

unix:samba-ldap

Устанавливаем LDAP и составляем конфиги

/usr/local/openldap/slapd.conf
slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# slapd.conf for the dc=kommunar,dc=alx directory that nss_ldap, ldapscripts
# and Samba (see the rest of this page) talk to. Order matters in this file:
# global directives, then ACLs, then the single bdb database.
include     /usr/local/etc/openldap/schema/core.schema
 
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/schema/misc.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/openldap.schema
# NOTE(review): no samba.schema is included. If Samba (smbpasswd -w at the end
# of this page) is meant to store its accounts in this directory, the
# sambaSamAccount/sambaDomain classes need
# "include <path-to-samba.schema-from-the-samba-port>" here -- confirm, smb.conf
# is not shown on this page.
 
# Define global ACLs to disable default read access.
 
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org
 
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
 
# Load dynamic backend modules:
modulepath  /usr/local/libexec/openldap
moduleload  back_bdb
# moduleload    back_hdb
# moduleload    back_ldap
 
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
 
# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
 
# Site ACLs. slapd uses the first "access to" whose target matches, and within
# it the first "by" clause that matches the requester.
# 1. Password hashes: the owner may change them, anonymous may only use them
#    to bind (auth), everybody else gets nothing. This is what keeps the
#    hashes out of anonymous nss_ldap / ldapsearch results.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
 
# 2. Everything else: anonymous read is required because nss_ldap.conf on this
#    page binds without a binddn; the entry's owner may write.
# NOTE(review): "by self write" on "*" covers EVERY attribute of the user's
# own entry -- uidNumber, gidNumber, homeDirectory, loginShell included -- so a
# user can rewrite their own POSIX identity. Narrow it to the attributes users
# legitimately maintain (an "access to attrs=..." rule above this one) and
# leave the rest "by self read". Also note that with "by * none" an
# authenticated bind other than self sees nothing at all; only anonymous can
# read. Harmless while all lookups are anonymous, but easy to trip over.
access to *
    by self write
    by anonymous read
    by * none
 
#######################################################################
# BDB database definitions
#######################################################################
 
database    bdb
suffix      "dc=kommunar,dc=alx"
rootdn      "cn=root,dc=kommunar,dc=alx"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): stored in clear and, on top of that, a six-digit numeric
# string. Run slappasswd and paste its {SSHA} output here (ldapadd -w and
# smbpasswd -w on this page keep working with the cleartext value), and pick
# something stronger: the rootdn bypasses every ACL above.
rootpw  111111
 
# NOTE(review): loglevel is a global directive; slapd.conf(5) expects global
# options before the first "database" line, so it is normally placed above.
# 256 = "stats": log connections, operations and results.
loglevel    256
 
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/db/openldap-data
# Indices to maintain
# NOTE(review): nss_ldap presumably looks accounts up by uid/uidNumber and
# groups by gidNumber/memberUid; none of those is indexed here, so each such
# lookup scans the whole database. Consider
# "index uid,uidNumber,gidNumber,memberUid eq" (run slapindex afterwards).
index   objectClass eq
index   cn          eq

Организуем структуру

/usr/local/openldap/base.ldif
base.ldif
# Root of the tree: dc=kommunar,dc=alx (must equal "suffix" in slapd.conf).
dn: dc=kommunar,dc=alx
objectClass: dcObject
objectClass: organization
objectClass: top
dc: kommunar
o: kommunar
 
# The three containers below are referenced by name elsewhere on this page:
# nss_base_* in nss_ldap.conf and USUFFIX/GSUFFIX/MSUFFIX in ldapscripts.conf.
# All sit directly under the suffix, which is why "?one" scope is enough there.
dn: ou=users,dc=kommunar,dc=alx
objectClass: top
objectClass: organizationalUnit
ou: users
 
dn: ou=groups,dc=kommunar,dc=alx
objectClass: top
objectClass: organizationalUnit
ou: groups
 
 
# Machine (Samba workstation trust) accounts; ldapscripts' MSUFFIX.
dn: ou=computers,dc=kommunar,dc=alx
objectClass: top
objectClass: organizationalUnit
ou: computers

Добавим

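# Bind as the rootdn (simple bind, -x) and load the tree from base.ldif.
# -W prompts for the rootpw instead of taking it on the command line, where
# "-w 111111" is visible to every local user via ps(1) and is kept in the
# shell history.
ldapadd -x -D "cn=root,dc=kommunar,dc=alx" -W -f base.ldif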

Посмотрим

# Anonymous search (-x without -D) from the suffix; -LLL prints bare LDIF.
# This only works anonymously because slapd.conf on this page grants
# "by anonymous read" on everything except userPassword, which is why no
# hashes appear in the output below. The trailing '*' is presumably taken as
# the attribute list (all user attributes), not as a filter.
ldapsearch -LLL -x -b 'dc=kommunar,dc=alx' '*'
 
dn: dc=kommunar,dc=alx
objectClass: dcObject
objectClass: organization
objectClass: top
dc: kommunar
o: kommunar
 
dn: ou=users,dc=kommunar,dc=alx
objectClass: top
objectClass: organizationalUnit
ou: users
 
dn: ou=groups,dc=kommunar,dc=alx
objectClass: top
objectClass: organizationalUnit
ou: groups
 
dn: ou=computers,dc=kommunar,dc=alx
objectClass: top
objectClass: organizationalUnit
ou: computers

Установим nss_ldap и сконфигурируем

nss_ldap.conf
# @(#)$Id: ldap.conf,v 2.49 2009/04/25 01:53:15 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
 
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# Loopback only: the slapd from this page runs on the same box. Every ssl/tls
# option further down is left commented, so this is plain LDAP -- acceptable
# only as long as the traffic never leaves the host.
host 127.0.0.1
 
# The distinguished name of the search base.
# Same suffix as slapd.conf; the nss_base_* lines below narrow it per map.
base dc=kommunar,dc=alx
 
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
 
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
 
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# binddn/bindpw are deliberately unset: all nss lookups are anonymous, which
# the slapd ACL on this page allows ("by anonymous read") while still hiding
# userPassword. Keep it that way rather than putting the rootdn credentials
# into this file, which is typically readable by every local user.
#binddn cn=proxyuser,dc=padl,dc=com
### binddn cn=root,dc=kommunar,dc=alx
 
# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret
 
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /usr/local/etc/nss_ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com
 
# The port.
# Optional: default is 389.
#port 389
 
# The search scope.
#scope sub
#scope one
#scope base
# Default scope for searches whose nss_base_* line gives none; the bases
# below all carry "?one" explicitly, matching the flat ou layout in base.ldif.
scope one
 
# Search timelimit in seconds (0 for indefinite; default 0)
#timelimit 0
# Bounded so a slow slapd cannot stall name resolution indefinitely.
timelimit 30
 
# Bind/connect timelimit (0 for indefinite; default 30)
#bind_timelimit 30
# Shorter than the default: with slapd on loopback, a connect that takes
# longer than this is already a failure.
bind_timelimit 10
 
# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
#bind_policy hard
# soft: a failed connection makes the lookup return "not found" at once
# instead of retrying with backoff; together with the "files ldap" order in
# nsswitch.conf this should keep local logins usable while slapd is down.
bind_policy soft
 
# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist
 
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
 
# Use paged rseults
#nss_paged_results yes
 
# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000
 
# Filter to AND with uid=%s
#pam_filter objectclass=account
 
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
 
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
 
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
 
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
 
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
 
# Group member attribute
#pam_member_attribute uniquemember
 
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
 
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
 
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
 
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt
 
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
 
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
 
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
 
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
 
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
 
# Use backlinks for answering initgroups()
#nss_initgroups backlink
 
# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema rfc2307bis
 
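# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX      base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd   ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd    ou=People,dc=padl,dc=com?one
#nss_base_shadow    ou=People,dc=padl,dc=com?one
# Site layout (base.ldif on this page): people under ou=users, machine
# accounts under ou=computers, groups under ou=groups, all directly below
# dc=kommunar,dc=alx -- hence "?one".
# The shadow base previously read "dc=kommunar,dc=comalx" (typo), i.e. a DN
# that does not exist, so shadow lookups searched the wrong place. It now
# matches the passwd base.
nss_base_shadow     ou=users,dc=kommunar,dc=alx?one
# nss_base_passwd is given twice on purpose: nss_ldap tries each base in
# turn, so both people and machine accounts resolve as passwd entries.
# NOTE(review): repeated nss_base_* directives rely on the installed nss_ldap
# (2.49 per the header) supporting them -- confirm with "getent passwd" for a
# machine account.
nss_base_passwd     ou=users,dc=kommunar,dc=alx?one
nss_base_passwd     ou=computers,dc=kommunar,dc=alx?one
#nss_base_hosts     ou=Hosts,dc=padl,dc=com?one
#nss_base_group     ou=Group,dc=padl,dc=com?one
nss_base_group      ou=groups,dc=kommunar,dc=alx?one
#nss_base_services  ou=Services,dc=padl,dc=com?one
#nss_base_networks  ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc       ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers    ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks  ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases   ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup  ou=Netgroup,dc=padl,dc=com?one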
 
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute  rfc2307attribute    mapped_attribute
#nss_map_objectclass    rfc2307objectclass  mapped_objectclass
 
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
 
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
 
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
 
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
 
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
 
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
 
# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry
 
# Netscape SDK LDAPS
#ssl on
 
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
 
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
 
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /usr/local/etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
 
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
 
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
 
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
 
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
 
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
 
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# Local files come before LDAP for passwd/group, so root and the other /etc
# accounts should keep resolving (and root should still be able to log in)
# while slapd is down; bind_policy soft in nss_ldap.conf keeps that fallback
# from hanging.
### group: compat
group: files ldap
### group_compat: nis
hosts: files dns
networks: files
### passwd: compat
passwd: files ldap
# NOTE(review): "shadow" is a glibc/Linux database; it is not among the
# databases FreeBSD's nsswitch.conf(5) lists, so on the $FreeBSD$ system this
# file comes from it is presumably ignored -- verify and drop it if so.
shadow: files ldap
### passwd_compat: nis
shells: files
### services: compat
### services_compat: nis
### protocols: files
### rpc: files

Установим и сконфигурируем ldapscripts

# Build and install ldapscripts from the FreeBSD ports tree; the
# ldapscripts.conf below then presumably lives under /usr/local/etc/ldapscripts
# (the BINDPWDFILE path in that file points there).
cd /usr/ports/net/ldapscripts
make install
ldapscripts.conf
#  Copyright (C) 2005 GanaКl LAPLANCHE - Linagora
#  Copyright (C) 2006-2011 GanaКl LAPLANCHE
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
 
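# LDAP server
SERVER="ldap://localhost"
 
# Suffixes
SUFFIX="dc=kommunar,dc=alx" # Global suffix
GSUFFIX="ou=groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=computers"      # Machines ou (just under $SUFFIX)
 
# Authentication type
# If empty, use simple authentication
# Else, use the value as an SASL authentication mechanism
SASLAUTH=""
#SASLAUTH="GSSAPI"
 
# Simple authentication parameters
# The following BIND* parameters are ignored if SASLAUTH is set
# This is the slapd rootdn from slapd.conf on this page, so the scripts
# bypass the directory ACLs entirely -- the password file must stay private.
BINDDN="cn=root,dc=kommunar,dc=alx"
# The following file contains the raw password of the BINDDN
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# For this setup, as root:
#   echo -n '111111' > /usr/local/etc/ldapscripts/ldapscripts.passwd
#   chmod 600 /usr/local/etc/ldapscripts/ldapscripts.passwd
BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
# Deliberately left unset: a BINDPWD value is handed to the ldap* tools on
# their command line, where any local user can read it from the process list.
### BINDPWD="111111"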
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
 
# Group membership management
# ObjectCLass used for groups
# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis,
# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
# When using  groupOfNames or groupOfUniqueNames, creating a group requires an initial
# member. Specify it below, you will be able to remove it once groups are populated.
#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"
 
# User properties
# No interactive shell by default: accounts created here are for Samba
# (file/domain) access, not for logging in on the server.
USHELL="/usr/sbin/nologin"
UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="no"      # Create home directories and set rights ?
HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700"       # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users.
# You may use %u for username here ; special value "<ask>" will ask for a password interactively
# WARNING    !!!! This is evaluated, everything specified here will be run !
# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
#                 In this case, consider using /dev/urandom instead.
### PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
# NOTE(review): every account created gets the SAME initial password, 123456.
# That is tolerable only if users are made to change it immediately; the
# random generator commented out above or "<ask>" avoids a whole directory of
# identically-passworded accounts.
PASSWORDGEN="echo 123456" 
#PASSWORDGEN="<ask>"
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
# Recording is ON: generated passwords are written in clear to PASSWORDFILE.
# With the constant PASSWORDGEN above this records nothing new, but if the
# generator is ever switched to a random one, check the file's mode and remove
# it (and set this to "no") once the bulk import is finished.
RECORDPASSWORDS="yes"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
# Absolute paths to the OpenLDAP client tools; /usr/local/bin is where the
# FreeBSD port puts them (the page builds from ports).
LDAPSEARCHBIN="/usr/local/bin/ldapsearch"
LDAPADDBIN="/usr/local/bin/ldapadd"
LDAPDELETEBIN="/usr/local/bin/ldapdelete"
LDAPMODIFYBIN="/usr/local/bin/ldapmodify"
LDAPMODRDNBIN="/usr/local/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/local/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
# ICONVBIN="/usr/local/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
# Left empty so the scripts pick the right getent-style command themselves
# (see the FreeBSD alternatives above if auto-detection misfires).
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
# Hand Samba the rootdn password so it can write to the directory; it is
# stored in secrets.tdb (see the output below). As with "ldapadd -w" earlier
# on the page, the password is on the command line (ps, shell history).
# The DN it is stored for comes from "ldap admin dn" in smb.conf, which is not
# shown on this page -- presumably already set to cn=root,dc=kommunar,dc=alx.
srv.kommunar.alx@~#>smbpasswd -w 111111
Setting stored password for "cn=root,dc=kommunar,dc=alx" in secrets.tdb