Talk:HOWTO LDAP SAMBA PDC Security Upgrade

From Gentoo Linux Wiki



Use an account that is not the root DN

Introduction

Always binding as the rootdn is generally a very bad idea. For that reason we will add some dedicated accounts, with proper ACLs, to do the job from now on.
Most of the information in this section was taken from the IDEALX website. See Resources.

Modifying the LDAP database

Intro

We will be adding some 'Security Accounts' to the database. An overview of the OUs of your LDAP server could look like this:

Code: LDAP layout
- dc=example,dc=net
  |
  |- ou=People,dc=example,dc=net
  |  |- uid=pooky,ou=People,dc=example,dc=net
  |  \- uid=...
  |
  |- ou=Hosts,dc=example,dc=net
  |  |- uid=pcName$,ou=Hosts,dc=example,dc=net
  |  \- uid=...$
  |
  |- ou=Groups,dc=example,dc=net
  |  |- cn=Domain Admins,ou=Groups,dc=example,dc=net
  |  \- cn=...
  |
  \- sambaDomainName=YOUR_DOMAIN
Note: This layout is only a reference; it may differ from what you are using. If you plan on using a similar layout, don't forget to update both smb.conf and /etc/ldap.conf accordingly.

Adding accounts

We will be adding an additional OU called DSA, holding one account per client that has to bind to the directory.

Code: LDAP layout
- dc=example,dc=net
  |
  |- ou=DSA,dc=example,dc=net
  |  |- cn=samba,ou=DSA,dc=example,dc=net          # To use in samba
  |  |- cn=smbldap-tools,ou=DSA,dc=example,dc=net  # To use in smbldap-tools
  |  \- cn=nssldap,ou=DSA,dc=example,dc=net        # To use with nss_ldap (/etc/ldap.conf)
  ...

You can do this manually with a phpLDAPadmin-like or ldap-admin program, but we are going to create them with some LDIF magic. Here is an example LDIF that can be used to create the above structure.

Code: dsa-accounts.ldif
dn: ou=DSA,dc=example,dc=net
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=example,dc=net
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=example,dc=net
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbldap-tools,ou=DSA,dc=example,dc=net
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbldapsecretpwd
cn: smbldap-tools

If you are not fond of those plain-text passwords sitting in the LDIF (and in the directory), you can use the slappasswd tool to create hashed userPassword values instead. See slappasswd(8C).

Next, add these accounts to the LDAP database (slapadd works on the database files directly, so shut down slapd first):

slapadd -l dsa-accounts.ldif

Setting slapd ACLs

By default these newly added users can do nothing, unless you already have some unsafe ACLs. We need to tell the LDAP server what these accounts may alter, and what they may not. Open the slapd.conf file and set these ACLs.

Code: slapd.conf
## ------------------ ACL ----------------
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by dn="cn=nssldap,ou=DSA,dc=example,dc=net" write
    by self write
    by anonymous auth
    by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by self write
    by * read

# some attributes need to be writable for samba
# (the attribute list is kept on one line so that no line continuation is needed)
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListOption,modifyTimestamp,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowLastChange
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by self read
    by * none

# samba needs to be able to create the samba domain account
access to dn.base="dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

# samba needs to be able to create new user accounts
access to dn="ou=People,dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

# samba needs to be able to create new computer accounts
access to dn="ou=Hosts,dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

# this can be omitted but we leave it: there could be other branches
# in the directory
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

Now the LDAP server knows what the added accounts are allowed to do. Keep in mind that slapd consults only the first "access to" directive whose target matches, so the order of the directives above matters.
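As an added example (not part of the original page), the script below models how slapd evaluates the attribute ACLs above: the first "access to" directive whose attrs list covers the attribute is the only one consulted, and within it the first matching "by" clause decides; there is no fall-through to a later directive. Only the attribute-targeted directives are transcribed (the long samba list is shortened to a few attributes, and the dn-targeted directives and slapd's DN-style matching are left out), and the Rule, evaluate, allowed and shadowed names are this example's own. Running it shows, for instance, that anonymous clients get only auth on userPassword, that a user's own sambaNTPassword is decided by the first directive (self write) rather than the samba directive's "by self read", and that the trailing userPassword directive is never reached.

```python
# Added example (not from the original page): a first-match model of slapd's
# attribute ACL evaluation, applied to the directives from the slapd.conf above.
from collections import namedtuple
from typing import List, Optional, Tuple

# slapd privilege levels in increasing order; a granted level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

SAMBA = "cn=samba,ou=DSA,dc=example,dc=net"
SMBLDAP = "cn=smbldap-tools,ou=DSA,dc=example,dc=net"
NSSLDAP = "cn=nssldap,ou=DSA,dc=example,dc=net"

# attrs: lower-cased attribute names the directive targets; by: ordered (subject, level) clauses
Rule = namedtuple("Rule", ["attrs", "by"])


def rule(attrs: str, *by: Tuple[str, str]) -> Rule:
    return Rule(frozenset(a.strip().lower() for a in attrs.split(",")), list(by))


# Transcription of the page's attribute directives (samba list shortened; constructed).
RULES: List[Rule] = [
    rule("userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange",
         (SAMBA, "write"), (SMBLDAP, "write"), (NSSLDAP, "write"),
         ("self", "write"), ("anonymous", "auth"), ("*", "none")),
    rule("objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid",
         (SAMBA, "write"), (SMBLDAP, "write"), ("*", "read")),
    rule("description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenName",
         (SAMBA, "write"), (SMBLDAP, "write"), ("self", "write"), ("*", "read")),
    rule("cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaHomePath,sambaSID,sambaAcctFlags",
         (SAMBA, "write"), (SMBLDAP, "write"), ("self", "read"), ("*", "none")),
    rule("userPassword,sambaLMPassword,sambaNTPassword",
         ("self", "write"), ("anonymous", "auth"), ("*", "none")),
]


def subject_matches(subject: str, requester: str, target: str) -> bool:
    """requester is the bind DN; an empty string stands for an anonymous session."""
    if subject == "*":
        return True
    if subject == "anonymous":
        return requester == ""
    if subject == "self":
        return requester != "" and requester.lower() == target.lower()
    return requester.lower() == subject.lower()


def evaluate(rules: List[Rule], requester: str, target: str, attr: str) -> Tuple[Optional[int], str]:
    """Return (index of the directive that decided, level granted); no fall-through."""
    for i, r in enumerate(rules):
        if attr.lower() not in r.attrs:
            continue
        for subject, level in r.by:
            if subject_matches(subject, requester, target):
                return i, level
        return i, "none"      # target matched but no 'by' clause did: denied
    return None, "none"       # no directive covered the attribute; treated as denied here


def allowed(rules: List[Rule], requester: str, target: str, attr: str, wanted: str) -> bool:
    _, granted = evaluate(rules, requester, target, attr)
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def shadowed(rules: List[Rule]) -> List[int]:
    """Directives that can never fire: every attribute they name is covered earlier."""
    seen, out = set(), []
    for i, r in enumerate(rules):
        if r.attrs <= seen:
            out.append(i)
        seen |= r.attrs
    return out


if __name__ == "__main__":
    user = "uid=pooky,ou=People,dc=example,dc=net"   # constructed sample entry
    print(evaluate(RULES, "", user, "userPassword"))        # anonymous may only bind
    print(evaluate(RULES, user, user, "sambaNTPassword"))   # directive 0 decides: self write
    print(evaluate(RULES, NSSLDAP, user, "sambaHomePath"))  # directive 3: nssldap gets none
    print(shadowed(RULES))                                  # the trailing directive
```

The shadowed() check is the one worth keeping around: whenever a directive is appended to an existing slapd.conf, running it over the transcribed list shows whether the new directive can ever be reached or is silently masked by an earlier one.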

Modify Samba Configuration

You should now change the "ldap admin dn" to the new account's DN.

File: /etc/samba/smb.conf
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=net

And then update the password stored in the secrets.tdb file:

smbpasswd -w <plain_password>

Modify smbldap-tools Configuration

Code: /etc/smbldap/smbldap_bind.conf
slaveDN="cn=smbldap-tools,ou=DSA,dc=example,dc=net"
slavePw="<plain_password>"
masterDN="cn=smbldap-tools,ou=DSA,dc=example,dc=net"
masterPw="<plain_password>"

Modify nss_ldap Configuration

Add the following to the /etc/ldap.conf file:

File: /etc/ldap.conf
rootbinddn cn=nssldap,ou=DSA,dc=example,dc=net

# The following are other settings that correspond to
# the organisational structure used earlier on.
nss_base_passwd ou=People,dc=example,dc=net
nss_base_shadow ou=People,dc=example,dc=net
nss_base_group  ou=Groups,dc=example,dc=net
nss_base_hosts  ou=Hosts,dc=example,dc=net

Now store the plain-text password of the nssldap account in a file called /etc/ldap.secret (nss_ldap reads the rootbinddn password from there) and make it readable by root only:

echo "<plain_password>" > /etc/ldap.secret
chmod 600 /etc/ldap.secret

Resources

Feedback

As always "Requesting for Feedback"
--
Po0ky 20:43, 29 December 2005 (GMT)
