Version History
Version   Date         Author   Description
1.0       02/09/2008            LDAP Installation
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

access to attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
	by dn="cn=root,dc=lps,dc=ufrj,dc=br" write
	by anonymous auth
	by self write
	by * none

access to dn.base=""
	by * read

access to *
	by dn="cn=root,dc=lps,dc=ufrj,dc=br" write
	by * read

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database	bdb
suffix		"dc=lps,dc=ufrj,dc=br"
rootdn		"cn=root,dc=lps,dc=ufrj,dc=br"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
# rootpw		{crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                        eq,pres
index ou,cn,mail,surname,givenname       eq,pres,sub
index uidNumber,gidNumber,loginShell     eq,pres
index uid,memberUid                      eq,pres,sub
index nisMapName,nisMapEntry             eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

rootpw {SSHA}B+bRzBJC+Mx/ZXyLLy0JwlP1uAML9RRU

# service ldap start
Checking configuration files for slapd: bdb_db_open: DB_CONFIG for suffix dc=lps,dc=ufrj,dc=br has changed.
Performing database recovery to activate new settings.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded                              [  OK  ]
Starting slapd:                                            [  OK  ]
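The order of the three access clauses above is what keeps the password hashes out of the catch-all "access to * ... by * read" rule: slapd takes the first "access to" clause whose target matches and never looks further, and inside it the first matching "by" clause decides. As an added example (my code, not OpenLDAP's or this guide's), a small model of that evaluation loaded with these three clauses, so the policy can be checked offline; the user DN is the malves entry from this guide, everything else is assumed.

```python
# Added example (not OpenLDAP or the guide's code): a model of slapd ACL
# evaluation, first matching "access to" clause, then first matching "by"
# clause inside it, loaded with the three clauses from the slapd.conf above.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOTDN = "cn=root,dc=lps,dc=ufrj,dc=br"
PASSWORD_ATTRS = {"sambalmpassword", "sambantpassword", "userpassword",
                  "sambapasswordhistory", "sambapwdlastset"}

# Each clause is (what, [(who, level), ...]); "what" tests (entry_dn, attr).
PAGE_ACL = [
    (lambda dn, attr: attr.lower() in PASSWORD_ATTRS,   # access to attrs=...
     [("dn=" + ROOTDN, "write"), ("anonymous", "auth"),
      ("self", "write"), ("*", "none")]),
    (lambda dn, attr: dn == "",                         # access to dn.base=""
     [("*", "read")]),
    (lambda dn, attr: True,                             # access to *
     [("dn=" + ROOTDN, "write"), ("*", "read")]),
]
# Misordered variant: the catch-all clause placed first shadows the password rule.
MISORDERED_ACL = [PAGE_ACL[2], PAGE_ACL[0], PAGE_ACL[1]]

def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unknown <who>: " + who)

def granted(acl, bind_dn, entry_dn, attr):
    """Access level slapd would grant bind_dn on attr of entry_dn."""
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return "manage"            # rootdn bypasses ACLs entirely
    for what, by_clauses in acl:
        if not what(entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level       # first matching "by" decides; stop here
        return "none"              # clause matched but no "by" did
    return "none"

def allowed(acl, bind_dn, entry_dn, attr, op):
    return LEVELS.index(granted(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(op)
```

With PAGE_ACL an anonymous bind gets only "auth" on userPassword (enough to authenticate, not to read the hash), while MISORDERED_ACL hands the same attribute out as "read".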
# vi base.ldif
dn: dc=lps,dc=ufrj,dc=br
dc: lps
objectClass: top
objectClass: domain

dn: ou=usuarios,dc=lps,dc=ufrj,dc=br
ou: usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=computadores,dc=lps,dc=ufrj,dc=br
ou: computadores
objectClass: top
objectClass: organizationalUnit

dn: ou=grupos,dc=lps,dc=ufrj,dc=br
ou: grupos
objectClass: top
objectClass: organizationalUnit
# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=lps,dc=ufrj,dc=br"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=usuarios,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=computadores,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=grupos,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\LPSUFRJ\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\LPSUFRJ\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd"
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="lps.ufrj.br"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
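With hash_encrypt="SSHA" and with_slappasswd="0", smbldap-tools computes the userPassword value itself instead of calling slappasswd. As an added example (my code, not smbldap-tools' or OpenLDAP's), the layout of that {SSHA} value, "{SSHA}" followed by base64 of SHA-1(password || salt) || salt, built and verified in Python; the 4-byte salt length is an assumption for generation only, verification takes whatever salt length the stored value carries.

```python
# Added example, not smbldap-tools or OpenLDAP code: how the {SSHA} value
# that hash_encrypt="SSHA" makes smbldap-tools write into userPassword is
# built and verified. Layout: "{SSHA}" + base64(SHA1(password || salt) || salt).
import base64
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes
SALT_LEN = 4                              # assumed; verification does not depend on it

def ssha_hash(password, salt=None):
    """Build a userPassword value in the form shown by smbldap-usershow."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(value):
    """Return (digest, salt) from a {SSHA} value; salt is whatever follows the digest."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold digest and salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def ssha_verify(password, value):
    """Constant-time comparison of password against a stored {SSHA} value."""
    try:
        digest, salt = ssha_split(value)   # binascii.Error is a ValueError subclass
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)
```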
# LDAP settings
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=root,dc=lps,dc=ufrj,dc=br
ldap suffix = dc=lps,dc=ufrj,dc=br
ldap machine suffix = ou=computadores
ldap user suffix = ou=usuarios
ldap group suffix = ou=grupos
ldap idmap suffix = sambaDomainName=LPSUFRJ
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
admin users = Administrator @"Domain Admins"
# Allow users in the "Domain Admins" group to join WinXP/Win2000 machines
# to the Samba domain
enable privileges = yes
# Scripts used to manage users from Windows (M$)
# add/remove users
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
# add/remove groups
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
# Scripts to add/remove users in groups
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# Script to set the user's primary group
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# Script to add a Win NT/XP machine joining the domain
add machine script = /usr/sbin/smbldap-useradd -W "%u"
# Recommended optimizations for smb
smb ports = 445 139
name resolve order = lmhosts host wins bcast
utmp = Yes
time server = Yes
template shell = /bin/false
winbind use default domain = no
map acl inherit = Yes
strict locking = Yes
# How the client will communicate with the server
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes
#============================ Share Definitions ==============================

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon/scripts
	guest ok = yes
	writable = no
	share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
	path = /var/lib/samba/profiles
	browseable = no
	guest ok = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#	nisplus or nis+		Use NIS+ (NIS version 3)
#	nis or yp		Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
d) Updating a user's data

[root@miami etc]# smbldap-userinfo malves
Changing the user information for malves
Enter the new value, or press ENTER for the default
	User Shell [/bin/bash]:
	Full Name [Marcos Alves]:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
LDAP updated

e) Showing the user's data

# smbldap-usershow malves
dn: uid=malves,ou=Usuarios,dc=lps,dc=ufrj,dc=br
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
uid: malves
uidNumber: 1123
gidNumber: 513
homeDirectory: /home/malves
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: malves
sambaSID: S-1-5-21-3041103067-508309359-3073237874-3246
sambaLogonScript: logon.bat
sambaProfilePath: \\LPSUFRJ\profiles\malves
sambaHomePath: \\LPSUFRJ\malves
sambaPrimaryGroupSID: S-1-5-21-3041103067-508309359-3073237874-513
sambaHomeDrive: H:
mailLocalAddress: malves
mail: malves@lps.ufrj.br
sambaLMPassword: 853CA1CD2A92A81D25AD3B83FA6627C7
sambaAcctFlags: [U]
sambaNTPassword: F6E7FA906A0E97AF28D99556ABCFDF3C
sambaPwdLastSet: 1220370854
sambaPwdMustChange: 1224258854
userPassword: {SSHA}//+QUqI5FZP/zWVukct0FSM5r59MYlhw
shadowLastChange: 14124
shadowMax: 45
gecos: Marcos Alves,,,,
cn: Marcos Alves
sn: Alves
givenName: Marcos
loginShell: /bin/bash
f) Testing the client against Samba/LDAP

[root@miami etc]# smbclient -L //LPS/home/malves --user=malves
Password:
Domain=[LPSUFRJ] OS=[Unix] Server=[Samba 3.0.28-1.el5_2.1]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	IPC$            IPC       IPC Service (PDC Server Version 3.0.28-1.el5_2.1)
	malves          Disk      Home Directories
Domain=[LPSUFRJ] OS=[Unix] Server=[Samba 3.0.28-1.el5_2.1]

	Server               Comment
	---------            -------
	LPS                  PDC Server Version 3.0.28-1.el5_2.1

	Workgroup            Master
	---------            -------
	GRUPO                ITACA
	LPS2                 GRENOBLE
	LPSUFRJ              LPS
	WORKGROUP            MONACO

smbclient -L LPS -U%
Domain=[LPSUFRJ] OS=[Unix] Server=[Samba 3.0.28-1.el5_2.1]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	IPC$            IPC       IPC Service (PDC Server Version 3.0.28-1.el5_2.1)
Domain=[LPSUFRJ] OS=[Unix] Server=[Samba 3.0.28-1.el5_2.1]

	Server               Comment
	---------            -------
	LPS                  PDC Server Version 3.0.28-1.el5_2.1

	Workgroup            Master
	---------            -------
	GRUPO                ITACA
	LPS2                 GRENOBLE
	LPSUFRJ              LPS
	WORKGROUP            MONACO
	4)
		echo -e "Digite o usuario: "
		read usuario
		smbldap-passwd $usuario
		sleep 2
		;;
	5)
		echo -e "Digite o nome do grupo: "
		read grupo
		smbldap-groupadd -a $grupo
		sleep 2
		;;
	6)
		echo -e "Digite o nome do grupo a ser removido: "
		read grupo
		smbldap-groupdel $grupo
		sleep 2
		;;
	7)
		echo "Ate logo ......."
		exit
		;;
	*)
		echo "Somente sao validas opcoes 1, 2, 3, 4 e 5 "
		sleep 2
		;;