LDAP Authentication

Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. On Ubuntu, this has been traditionally accomplished by installing the libnss-ldap package. This package will bring in other tools that will assist you in the configuration step. Install this package now:

sudo apt install libnss-ldap

You will be prompted for details of your LDAP server. If you make a mistake you can try again using:

sudo dpkg-reconfigure ldap-auth-config

The results of the dialog can be seen in /etc/ldap.conf. If your server requires options not covered in the menu, edit this file accordingly.

Now configure the LDAP profile for NSS:

sudo auth-client-config -t nss -p lac_ldap

Configure the system to use LDAP for authentication:

sudo pam-auth-update

From the menu, choose LDAP and any other authentication mechanisms you need.

You should now be able to log in using LDAP-based credentials.

LDAP clients will need to refer to multiple servers if replication is in use. In /etc/ldap.conf you would have something like:

uri ldap://ldap01.example.com ldap://ldap02.example.com

If the Provider (ldap01) becomes unresponsive, the request times out and the client then tries the Consumer (ldap02).
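The two files this section leaves behind, /etc/ldap.conf and /etc/nsswitch.conf, are what decide whether logins are actually looked up in LDAP and over what transport. The following audit script is an added example, not part of the Ubuntu guide or of libnss-ldap: it reports how many servers the uri line lists (two or more means the failover described above can work), whether every server is reached over a protected transport (ldaps://, the local ldapi:// socket, or ldap:// upgraded with ssl start_tls), whether the server certificate will be verified, and whether passwd, group and shadow lookups consult ldap. It assumes the nss_ldap-style keys uri, ssl and tls_checkpeer in ldap.conf, and nsswitch.conf lines of the form "passwd: files ldap" (what the lac_ldap profile produces); the file paths are parameters, so it can be pointed at copies.

```shell
#!/bin/sh
# ldap-client-audit.sh: sanity checks for an nss_ldap/pam_ldap client.
# Added example, not part of the Ubuntu guide. Assumptions: /etc/ldap.conf uses
# the nss_ldap keys "uri", "ssl" and "tls_checkpeer"; nsswitch.conf lines look
# like "passwd: files ldap" (what the lac_ldap profile produces).

# First value of KEY in an ldap.conf-style file. The key match is
# case-insensitive; comment lines never match because their first field is '#'.
ldap_conf_value() {  # $1=file $2=key
    awk -v key="$2" 'tolower($1) == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Number of servers on the uri line; two or more means the client can fail over.
ldap_uri_count() {  # $1=file
    set -- $(ldap_conf_value "$1" uri)
    echo $#
}

# 0 if every listed server is reached over a protected transport:
# ldaps://, the local ldapi:// socket, or ldap:// upgraded with "ssl start_tls".
ldap_conf_transport_ok() {  # $1=file
    local file="$1" ssl uri
    ssl=$(ldap_conf_value "$file" ssl)
    for uri in $(ldap_conf_value "$file" uri); do
        case "$uri" in
            ldaps://*|ldapi://*) ;;
            ldap://*) [ "$ssl" = "start_tls" ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 0 if the server certificate will be verified (tls_checkpeer yes).
ldap_conf_checkpeer_ok() {  # $1=file
    [ "$(ldap_conf_value "$1" tls_checkpeer)" = "yes" ]
}

# 0 if passwd, group and shadow lookups all consult the ldap source.
nsswitch_uses_ldap() {  # $1=file
    local db
    for db in passwd group shadow; do
        awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                          END { exit !ok }' "$1" || return 1
    done
    return 0
}

# Human-readable report: sh ldap-client-audit.sh /etc/ldap.conf /etc/nsswitch.conf
ldap_client_audit() {  # $1=ldap.conf $2=nsswitch.conf
    local rc=0
    printf 'servers listed for failover: %s\n' "$(ldap_uri_count "$1")"
    ldap_conf_transport_ok "$1" && echo 'transport: protected' || { echo 'transport: PLAINTEXT ldap://'; rc=1; }
    ldap_conf_checkpeer_ok "$1" && echo 'tls_checkpeer: yes' || { echo 'tls_checkpeer: not "yes"'; rc=1; }
    nsswitch_uses_ldap "$2" && echo 'nsswitch: ldap enabled' || { echo 'nsswitch: ldap missing for passwd/group/shadow'; rc=1; }
    return $rc
}

if [ $# -eq 2 ]; then
    ldap_client_audit "$1" "$2"
fi
```

Run against the uri line shown above, the script reports two failover servers but a plaintext transport, because that line uses ldap:// with no ssl start_tls; the fix is to add ssl start_tls and tls_checkpeer yes to /etc/ldap.conf (and the matching TLS setup on the server) rather than to silence the check.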

If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP. See Samba and LDAP for details.

Note

An alternative to the libnss-ldap package is the libnss-ldapd package. This, however, will bring in the nscd package which is probably not wanted. Simply remove it afterwards.

User and Group Management

The ldap-utils package comes with enough utilities to manage the directory but the long string of options needed can make them a burden to use. The ldapscripts package contains wrapper scripts to these utilities that some people find easier to use.

Install the package:

sudo apt install ldapscripts

Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000

Now, create the ldapscripts.passwd file to allow rootDN access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Note

Replace “secret” with the actual password for your database’s rootDN user.

The scripts are now ready to help manage your directory. Here are some examples of how to use them:

  • Create a new user:

    sudo ldapadduser george example
    

    This will create a user with uid george and set the user’s primary group (gid) to example.

  • Change a user’s password:

    sudo ldapsetpasswd george
    Changing password for user uid=george,ou=People,dc=example,dc=com
    New Password: 
    New Password (verify): 
    
  • Delete a user:

    sudo ldapdeleteuser george
    
  • Add a group:

    sudo ldapaddgroup qa
    
  • Delete a group:

    sudo ldapdeletegroup qa
    
  • Add a user to a group:

    sudo ldapaddusertogroup george qa
    

    You should now see a memberUid attribute for the qa group with a value of george.

  • Remove a user from a group:

    sudo ldapdeleteuserfromgroup george qa
    

    The memberUid attribute should now be removed from the qa group.

  • The ldapmodifyuser script allows you to add, remove, or replace a user’s attributes. The script uses the same syntax as the ldapmodify utility. For example:

    sudo ldapmodifyuser george
    # About to modify the following entry :
    dn: uid=george,ou=People,dc=example,dc=com
    objectClass: account
    objectClass: posixAccount
    cn: george
    uid: george
    uidNumber: 1001
    gidNumber: 1001
    homeDirectory: /home/george
    loginShell: /bin/bash
    gecos: george
    description: User account
    userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
    
    # Enter your modifications here, end with CTRL-D.
    dn: uid=george,ou=People,dc=example,dc=com
    replace: gecos
    gecos: George Carlin
    

    The user’s gecos should now be “George Carlin”.

  • A nice feature of ldapscripts is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the user template edit /etc/ldapscripts/ldapscripts.conf changing:

    UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
    

    There are sample templates in the /usr/share/doc/ldapscripts/examples directory. Copy or rename the ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:

    sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
    /etc/ldapscripts/ldapadduser.template
    

    Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:

    dn: uid=<user>,<usuffix>,<suffix>
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: <user>
    sn: <ask>
    uid: <user>
    uidNumber: <uid>
    gidNumber: <gid>
    homeDirectory: <home>
    loginShell: <shell>
    gecos: <user>
    description: User account
    title: Employee
    

    Notice the <ask> option used for the sn attribute. This will make ldapadduser prompt you for its value.

There are utilities in the package that were not covered here. Here is a complete list:

ldaprenamemachine
ldapadduser
ldapdeleteuserfromgroup
ldapfinger
ldapid
ldapgid
ldapmodifyuser
ldaprenameuser
lsldap
ldapaddusertogroup
ldapsetpasswd
ldapinit
ldapaddgroup
ldapdeletegroup
ldapmodifygroup
ldapdeletemachine
ldaprenamegroup
ldapaddmachine
ldapmodifymachine
ldapsetprimarygroup
ldapdeleteuser

Backup and Restore

Now we have ldap running just the way we want, it is time to ensure we can save all of our work and restore it as needed.

What we need is a way to backup the ldap database(s), specifically the backend (cn=config) and frontend (dc=example,dc=com). If we are going to backup those databases into, say, /export/backup, we could use slapcat as shown in the following script, called /usr/local/bin/ldapbackup:

#!/bin/bash

BACKUP_PATH=/export/backup
SLAPCAT=/usr/sbin/slapcat

nice ${SLAPCAT} -n 0 > ${BACKUP_PATH}/config.ldif
nice ${SLAPCAT} -n 1 > ${BACKUP_PATH}/example.com.ldif
nice ${SLAPCAT} -n 2 > ${BACKUP_PATH}/access.ldif
chmod 640 ${BACKUP_PATH}/*.ldif

Note

These files are uncompressed text files containing everything in your ldap databases including the tree layout, usernames, and every password. So, you might want to consider making /export/backup an encrypted partition and even having the script encrypt those files as it creates them. Ideally you should do both, but that depends on your security requirements.

Then, it is just a matter of having a cron script to run this program as often as we feel comfortable with. For many, once a day suffices. For others, more often is required. Here is an example of a cron script called /etc/cron.d/ldapbackup that is run every night at 22:45h:

MAILTO=backup-emails@domain.com
45 22 * * *  root    /usr/local/bin/ldapbackup

Once the files are created, they should be copied to a backup server.

Assuming we did a fresh reinstall of ldap, the restore process could be something like this:

sudo systemctl stop slapd.service
sudo mkdir /var/lib/ldap/accesslog
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/example.com.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif
sudo chown -R openldap:openldap /etc/ldap/slapd.d/
sudo chown -R openldap:openldap /var/lib/ldap/
sudo systemctl start slapd.service
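The note above asks for two things the plain script does not do: encrypt the dumps as they are created and keep them from being readable by anyone but root. The following is a hardened variant, added here as an example and not the guide's own /usr/local/bin/ldapbackup. Every file it creates is root-only from the moment it exists (umask 077), each database is encrypted as it is written, a failed or interrupted dump never replaces a good one (the rename is the last step), and the file names match the restore steps above apart from the .gpg suffix. It assumes the guide's database numbering (0 = cn=config, 1 = dc=example,dc=com, 2 = accesslog), an OpenPGP public key already imported in root's keyring for the placeholder recipient backup@example.com, and that cron invokes it under nice rather than each slapcat call being wrapped; SLAPCAT, ENCRYPT and BACKUP_PATH can be overridden from the environment.

```shell
#!/bin/sh
# ldapbackup-encrypted: slapcat dump of cn=config, the data DIT and the accesslog
# (databases 0, 1, 2 as in the guide), encrypted as it is written.
# Added example, not the guide's /usr/local/bin/ldapbackup. Assumptions: an
# OpenPGP public key for $RECIPIENT (placeholder address) is in root's keyring;
# cron runs this under "nice". SLAPCAT/ENCRYPT/BACKUP_PATH can be overridden.

BACKUP_PATH=${BACKUP_PATH:-/export/backup}
SLAPCAT=${SLAPCAT:-/usr/sbin/slapcat}
RECIPIENT=${RECIPIENT:-backup@example.com}          # placeholder key id
ENCRYPT=${ENCRYPT:-"gpg --batch --yes --quiet --encrypt --recipient $RECIPIENT"}

umask 077   # anything we create is mode 600/700 from the moment it exists

# Dump database $1 into $2 (encrypted). The plaintext lives only briefly in a
# root-only temp file beside the target; on any failure nothing is left behind
# and an existing $2 is untouched.
dump_db() {  # $1=database number  $2=destination file
    local raw
    raw=$(mktemp "$(dirname "$2")/.raw.XXXXXX") || return 1
    if ! $SLAPCAT -n "$1" > "$raw"; then
        rm -f "$raw"; return 1
    fi
    if ! $ENCRYPT < "$raw" > "$2.partial"; then
        rm -f "$raw" "$2.partial"; return 1
    fi
    rm -f "$raw"
    mv "$2.partial" "$2"     # rename is atomic: no reader ever sees a half-written dump
}

# Dump all three databases into a fresh timestamped directory and print its path.
run_backup() {
    local dir
    dir="$BACKUP_PATH/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir" || return 1
    dump_db 0 "$dir/config.ldif.gpg"      || return 1
    dump_db 1 "$dir/example.com.ldif.gpg" || return 1
    dump_db 2 "$dir/access.ldif.gpg"      || return 1
    echo "$dir"
}

# Entry point for cron, e.g.: 45 22 * * * root nice /usr/local/bin/ldapbackup-encrypted run
if [ "${1:-}" = run ]; then
    run_backup
fi
```

Before a restore, decrypt each file first (gpg --decrypt config.ldif.gpg > config.ldif, and so on) and then feed the plaintext to slapadd as above. Because the dumps are encrypted to a public key, the backup host never needs the private key; keep that key off the LDAP server so a compromise of the server does not also expose every historical dump.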

Resources

  • The primary resource is the upstream documentation: www.openldap.org

  • There are many man pages that come with the slapd package. Here are some important ones, especially considering the material presented in this guide:

    slapd
    slapd-config
    slapd.access
    slapo-syncprov
    
  • Other man pages:

    auth-client-config
    pam-auth-update
    
  • Zytrax’s LDAP for Rocket Scientists; a less pedantic but comprehensive treatment of LDAP

  • A Ubuntu community OpenLDAP wiki page has a collection of notes

  • O’Reilly’s LDAP System Administration (textbook; 2003)

  • Packt’s Mastering OpenLDAP (textbook; 2007)

Samba and LDAP

This section covers the integration of Samba with LDAP. The Samba server’s role will be that of a “standalone” server and the LDAP directory will provide the authentication layer in addition to containing the user, group, and machine account information that Samba requires in order to function (in any of its 3 possible roles). The pre-requisite is an OpenLDAP server configured with a directory that can accept authentication requests. See OpenLDAP Server for details on fulfilling this requirement. Once this section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly.

This guide will assume that the LDAP and Samba services are running on the same server and therefore use SASL EXTERNAL authentication whenever changing something under cn=config. If that is not your scenario, you will have to run those ldap commands on the LDAP server.

Software Installation

There are two packages needed when integrating Samba with LDAP: samba and smbldap-tools.

Strictly speaking, the smbldap-tools package isn’t needed, but unless you have some other way to manage the various Samba entities (users, groups, computers) in an LDAP context then you should install it.

Install these packages now:

sudo apt install samba smbldap-tools

LDAP Configuration

We will now configure the LDAP server so that it can accommodate Samba data. We will perform three tasks in this section:

  • Import a schema

  • Index some entries

  • Add objects

Samba schema

In order for OpenLDAP to be used as a backend for Samba, logically, the DIT will need to use attributes that can properly describe Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Let’s do this now.

Note

For more information on schemas and their installation see Modifying the slapd Configuration Database.

The schema is found in the now-installed samba package and is already in the ldif format. We can import it with one simple command:

zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | sudo ldapadd -Q -Y EXTERNAL -H ldapi:///

To query and view this new schema:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'

Samba indices

Now that slapd knows about the Samba attributes, we can set up some indices based on them. Indexing entries is a way to improve performance when a client performs a filtered search on the DIT.

Create the file samba_indices.ldif with the following contents:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq

Using the ldapmodify utility load the new indices:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

If all went well you should see the new indices using ldapsearch:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H \
ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex

Adding Samba LDAP objects

Next, configure the smbldap-tools package to match your environment. The package comes with a configuration helper script called smbldap-config. Before running it, though, you should decide on two important configuration settings in /etc/samba/smb.conf:

  • netbios name: how this server will be known. The default value is derived from the server’s hostname, but truncated at 15 characters.

  • workgroup: the workgroup name for this server, or, if you later decide to make it a domain controller, this will be the domain.

It’s important to make these choices now because smbldap-config will use them to generate the config that will be later stored in the LDAP directory. If you run smbldap-config now and later change these values in /etc/samba/smb.conf there will be an inconsistency.

Once you are happy with netbios name and workgroup, generate the smbldap-tools configuration by running the configuration script, which will ask you some questions:

sudo smbldap-config

Some of the more important ones:

  • workgroup name: has to match what you will configure in /etc/samba/smb.conf later on.

  • ldap suffix: has to match the ldap suffix you chose when you configured the LDAP server.

  • other ldap suffixes: they are all relative to ldap suffix above. For example, for ldap user suffix you should use ou=People.

  • ldap master bind dn and bind password: use the rootDN credentials.

The smbldap-populate script will then add the LDAP objects required for Samba. It is a good idea to first make a backup of your DIT using slapcat:

sudo slapcat -l backup.ldif

Once you have a backup proceed to populate your directory. It will ask you for a password for the “domain root” user, which is also the “root” user stored in LDAP:

sudo smbldap-populate -g 10000 -u 10000 -r 10000

The -g, -u and -r parameters tell smbldap-tools where to start the numeric uid and gid allocation for the LDAP users. You should pick a range start that does not overlap with your local /etc/passwd users.
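Checking that the chosen range really is free is easy to get wrong on Ubuntu, because nobody and nogroup sit at 65534, so a naive "anything above START is a clash" test always complains. The script below is an added example, not part of the guide or of smbldap-tools: it looks for local entries inside [START, START+COUNT) in passwd(5)/group(5)-format files, where COUNT is the number of ids you expect smbldap-populate and later smbldap-useradd calls to allocate. It assumes only the standard file layout; the file paths default to /etc/passwd and /etc/group but can be pointed at copies.

```shell
#!/bin/sh
# Added example, not part of the guide or smbldap-tools: check that the id range
# you are about to hand to "smbldap-populate -u START -g START" is not already
# used by local accounts. Only the standard passwd(5)/group(5) layout is assumed.

# Print "name:id" for every entry whose numeric id (field 3) lies in [LO, HI).
ids_in_range() {  # $1=passwd-or-group file  $2=LO  $3=HI
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 < hi + 0 { print $1 ":" $3 }' "$1"
}

# 0 if no local entry in FILE falls inside [START, START+COUNT).
range_is_free() {  # $1=file  $2=start  $3=count
    [ -z "$(ids_in_range "$1" "$2" $(($2 + $3)))" ]
}

# Report for a proposed start and the number of ids you expect to allocate.
# The upper bound matters: Ubuntu's nobody/nogroup sit at 65534, so an
# open-ended check against "everything above START" would always complain.
check_populate_range() {  # $1=start  $2=count  [$3=passwd file]  [$4=group file]
    local start="$1" count="$2" pw="${3:-/etc/passwd}" gr="${4:-/etc/group}" hit rc=0
    hit=$(ids_in_range "$pw" "$start" $((start + count)))
    if [ -n "$hit" ]; then printf 'uid clash in %s:\n%s\n' "$pw" "$hit"; rc=1; fi
    hit=$(ids_in_range "$gr" "$start" $((start + count)))
    if [ -n "$hit" ]; then printf 'gid clash in %s:\n%s\n' "$gr" "$hit"; rc=1; fi
    [ $rc -eq 0 ] && echo "range $start-$((start + count - 1)) is free in $pw and $gr"
    return $rc
}

# Usage: sh check-populate-range.sh 10000 50000 [/etc/passwd /etc/group]
if [ $# -ge 2 ]; then
    check_populate_range "$@"
fi
```

A non-zero exit means at least one local uid or gid would be shadowed by an LDAP entry with the same number; pick a different start (or a smaller count) before running smbldap-populate, since moving ids after users and files exist is far more disruptive.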

You can create a LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the ‘-e’ switch. Alternatively, you can take the LDIF file and import its data per usual.

Your LDAP directory now has the necessary information to authenticate Samba users.

Samba Configuration

There are multiple ways to configure Samba. For details on some common configurations see ???. To configure Samba to use LDAP, edit its configuration file /etc/samba/smb.conf commenting out the default passdb backend parameter and adding some ldap-related ones. Make sure to use the same values you used when running smbldap-populate:

#  passdb backend = tdbsam
   workgroup = EXAMPLE

# LDAP Settings
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=com
   # or off if TLS/SSL is not configured
   ldap ssl = start tls
   ldap passwd sync = yes

Change the values to match your environment.

Note

The smb.conf as shipped by the package is quite long and has many configuration examples. An easy way to visualize it without any comments is to run testparm -s.

Now inform Samba about the rootDN user’s password (the one set during the installation of the slapd package):

sudo smbpasswd -W

As a final step, for your LDAP users to be able to connect to Samba and authenticate, they also need to show up on the system as “unix” users. One way to do this is to use libnss-ldap. Detailed instructions can be found in the LDAP Authentication section, but we only need the NSS part.

Install libnss-ldap:

sudo apt install libnss-ldap

There is no need to use the LDAP rootDN login credentials, so you can skip that step.

Configure the LDAP profile for NSS:

sudo auth-client-config -t nss -p lac_ldap

Restart the Samba services:

sudo systemctl restart smbd.service nmbd.service

To quickly test the setup, see if getent can list the Samba groups:

getent group

...
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:

If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given some of the extra Samba specific attributes. The smbpasswd utility can do this for you:

sudo smbpasswd -a username

You will be prompted to enter a password. It will be taken as the new password for that user. Making it the same as before is reasonable. Note that this command cannot be used to create a new user from scratch in LDAP (unless you are using ldapsam:trusted and ldapsam:editposix, not covered in this guide).

To manage user, group, and machine accounts use the utilities provided by the smbldap-tools package. Here are some examples:

  • To add a new user with a home directory:

    sudo smbldap-useradd -a -P -m username
    

    The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created allowing you to enter a password for the user. Finally, -m creates a local home directory. Test with the getent command:

    getent passwd username
    

    If you don’t get a response, then your libnss-ldap configuration is incorrect.

  • To remove a user:

    sudo smbldap-userdel username
    

    In the above command, use the -r option to remove the user’s home directory.

  • To add a group:

    sudo smbldap-groupadd -a groupname
    

    As for smbldap-useradd, the -a adds the Samba attributes.

  • To make an existing user a member of a group:

    sudo smbldap-groupmod -m username groupname
    

    The -m option can add more than one user at a time by listing them in comma-separated format.

  • To remove a user from a group:

    sudo smbldap-groupmod -x username groupname
    
  • To add a Samba machine account:

    sudo smbldap-useradd -t 0 -w username
    

    Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, note the add machine script parameter in /etc/samba/smb.conf was changed to use smbldap-useradd.

There are utilities in the smbldap-tools package that were not covered here. Here is a complete list:

smbldap-groupadd
smbldap-groupdel
smbldap-groupmod
smbldap-groupshow
smbldap-passwd
smbldap-populate
smbldap-useradd
smbldap-userdel
smbldap-userinfo
smbldap-userlist
smbldap-usermod
smbldap-usershow
