/common-session /etc/pam.d/common-session.orig

Create the following files

vi /etc/pam.d/common-account
account         required        pam_unix.so
account         sufficient      pam_localuser.so
account         sufficient      pam_ldap.so
account         required        pam_deny.so
vi /etc/pam.d/common-auth
auth            required        pam_env.so
auth            sufficient      pam_unix.so likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
vi /etc/pam.d/common-password
password        sufficient      pam_unix.so nullok use_authtok md5 shadow
password        sufficient      pam_ldap.so use_first_pass
password        required        pam_deny.so
vi /etc/pam.d/common-session
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0066
session         required        pam_limits.so
session         required        pam_unix.so

Make a copy of these files in case pam-auth-update overrides them

cp /etc/pam.d/common-account /etc/pam.d/common-account.for.ldap
cp /etc/pam.d/common-auth /etc/pam.d/common-auth.for.ldap
cp /etc/pam.d/common-password /etc/pam.d/common-password.for.ldap
cp /etc/pam.d/common-session /etc/pam.d/common-session.for.ldap

Apply the change:

service nscd restart
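A few checks for the NSS/PAM part above, as an added example that is not part of the original post. It verifies that passwd, group and shadow in nsswitch.conf all list the ldap source, that pam_ldap.conf and libnss-ldap.conf really are symlinks to the shared /etc/ldap_and_others.conf chosen above (a plain copy would drift silently), and gives a getent-based test that an account comes from LDAP rather than /etc/passwd. Paths are parameters so the demo can run on constructed files in a temp directory; on the real host pass /etc.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the NSS/PAM side
# of the setup. Directory paths are parameters so the checks can run against a
# scratch directory; on the real host pass /etc. The shared config file name
# ldap_and_others.conf is the one chosen in this post.

# check_nsswitch <nsswitch.conf>
# Succeeds when the passwd, group and shadow databases all list "ldap" as a
# source; otherwise names the missing ones on stderr and fails.
check_nsswitch() {
    f="$1"; missing=""
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$f" \
            || missing="$missing $db"
    done
    [ -z "$missing" ] && return 0
    echo "no ldap source for:$missing" >&2
    return 1
}

# check_ldap_conf_links <etcdir>
# Succeeds when pam_ldap.conf and libnss-ldap.conf are both symlinks to
# <etcdir>/ldap_and_others.conf.
check_ldap_conf_links() {
    etc="$1"; target="$etc/ldap_and_others.conf"; rc=0
    for f in "$etc/pam_ldap.conf" "$etc/libnss-ldap.conf"; do
        if [ "$(readlink "$f")" != "$target" ]; then
            echo "$f is not a symlink to $target" >&2; rc=1
        fi
    done
    return $rc
}

# ldap_only_user <user>
# Succeeds when <user> resolves through NSS (getent) but has no line in
# /etc/passwd, i.e. the account really comes from LDAP. Needs the live
# system, so the demo below does not call it.
ldap_only_user() {
    getent passwd "$1" >/dev/null 2>&1 || return 1
    ! grep -q "^$1:" /etc/passwd
}

# Demo on constructed files in a scratch directory (shadow deliberately lacks ldap).
d=$(mktemp -d)
printf 'passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat\n' > "$d/nsswitch.conf"
check_nsswitch "$d/nsswitch.conf" || echo "nsswitch.conf needs fixing"
: > "$d/ldap_and_others.conf"
ln -s "$d/ldap_and_others.conf" "$d/pam_ldap.conf"
ln -s "$d/ldap_and_others.conf" "$d/libnss-ldap.conf"
check_ldap_conf_links "$d" && echo "config symlinks OK"
rm -r "$d"
```

After "service nscd restart", run check_nsswitch /etc/nsswitch.conf, check_ldap_conf_links /etc and ldap_only_user someuser for a user that exists only in the directory; if the last one fails, nscd may still be serving a cached negative answer, or libnss-ldap is not reading the shared file.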

4) Samba case

Integrate the Samba schema

aptitude install samba-doc
gunzip -c /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
vi /usr/share/slapd/slapd.conf
# add this line
include         /etc/ldap/schema/samba.schema

Squeeze LDAP/Samba special case: the include line above is not enough, because slapd on Squeeze reads its configuration from /etc/ldap/slapd.d/ (cn=config). Convert the schema files with slaptest:

# vi /etc/ldap/ss.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
slaptest -f /etc/ldap/ss.conf -F /etc/ldap/slapd.d/
chown openldap:openldap /etc/ldap/schema/ -R
chown openldap:openldap /etc/ldap/slapd.d/ -R

The Samba schema is now taken into account; check that it is there

# ls -l /etc/ldap/slapd.d/cn=config/cn=schema
total 56
-rw------- 1 openldap openldap 15545 Mar  6 22:50 cn={0}core.ldif
-rw------- 1 openldap openldap 11379 Mar  6 22:50 cn={1}cosine.ldif
-rw------- 1 openldap openldap  6509 Mar  6 22:50 cn={2}nis.ldif
-rw------- 1 openldap openldap  2873 Mar  6 22:50 cn={3}inetorgperson.ldif
-rw------- 1 openldap openldap 14752 Mar  8 11:37 cn={4}samba.ldif

Apply the changes

service slapd restart

Adapt the Samba configuration, file /etc/samba/smb.conf

[Global]
# change it according to your conf
workgroup = naze.mine.nu
# change it according to your conf
netbios name = vradis
server string = Samba-LDAP PDC Server
domain master = Yes
local master = Yes
domain logons = Yes
os level = 40
#passwd program = /usr/sbin/smbldap-passwd ?u %u
ldap ssl = off
ldap passwd sync = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# change it according to your conf
ldap admin dn = cn=admin,dc=naze,dc=mine,dc=nu
# change it according to your conf
ldap suffix = dc=naze,dc=mine,dc=nu
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Machines
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
logon path = \\%L\profile\%U
logon drive = P:
logon home = \\%L\%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
#character set = iso8859-1
#domain admin group = @admin
dns proxy = No
wins support = Yes
# change it according to your conf
hosts allow = 192.168.45. 127. 10.0.45. 172.16.45.
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
unix charset = iso-8859-15
display charset = iso-8859-15
dos charset = 850


[netlogon]
path = /home/samba/netlogon
writable = No
browseable = No
write list = Administrateur

[profile]
path = /home/samba/profile
browseable = No
writeable = Yes
profile acls = yes
create mask = 0700
directory mask = 0700

[homes]
comment = Repertoire Personnel
browseable = No
writeable = Yes

Create the directories

mkdir /home/samba/netlogon
mkdir /home/samba/profile && chmod 777 /home/samba/profile

Check the Samba config file smb.conf

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[profile]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Reload Samba

service samba restart

Samba needs to know the LDAP admin password

# smbpasswd -w <ldapadminpassword>
Setting stored password for "cn=admin,dc=naze,dc=mine,dc=nu" in secrets.tdb

Now we have to configure smbldap-tools

# /etc/smbldap-tools/smbldap_bind.conf
masterDN="cn=admin,dc=naze,dc=mine,dc=nu"
masterPw="<ldapadminpassword>"
slaveDN="cn=admin,dc=naze,dc=mine,dc=nu"
slavePw="<ldapadminpassword>"

We do not want the LDAP password to be world-readable

chmod 600 /etc/smbldap-tools/smbldap_bind.conf

Get the domain SID

# net getlocalsid
SID for domain VRADIS is: S-1-5-21-3065304056-2675436535-3286168104

Edit the file /etc/smbldap-tools/smbldap.conf and set this SID. Sometimes the sambaDomain entry also has to be specified:

SID="S-1-5-21-3065304056-2675436535-3286168104"
# sambaDomain="naze.mine.nu"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
### Change according to your config
suffix="dc=naze,dc=mine,dc=nu"
usersdn="ou=People,${suffix}"
computersdn="ou=Machines,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
# sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
# Display name - use smbldap-useradd -c
userGecos="User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Passwords expire in 10 years
defaultMaxPasswordAge="3650"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
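The SID step above (net getlocalsid, then editing smbldap.conf) and the chmod 600 on smbldap_bind.conf, scripted. This is an added example, not part of the original post or of smbldap-tools: it parses the SID out of the net getlocalsid output, refuses anything that is not a well-formed domain SID, rewrites the SID= line of smbldap.conf through a temp file, and checks that the bind file is mode rw-------. The SID value and file names are the ones from this post; the demo at the bottom works on a scratch copy so it needs neither root nor a running Samba.

```shell
#!/bin/sh
# Added example, not from the original post: take the SID printed by
# "net getlocalsid", validate it, write it into smbldap.conf, and check that
# the file holding the LDAP admin password is not readable by others.

# sid_from_getlocalsid: reads "net getlocalsid" output on stdin, prints the SID.
sid_from_getlocalsid() {
    sed -n 's/^SID for domain [^ ]* is: \(S-1-5-21-[0-9][0-9-]*\).*$/\1/p'
}

# valid_sid <sid>: a domain SID has exactly three numeric sub-authorities
# after the S-1-5-21 prefix.
valid_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# set_smbldap_sid <sid> <smbldap.conf>
# Replaces the SID="..." line, or appends one if the file has none.
# Refuses malformed SIDs and edits via a temp file so a failure leaves the
# original untouched.
set_smbldap_sid() {
    sid="$1"; conf="$2"
    valid_sid "$sid" || { echo "refusing malformed SID: $sid" >&2; return 1; }
    if grep -q '^SID=' "$conf"; then
        sed "s|^SID=.*|SID=\"$sid\"|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'SID="%s"\n' "$sid" >> "$conf"
    fi
}

# check_private <file>: succeeds only when the mode is exactly rw-------,
# which is what "chmod 600 smbldap_bind.conf" is meant to guarantee.
check_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] && return 0
    echo "$1 has mode $mode, expected -rw-------" >&2
    return 1
}

# Demo on a constructed copy of the post's configuration.
d=$(mktemp -d)
sample='SID for domain VRADIS is: S-1-5-21-3065304056-2675436535-3286168104'
sid=$(printf '%s\n' "$sample" | sid_from_getlocalsid)
printf 'SID=""\nsuffix="dc=naze,dc=mine,dc=nu"\n' > "$d/smbldap.conf"
set_smbldap_sid "$sid" "$d/smbldap.conf" && grep '^SID=' "$d/smbldap.conf"
printf 'masterPw="<ldapadminpassword>"\n' > "$d/smbldap_bind.conf"
chmod 600 "$d/smbldap_bind.conf"
check_private "$d/smbldap_bind.conf" && echo "bind file is private"
rm -r "$d"
```

On the real host: sid=$(net getlocalsid | sid_from_getlocalsid), then set_smbldap_sid "$sid" /etc/smbldap-tools/smbldap.conf and check_private /etc/smbldap-tools/smbldap_bind.conf. The SID written here must match the one Samba reports, otherwise smbldap-populate creates a sambaDomain entry that Samba will not recognise.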

Now we populate LDAP with the Samba information; give the root system password when asked

# smbldap-populate
Populating LDAP directory for domain naze.mine.nu (S-1-5-21-3065304056-2675436535-3286168104)
(using builtin directory structure)
entry dc=naze,dc=mine,dc=nu already exist.
entry ou=People,dc=naze,dc=mine,dc=nu already exist.
adding new entry: ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: ou=Machines,dc=naze,dc=mine,dc=nu
adding new entry: ou=Idmap,dc=naze,dc=mine,dc=nu
entry sambaDomainName=naze.mine.nu,dc=naze,dc=mine,dc=nu already exist. Updating it...
adding new entry: uid=root,ou=People,dc=naze,dc=mine,dc=nu
entry uid=nobody,ou=People,dc=naze,dc=mine,dc=nu already exist.
adding new entry: cn=Domain Admins,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Domain Users,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Domain Guests,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Domain Computers,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Administrators,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Account Operators,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Print Operators,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Backup Operators,ou=Groups,dc=naze,dc=mine,dc=nu
adding new entry: cn=Replicators,ou=Groups,dc=naze,dc=mine,dc=nu

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

Add a user to LDAP

smbldap-useradd -a -c "jdoe" -m -P jdoe

Delete a user

smbldap-userdel -r jdoe

Change password

smbldap-passwd jdoe

If you get a warning message like:
Use of qw(…) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423
edit this file and add parentheses like this:

1423 for my $sig_name (qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU))

If you get an error message like:
Failed to execute: /usr/sbin/smbldap-passwd.cmd: No such file or directory at /usr/sbin/smbldap-useradd line 665.
make a symlink:

ln -s /usr/sbin/smbldap-passwd /usr/sbin/smbldap-passwd.cmd

5) Other apps using LDAP

Squid 3 setup to use LDAP:

auth_param basic program /usr/lib/squid3/squid_ldap_auth -b ou=People,dc=naze,dc=mine,dc=nu -f "uid=%s" -h 127.0.0.1
auth_param basic children 5
auth_param basic realm Web-Proxy VNET2 (ldap)
auth_param basic credentialsttl 1 hour
...
# adapt acl according to your conf
acl USERS proxy_auth REQUIRED

Openvpn

openvpn-auth-ldap