Archive for the ‘Ldap’ Category

I was about to begin making the switch to the new server when I thought I’d try out my own account. I just wanted to make sure that I could log in and do everything. Glad I did. Turns out that users with uid numbers less than 500 couldn’t do anything. The problem was in /etc/pam.d/system-auth.

I changed the uid threshold in both pam_succeed_if lines from 500 to 200 (uid >= 200 in the auth section, uid < 200 in the account section). Now everything works fine.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 200 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
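The failure above comes from the requisite pam_succeed_if line: any LDAP user whose uidNumber falls below the threshold is rejected before pam_ldap is ever consulted. This added example (not code from the post) parses the uid tests out of a system-auth file and an LDIF dump and reports which LDAP accounts would be locked out; the LDIF is constructed here, with the mail account from the post and a hypothetical "olduser" sitting between the old and new cutoffs.

```python
import operator
import re

# Constructed sample: the uid tests from the system-auth above plus the crond line,
# which a parser must not mistake for a uid test.
PAM_SYSTEM_AUTH = """\
auth        requisite     pam_succeed_if.so uid >= 200 quiet
account     sufficient    pam_succeed_if.so uid < 200 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

# Constructed LDIF: the mail account from the post (uidNumber 8) and a hypothetical user.
LDIF = """\
dn: uid=mail,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: mail
uidNumber: 8

dn: uid=olduser,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: olduser
uidNumber: 300
"""

_UID_TEST = re.compile(r"^\s*(auth|account|password|session)\s+.*?"
                       r"pam_succeed_if\.so\s+uid\s*(>=|<=|!=|>|<|=)\s*(\d+)")
_OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne, ">": operator.gt, "<": operator.lt, "=": operator.eq}

def pam_uid_tests(pam_text):
    """Map each PAM stack to the (operator, threshold) of its pam_succeed_if uid test."""
    tests = {}
    for line in pam_text.splitlines():
        m = _UID_TEST.match(line)
        if m:
            tests[m.group(1)] = (m.group(2), int(m.group(3)))
    return tests

def ldif_uidnumbers(ldif_text):
    """Map uid -> uidNumber for each blank-line separated entry of an LDIF dump."""
    users = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        uid = re.search(r"^uid: (.+)$", entry, re.M)
        num = re.search(r"^uidNumber: (\d+)$", entry, re.M)
        if uid and num:
            users[uid.group(1).strip()] = int(num.group(1))
    return users

def ldap_users_blocked(pam_text, ldif_text):
    """LDAP accounts failing the requisite 'auth' uid test: pam_ldap is never reached for them."""
    op, threshold = pam_uid_tests(pam_text)["auth"]
    return sorted(u for u, n in ldif_uidnumbers(ldif_text).items()
                  if not _OPS[op](n, threshold))
```

Re-running the check with the original threshold of 500 shows "olduser" joining "mail" on the blocked list, which is the situation the post describes.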

Finally, I fixed the problem I was having with start_tls being in /etc/ldap.conf. Here’s what would happen:

I’d ssh as my test user and I’d get in fine. But then, I’d issue an ls command and it would hang. In the logs on the node I’d logged into (not the ldap server), I’d get these messages:

Oct 25 12:47:00 client ls: nss_ldap: could not search LDAP server - Server is unavailable
Oct 25 12:48:08 client ls: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

What it was trying to do was look up the uid for the uidnumber associated with the files it was listing. I just couldn’t figure out why it wasn’t working.

I then ran the following command as my test user:

[testuser1@client ~]$ ldapsearch -x -ZZ -d4
request done: ld 0x8c24068 msgid 1
TLS: could not load verify locations (file:`/etc/openldap/cacerts/slapd.pem',dir:`/etc/openldap/cacerts').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:122
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:127
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:279
ldap_start_tls: Connect error (-11)

This basically showed that I had a problem with my pem file, as in, it couldn’t be read. As soon as I changed permissions on this file to 644, everything worked fine.

Now I just have to check what sort of security risks I have with these settings.
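On the security question: the CA file has to be world-readable, because nss_ldap loads it inside every user's process (hence the fopen: Permission denied above), but it must not be writable by anyone but root, and TLS_REQCERT should stay at demand so the server certificate is actually verified. This added example (not from the post) audits an ldap.conf-style text for exactly those points; the sample conf is constructed, and the helper writes a placeholder file, not a real certificate, to exercise the mode checks.

```python
import os
import stat
import tempfile

# Constructed ldap.conf in the style of the entries on this page; {cacert}/{reqcert} are filled in.
SAMPLE_LDAP_CONF = """\
URI          ldap://ldapserver.uchicago.edu
BASE         dc=ldapserver,dc=uchicago,dc=edu
TLS_CACERT   {cacert}
TLS_REQCERT  {reqcert}
"""

def parse_ldap_conf(text):
    """Return {OPTION: value} for an ldap.conf-style text (comments and blanks skipped)."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return opts

def audit_tls(conf_text):
    """Return a list of finding codes for the TLS client settings in conf_text."""
    opts, findings = parse_ldap_conf(conf_text), []
    # The client default is demand; never/allow/try skip verifying the server cert.
    if opts.get("TLS_REQCERT", "demand").lower() != "demand":
        findings.append("reqcert-not-demand")
    path = opts.get("TLS_CACERT")
    if not path or not os.path.exists(path):
        return findings + ["cacert-missing"]
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IROTH:      # nss_ldap loads the CA inside every user's process:
        findings.append("not-world-readable")   # this is the fopen: Permission denied above
    if mode & (stat.S_IWGRP | stat.S_IWOTH):   # anyone could swap in their own trust anchor
        findings.append("writable-by-others")
    if st.st_uid != 0:
        findings.append("not-root-owned")
    return findings

def audit_with_temp_cacert(mode, reqcert="demand"):
    """Audit a conf pointing at a placeholder file (not a real cert) created with `mode`."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return audit_tls(SAMPLE_LDAP_CONF.format(cacert=path, reqcert=reqcert))
    finally:
        os.unlink(path)
```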

I kept getting errors in my smbd.log file when I started samba. They looked like this:

[2007/10/19 13:55:38, 0] smbd/server.c:main(847)
  smbd version 3.0.23c-2.el5.2.0.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/19 13:55:38, 0] services/services_db.c:svcctl_init_keys(420)
  init_services_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2007/10/19 13:55:38, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.

I fixed all these errors by adding this line to my /etc/samba/smb.conf file.

       winbind nested groups = no

Now after creating a temporary root user in my ldap database, I can run the following:

[root@server samba]# net rpc rights list -U root
Password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

I was having a problem with the -Z option to ldapsearch. This option issues the StartTLS operation. To fix, I changed /etc/openldap/ldap.conf to:

URI             ldaps://server.example.com
BASE            dc=server,dc=example,dc=com
TLS_CACERT      /etc/openldap/cacerts/slapd.pem
TLS_REQCERT     demand


This was all wrong and screwed me up a lot. Ignore this entry.

I finally got ldap working for accounts both in ldap and /etc/passwd. Here is my /etc/dovecot.conf file, with all comments removed.

protocols = imaps pop3s
log_path = /var/log/dovecot.log
ssl_cert_file = /usr/share/ssl/certs/imapd.pem
ssl_key_file = /usr/share/ssl/certs/imapd.pem
login_dir = /var/run/dovecot/login
mmap_disable = yes
first_valid_uid = 200
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  passdb shadow {
  }
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb passwd {
  }
  userdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  user = root
}
dict {
}
plugin {
}

For example,

[root@tester openldap]$ slappasswd -s test
{SSHA}Nq5hUWWzoq0WUEqnMAx/9YhmmSgMJbnQ

I can then use that SSHA line in my ldif file.
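For reference, here is what that {SSHA} string actually contains: base64 of a SHA-1 digest of the password with a random 4-byte salt appended, followed by the salt itself. This added example (not from the post) generates and verifies such values in Python; the stand-alone run at the bottom checks the hash printed above against the password "test".

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"

def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).
    slappasswd picks a random 4-byte salt; a fixed salt may be passed for tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored):
    """Return (digest, salt) from a stored {SSHA} value; a SHA-1 digest is 20 bytes,
    everything after it is the salt."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    return raw[:20], raw[20:]

def check_ssha(password, stored):
    """Verify a password against a {SSHA} userPassword value (constant-time compare).
    Salted SHA-1 defeats precomputed tables but is a fast hash, not a password KDF,
    so prefer a slower scheme wherever the server supports one."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # The value slappasswd printed in the post above for the password "test".
    print(check_ssha("test", "{SSHA}Nq5hUWWzoq0WUEqnMAx/9YhmmSgMJbnQ"))
```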

Must use the same certificate (.pem file) in both sendmail.mc and the dovecot config files. Otherwise, you’ll get an error when trying to send mail about having a certificate with a duplicate value. (Or something like that.)

The ldap learning curve continues…

I have just gotten sendmail working with ldap. Had a bunch of problems, but mail is coming in.

I have two machines, ldapserver and mailserver. The mailserver machine has to look up accounts on the ldapserver machine. I had to add a couple of things to ldapserver.

# mail, people, ldapserver.uchicago.edu
dn: uid=mail,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: mail
cn: mail
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
loginShell: /sbin/nologin
uidNumber: 8
gidNumber: 12
homeDirectory: /var/spool/mail
gecos: mail

# smmsp, people, ldapserver.uchicago.edu
dn: uid=smmsp,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: smmsp
cn: smmsp user for sendmail
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
uidNumber: 51
gidNumber: 51
homeDirectory: /dev/null
gecos: smmsp user for sendmail

# sendmail, people, ldapserver.uchicago.edu
dn: uid=sendmail,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: sendmail
cn: Mail Transfer Agent
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
loginShell: /bin/tcsh
uidNumber: 101
gidNumber: 2
homeDirectory: /var/adm
gecos: Mail Transfer Agent

I got this information from our current /etc/passwd file. I’m not sure if I needed all of these accounts, but to be sure, I put them all in.

I also had to create an ou called sendmail. I put it in the ou called dsa that was created for secure accounts.

# sendmail, dsa, ldapserver.uchicago.edu
dn: ou=sendmail,ou=dsa,dc=ldapserver,dc=uchicago,dc=edu
objectClass: organizationalUnit
ou: sendmail

I also had to add some more info to the user account.

dn: uid=testuser1,ou=people,dc=ldapserver,dc=uchicago,dc=edu
changetype: modify
add: objectClass
objectClass: inetLocalMailRecipient
-
add: mailLocalAddress
mailLocalAddress: testuser1@mailserver.uchicago.edu
-
add: mailRoutingAddress
mailRoutingAddress: testuser1@mailserver.uchicago.edu

Finally, I had to uncomment this line in /etc/openldap/slapd.conf.

allow bind_v2

This is because sendmail does use version 2 binds.

Those are all the changes I made on ldapserver.


On the mailserver, most of the changes were in /etc/mail/sendmail.mc. Here are the lines I added:

dnl # LDAP Settings
dnl # basic definition of access_db using LDAP
FEATURE(`access_db',`LDAP')dnl
dnl # To use sendmail's default LDAP search parameters for aliases
define(`ALIAS_FILE',`ldap:')dnl
LDAPROUTE_DOMAIN(`mailserver.uchicago.edu')dnl
FEATURE(`ldap_routing')dnl
define(`confLDAP_DEFAULT_SPEC',`-h ldapserver.uchicago.edu')dnl

After I created the new sendmail.cf from this and restarted sendmail, I could receive mail to my user testuser1.

Now, I have to figure out how to configure dovecot to be able to authenticate to read mail.

This is just a note for future reference. At some point, I’m going to want to make some webpages visible only to users in our ldap database. This is an example .htaccess file to do this:

Order allow,deny
Allow from 192.168.23
AuthType Basic
AuthName "Site Access"
LDAP_Server ldapserver.uchicago.edu
UID_Attr uid
Base_DN "ou=people,dc=ldapserver,dc=uchicago,dc=edu"
require valid-user
satisfy any

Or here’s another example I found:

AuthType Basic
AuthName "Restricted Access"

AuthLDAPURL ldap://ldapserver.uchicago.edu/ou=people,dc=ldapserver,dc=uchicago,dc=edu?uid?one
AuthLDAPCompareDNOnServer on

Order deny,allow
Deny from all
Allow from 127.0.0.1 10.10.10. 111.111.111.111

satisfy any

I’m not yet sure how to make sure the authentication goes over a secure connection, but I don’t think that will be too hard.

After thinking a long time about our setup, and playing around with Win2003 server, I figured out that I was making things harder on myself than they should be. My goal is to have a single ldap server that handles all of our user authentication. This ldap server will be running openldap on a redhat linux machine. I’ve already figured out how to set up ldap, that info is in other posts.

My current setup uses a win2000 server along with a linux machine to set up all the disks. I was thinking that I should get another win server to replace the one I currently use. But on this new one, I’d put a TB worth of disks. I’d then set up active directory to use the openldap server for authentication. The problem is, I couldn’t find any information on doing this. All the pages I found were for using the active directory machine as the ldap server. I’m not familiar enough with windows to be comfortable with that setup. I don’t know what to back up, what files are important, etc. So, I’d rather have the ldap server on a linux machine where I can easily dump all the info in the database for a backup.

I also was not liking win2003 server at all. Like Vista, it seems to want to control access to many things and make it hard to turn this access control off. After becoming frustrated because I couldn’t surf to a website to download a driver, I decided to not use it, if possible.

I had the solution the entire time, but didn’t realize it. pGINA does exactly this. It lets me set the openldap server in linux and then mount windows disks without any problems. This is exactly what I want it to do. Now, I just have to mount the linux disks as well, but since this will authenticate against the ldap server which is running on the same machine, I don’t anticipate any problems.

The last step, where I do think I’ll have problems, is getting dovecot to work with the ldap server. In the past, I couldn’t get this to work. But I’m hoping now that I’ll be able to get it figured out.