Solved

Linux LDAP server, need basic tutorial

Posted on 2015-02-10
14
180 Views
Last Modified: 2015-09-19
I need to set up a LDAP server on Linux. Whenever I post a question about LDAP on any forum I typically get a one-liner that I don't understand. My follow-up posts generally go unanswered which leads me to believe the respondent never actually used LDAP.

SO! I need some basic guidance on setting up LDAP from someone who's actually done it, please! My immediate objective is to configure an LDAP address book for the roundCube webmail client, but I'm hopeful this exercise will be applicable generally.

I am running Slackware64 14.1, kernel 3.10.17 on one host and have another running Slackware 13.37.0, kernel 2.6.37.6-smp.

The Slackware 14.1 host has Samba4, and my understanding is that Samba4 has LDAP, but that it might not be suited for normal LDAP use (https://wiki.samba.org/index.php/FAQ#Why_is_the_LDAP_backend_.28used_so_successfully_in_classic_Samba_domains.29_not_supported_with_the_AD_DC.3F). If I can't use the 14.1 host I can use the 13.37.0 host which doesn't have Samba4.

I basically understand what LDAP is for, but am pretty clueless about getting it setup. Most web postings I've found feel like I've been dropped into the "middle of the book" assuming lots of prior knowledge.

What do I need to do to get started?
Question by:jmarkfoley
14 Comments
 
LVL 32

Expert Comment

by:Kamran Arshad
Hi,

Follow the steps below and let us know where you get stuck:

http://trac.roundcube.net/wiki/Howto_Config/Ldap
 
LVL 1

Author Comment

by:jmarkfoley
Kamran Arshad: thanks for your response. The first place I'm stuck is at the beginning. Can I use OpenLDAP, or Samba4's own LDAP on my Samba4 server or not? Things I've read say that Samba4 supplies its own LDAP and not to use "external" LDAP servers: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Installation, "Samba has its own LDAP and Kerberos implementation, using external LDAP and Kerberos server is not recommended."

I don't know if this means Samba's LDAP will work for this exercise, or that I shouldn't actually use it. From this link, I get the feeling that I shouldn't https://wiki.samba.org/index.php/FAQ#Why_is_the_LDAP_backend_.28used_so_successfully_in_classic_Samba_domains.29_not_supported_with_the_AD_DC.3F.

So, your advice? Do you know if I can use Samba4's LDAP? If not, perhaps I should use the host with Samba 3.

btw - I can do some LDAP authentication tests on the Samba4 host:
$ host -t SRV _ldap._tcp.HPRS.LOCAL.
_ldap._tcp.HPRS.LOCAL has SRV record 0 100 389 mail.hprs.local.

$ host -t SRV _kerberos._udp.HPRS.LOCAL.
_kerberos._udp.HPRS.LOCAL has SRV record 0 100 88 mail.hprs.local.


 
LVL 1

Author Comment

by:jmarkfoley
Hmmm, it appears that I'm back to my usual "follow-up posts" syndrome. Perhaps it was a mistake mentioning roundCube. I'm looking for someone experienced with LDAP on Linux to help me.

Let's fall back to basics and try again ...

I have a Samba4 Linux server we'll call s4.somedomain.com, and a Samba3 Linux server we'll call s3.anotherdomain.com. How would I go about just plain authenticating from s3 to s4 using LDAP given that LDAP things work normally?
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
To make a crude example, the LDAP is a cabinet or a tree.  Somewhat analogous to a Database server with a database that includes a certain set of information from the get go.
There is the basic set dealing with user authentication/user information.
Once you install LDAP (whichever flavor you want, openLDAP, samba4/LDAP or you have the MS AD), the configuration part of the LDAP server is done.
What you are looking for is to add additional structure (branches/limbs or shelves) to facilitate and deal with your requirements.
Different applications have different structures that they need to work.
At this stage when you have the different sets of data (elements) that the new application needs, the schema of your LDAP directory needs to be adjusted to deal with the application's requirements.
Since I've followed some of your prior posts, you need to adjust the records in your LDAP implementation (SAMBA4/LDAP AD DC) to include MS exchange schema structure.
What you are after is adding the additional tables to the database (LDAP Schema) that will contain the additional information.

The information dealing with schema modification, when searched for, will likely discuss/reference openLDAP since it's been around longer than the one you use (samba4/LDAP); it does not mean that you have to use openLDAP to implement the structural changes to your LDAP schema.


Back to the link and your question about it. You can use the link, skipping over the openldap reference but adjusting your samba4/ldap configurations to match.
I.e. the suggestion is to load slapd, ldap-utils, php-ldap.  The ldap-utils and php5-ldap are fairly standard, though their package names on slackware might be different.
My suggestion is: you see the commands that use ldapsearch, etc.; all you need to do is confirm that you have these commands on your system.
which or apropos or straight run ldapsearch --help  to make sure it is available on your system.

You already have the LDAP server (samba4/LDAP) set up and operational.
The example/reference to the roundcube (rcabook-setup.sh) is a script to modify your LDAP schema to include the hierarchy/structure that the roundcube address book needs.

Your tree structure is
               . (root)
            local  (if you were inclined)
            hprs  (additional structure, test, meaning you would have records for requests with the base of dc=HPRS,dc=local and dc=test,dc=local) in this type of handling, the REALM in winbind or the use of test\username versus HPRS\username will differentiate the source of the data ........ not sure you would be able to use (winbind in this type of scenario i.e. you have two different  organizations under the same roof, served by your samba4/LDAP samba can support different shares based on different realms/user authentication, not sure whether ....... getting or have I gotten way off track)

such that you need to adjust scripts before using them to make sure that you do not create structures such as localhost in the example when you do not need it.
Your references should always have "dc=HPRS,DC=local" as the base of any schema changes you make. Along the same lines, your rootdn is likely "cn=admin,dc=HPRS,DC=local", user admin on HPRS.local.

What are the results of your current setup if you run
ldapsearch -xLLL -H ldap://localhost:389 -D "cn=admin,dc=HPRS,dc=local" -w <yourpassword> -b "dc=HPRS,dc=local"
this should (if I am not mistaken in the instructions) display the current elements that exist in your setup all the organizational units/groups that you may have created as well as users.

Besides adding structures, you also need to define the elements/objects within, which in your case includes email address. Have to find/look at the exchange LDIF to ............

I hope this helps make it clearer (versus cloudier)
 
LVL 76

Expert Comment

by:arnold
I think the answer is yes, you can configure S3 to use the LDAP on S4

i.e. you would likely configure slapd.conf with the information about the LDAP server on s4 and how to connect to it. ......
You could make s3 with openldap a replica of the Samba4/LDAP AD DC.
i.e. if firewalled, s4 will need to allow 389 and/or 636 (secure) in
The main purpose of user authentication is there, the issue is only with setting up the access.
As the schema is modified those app/resource will need to have the base of their LDAP access adjusted to reflect the correct structure of data.
 
LVL 1

Author Comment

by:jmarkfoley
Sorry, did my threatened SBS2008ectomy over the weekend and still cleaning up the blood. Will get to this asap as I think I'm going to need it to suppress user howling.
 
LVL 76

Expert Comment

by:arnold
good luck.

 
LVL 1

Author Comment

by:jmarkfoley
Sorry for the delay, at the tail end of SBS -> Samba4 conversion. Will try to get back to this in the next few days.
 
LVL 1

Author Comment

by:jmarkfoley
Sorry for the looooong delay. Now getting back into this as a priority. This is possibly the last mystery I have to solve on my Samba AD/DC

Arnold: Ran your suggested command:

ldapsearch -xLLL -H ldap://localhost:389 -D "cn=admin,dc=HPRS,dc=local" -w <yourpassword> -b "dc=HPRS,dc=local"

I substituted what I believe is my cn (cn=Administrator) and that user's password. Got the following:

ldap_bind: Invalid credentials (49)
        additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

Administrator is configured as the AD/DC administrator:
$ samba-tool group listmembers "Domain Admins"
ldb_wrap open of secrets.ldb
Administrator

$ samba-tool group listmembers "Administrators"
ldb_wrap open of secrets.ldb
Enterprise Admins
Administrator
Domain Admins


This has kind of been my story with LDAP. Can't get past square-one.

Suggestions on how to move forward?
 
LVL 76

Expert Comment

by:arnold
If you just run as root?
ldapsearch -xLLL -H ldap://localhost:389  -b "dc=HPRS,dc=local"

What happens?

ldapsearch -xLLL -H ldap://localhost:389 -W -b "dc=HPRS,dc=local"

The samba 4/LDAP integration scheme might .......
 
LVL 1

Author Comment

by:jmarkfoley
That command didn't work; it gives:

$ ldapsearch -xLLL -H ldap://localhost:389  -b "dc=HPRS,dc=local"
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication

but this did:

ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"

Apparently Administrator "lives" in CN=Users
 
LVL 1

Accepted Solution

by:jmarkfoley
jmarkfoley earned 0 total points
Got some additional help from the SambaList. The following variation on your (Arnold's) suggested command worked:
ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"


Apparently the "CN=Users" bit is needed.

I can run this from the AD/DC or from other LAN computers not joined to the DC. I guess this confirms that LDAP is working.
 
LVL 76

Expert Comment

by:arnold
Yes, missed that. ...
-W - prompt for password (more secure) as password not displayed as part of the process list.....
-w password - password provided
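As an added example, not code from the thread or from Samba: a small POSIX shell helper that builds the base DN and the CN=Users bind DN from the Kerberos realm (the piece the first bind attempt above was missing) and runs the same ldapsearch check as the accepted solution, using -W as Arnold recommends so the password never lands on the command line. The realm, host and the sAMAccountName filter are illustrative assumptions; the ldaps:// variant on port 636 is the encrypted case Arnold mentions.

```shell
#!/bin/sh
# Added helper (not from the thread). Assumes the OpenLDAP client tools
# (ldapsearch) are installed; realm and host values are illustrative.

# realm_to_base_dn HPRS.local  ->  dc=HPRS,dc=local
realm_to_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# ad_user_dn Administrator HPRS.local  ->  cn=Administrator,CN=Users,dc=HPRS,dc=local
# Built-in AD accounts such as Administrator sit in the CN=Users container,
# which is the part the first bind attempt in the thread left out.
ad_user_dn() {
    printf 'cn=%s,CN=Users,%s' "$1" "$(realm_to_base_dn "$2")"
}

# ldap_url localhost        ->  ldap://localhost:389
# ldap_url s4.example ldaps ->  ldaps://s4.example:636  (the port 636 case)
ldap_url() {
    host=$1; scheme=${2:-ldap}
    if [ "$scheme" = ldaps ]; then port=636; else port=389; fi
    printf '%s://%s:%s' "$scheme" "$host" "$port"
}

# ldap_check <user> <realm> [host] [ldap|ldaps]
# Binds as the user and asks for that user's own entry. -W prompts for the
# password instead of -w, so it never shows up in `ps` output or shell history.
ldap_check() {
    user=$1; realm=$2
    ldapsearch -xLLL -H "$(ldap_url "${3:-localhost}" "${4:-ldap}")" \
        -D "$(ad_user_dn "$user" "$realm")" -W \
        -b "$(realm_to_base_dn "$realm")" \
        "(sAMAccountName=$user)" dn
}
```

Run `ldap_check Administrator HPRS.local` on the DC; a successful bind prints the account's DN, while `Invalid credentials (49)` points at the bind DN or password, as in the thread.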
 
LVL 1

Author Closing Comment

by:jmarkfoley
Arnold's command confirmed that my LDAP is working OK. My comment has the correct syntax of the command.
