This chapter explains LDAP configuration in Debian testing/unstable. We assume you already know the basic concepts of LDAP; we will write separate documents about those basics.
First of all, check that the system works with simple authentication.
# apt-get install slapd ldap-utils nscd
modulepath /usr/lib/ldap
moduleload back_bdb
# global option: keep it above the database section
allow bind_v2
database bdb
replogfile /var/lib/ldap/replog
index cn,sn,uid pres,eq
suffix "dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
rootdn "cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
BASE "dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
host hostname.tom.sfc.keio.ac.jp
$ ldapsearch -x "(cn=admin)"
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (cn=admin)
# requesting: ALL
#

# admin, tom.sfc.keio.ac.jp
dn: cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
We recommend setting appropriate access restrictions with hosts.allow and hosts.deny.
It is better not to rely on simple authentication, so we make SASL available on the system. You should read the following documents carefully.
Kerberos is rather troublesome, so we decided to use DIGEST-MD5.
# apt-get install sasl2-bin libsasl2-modules
START=yes
MECHANISMS="pam"
# /etc/init.d/saslauthd start
sasl-regexp is the key setting.
You should decide carefully which password-hash scheme to use.
If you plan to use many authentication methods through SASL, e.g. when you want one password to serve APOP, CRAM-MD5 and DIGEST-MD5 clients, you have to set CLEARTEXT as the password-hash method. However, with CLEARTEXT the raw passwords are stored in the LDAP database (base64-encoded at most), and administrators can read them.
Alternatively you may store passwords hashed. In that case the choice of authentication methods is restricted to PLAIN or LOGIN, which require TLS to protect the exchange between LDAP servers and clients. This document reconfigures the system assuming TLS is used.
To decide which hash scheme to use, consider the LDAP applications you plan to run. In this document we use SHA, which qmail-ldap supports.
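As an added example (not part of the original document), the following Python shows what the two password-hash choices above actually store: {SHA} is the base64 of a SHA-1 digest, {SSHA} adds a salt, and a cleartext value remains recoverable even when an LDIF export shows it base64-encoded. The function names and sample passwords are constructed for this example.

```python
import base64
import hashlib
import os
from typing import Optional


def sha_password(password: str) -> str:
    """Encode a password the way slapd stores it with 'password-hash {SHA}':
    the scheme tag followed by the base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted variant ({SSHA}): SHA-1(password || salt) with the salt appended,
    all base64-encoded. The salt defeats precomputed lookups against a dumped
    directory, which plain {SHA} does not."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored userPassword value.
    Handles {SHA}, {SSHA} and {CLEARTEXT}; unknown schemes are rejected."""
    if stored.startswith("{SHA}"):
        return sha_password(candidate) == stored
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes
        return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest
    if stored.startswith("{CLEARTEXT}"):
        return stored[len("{CLEARTEXT}"):] == candidate
    return False


def ldif_attribute(name: str, value: str) -> str:
    """Render one attribute as LDIF. LDIF base64-encodes a value (marked by
    '::') only when it contains non-ASCII or starts with a special character;
    a cleartext password that shows up as 'userPassword::' in an export is
    therefore merely encoded, not protected."""
    needs_b64 = (not value.isascii()) or value.startswith((" ", ":", "<"))
    if needs_b64:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"
```

verify_password() is what a directory-backed service does on a simple bind; note that {SHA} of the same password is always the same string, so two users with the same password are visible as such in a dump, while {SSHA} values differ.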
We will write something about Kerberos after some survey.
As an alternative for SASL you could store passwords in /etc/sasldb2, but that is not "integration": you would need a workaround such as a password-management script that keeps the passwords used by the other methods in sync.
# sasl
sasl-realm TOM.SFC.KEIO.AC.JP
sasl-host hostname.tom.sfc.keio.ac.jp
sasl-regexp uid=admin,cn=TOM.SFC.KEIO.AC.JP,cn=.+ \
cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
sasl-regexp uid=(.*),cn=TOM.SFC.KEIO.AC.JP,cn=.+ \
uid=$1,ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
sasl-secprops none
#password-hash {CLEARTEXT}
password-hash {SHA}
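The sasl-regexp rules above map the identity slapd derives from a SASL bind to a DN in the directory. As an added example, not code from the original page or from OpenLDAP, the following Python models that mapping so the rules can be checked without a running server. The rule set is the one shown above; the function names, the hardened rule and the match semantics (whole string, case-insensitive) are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# The two sasl-regexp rules from the slapd.conf above, as (pattern, template)
# pairs in file order. slapd tries the rules in order and uses the first one
# that matches; the template's $1..$9 refer to the pattern's capture groups.
# Note the unescaped dots in the realm: as regular expressions they match any
# character, which is harmless only because sasl-realm fixes the realm.
SASL_REGEXP_RULES: List[Tuple[str, str]] = [
    (r"uid=admin,cn=TOM.SFC.KEIO.AC.JP,cn=.+",
     "cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"),
    (r"uid=(.*),cn=TOM.SFC.KEIO.AC.JP,cn=.+",
     "uid=$1,ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"),
]

# Tightened second rule (constructed for this example): [^,]* cannot swallow a
# comma, so a SASL user name containing DN separators fails to map instead of
# yielding a DN outside ou=People.
HARDENED_RULES: List[Tuple[str, str]] = [
    SASL_REGEXP_RULES[0],
    (r"uid=([^,]*),cn=TOM\.SFC\.KEIO\.AC\.JP,cn=.+",
     "uid=$1,ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"),
]


def sasl_authc_id(user: str, realm: str, mech: str) -> str:
    """Build the identity string slapd forms from a SASL bind with a realm:
    uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth."""
    return f"uid={user},cn={realm},cn={mech.lower()},cn=auth"


def map_sasl_identity(authc_id: str,
                      rules: List[Tuple[str, str]] = SASL_REGEXP_RULES) -> Optional[str]:
    """Apply the rules in order and return the DN produced by the first match,
    or None when nothing matches (slapd then has no entry to bind as).
    Modelled as a whole-string, case-insensitive match (an assumption here)."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, authc_id, flags=re.IGNORECASE)
        if m is None:
            continue
        dn = template
        for i, group in enumerate(m.groups(), start=1):
            dn = dn.replace(f"${i}", group)
        return dn
    return None
```

The last two assertions in the accompanying check show why the OpenLDAP documentation writes the user group as ([^,]*): with (.*) a user name that contains a comma is mapped to a DN that was never intended, whereas the tightened pattern simply refuses it.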
Add the following lines to ldap.conf.
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
# /etc/init.d/slapd restart
$ ldapsearch -LLL -s base -b "" -x supportedSaslMechanisms
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
When you plan to use DIGEST-MD5 with the password-hash method set to CLEARTEXT, you have to change the admin password so that SASL can use it.
dn: cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
changetype: modify
replace: userPassword
userPassword: password
-
After setting a temporary password in sasldb2, add the new password to LDAP and remove the sasldb2 file.
# saslpasswd2 -u TOM.SFC.KEIO.AC.JP -c admin
# ldapmodify -U admin@TOM.SFC.KEIO.AC.JP -f admin_password.ldif
# rm /etc/sasldb2
It is OK if you see the following messages. Passwords will be stored base64-encoded.
$ ldapsearch -U admin "(cn=admin)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@TOM.SFC.KEIO.AC.JP
SASL SSF: 128
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (cn=admin)
# requesting: ALL
#

# admin, tom.sfc.keio.ac.jp
dn: cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: password

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
To write this section we referred to "Introduction to OpenLDAP" and other documents: LDAPv3, LDAP administrator-2.1 and the SSL-Certificates-HOWTO.
http://www.linux.or.jp/JF/JFdocs/SSL-Certificates-HOWTO/x169.html
We decided to place certificates and related files under /etc/ssl. You have to set the CN (Common Name) to the same value as the host entry in ldap.conf.
# cp /usr/lib/ssl/misc/CA.sh /usr/local/sbin/CA.sh
# vi /usr/local/sbin/CA.sh
DAYS="-days 7300"   # 20 years
CATOP=/etc/ssl
# cd /etc/ssl
# vi openssl.cnf
(configure the directories and default values)
dir = ./
# /usr/local/sbin/CA.sh -newca
# ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
# openssl req -new -nodes -keyout private/hostnamekey.pem -out \
certs/hostnamereq.pem
# openssl ca -out certs/hostnamecert.pem -in \
certs/hostnamereq.pem
TLSCertificateFile /etc/ssl/certs/hostnamecert.pem
TLSCertificateKeyFile /etc/ssl/private/hostnamekey.pem
TLSCACertificateFile /etc/ssl/cacert.pem
TLS_CACERT /etc/ssl/cacert.pem
The slapd parameters are supposed to be written in the SLAPD_OPTIONS entry of /etc/default/slapd, but this default configuration did not work well: the -h option was not passed correctly because of a quoting problem.
To avoid this trouble, we modified the init.d script.
--- slapd.orig 2003-08-26 22:01:31.000000000 +0900
+++ slapd 2003-08-26 22:03:20.000000000 +0900
@@ -85,4 +85,5 @@
echo -n " slapd"
reason="`start-stop-daemon --start --quiet \
--pidfile \"$SLAPD_PIDFILE\" \
- --exec /usr/sbin/slapd -- $SLAPD_OPTIONS 2>&1`"
+ --exec /usr/sbin/slapd -- -h 'ldap:/// ldaps:///' $SLAPD_OPTIONS 2>&1`"
+# --exec /usr/sbin/slapd -- $SLAPD_OPTIONS 2>&1`"
}
# Start the slurpd daemon and capture the error message if any to
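Review bot: hard-coding `-h 'ldap:/// ldaps:///'` into the start-stop-daemon line (the `+` line of this hunk) moves a site setting out of /etc/default/slapd and into the init script, so it is lost whenever the package ships a new /etc/init.d/slapd, and `ldap:///` with no host listens on every interface rather than the one intended. Keep the URL list in the defaults file if the quoting can be made to work, and drop the commented-out copy `+# --exec /usr/sbin/slapd -- $SLAPD_OPTIONS 2>&1\`"` so the script does not carry dead code.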
You can confirm that the system works with the following commands. In the first, -ZZ verifies whether StartTLS works. The second confirms that the "ldaps" method (TLS selected by the URL scheme) works.
# ldapsearch -H ldap://hostname.tom.sfc.keio.ac.jp/ -x -b "" -s \
base -LLL -ZZ supportedSASLMechanisms
# ldapsearch -H ldaps://hostname.tom.sfc.keio.ac.jp/ -x -b "" -s \
base -LLL supportedSASLMechanisms
When you use ldap-utils, you have to force TLS with the -ZZ option. Furthermore, you have to specify LOGIN or PLAIN as the SASL authentication method.
$ ldapsearch -ZZ -Y LOGIN "(uid=hoge)"
In theory, -Y LOGIN could be omitted if we placed the following file in the home directory. However, it didn't work.
SASL_MECH LOGIN
# apt-get install libpam-ldap libpam-cracklib
host hostname.tom.sfc.keio.ac.jp
# The distinguished name of the search base.
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
TLS_CACERT /etc/ssl/cacert.pem
ssl start_tls
ldap_version 3
PAM caused us so many pitfalls that we decided to use symlinks. We made the following symbolic links, because we experienced far too much trouble without them.
# cd /etc
# cp -a pam.d pam.d.orig
# cp -a /usr/share/doc/libpam-ldap/examples/pam.d .
# mv pam.d pam.d.ldap
# ln -s pam.d.ldap pam.d
We configure sudo to use LDAP too.
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so
It's working. Many libpam-ldap examples require /lib/security/pam_pwdb.so, but Debian does not have this file; pam_unix.so appears to serve the same purpose. Anyway, it's working. We will survey this issue further.
# apt-get install libnss-ldap
# Your LDAP server. Must be resolvable without using LDAP.
host hostname.tom.sfc.keio.ac.jp
# The distinguished name of the search base.
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
TLS_CACERT /etc/ssl/cacert.pem
ssl start_tls
ldap_version 3
nss_base_passwd ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
nss_base_shadow ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
nss_base_group ou=Group,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
passwd: files ldap
group: files ldap
shadow: files ldap
It seems we cannot migrate netgroup and the automounter yet.
Add the following lines.
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/authldap.schema
Add the compat entries as below.
# vipw
+::::::          (add this line)
# vi /etc/group
+:::             (add this line)
# apt-get install migrationtools
# wget http://www.padl.com/download/MigrationTools.tgz
The current Debian version of migrationtools contains additional code that converts sn and other attributes to UTF-8; we had to turn it OFF because it did not seem to work well.
You may instead use the newest version, available from PADL.
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "tom.sfc.keio.ac.jp";
# Default base
$DEFAULT_BASE = "dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp";
$DEFAULT_MAIL_HOST = "mail.tom.sfc.keio.ac.jp";
# turn this on to support more general object classes
# such as person.
#$EXTENDED_SCHEMA = 0;
$EXTENDED_SCHEMA = 1;
$USE_UTF8 = 0;
We used the 'migration_all_nis_offline.sh' script for the migration. If you prefer, you can migrate each file manually, e.g. ./migrate_passwd.pl passwd > passwd.ldif
You have to comment out the lines you don't need in 'migration_all_nis_offline.sh' or 'migration_all_offline.sh'. We used only passwd, group and netgroup.
If we set $EXTENDED_SCHEMA and run migrate_passwd.pl, "objectClass: inetOrgPerson" and "objectClass: account" conflict because both are structural object classes. Furthermore, we added the mail and samba attributes because we will use them afterwards.
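The conflict just described is easy to catch before loading the LDIF. As an added example (not part of the original page or of the PADL tools), the following Python parses migration output and reports entries that carry two structural object classes that are not in one superclass chain. The schema table is a constructed excerpt limited to the classes this page uses, and the sample LDIF is constructed.

```python
from typing import Dict, List, Tuple

# Constructed excerpt of the schema: which classes are STRUCTURAL, which are
# AUXILIARY, and the SUP (superclass) chain. Only the classes used on this
# page are listed; it is not a complete schema.
STRUCTURAL = {"person", "organizationalPerson", "inetOrgPerson", "account"}
ABSTRACT = {"top"}
AUXILIARY = {"posixAccount", "shadowAccount", "sambaAccount", "qmailUser"}
SUP = {
    "inetOrgPerson": "organizationalPerson",
    "organizationalPerson": "person",
    "person": "top",
    "account": "top",
}

# Constructed sample: the first entry is what $EXTENDED_SCHEMA plus the
# 'account' class produces, the second is the repaired shape.
MIGRATED_LDIF = """\
dn: uid=hoge,ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
uid: hoge
cn: hoge
objectClass: account
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 1000
gidNumber: 80

dn: uid=fuga,ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
uid: fuga
cn: fuga
sn: fuga
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: qmailUser
uidNumber: 1001
gidNumber: 80
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines starting with a space. Sufficient for
    migration output; base64 ('::') values are left undecoded."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:   # folded line
            current[last][-1] += raw[1:]
            continue
        if raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        current.setdefault(name, []).append(value.strip())
        last = name
    if current:
        entries.append(current)
    return entries


def ancestors(cls: str) -> List[str]:
    """The class itself followed by its SUP chain up to top."""
    chain = [cls]
    while chain[-1] in SUP:
        chain.append(SUP[chain[-1]])
    return chain


def structural_conflicts(entry: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """An entry may have only one structural class chain. Two structural
    classes are compatible only if one is an ancestor of the other; any other
    pair is reported (this is the inetOrgPerson/account clash above)."""
    present = [c for c in entry.get("objectClass", []) if c in STRUCTURAL]
    clashes = []
    for i, a in enumerate(present):
        for b in present[i + 1:]:
            if b not in ancestors(a) and a not in ancestors(b):
                clashes.append((a, b))
    return clashes
```

Auxiliary classes such as posixAccount or qmailUser never take part in the check, which is why stacking them on inetOrgPerson is fine while adding account is not.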
You can get this modified version of migrate_passwd.pl from data/migrate_passwd.pl.
You can execute the script as follows.
# ./migration_all_nis_offline.sh
At this point you have migrated the data from NIS to LDAP. You can confirm it with the following command.
# ldapsearch "(uid=Your uid)"
password: Your password
You should confirm that /etc/exports works before following the instructions below.
References: NFS-Howto, Automount mini-Howto
# apt-get install autofs autofs-ldap
Add the following line to the file.
include /etc/ldap/schema/automount.schema
Here we show our domain's auto.ldif for reference.
dn: ou=auto.home,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
ou: auto.home
objectClass: top
objectClass: organizationalUnit

dn: cn=/,ou=auto.home,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
cn: /
objectClass: automount
automountInformation: -rw,intr,soft hostname:/exports/home/&

dn: ou=auto.share,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
ou: auto.share
objectClass: top
objectClass: organizationalUnit

dn: cn=project,ou=auto.share,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
cn: project
objectClass: automount
automountInformation: -rw,intr,soft hostname:/exports/project

dn: cn=system,ou=auto.share,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
cn: system
objectClass: automount
automountInformation: -rw,intr,soft hostname:/exports/system
We have to add the following lines to auto.master. We would rather keep auto.master in the LDAP database too, but the Debian startup script /etc/init.d/autofs only reads /etc/auto.master.
/share ldap:hostname:ou=auto.share,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp \
rsize=16384,wsize=16384
/home ldap:hostname:ou=auto.home,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp \
rsize=16384,wsize=16384
We have not succeeded with these settings yet, but we show the steps so far. autofs supports LDAP-based maps, but only on Linux. We also use FreeBSD/NetBSD/Solaris, so we want to make amd work.
$ apt-get source am-utils
(remove --without-ldap from debian/rules)
# apt-get build-dep am-utils
$ dpkg-buildpackage -us -uc
--- amd2ldif.orig 2003-08-12 22:45:13.000000000 +0900 +++ amd2ldif 2003-08-12 22:45:52.000000000 +0900 @@ -21,6 +21,7 @@ print "dn: cn=amdmap timestamp, $base\n"; printf "$tfmt", "cn", "amdmap timestamp"; printf "$tfmt", "objectClass", "amdMapTimestamp"; +printf "$tfmt", "amdMapName", $mapname; printf "$tfmt", "amdMapTimestamp", $time; print "\n";
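Review bot: the added `printf "$tfmt", "amdMapName", $mapname;` relies on `$mapname` already being set in amd2ldif; nothing in this hunk defines it, so confirm the name matches the script's existing map-name variable, otherwise the timestamp entry gets an empty amdMapName and the map lookup that keys on it will not find the entry. The header count (`+21,7` against `-21,6`) is consistent with the single inserted line.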
# LDAP parameters
ldap_base = dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
#ldap_cache_maxmem = 131072
#ldap_cache_seconds = 0
ldap_hostports = hostname:389
map_type = ldap
Our port usage for IMAP is 143 for TLS only and 993 for SSL only. We provide POP on port 995 (SSL). We would also like to provide POP with TLS on port 110, but the current courier-pop implementation cannot distinguish the two: while courier-imap applies REQUIRE_TLS only to port 143, courier-pop applies it to port 993 as well, so in practice no TLS connection is made. Is this a bug?
To support searching with the iso-2022-jp character encoding, we rebuilt the package (patch for 0.42.2).
diff -ruN courier-0.42.2.orig/debian/rules courier-0.42.2/debian/rules
--- courier-0.42.2.orig/debian/rules 2003-09-09 03:28:13.000000000 +0900
+++ courier-0.42.2/debian/rules 2003-09-09 03:31:00.000000000 +0900
@@ -69,4 +69,5 @@
--enable-userdb \
--enable-syslog=1 \
--enable-unicode \
+ --enable-unicode=iso-2022-jp,utf-8,iso-8859-1 \
--disable-root-check
check:
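Review bot: the new `--enable-unicode=iso-2022-jp,utf-8,iso-8859-1 \` is added below the existing `--enable-unicode \` instead of replacing it, so configure receives the option twice and the result depends on which occurrence the configure script honours last. Turn the original line into a `-` line so the hunk reads as one substitution and the intent (restricting the charset list) is unambiguous.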
$ apt-get source courier-imap
$ patch -p1 < courier.diff
$ dpkg-buildpackage -sgpg -rfakeroot
Install the following packages.
courier-base, courier-authdaemon, courier-doc, courier-imap, courier-imap-ssl, courier-ldap, courier-pop, courier-pop-ssl, courier-ssl
authmodulelist="authldap"
LDAP_SERVER localhost
LDAP_PORT 389
LDAP_BASEDN dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
LDAP_BINDDN cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
LDAP_BINDPW password
LDAP_MAIL mail
LDAP_DOMAIN tom.sfc.keio.ac.jp
LDAP_HOMEDIR homeDirectory
LDAP_CLEARPW userPassword
LDAP_UID uidNumber
LDAP_GID gidNumber
LDAP_TLS 1
# chmod 400 authldaprc
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT \
THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN AUTH=LOGIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN AUTH=LOGIN"
IMAPDSTART=YES
# cd /etc/ssl/certs
# openssl x509 -in hostnamecert.pem -out hostnamecert.crt
# cat ../private/hostnamekey.pem hostnamecert.crt > mail.pem
TLS_CERTFILE=/etc/ssl/certs/mail.pem
IMAP_TLS_REQUIRED=1
#POP3AUTH="CRAM-MD5 CRAM-SHA1"   # only when password-hash is CLEARTEXT
POP3AUTH=""
POP3AUTH_TLS="LOGIN PLAIN"
POP3DSTART=YES
TLS_CERTFILE=/etc/ssl/certs/mail.pem
To disable only courier-pop:
# update-rc.d -f courier-pop remove
Apply the following patches.
qmail-ldap-1.03-20030801b.patch.gz
smtp-auth-20030801.patch
qmail-date-localtime.patch
# apt-get install qmail-src
# cd /usr/src/qmail-src
# tar xvzf qmail_1.03.orig.tar.gz
# cd qmail-1.03
# zcat ../qmail-ldap-1.03-20030801b.patch.gz | patch -p1
# patch -p1 < ../smtp-auth-20030801.patch
(check Makefile.rej and fix the hunks that failed)
# patch -p1 < ../qmail-date-localtime.patch
The next step is to apply the Debian patches. We recommend doing so even if you're not using Debian, because they include a lot of useful fixes.
# zcat ../qmail_1.03-27.diff.gz | patch -p1
Fix the conflicting lines. You can ignore qmail-smtpd.rej entirely (qmail-ldap seems to implement the same fixes with different code).
# chmod 755 debian/rules
Adjust Makefile and qmail-ldap.h to the target environment.
LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS \
-DALTQUEUE -DDATACOMPRESS
SMTPAUTH=-DUSE_SMTPAUTH -DUSE_OLD_GREETING -DUSE_NEW_GREETING
SMTPAUTHOBJS=base64.o
SMTPAUTHINCLUDES=base64.h
LDAPLIBS=-L/usr/lib -lldap -llber
LDAPINCLUDES=-I/usr/include
ZLIB=-lz
TLS=-DTLS_REMOTE -DTLS_SMTPD
TLSINCLUDES=-I/usr/include
TLSLIBS=-L/usr/lib -lssl -lcrypto
OPENSSLBIN=/usr/bin/openssl
SHADOWLIBS=-lcrypt
DEBUG=-DDEBUG
#define UID_MAX 5000000
#define GID_MIN 80
Add auth_imap and the other binaries to debianize-binary-tree.
case `basename $1` in
elq|pinq|qail|qlist2|digest|auth_imap|auth_pop|auth_smtp) echo usr/bin;;
datemail|predate|qmail-home|qsmhook|sendmail|pbsadd|pbscheck|pbsdbd|qmail-ldaplookup|qmail-quotawarn|qmail-reply|qmail-todo) echo usr/sbin;;
Add the documents, QLDAPINSTALL and others, to debian/docs.
Modify debian/rules to install qmail.schema into /etc/ldap/schema and /usr/share/doc/qmail.
We made an experimental patch that includes the above steps.
You have to install ucspi-tcp, which qmail requires.
# apt-get install ucspi-tcp-src
# cd /usr/src/ucspi-tcp-src
# build-ucspi-tcp
# cat > ldapserver
hostname.tom.sfc.keio.ac.jp
# cat > ldapbasedn
dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
# cat > ldapobjectclass
qmailUser
# cat > ldaplogin
cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
# cat > ldappassword
password
# chmod 600 ldappassword
To configure TLS, refer to TLS.readme. Here we use the certificate file we created for the courier configuration.
# ln -s /etc/ssl/certs/mail.pem /var/qmail/control/cert.pem
127.0.0.1:allow,RELAYCLIENT=""
xxx.xxx.xxx.:allow,RELAYCLIENT=""
:allow
# tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
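The tcp.smtp rules above decide which clients may relay: qmail-smtpd relays only when tcpserver has put RELAYCLIENT into its environment from the matching rule. As an added example (not code from the original page or from ucspi-tcp), the following Python models tcpserver's rule lookup so a rules file can be audited offline, including the check that the default rule does not hand out RELAYCLIENT. The rules text is a constructed copy of the page's file with the masked network written as a private prefix; the function names are this example's own.

```python
from typing import Dict, Optional, Tuple

# Constructed copy of /etc/tcp.smtp from above, with the masked network
# written as a concrete private prefix so the example can run.
TCP_SMTP = """
127.0.0.1:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
"""

Rule = Tuple[str, Dict[str, str]]   # (allow|deny, environment to set)


def parse_tcprules(text: str) -> Dict[str, Rule]:
    """Parse tcprules source: one 'address:action[,NAME="value",...]' per line.
    The address may be a full IP, a dotted prefix ending in '.', or empty
    (the default rule)."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, action = line.partition(":")
        verb, _, env_part = action.partition(",")
        env: Dict[str, str] = {}
        for item in filter(None, env_part.split(",")):
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (verb, env)
    return rules


def lookup(rules: Dict[str, Rule], ip: str) -> Optional[Rule]:
    """Mimic tcpserver's lookup order: the full address first, then the
    prefixes 'a.b.c.', 'a.b.', 'a.', and finally the empty default key.
    The first key present wins, so a specific entry overrides a broad one."""
    parts = ip.split(".")
    keys = [ip] + [".".join(parts[:n]) + "." for n in range(3, 0, -1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return None


def may_connect(rules: Dict[str, Rule], ip: str) -> bool:
    rule = lookup(rules, ip)
    return rule is not None and rule[0] == "allow"


def may_relay(rules: Dict[str, Rule], ip: str) -> bool:
    """qmail-smtpd relays for a client only when RELAYCLIENT is present in
    its environment, which tcpserver sets from the matching rule."""
    rule = lookup(rules, ip)
    return rule is not None and rule[0] == "allow" and "RELAYCLIENT" in rule[1]


def default_rule_relays(rules: Dict[str, Rule]) -> bool:
    """Audit check: a default (empty-address) rule that sets RELAYCLIENT turns
    the host into an open relay for every address not listed explicitly."""
    rule = rules.get("")
    return rule is not None and "RELAYCLIENT" in rule[1]
```

Run default_rule_relays() on the source file before every `tcprules` rebuild; the cdb itself is not readable by eye, and a stray RELAYCLIENT on the `:allow` line is the classic way a qmail host becomes an open relay.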
Configure only qmail and qmail-smtp, because we leave the POP service to courier.
It looks like svtools is only available in unstable. If you're using testing, you should configure an apt pin.
PLEASE READ THE daemontools DOCUMENTATION BEFORE INSTALLATION! Especially if you don't know how to stop services and you misconfigure something, qmail may restart periodically or spawn far too many processes.
Change the owner and permissions of the ldappassword file so that qmail can read it.
# chown qmaild:qmail ldappassword
# chmod 640 ldappassword
# apt-get install daemontools-installer
# cd /usr/src/daemontools-installer
# build-daemontools
# apt-get install svtools qmail-sv qmail-sv-smtp
# tai64nlocal < /service/qmail/log/main/current
The following configuration is for SMTP-AUTH under daemontools. Add /usr/bin/auth_smtp and /bin/true as arguments to qmail-smtpd.
#!/bin/sh
exec 2>&1
exec envdir ./env sh -c '
    exec /usr/bin/softlimit -m $MEMORYLIMIT \
        /usr/bin/envuidgid qmaild \
        /usr/bin/tcpserver -UHRDv -x /etc/tcp.smtp.cdb $IP smtp \
        /usr/sbin/qmail-smtpd /usr/bin/auth_smtp /bin/true
'
If you use POP, replace /usr/bin/checkpassword with /usr/bin/auth_pop.
#!/bin/sh
exec 2>&1
exec envdir ./env sh -c '
    exec /usr/bin/envuidgid qmaild \
        /usr/bin/tcpserver -HRDv -x /etc/tcp.pop3.cdb $IP pop-3 \
        /usr/sbin/qmail-popup `hostname -f` \
        /usr/bin/auth_pop \
        /usr/sbin/qmail-pop3d Maildir
'
# echo "<log level number>" >> /service/qmail-smtp/env/LOGLEVEL
If you get errors like "auth_smtp: unable to dlopen /usr/lib/sasl2/libntlm.so.2: libcrypto.so.0.9.7: failed to map segment from shared object: Cannot allocate memory" in /var/log/auth.log or qmail-smtp/log/main/current, qmail-smtp needs more memory. This is because LDAP and qmail-scanner (described later) consume a large amount of memory.
In that case, adjust MEMORYLIMIT as described below: decrease it stepwise and find the marginal amount that still produces no errors.
# echo "8000000" > /service/qmail-smtp/env/MEMORYLIMIT
To use pbs4q with the IPv6 patch:
$ cp ../pbs4q_su.c ../pbs4qimap.c ../Makefile .
$ make
# make install
Add pbs4q to courier's authlib.
# cd /usr/lib/courier/authlib
# ln -s /usr/local/bin/pbs4q1 .
# ln -s /usr/local/bin/pbs4qimap .
Add each to the end of AUTHMODULES in imapd and pop3d.
AUTHMODULES="authdaemon pbs4qimap"
AUTHMODULES_ORIG="authdaemon pbs4qimap"
AUTHMODULES="authdaemon pbs4q1"
AUTHMODULES_ORIG="authdaemon pbs4q1"
authdaemon pbs4q1 pbs4qimap
Apply the following patch to qmail-smtpd/run.
--- run.old 2003-09-15 02:53:50.000000000 +0900
+++ run 2003-09-15 02:53:27.000000000 +0900
@@ -4,5 +4,5 @@
exec /usr/bin/softlimit -m $MEMORYLIMIT \
/usr/bin/envuidgid qmaild \
/usr/bin/tcpserver -UHRDv -x /etc/tcp.smtp.cdb $IP smtp \
- /usr/sbin/qmail-smtpd /usr/bin/auth_smtp /bin/true
+ /usr/local/bin/pbs4q2_smtp /usr/sbin/qmail-smtpd /usr/bin/auth_smtp \
/bin/true
'
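Review bot: the continuation line `/bin/true` carries no `+` prefix although it exists only in the new version (the removed line ended with `/bin/true` on the same line), and the header `@@ -4,5 +4,5 @@` does not account for the extra line, so this patch will not apply as shown; regenerate it with `diff -u run.old run`. Since `/usr/local/bin/pbs4q2_smtp` now sits in front of qmail-smtpd in the exec chain, a failure to start it takes SMTP down entirely, so check the service log after the change.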
$ crontab -e
# run pbs4qclean_su every hour
0 * * * * /usr/local/bin/pbs4qclean_su
Do not forget to execute
# svc -dx /service/qmail-smtpd
# apt-get install maildrop perl-suid unzip sharutils clamav \
clamav-freshclam
Time::HiRes is available with perl-5.8.0.
Qmail-Scanner: Content-Scanner for Qmail
We found 1.20rc3, so we installed it from source.
# cd qmail-scanner-1.20rc3
# ./configure --bindir /usr/local/sbin \
--domain tom.sfc.keio.ac.jp --log-details syslog
# make
# make install
# contrib/test_installation -doit
Add QMAILQUEUE.
# echo "/usr/local/sbin/qmail-scanner-queue.pl" > \
/service/qmail-smtp/env/QMAILQUEUE
http://www.italpro.net/mb/soft/qmhandle.html
# install -o root -g qmail -m 755 qmHandle /usr/local/bin
To support clients that only speak smtps (Winbiff2, etc.), we enable smtps. To configure couriertls we referred to the document "IPv6 + TLS + SMTP-AUTH + POP3S + IMAPS by qmail".
Copy the qmail-smtp service configuration as the basis: copy the contents of /etc/sv/qmail-smtp into /etc/sv/qmail-smtps. Be careful with the file permissions; /etc/sv/qmail-smtps/log/main is a symbolic link to /var/log/sv/qmail-smtps.
#!/bin/sh
exec 2>&1
exec envdir ./env sh -c '
exec /usr/bin/softlimit -m $MEMORYLIMIT \
/usr/bin/envuidgid qmaild \
/usr/bin/tcpserver -UHRDv -x /etc/tcp.smtp.cdb $IP smtps \
/usr/bin/couriertls -server -tcpd \
/usr/local/bin/pbs4q2_smtp /usr/sbin/qmail-smtpd /usr/bin/auth_smtp \
/bin/true
'
# touch /etc/sv/qmail-smtps/env/ALLOWPLAIN
# echo /var/qmail/control/cert.pem > /etc/sv/qmail-smtps/env/TLS_CERTFILE
# echo SSL3 > /etc/sv/qmail-smtps/env/TLS_PROTOCOL
# echo TLS1 > /etc/sv/qmail-smtps/env/TLS_STARTTLS_PROTOCOL
# echo NONE > /etc/sv/qmail-smtps/env/TLS_VERIFYPEER
This chapter describes Samba with LDAP. Refer to the document at Miracle Linux.
Download smbldap-tools from the IDEALX contributions to the Samba project.
# wget http://www.idealx.org/prj/samba/dist/smbldap-tools-0.7.tgz
# tar xvzf smbldap-tools-0.7.tgz
# cd smbldap-tools-0.7
# tar xvzf mkntpwd.tar.gz
# cd mkntpwd
# make
# make install
# cd ../
# cp *.pl /usr/local/sbin/
# cp *.pm /etc/perl/
According to the INSTALL document, we have to change the permission of smbldap_conf.pm to 753. However, the bind password has to be written in smbldap_conf.pm. Note: I dislike this permission on smbldap_conf.pm.
$UID_START = 0;
$GID_START = 0;
$suffix = "dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp";
$usersou = q(People);
$groupsou = q(Group);
$binddn = "cn=admin,$suffix";
$bindpasswd = "password";
$_userLoginShell = q(/usr/local/bin/tcsh);
$_userHomePrefix = q(/home/);
$_defaultUserGid = 80;
$_userHomeDrive = q(U:);
#access to attribute=userPassword,lmPassword,ntPassword
by dn="cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp" write
by anonymous auth
by self write
by * none
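The access clause above is what keeps the password attributes out of anonymous and other users' hands while still letting simple binds and self-service password changes work. As an added example (not code from the original page or from OpenLDAP), the following Python models slapd's first-matching-clause evaluation for exactly these four `by` lines so the effect of their order can be checked. The DN handling and the level list are simplified assumptions of this example.

```python
from typing import List, Optional, Tuple

# OpenLDAP access levels, lowest to highest. Granting a level implies every
# lower one: write implies read, read implies search, and so on down to auth.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The 'access to attrs=userPassword,lmPassword,ntPassword' clause above,
# transcribed as (who, level) pairs in file order.
ADMIN_DN = "cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
PASSWORD_ACL: List[Tuple[str, str]] = [
    ("dn=" + ADMIN_DN, "write"),
    ("anonymous", "auth"),
    ("self", "write"),
    ("*", "none"),
]


def who_matches(who: str, requester: Optional[str], target: str) -> bool:
    """Does a 'by <who>' selector apply to this requester (None = anonymous)
    acting on the entry 'target'? DN comparison is simplified to a
    case-insensitive string match for this example."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported selector: {who}")


def granted_level(acl: List[Tuple[str, str]], requester: Optional[str],
                  target: str) -> str:
    """slapd stops at the first 'by' clause whose selector matches, so clause
    order matters; that clause's level is what the requester gets."""
    for who, level in acl:
        if who_matches(who, requester, target):
            return level
    return "none"            # no clause matched: default is no access


def allowed(acl: List[Tuple[str, str]], requester: Optional[str],
            target: str, needed: str) -> bool:
    """True when the granted level is at least what the operation needs
    (a simple bind needs 'auth'; returning the value in a search needs 'read')."""
    return LEVELS.index(granted_level(acl, requester, target)) >= LEVELS.index(needed)
```

The `by anonymous auth` line is what makes simple binds possible at all: the not-yet-authenticated client needs auth-level access to have its password compared, but nothing more, so an anonymous ldapsearch still cannot read the hashes. Moving `by * none` above `by self write` would silently break the smbldap-passwd.pl step that follows.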
# /usr/local/sbin/smbldap-passwd.pl
It is a success if you can change the password.
# /usr/local/sbin/smbldap-populate.pl
Get the source of samba-ja.
$ apt-get source samba-ja
$ patch -p0 < rules.diff
$ cd samba-ja-2.2.8aja1.0+0
$ debchange -v 2.2.8aja1.0-1.HOGE.1
$ dpkg-buildpackage -sgpg -rfakeroot
--- rules.orig 2003-09-09 21:48:24.000000000 +0900
+++ rules 2003-09-09 21:39:22.000000000 +0900
@@ -60,1 +60,1 @@
fi
# [ -f source/Makefile ] || (cd source && ./configure --with-fhs \
--prefix=/usr --exec-prefix=/usr --with-netatalk --with-smbmount \
--with-pam --with-syslog --with-sambabook --with-utmp)
- [ -f source/Makefile ] || (cd source && ./configure \
--host=$(DEB_HOST_GNU_TYPE)-gnu --build=$(DEB_BUILD_GNU_TYPE)-gnu \
--with-fhs --prefix=/usr --sysconfdir=/etc --with-privatedir=/etc/samba \
--with-lockdir=/var/state/samba --localstatedir=/var --with-netatalk \
--with-smbmount --with-pam --with-syslog --with-sambabook --with-utmp \
--with-readline --with-pam_smbpass --with-i18n-swat)
+ [ -f source/Makefile ] || (cd source && ./configure \
--host=$(DEB_HOST_GNU_TYPE)-gnu --build=$(DEB_BUILD_GNU_TYPE)-gnu \
--with-fhs --prefix=/usr --sysconfdir=/etc --with-privatedir=/etc/samba \
--with-lockdir=/var/state/samba --localstatedir=/var --with-netatalk \
--with-smbmount --with-pam --with-syslog --with-sambabook --with-utmp \
--with-readline --with-pam_smbpass --with-i18n-swat --with-ldapsam)
touch configure-stamp
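Review bot: the hunk header `@@ -60,1 +60,1 @@` claims a one-line change, but the body shows multi-line `-` and `+` blocks whose continuation lines carry no prefix, so `patch -p0 < rules.diff` (as run above) cannot apply this as shown; regenerate it with `diff -u`. The only real change is appending `--with-ldapsam` to the configure arguments, which is worth stating in the surrounding prose so readers of the patch know what to look for.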
smb.conf is long, so this section covers only the LDAP-related settings.
ldap admin dn = cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
#ldap filter = (&(uid=%u)(objectclass=sambaAccount))
ldap port = 389
ldap server = hostname.tom.sfc.keio.ac.jp
ldap ssl = on
ldap suffix = dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
The password for the admin DN is stored in /etc/samba/secrets.tdb.
# smbpasswd -w password
It is OK if the Samba share can be mounted.
# smbmount //NETBIOS NAME/user /mnt -o \
username=user,password=password
Todo
unix password sync = yes
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *New* %n\n *Retype* %n\n *success*
add user script = /usr/local/sbin/smbldap-useradd.pl %u
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
os level = 64
domain master = yes
prefered master = yes
local master = yes
domain admin group = " @"Domain Admin" "
wins support = yes
domain logons = yes
[netlogon]
comment = Network Logon Service
path = /var/samba/netlogon
# guest ok = yes
# writable = no
# share modes = no
admin users = Administrator
write list = Administrator
[Profiles]
path = /var/samba/profiles
writeable = yes
browseable = no
create mode = 0600
directory mode = 0700
# guest ok = yes
Refer to http://ie.samba.org/samba/ftp/beta/WHATSNEW-samba-3.0.0beta3.txt
Note: this does not work!
Many attributes have changed since samba-3.0. I should survey samba-3.0.
passdb backend = ldapsam:ldap://localhost
ldap admin dn = "cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
ldap ssl = off
ldap suffix = "dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap filter = "(&(uid=*%u*)(objectclass=sambaSamAccount))"
LDAP authentication module for Apache 2.x
Refer to /etc/apache2/README.
On Debian the Apache configuration is split into many files; apache2.conf includes all of them:
/etc/apache2/mods-enabled/*.load
/etc/apache2/mods-enabled/*.conf
/etc/apache2/sites-enabled/*
/etc/apache2/conf.d/*
/etc/apache2/ports.conf
/etc/apache2/httpd.conf
LoadModule hoge_fuga.so
Download the source code from http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.tar.gz.
# apt-get install apache2-dev
# cd /usr/local/src/modauthldap_apache2
# ./configure --with-ldap-dir=/usr --with-apxs=/usr/bin/apxs2
# make
# cd /usr/local/src/modauthldap_apache2
# cp .lib/mod_auth_ldap.so \
/usr/lib/apache2/modules/mod_auth_ldap_muquit.so
LoadModule auth_ldap_module \
/usr/lib/apache2/modules/mod_auth_ldap_muquit.so
<Directory /hoge/fuga>
AuthName "Required Password"
AuthType Basic
<IfModule mod_auth_ldap.c>
LDAP_Server kencho.tom.sfc.keio.ac.jp
LDAP_Port 389
Base_DN "dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
UID_Attr uid
LDAP_StartTLS On
</IfModule>
require valid-user
</Directory>
% ln -s /etc/apache2/mods-available/ssl.* /etc/apache2/mods-enabled/
<IfModule mod_ssl.c>
SSLSessionCache shm:/var/log/apache2/ssl_scache(128000)
SSLMutex file:/var/log/apache2/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
ErrorLog /var/log/apache2/ssl.log
LogLevel info
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>
<VirtualHost 133.27.175.5:443>
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/kenchokey.pem
SSLCertificateFile /etc/ssl/certs/kenchocert.crt
SSLCACertificateFile /etc/ssl/cacert.pem
SSLCARevocationFile /etc/ssl/crl/kencho-ca.crl
...
</VirtualHost>
<VirtualHost 133.27.175.5:80>
...
<Directory /share/project/0/WWW/htdocs/mrtg>
SSLRequireSSL
</Directory>
<Directory /share/project/0/WWW/htdocs/wiki>
SSLRequireSSL
</Directory>
...
</VirtualHost>
HTTPS access log is written to /var/log/apache2/ssl.log.
This chapter shows how to set up the client environment on several operating systems.
Copy the server CA certificate, saved as /etc/ssl/cacert.pem, to use TLS.
# apt-get install ldap-utils libsasl2-modules openssl
BASE dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
HOST hostname.tom.sfc.keio.ac.jp
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
TLS_CACERT /etc/ssl/cacert.pem
Examine your configuration with the following 5 steps. If a step fails, check your server and client settings.
1st: simple authentication
2nd: SASL support
3rd: authentication using SASL (if you test as root, specify your user name with the -U option)
4th: authentication with TLS (ldap scheme)
5th: authentication with SSL (ldaps scheme)
$ ldapsearch -x "(cn=admin)"
$ ldapsearch -LLL -s base -b "" -x supportedSaslMechanisms
$ ldapsearch -Y LOGIN "(cn=admin)"
$ ldapsearch -H ldap://hostname.tom.sfc.keio.ac.jp/ -x -b "" -s \
base -LLL -ZZ supportedSASLMechanisms
$ ldapsearch -H ldaps://hostname.tom.sfc.keio.ac.jp/ -x -b "" -s \
base -LLL supportedSASLMechanisms
% apt-get install libpam-ldap libpam-cracklib libpam-pwdfile
host hostname.tom.sfc.keio.ac.jp
# The distinguished name of the search base.
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
TLS_CACERT /etc/ssl/cacert.pem
ssl start_tls
ldap_version 3
If you want to use specific password hashing schemes, don't specify pam_password in pam_ldap.
Storing the pam configuration directly in /etc/pam.d can cause many troubles. I recommend storing it in another directory and linking that to /etc/pam.d.
% cd /etc
% cp -a pam.d pam.d.orig
% cp -a /usr/share/doc/libpam-ldap/examples/pam.d .
% mv pam.d pam.d.ldap
% ln -s pam.d.ldap pam.d
Write following lines in /etc/pam.d/sudo to run sudo with LDAP authentication.
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so
% apt-get install libnss-ldap nscd
You can configure it with debconf. If you want to write it by hand, put the following lines into /etc/libnss_ldap.conf.
# Your LDAP server. Must be resolvable without using LDAP.
host hostname.tom.sfc.keio.ac.jp
# The distinguished name of the search base.
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
TLS_CACERT /etc/ssl/cacert.pem
ssl start_tls
ldap_version 3
nss_base_passwd ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
nss_base_shadow ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
nss_base_group ou=Group,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
Leave the NIS configuration in place as a fallback. If you don't use NIS, you can skip it.
passwd: files ldap nis
group: files ldap nis
shadow: files ldap nis
Edit /etc/passwd and /etc/group as for an NIS configuration.
# vipw
+::::::
# vi /etc/group
+:::
First, compile the kernel with autofs v4 support.
# apt-get install autofs autofs-ldap
/share ldap hostname:ou=auto.share,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
/home ldap hostname:ou=auto.home,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
# /etc/init.d/autofs restart
amd cannot use LDAP. If you want to use amd, you have to set up an NIS server.
# apt-get install am-utils
Answer no to all the debconf questions, then set
/home amd.home /share amd.share
in "other kinds of maps".
The following configuration will be generated.
AM_UTILS_USE_NIS='false'
AM_UTILS_MAP_OTHERS='/home amd.home /share amd.share'
[global]
auto_dir = /amd
log_file = syslog
log_options = all,noinfo,nostats,nomap
restart_mounts = yes
unmount_on_exit = yes
vendor = Debian
ldap-utils on woody doesn't support TLS or SASL2. Rebuild the deb package to support them.
# apt-get build-dep ldap-utils
# apt-get source ldap-utils
# apt-get install libsasl2-dev libssl-dev
--- debian/rules.orig Mon Sep 15 02:26:13 2003
+++ debian/rules Mon Sep 15 02:26:19 2003
@@ -15,7 +15,7 @@
--enable-multimaster --enable-phonetic --enable-rlookups \
--enable-wrappers --enable-dynamic --disable-dnssrv \
--enable-ldap --enable-ldbm --enable-shell --enable-sql \
- --enable-slurpd --enable-shared --without-tls \
+ --enable-slurpd --enable-shared --with-tls \
--prefix=/usr --localstatedir=/var/lib \
--sysconfdir=/etc --libexecdir='$${prefix}'/sbin \
--mandir='$${prefix}'/share/man --with-subdir=ldap
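Review bot: the text says the rebuild is to gain TLS and SASL2 support, but the hunk only flips `--without-tls` to `--with-tls`; no SASL option appears among the visible configure arguments, so SASL support depends on configure auto-detecting the libsasl2-dev installed in the previous step. Check the configure summary (or pass an explicit SASL option) before installing the rebuilt packages, otherwise the `-Y PLAIN` test below will fail for a reason unrelated to the server.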
# dpkg -i ../ldap-utils* ../libldap2* # apt-get install sasl-bin libsasl-modules-plain
Examine your configuration. In the third test, specify -Y PLAIN instead of -Y LOGIN, because the -Y LOGIN option is not supported.
Make the NFS client configuration.
# apt-get install portmap
# rpcinfo -p nfsserver
# mount -t nfs nfsserver:/mountpoint /mnt
Fetch the source code from testing/unstable and build the deb package yourself, because autofs-ldap on woody has a bug. I can't find a package on http://www.apt-get.org.
# apt-get install devscripts
# apt-get build-dep autofs
# debuild
Make the same configuration as written for testing/unstable (see the testing/unstable configuration).
http://www.freebsd.org/releases/5.1R/annouce.html
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
You can use NSS in 5.1 or higher.
Copy the server certificate, saved as /etc/ssl/cacert.pem, so that TLS can be used.
Upgrade the ports tree and install the following programs. Enable SASLAUTHD in the cyrus-sasl port configuration.
# cd /usr/ports/security/openssl
# make -DOPENSSL_OVER_WRITE install
# cd /usr/ports/net/openldap21-client
# make -DWITH_SASL install
BASE dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
HOST hostname.tom.sfc.keio.ac.jp
SASL_SECPROPS none
SASL_REALM TOM.SFC.KEIO.AC.JP
TLS_CACERT /etc/ssl/cacert.pem
Examine your configuration. See the Debian testing/unstable section.
# cd /usr/ports/security/pam_ldap
# make install
# cd /usr/local/etc
# cp ldap.conf.dist ldap.conf
Write the pam and nss configuration in /usr/local/etc/ldap.conf.
host hostname.tom.sfc.keio.ac.jp
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
nss_base_shadow ou=People,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
nss_base_group ou=Group,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp?one
ssl start_tls
tls_cacertfile /etc/ssl/cacert.pem
sasl_secprops none
sasl_realm TOM.SFC.KEIO.AC.JP
# vipw
+:::::::::
# vi /etc/group
+:*::
I've written pam configuration files for FreeBSD-5.1: pam.d.tar.gz, pam.d.diff.
diff -ruN pam.d.orig/ftp pam.d/ftp --- pam.d.orig/ftp Fri Sep 12 02:37:37 2003 +++ pam.d/ftp Fri Sep 12 02:36:36 2003 @@ -10,10 +10,12 @@ auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so +account sufficient pam_ldap.so account required pam_unix.so # session diff -ruN pam.d.orig/gdm pam.d/gdm --- pam.d.orig/gdm Fri Sep 12 02:37:37 2003 +++ pam.d/gdm Fri Sep 12 02:39:21 2003 @@ -8,10 +8,12 @@ auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so +account sufficient pam_ldap.so account required pam_unix.so # session diff -ruN pam.d.orig/imap pam.d/imap --- pam.d.orig/imap Fri Sep 12 02:37:37 2003 +++ pam.d/imap Fri Sep 12 02:39:42 2003 @@ -8,4 +8,5 @@ #auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass diff -ruN pam.d.orig/kde pam.d/kde --- pam.d.orig/kde Fri Sep 12 02:37:37 2003 +++ pam.d/kde Fri Sep 12 02:35:44 2003 
@@ -8,12 +8,15 @@ auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so +account sufficient pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so +session sufficient pam_ldap.so session required pam_permit.so diff -ruN pam.d.orig/login pam.d/login --- pam.d.orig/login Fri Sep 12 02:37:37 2003 +++ pam.d/login Sat Sep 13 00:43:39 2003 @@ -11,12 +11,14 @@ auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account #account required pam_krb5.so account required pam_login_access.so account required pam_securetty.so +account sufficient pam_ldap.so account required pam_unix.so # session @@ -25,4 +27,5 @@ # password #password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass +password sufficient pam_ldap.so no_warn try_first_pass +password sufficient pam_unix.so no_warn try_first_pass diff -ruN pam.d.orig/other pam.d/other --- pam.d.orig/other Fri Sep 12 02:37:37 2003 +++ pam.d/other Fri Sep 12 02:41:55 2003 @@ -10,10 +10,12 @@ auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so +account sufficient pam_ldap.so account required pam_login_access.so account required pam_unix.so diff -ruN pam.d.orig/passwd pam.d/passwd --- pam.d.orig/passwd Fri Sep 12 02:37:37 2003 +++ pam.d/passwd Fri Sep 12 21:58:32 2003 
@@ -8,4 +8,5 @@ # password #password requisite pam_passwdqc.so enforce=users +password required pam_ldap.so password required pam_unix.so no_warn try_first_pass nullok diff -ruN pam.d.orig/pop3 pam.d/pop3 --- pam.d.orig/pop3 Fri Sep 12 02:37:37 2003 +++ pam.d/pop3 Fri Sep 12 02:43:15 2003 @@ -8,4 +8,5 @@ #auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass diff -ruN pam.d.orig/rexecd pam.d/rexecd --- pam.d.orig/rexecd Fri Sep 12 02:37:37 2003 +++ pam.d/rexecd Fri Sep 12 02:44:07 2003 @@ -6,10 +6,12 @@ # auth auth required pam_nologin.so no_warn +auth sufficient pam_ldap.so no_warn auth required pam_unix.so no_warn use_first_pass # account account required pam_ftpusers.so no_warn disallow +account sufficient pam_ldap.so no_warn account required pam_unix.so no_warn # session diff -ruN pam.d.orig/rsh pam.d/rsh --- pam.d.orig/rsh Fri Sep 12 02:37:37 2003 +++ pam.d/rsh Fri Sep 12 02:45:37 2003 @@ -9,6 +9,7 @@ auth required pam_rhosts.so no_warn # account +account sufficient pam_ldap.so account required pam_unix.so # session diff -ruN pam.d.orig/sshd pam.d/sshd --- pam.d.orig/sshd Fri Sep 12 02:37:37 2003 +++ pam.d/sshd Sat Sep 13 00:37:43 2003 @@ -10,10 +10,12 @@ auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so +account sufficient pam_ldap.so account required pam_login_access.so account required pam_unix.so 
@@ -23,4 +25,5 @@ # password #password sufficient pam_krb5.so no_warn try_first_pass +password required pam_ldap.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass diff -ruN pam.d.orig/su pam.d/su --- pam.d.orig/su Fri Sep 12 02:37:37 2003 +++ pam.d/su Sat Sep 13 00:37:59 2003 @@ -12,10 +12,12 @@ auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self #auth required pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account #account required pam_krb5.so +account sufficient pam_ldap.so account required pam_unix.so # session diff -ruN pam.d.orig/telnetd pam.d/telnetd --- pam.d.orig/telnetd Fri Sep 12 02:37:37 2003 +++ pam.d/telnetd Fri Sep 12 21:58:10 2003 @@ -10,11 +10,13 @@ auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so account required pam_login_access.so +account sufficient pam_ldap.so account required pam_unix.so # session @@ -23,4 +25,5 @@ # password #password sufficient pam_krb5.so no_warn try_first_pass +password required pam_ldap.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass diff -ruN pam.d.orig/xdm pam.d/xdm --- pam.d.orig/xdm Fri Sep 12 02:37:37 2003 +++ pam.d/xdm Fri Sep 12 02:50:38 2003 @@ -8,6 +8,7 @@ auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account @@ -16,4 +17,5 @@ # session #session required pam_ssh.so want_agent +session sufficient pam_ldap.so want_agent session required pam_permit.so
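Review bot: in the pam.d/login hunk the password stack becomes `+password sufficient pam_ldap.so no_warn try_first_pass` followed by `+password sufficient pam_unix.so no_warn try_first_pass`, with the only `required` entry removed, so no module decides the outcome when both fail; the pam.conf header quoted later on this page warns that each final entry must say required, so keep pam_unix.so as required there. The password stacks are also inconsistent across services: the sshd, telnetd and passwd hunks add `+password required pam_ldap.so`, which makes a password change succeed only if both LDAP and the local database accept it and fails for any user present in just one of them; `sufficient pam_ldap.so` followed by `required pam_unix.so` gives one policy for all of them.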
# cd /usr/ports/net/nss_ldap
# make install
Symlink the pam configuration to /etc/ldap.conf, because the nsswitch configuration has to be read from there.
# ln -s /usr/local/etc/ldap.conf /etc/
Put the following lines into /etc/nsswitch.conf.
passwd: files ldap nis
group: files ldap nis
shadow: files ldap nis
hosts: files dns
Edit /etc/passwd and /etc/group as you would for a NIS configuration.
nis_client_enable="YES"
nisdomainname="hogehoge"
amd_enable="YES"
amd_flags="-a /.amd_mnt -l syslog /home amd.home /share amd.share"
# cat `cat /var/run/amd.pid`
Log in and cd to your home directory. If that fails, check the amd status with amq.
# amq -ms
Use PAM and NIS, because FreeBSD 4.x does not have NSS.
Add '-I$(top_srcdir)/sasldb' to the INCLUDES line of cyrus-sasl2/work/lib/Makefile so that it compiles (2003/09/12).
# cd /usr/ports/security/pam_ldap
# make install
# ln -s /usr/local/lib/pam_ldap.so /usr/lib/
# cd /usr/local/etc
# cp ldap.conf.dist ldap.conf
Put the following lines into /usr/local/etc/ldap.conf.
host hostname.tom.sfc.keio.ac.jp
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
ldap_version 3
pam_filter objectclass=posixAccount
ssl start_tls
tls_cacertfile /etc/ssl/cacert.pem
sasl_secprops none
sasl_realm TOM.SFC.KEIO.AC.JP
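Added example, not from the original page or from nss_ldap: a small checker for the TLS/SASL combination the ldap.conf files on this page rely on (StartTLS with a CA certificate, LDAPv3, and sasl_secprops none, which per ldap.conf(5) clears the default noanonymous,noplain restrictions and is therefore only acceptable under TLS). The sample text is the FreeBSD 4.x client config above; the finding messages are my own wording.

```python
# ldap_conf_check.py: check the TLS/SASL settings of a pam_ldap/nss_ldap style
# ldap.conf. Added example, not part of the original page or of nss_ldap.
# SAMPLE_LDAP_CONF is the page's FreeBSD 4.x /usr/local/etc/ldap.conf.

from typing import Dict, List

SAMPLE_LDAP_CONF = """\
host hostname.tom.sfc.keio.ac.jp
base dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp
ldap_version 3
pam_filter objectclass=posixAccount
ssl start_tls
tls_cacertfile /etc/ssl/cacert.pem
sasl_secprops none
sasl_realm TOM.SFC.KEIO.AC.JP
"""

# ldap.conf keys are case-insensitive; the page also mixes the OpenLDAP
# spelling TLS_CACERT with the nss_ldap spelling tls_cacertfile.
ALIASES = {"tls_cacert": "tls_cacertfile"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return {key: value} with keys lower-cased and aliases folded."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        conf[ALIASES.get(key, key)] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the combination is sound."""
    findings: List[str] = []
    ssl_mode = conf.get("ssl", "").lower()
    starttls = ssl_mode == "start_tls"
    tls = starttls or ssl_mode in ("on", "yes")
    if not tls:
        findings.append("no TLS: PLAIN/LOGIN passwords would cross the network in clear")
    elif "tls_cacertfile" not in conf:
        findings.append("TLS without a CA certificate: the server cannot be verified")
    if starttls and conf.get("ldap_version") != "3":
        findings.append("StartTLS is an LDAPv3 extended operation: set ldap_version 3")
    if conf.get("sasl_secprops", "").lower() == "none" and not tls:
        findings.append("sasl_secprops none clears noanonymous,noplain; only acceptable under TLS")
    if "pam_filter" not in conf:
        findings.append("no pam_filter: PAM would accept any entry, not only posixAccount")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)) or ["ok"]:
        print(finding)
```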
# vipw
+:::::::::
# vi /etc/group
+:*::
In FreeBSD 4.x, PAM uses /etc/pam.conf as its configuration file.
I've written a pam.conf; please see it (pam.conf, pam.conf.diff).
# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use.  See pam(8) for a description of its format.
#
# $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $
#
# service-name  module-type  control-flag  module-path  arguments
#
# module-type:
#   auth:     prompt for a password to authenticate that the user is
#             who they say they are, and set any credentials.
#   account:  non-authentication based authorization, based on time,
#             resources, etc.
#   session:  housekeeping before and/or after login.
#   password: update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
#   required:   success is required, and on failure all remaining
#               modules are run.
#   requisite:  success is required, and on failure no remaining
#               modules are run.
#   sufficient: success is sufficient, and if no previous required
#               module failed, no remaining modules are run.
#   optional:   ignored unless the other modules return PAM_IGNORE.
#
# arguments:
#   Passed to the module; module-specific plus some generic ones:
#   debug:            syslog debug info.
#   no_warn:          return no warning messages to the application.
#   use_first_pass:   try authentication using password from the
#                     preceding auth module.
#   try_first_pass:   first try authentication using password from
#                     the preceding auth module, and if that fails
#                     prompt for a new password.
#   use_mapped_pass:  convert cleartext password to a crypto key.
#   expose_account:   allow printing more info about the user when
#                     prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right.  If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.

# If the user can authenticate with S/Key, that's sufficient; allow clear
# password.  Try kerberos, then try plain unix password.
login   auth      sufficient  pam_skey.so
login   auth      sufficient  pam_opie.so                 no_fake_prompts
#login  auth      requisite   pam_opieaccess.so
login   auth      requisite   pam_cleartext_pass_ok.so
#login  auth      sufficient  pam_kerberosIV.so           try_first_pass
#login  auth      sufficient  pam_krb5.so                 try_first_pass
login   auth      sufficient  pam_ldap.so                 try_first_pass
login   auth      required    pam_unix.so                 try_first_pass
login   account   sufficient  pam_ldap.so
login   account   required    pam_unix.so
login   password  required    pam_permit.so
login   session   required    pam_permit.so

# Same requirement for ftpd as login
ftpd    auth      sufficient  pam_skey.so
ftpd    auth      sufficient  pam_opie.so                 no_fake_prompts
#ftpd   auth      requisite   pam_opieaccess.so
ftpd    auth      requisite   pam_cleartext_pass_ok.so
#ftpd   auth      sufficient  pam_kerberosIV.so           try_first_pass
#ftpd   auth      sufficient  pam_krb5.so                 try_first_pass
ftpd    auth      sufficient  pam_ldap.so                 try_first_pass
ftpd    auth      required    pam_unix.so                 try_first_pass

# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth      sufficient  pam_skey.so
sshd    auth      sufficient  pam_opie.so                 no_fake_prompts
#sshd   auth      requisite   pam_opieaccess.so
#sshd   auth      sufficient  pam_kerberosIV.so           try_first_pass
#sshd   auth      sufficient  pam_krb5.so                 try_first_pass
sshd    auth      sufficient  pam_ldap.so                 try_first_pass
sshd    auth      required    pam_unix.so                 try_first_pass
sshd    account   required    pam_unix.so
sshd    password  required    pam_permit.so
sshd    session   required    pam_permit.so

# "telnetd" is for SRA authenticated telnet only.  Non-SRA uses 'login'
telnetd auth      sufficient  pam_ldap.so                 try_first_pass
telnetd auth      required    pam_unix.so                 try_first_pass

# Don't break startx
xserver auth      required    pam_permit.so

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm     auth      required    pam_unix.so
#xdm    auth      sufficient  pam_kerberosIV.so           try_first_pass
#xdm    auth      sufficient  pam_krb5.so                 try_first_pass
xdm     auth      sufficient  pam_ldap.so                 try_first_pass
xdm     account   required    pam_unix.so                 try_first_pass
xdm     session   required    pam_deny.so
xdm     password  required    pam_deny.so

# GDM (GNOME Display Manager)
gdm     auth      required    pam_unix.so
#gdm    auth      sufficient  pam_kerberosIV.so           try_first_pass
#gdm    auth      sufficient  pam_krb5.so                 try_first_pass
gdm     auth      sufficient  pam_ldap.so                 try_first_pass
gdm     account   required    pam_unix.so                 try_first_pass
gdm     session   required    pam_permit.so
gdm     password  required    pam_deny.so

# Mail services
imap    auth      sufficient  pam_ldap.so                 try_first_pass
imap    auth      required    pam_unix.so                 try_first_pass
pop3    auth      sufficient  pam_ldap.so                 try_first_pass
pop3    auth      required    pam_unix.so                 try_first_pass

# If we don't match anything else, default to using getpwnam().
other   auth      sufficient  pam_skey.so
other   auth      sufficient  pam_ldap.so                 try_first_pass
other   auth      required    pam_unix.so                 try_first_pass
other   account   required    pam_unix.so                 try_first_pass
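To see how the control flags described in the pam.conf header play out for the two orderings used on this page, here is an added example (not part of the original page, and not FreeBSD's libpam) that walks a stack with exactly those rules. The login and xdm auth stacks are copied from the pam.conf above, the login password stack from the FreeBSD 5.1 pam.d diff, and the per-module outcomes for an LDAP-only account are constructed.

```python
# pam_stack_walk.py: apply the required/requisite/sufficient/optional rules
# from the pam.conf header to the stacks on this page. Added example, not the
# page's own code and not libpam; outcomes per module are constructed.

from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (control_flag, module)

STACKS: Dict[str, List[Entry]] = {
    # pam.conf (FreeBSD 4.x) auth stack for login
    "login": [("sufficient", "pam_skey.so"), ("sufficient", "pam_opie.so"),
              ("requisite", "pam_cleartext_pass_ok.so"),
              ("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")],
    # pam.conf (FreeBSD 4.x) auth stack for xdm: pam_unix comes first
    "xdm": [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")],
    # pam.d/login (FreeBSD 5.1 diff) password stack: two sufficient entries
    "login-password": [("sufficient", "pam_ldap.so"), ("sufficient", "pam_unix.so")],
}

# Constructed: an account that exists only in LDAP. pam_unix has no local
# entry, S/Key and OPIE are not set up, cleartext passwords are allowed.
LDAP_ONLY_USER = {
    "pam_skey.so": False, "pam_opie.so": False,
    "pam_cleartext_pass_ok.so": True, "pam_ldap.so": True, "pam_unix.so": False,
}


def run_stack(stack: List[Entry], outcomes: Dict[str, bool]) -> str:
    """Return "SUCCESS", "DENIED" or "UNDECIDED" for one stack.

    required   - failure is remembered, the remaining modules still run
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack with SUCCESS unless a previous
                 required module already failed; its own failure is ignored
    optional   - no effect on the result
    A stack in which no required/requisite module ever ran is reported as
    UNDECIDED rather than guessing what libpam does with it.
    """
    required_failed = False
    decided = False
    for flag, module in stack:
        ok = outcomes.get(module, False)
        if flag == "required":
            decided = True
            required_failed = required_failed or not ok
        elif flag == "requisite":
            decided = True
            if not ok:
                return "DENIED"
        elif flag == "sufficient" and ok and not required_failed:
            return "SUCCESS"
    if not decided:
        return "UNDECIDED"
    return "DENIED" if required_failed else "SUCCESS"


def lint_stack(stack: List[Entry]) -> List[str]:
    """Flag the two ordering problems visible in the page's stacks."""
    problems: List[str] = []
    if not any(f in ("required", "requisite") for f, _ in stack):
        problems.append("no required entry: the stack may end undecided")
    for i, (flag, module) in enumerate(stack):
        if flag == "required" and module == "pam_unix.so" and \
                any(f == "sufficient" and m == "pam_ldap.so" for f, m in stack[i + 1:]):
            problems.append("required pam_unix.so precedes sufficient pam_ldap.so")
    return problems


if __name__ == "__main__":
    for name, stack in STACKS.items():
        print(name, run_stack(stack, LDAP_ONLY_USER), lint_stack(stack))
```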
--- pam.conf.orig Wed Jan 1 11:19:00 2003 +++ pam.conf Wed Jan 1 11:21:37 2003 @@ -49,7 +49,9 @@ login auth requisite pam_cleartext_pass_ok.so #login auth sufficient pam_kerberosIV.so try_first_pass #login auth sufficient pam_krb5.so try_first_pass +login auth sufficient pam_ldap.so try_first_pass login auth required pam_unix.so try_first_pass +login account sufficient pam_ldap.so login account required pam_unix.so login password required pam_permit.so login session required pam_permit.so @@ -61,6 +63,7 @@ ftpd auth requisite pam_cleartext_pass_ok.so #ftpd auth sufficient pam_kerberosIV.so try_first_pass #ftpd auth sufficient pam_krb5.so try_first_pass +ftpd auth sufficient pam_ldap.so try_first_pass ftpd auth required pam_unix.so try_first_pass # OpenSSH with PAM support requires similar modules. The session one is @@ -70,12 +73,14 @@ #sshd auth requisite pam_opieaccess.so #sshd auth sufficient pam_kerberosIV.so try_first_pass #sshd auth sufficient pam_krb5.so try_first_pass +sshd auth sufficient pam_ldap.so try_first_pass sshd auth required pam_unix.so try_first_pass sshd account required pam_unix.so sshd password required pam_permit.so sshd session required pam_permit.so # "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login' +telnetd auth sufficient pam_ldap.so try_first_pass telnetd auth required pam_unix.so try_first_pass # Don't break startx @@ -86,6 +91,7 @@ xdm auth required pam_unix.so #xdm auth sufficient pam_kerberosIV.so try_first_pass #xdm auth sufficient pam_krb5.so try_first_pass +xdm auth sufficient pam_ldap.so try_first_pass xdm account required pam_unix.so try_first_pass xdm session required pam_deny.so xdm password required pam_deny.so 
@@ -94,15 +100,19 @@ gdm auth required pam_unix.so #gdm auth sufficient pam_kerberosIV.so try_first_pass #gdm auth sufficient pam_krb5.so try_first_pass +gdm auth sufficient pam_ldap.so try_first_pass gdm account required pam_unix.so try_first_pass gdm session required pam_permit.so gdm password required pam_deny.so # Mail services +imap auth sufficient pam_ldap.so try_first_pass imap auth required pam_unix.so try_first_pass +pop3 auth sufficient pam_ldap.so try_first_pass pop3 auth required pam_unix.so try_first_pass # If we don't match anything else, default to using getpwnam(). other auth sufficient pam_skey.so +other auth sufficient pam_ldap.so try_first_pass other auth required pam_unix.so try_first_pass other account required pam_unix.so try_first_pass
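Review bot: the xdm and gdm hunks insert `+xdm auth sufficient pam_ldap.so try_first_pass` (and the gdm equivalent) after the existing `xdm auth required pam_unix.so`; by the control-flag rules in the header of this same file, a sufficient success does not end the stack once a previous required module has failed, so a user that exists only in LDAP fails pam_unix first and is then refused even though pam_ldap succeeds. Move the pam_ldap line above pam_unix, as the login, ftpd and sshd hunks already do. The sshd hunk also adds pam_ldap only to the auth stage while login gets `+login account sufficient pam_ldap.so`; make the account stage consistent between the two services.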
If you want to use amd, see the FreeBSD-5.1 configuration.
This chapter shows client side configurations. Our basic principle is the following:
Refer to http://www.gohome.org/wl/doc/wl_toc.html
;; pop
(setq elmo-pop3-default-server "hostname")
(setq elmo-pop3-default-user "username")
(setq elmo-pop3-default-authenticate-type 'user)
;; pop over ssl
(setq elmo-pop3-default-stream-type 'ssl)
(setq elmo-pop3-default-port 995)
;; imap
(setq elmo-imap4-default-server "hostname")
(setq elmo-imap4-default-user "username")
(setq elmo-imap4-default-authenticate-type 'login)
;; imap over ssl
(setq elmo-imap4-default-port 993)
(setq elmo-imap4-default-stream-type 'ssl)
;; imap over tls
;(setq elmo-imap4-default-port 143)
;(setq elmo-imap4-default-stream-type 'starttls)
;; smtp
(setq wl-smtp-posting-server "hostname")
;; smtp over tls
(setq wl-smtp-connection-type 'starttls)
;; pop-before-smtp
;(setq wl-draft-send-mail-function
;      'wl-draft-send-mail-with-pop-before-smtp)
;; smtp-auth
;(setq wl-smtp-posting-user "username")
;(setq wl-smtp-authenticate-type "login")
;; nntp
(setq wl-nntp-default-server "hostname")
(setq wl-nntp-default-user "username")
;; ldap
(setq wl-use-ldap 't)
(setq wl-ldap-server "hostname")
(setq wl-ldap-port 389)
(setq wl-ldap-base "base DN")
Refer to http://www.mew.org/release/info/.
POP3S,IMAPS,SMTPS,SMTP-AUTH,APOP,POP before SMTP, no LDAP
SMTPS (port -> 25??), no SMTP with TLS, LDAP, SMTP-AUTH
We can use SSL (port 25) and SMTP-AUTH.
SSL/TLS, SMTP-AUTH (authentication: CLEARTEXT, PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, ANONYMOUS), IMAP, IMAPS, POP3, POP3S, APOP
We cannot use SMTP??
<Fumihiro Kato <@tom.sfc.keio.ac.jp>: Sorry, no mailbox here by that name. (#5.1.1)
You should do either of the following before starting new work.
# tar czf ldap.tgz /var/lib/ldap
# slapcat > backup.ldap
If you would like to restore a backup, do one of the following:
# rm /var/lib/ldap/*
# tar xvzf ldap.tgz -C /
# /etc/init.d/slapd restart
# rm /var/lib/ldap/*
# slapadd -l backup.ldap
# /etc/init.d/slapd restart
We create SSL certificates valid for one year, so we have to reissue them.
# openssl ca -revoke certs/hostnamecert.pem
# openssl ca -gencrl -config /etc/ssl/openssl.cnf -out \
crl/hostname-ca.crl
# openssl ca -out certs/hostnamecert.pem -in \
certs/hostnamereq.pem
After you have finished re-signing, reissue the certificates for mail and the other services.
Slapd creates database index keys for quick searches according to the 'index' directives in slapd.conf. Note that creating the database takes much longer if you configure many 'index' directives.
index cn,sn,uid,uidNumber,gidNumber,qmailUID,qmailGID,homeDirectory,mail \
pres,eq
index objectClass eq
After you modify the index directives in slapd.conf, you have to run the 'slapindex' command to rebuild the index databases.
Refer to the wstunnel manual at Orangesoft.
We can send email using Becky2! with the following configuration.
# on the master
replogfile /var/lib/ldap/replog
replica host=slave.tom.sfc.keio.ac.jp:389
# on the slave
updatedn "cn=admin,dc=tom,dc=sfc,dc=keio,dc=ac,dc=jp"
updateref "ldap://master.tom.sfc.keio.ac.jp/"
# openssl req -new -nodes -keyout private/hostnamekey.pem -out \
certs/hostnamereq.pem
# openssl ca -out certs/hostnamecert.pem -in \
certs/hostnamereq.pem
Active Directory is "Kerberos V5 + LDAP". Samba 3.0 aims to be an alternative to Active Directory.