Monday, September 21, 2009

Install LDAP

Install and configure LDAP

The version we will use for the installation is Ubuntu 8.04 LTS.
We install Ubuntu normally; the host name we set is mrldap, we create a user called syadmin, and we set the IP address to 192.168.37.100.
Besides LDAP, this machine will also be used for DNS, DHCP, SAMBA and Postfix.
We update the operating system; to do so we uncomment the multiverse repositories in the sources.list file
$apt-get update
$apt-get upgrade
We already did the next step during the Ubuntu installation
$apt-get install openssh-server
$vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 ldap2.vablom.lan ldap2

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

$vim /etc/hostname
ldap2.vablom.lan

We skip the NTP configuration for now
$apt-get install ntp
$vim /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
server pool.ntp.org

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

$ shutdown -r now

We can use these two directories for the LDAP installation if we wish
$ mkdir /ldaphome
$ mkdir /ldap_data

$ apt-get install postfix mailx
During the installation it asks us:

General type of mail configuration: Internet Site

System mail name: ldap2.vablom.lan


We move on to installing LDAP
$ apt-get install slapd ldap-utils migrationtools
It asks us the following:

Administrator password: 12345

Confirm password: 12345


$ dpkg-reconfigure slapd

Omit OpenLDAP server configuration?

NO


DNS domain name

blom.es


Organization name:

blom.es


Administrator password:

12345

Password verification:

12345


Database backend to use:

BDB


Do you want the database to be deleted..

NO


Move the old database:

YES


Allow LDAPv2 protocol

NO

We install SAMBA
$ apt-get install samba smbldap-tools smbclient samba-doc
We integrate the Samba schema into LDAP
$ cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ gzip -d /etc/ldap/schema/samba.schema.gz
$ vim /etc/ldap/slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel none

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=lanva"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=lanva"

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange

       by dn="cn=admin,dc=vablom,dc=lan" write

       by anonymous auth

       by self write

       by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *

       by dn="cn=admin,dc=lanva" write

       by * read


# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=lanva" write
# by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
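slapd evaluates the "access to" clauses above in order and applies the first one whose target matches, so the userPassword rule only protects the hashes if it sits before "access to *" and ends with "by * none". The script below is an added example (not part of the original post) that lints that ordering over constructed copies of the ACL block; it only assumes a POSIX sh with awk.

```sh
#!/bin/sh
# Added example, not part of the original post: a lint for the ACL block
# of slapd.conf. slapd applies the FIRST "access to" clause whose <what>
# matches, so the userPassword rule has to come before "access to *" and
# has to finish with "by * none"; otherwise the catch-all "by * read"
# hands password hashes to anonymous binds.

# check_acl_order < slapd.conf
#   Prints "ok" (exit 0) or the first problem found (exit 1).
check_acl_order() {
    awk '
        /^[[:space:]]*#/ { next }                       # comment lines
        /^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=/ && /userPassword/ {
            pw = NR; inpw = 1; next                     # start of the password ACL
        }
        /^[[:space:]]*access[[:space:]]+to[[:space:]]+\*/ { star = NR; inpw = 0; next }
        /^[[:space:]]*access[[:space:]]+to/ { inpw = 0; next }   # any other ACL
        inpw && /^[[:space:]]*by[[:space:]]+\*[[:space:]]+none/ { closed = 1 }
        END {
            if (!pw)       { print "missing userPassword ACL"; exit 1 }
            if (!star)     { print "missing catch-all access to *"; exit 1 }
            if (pw > star) { print "userPassword ACL after access to *"; exit 1 }
            if (!closed)   { print "userPassword ACL lacks by * none"; exit 1 }
            print "ok"
        }'
}

# Constructed samples with the same shape as the ACLs in the post (base DN dc=lanva).
GOOD_ACL='access to attrs=userPassword,shadowLastChange
       by dn="cn=admin,dc=lanva" write
       by anonymous auth
       by self write
       by * none
access to dn.base="" by * read
access to *
       by dn="cn=admin,dc=lanva" write
       by * read'

# Same clauses, catch-all first: the password rule is never reached.
BAD_ORDER_ACL='access to *
       by dn="cn=admin,dc=lanva" write
       by * read
access to attrs=userPassword,shadowLastChange
       by dn="cn=admin,dc=lanva" write
       by * none'

# Right order, but the password rule ends with "by * read".
LEAKY_ACL='access to attrs=userPassword,shadowLastChange
       by dn="cn=admin,dc=lanva" write
       by self write
       by * read
access to *
       by * read'

printf 'good:  %s\n' "$(printf '%s\n' "$GOOD_ACL" | check_acl_order)"
printf 'order: %s\n' "$(printf '%s\n' "$BAD_ORDER_ACL" | check_acl_order)"
printf 'leaky: %s\n' "$(printf '%s\n' "$LEAKY_ACL" | check_acl_order)"
```

To run it against the real file: `check_acl_order < /etc/ldap/slapd.conf`.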

Now it is time to configure Samba
$ cd /etc/samba/
We back up the original file
$ cp smb.conf smb.conf.original
$ vim smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of

  workgroup = VABLOM


# server string is the equivalent of the NT Description field

  server string = %h server (Samba, Ubuntu)


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server

wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.

  dns proxy = no


# What naming service and in what order should we use to resolve host names
# to IP addresses

name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred

interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.

bind interfaces only = true

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects

  log file = /var/log/samba/log.%m


# Cap the size of the individual log files (in KiB).

  max log size = 1000


# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.

syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.

  syslog = 0


# Do something sensible when Samba crashes: mail the admin a backtrace

  panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.

  security = user


# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.

  encrypt passwords = true


# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.

  passdb backend = ldapsam:ldap://localhost/



  obey pam restrictions = no


#######################################################################
#
# Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=lanva
ldap suffix = dc=lanva
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users

# Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
# End: Custom LDAP Entries
#
#####################################################


guest account = nobody
invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.

  unix password sync = yes


# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan < for
# sending the correct chat script for the passwd program in Debian Sarge).

  passwd program = /usr/bin/passwd %u

  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .


# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.

  pam password change = yes


# This option controls how nsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user


########## Domains ###########

# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#

domain logons = yes
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)

logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory

logon path = \\%N\%U\profile
logon path =

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)

logon drive = H
logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention

logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs

add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this

load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file

printing = bsd
printcap name = /etc/printcap

# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.

printing = cups
printcap name = cups

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting

include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192

  socket options = TCP_NODELAY


# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.

message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.

domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)

idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash

# The following was the default behaviour in sarge,
# but samba upstream reverted the default because it might induce
# performance issues in large organizations.
# See Debian bug #368251 for some of the consequences of *not*
# having this setting and smb.conf(5) for details.

winbind enum groups = yes
winbind enum users = yes

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.

usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones

  usershare allow guests = yes


#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.

read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.

create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.

directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes

valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes
share modes = no

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on

[profiles]
comment = Users profiles
path = /home/samba/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700

[printers]

  comment = All Printers

  browseable = no

  path = /var/spool/samba

  printable = yes

  guest ok = no

  read only = yes

  create mask = 0700


# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]

  comment = Printer Drivers

  path = /var/lib/samba/printers

  browseable = yes

  read only = yes

  guest ok = no

# Uncomment to allow remote administration of Windows print drivers.
#Replace 'ntadmin' with the name of the group your admin users are
# members of.

write list = root, @ntadmin

# A sample share for sharing your CD-ROM with others.

[cdrom]
comment = Samba server's CD-ROM
read only = yes
locking = no
path = /cdrom
guest ok = yes

# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accesed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#

preexec = /bin/mount /cdrom
postexec = /bin/umount /cdrom

$ /etc/init.d/samba restart
$ smbpasswd -w 12345
the password is stored in secrets.tdb

$ reboot now

We configure SMBLDAP-TOOLS, which are the scripts for managing LDAP
$ cd /usr/share/doc/smbldap-tools/examples/
$ cp smbldap_bind.conf /etc/smbldap-tools/
$ cp smbldap.conf.gz /etc/smbldap-tools/
$ gzip -d /etc/smbldap-tools/smbldap.conf.gz

$ cd /etc/smbldap-tools/
$ net getlocalsid
SID for domain MRLDAP is: S-1-5-21-1445362342-3606539027-2252629484

We edit the file
$ vi /etc/smbldap-tools/smbldap.conf
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-1976967689-3255277978-196997638"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="VABLOM"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=vablom,dc=lan"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/ldaphome/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
#Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=

# The default Home Drive Letter mapping
#(will be automatically mapped at logon time if home directory exist)

# Ex: userHomeDrive="H:"
userHomeDrive=

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript=

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="lanva"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
#############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"


# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

We edit another file
$ vi /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=lanva"
slavePw="12345"
masterDN="cn=admin,dc=lanva"
masterPw="12345"

We change the permissions on the files
$ chmod 0644 /etc/smbldap-tools/smbldap.conf
$ chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now we create the users and groups in LDAP
$ smbldap-populate -u 30000 -g 30000

We verify the changes in LDAP
$ ldapsearch -x -b dc=lanva | less

We add users to LDAP
$ smbldap-useradd -a -m -M jcga -c "juan carlos" jcga
Explanation of the options
-a allows Windows as well as Linux login
-m makes a home directory, leave this off if you do not need local access. PAM will be configured to automatically create a home directory.
-M sets up the username part of their email address
-c specifies their full name

I change the password
$ smbldap-passwd jcga

Now we get into authentication
$ apt-get install auth-client-config libpam-ldap libnss-ldap

The questions are:

LDAP server Uniform Resource Identifier

ldapi://127.0.0.1/



Distinguished name of the search base:

dc=vablom,dc=lan



Ldap version:

3



Make local root database admin:

YES



Does the LDAP database require login?

NO



Ldap account for root:

cn=admin,dc=vablom,dc=lan



Ldap root account password

*****



Back up the file before editing it
$ cp /etc/ldap.conf /etc/ldap.conf.original

$ vim /etc/ldap.conf
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=vablom,dc=lan

# Another way to specify your LDAP server is to provide an
uri ldap://127.0.0.1/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=vablom,dc=lan

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
#You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,ntp,openldap,postfix,proxy,root,sshd,sync,sys,syslog,uucp,www-data


$ cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.original
$ cp /etc/ldap.conf /etc/ldap/ldap.conf

$ vim /etc/auth-client-config/profile.d/open_ldap
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account sufficient pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session required pam_limits.so
        session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session    required     pam_unix.so
        session    optional     pam_ldap.so



$ cp /etc/nsswitch.conf /etc/nsswitch.conf.original
$ cd /etc/pam.d/
$ mkdir backup
$ cp * backup/

To use LDAP for client authentication we have to run this command
$ auth-client-config -a -p open_ldap

$ reboot now





Install the BIND DNS server

$ apt-get install bind9
Install an NFS server
$ apt-get install nfs-kernel-server nfs-common portmap
$ dpkg-reconfigure portmap

Should portmap be bound to the address of the local network interface?

NO


Restart it
$ /etc/init.d/portmap restart

$ vim /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync) hostname2(ro,sync)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt)
# /srv/nfs4/homes gss/krb5i(rw,sync)
#
/ldaphome *(rw,async)

Restart the NFS service
$ /etc/init.d/nfs-kernel-server restart


Install webmin

Download the installation file. You can visit http://superb-east.dl.sourceforge.net/sourceforge/webadmin/ first to see which version is current
$ wget http://superb-east.dl.sourceforge.net/sourceforge/webadmin/webmin_1.400_all.deb
We need to install some packages
$ apt-get install openssl libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl
Install the downloaded file
$ dpkg -i webmin_1.400_all.deb
"Webmin install complete. You can now login to https://mrldap.lanva:10000/
as root with your root password,
or as any user who can use sudo to run commands as root."

Configure BIND9 and the Primary DNS Zone

We now want to create our DNS zone so that we are in charge of it and can make use of it. I prefer using a GUI to do this as opposed to editing the zone files.

In a web browser navigate to: https://192.168.0.60:10000 (Please use the IP address that YOU assigned to your server.)
Log in as "sysadmin" with the password "12345".
The menu path to follow is:
Servers > BIND DNS Server
Under "Existing DNS Zones" click "Create master zone"

Enter in the following information (customize to your needs!):

Zone type: Forward (Names to Addresses)
Domain name / Network: example.local
Records file: Automatic
Master server: dc01-ubuntu.example.local
Email address: sysadmin@example.local

Click "Create" button

Click "Apply Changes" button

Click "Address (0)" at the top

Fill in with this information (customize to your needs!):

Name: dc01-ubuntu
Address: 192.168.0.60
Click "Create" button
Click "Return to record types"

Click "Apply Changes" button.

Configure the Server to use Itself for DNS

DNS doesn't do a whole lot of good if we don't use it. In this section we point our /etc/resolv.conf file to ourselves. I also recommend leaving in a known working DNS server as the secondary source just in case something screws up. In some of my trials I did notice that the server would hang trying to start BIND9.

Backup the /etc/resolv.conf file before editing it!

$ cp /etc/resolv.conf /etc/resolv.conf.original

Open the /etc/resolv.conf file for editing:

$ vim /etc/resolv.conf
search lanva
nameserver 192.168.37.100


$ reboot now

At this point we have been able to join a Windows machine to the vablom domain with the user (vablom\root) and have logged in with an LDAP user created earlier (jcgutierrez).
We only set a single DNS address, 192.168.37.100, and a static local IP, 192.168.37.10.


Install phpldapadmin

$apt-get install apache2 php5 php5-ldap ldap-utils db4.2-util gq ldap-account-manager phpldapadmin

$vim /etc/apache2/httpd.conf
ServerName mrldap.lanva

$/etc/init.d/apache2 restart

Edit this line so that phpldapadmin works
$vim /etc/php5/apache2/php.ini

memory_limit = 128M 


$/etc/init.d/apache2 restart

Configure SAMBA to Share /ldaphome

Edit /etc/samba/smb.conf and add the following lines to the bottom of the file:

$ vi /etc/samba/smb.conf

# LDAPHOME share definition
[ldaphome]
path = /ldaphome
writeable = yes
browseable = yes
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0

Configure SAMBA - Enable the 'Netlogon' Share

Top

Create a directory for the netlogon share to use:

mkdir /home/samba
mkdir /home/samba/netlogon

Open the file /etc/samba/smb.conf for editing:

vim /etc/samba/smb.conf

Uncomment the netlogon lines by changing:


[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no

To:

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no

Create a Simple Windows Logon Script

Top

We will create the logon script in the new Netlogon shared folder.

vim /home/samba/netlogon/allusers.bat
Copy and paste the following lines into that new file. Customize as necessary!

@echo off
REM # SYNC THE TIME WITH THE SERVER
net time \\mrldap.lanva /set /y
REM # DELETE ALL MAPPED DRIVES
net use h: /delete
REM # MAP ALL NECESSARY DRIVES
net use h: "\\mrldap.lanva\ldaphome\%username%"

We need to install an extra program to convert this file to a file that Windows can use.

$apt-get install flip

Use this program to convert the file:

$flip -m /home/samba/netlogon/allusers.bat

Now we need to tell Samba about this logon script.

$vim /etc/samba/smb.conf

Change the line: ; logon script = logon.cmd

To: logon script = allusers.bat

Please note that I removed the semicolon (;) and changed the name of the file.

Now when Windows clients log in to the domain the script will run.

So that the user can access it, we need to change the permissions on their home directory

$sudo chown -R alej:Domain\ Users /ldaphome/alej/



$reboot now



Installing NFS on an Ubuntu client

$apt-get install portmap nfs-common
$/etc/init.d/portmap restart
$/etc/init.d/nfs-common restart

This guide is taken from http://www.rrcomputerconsulting.com/view.php?article_id=3





Generating a personal certificate authority with OpenSSL


Thanks to OpenSSL we can have encrypted communications between different machines using asymmetric cryptography, that is, public and private keys. It is also possible to set up certificate authorities that guarantee that a key belongs to whoever it claims to belong to; this way we get both encryption and authentication.

Today's certificate authorities charge for signing keys, and the service is not exactly cheap. On the other hand, setting up an official certificate authority is also very costly, since certain guarantees are demanded that there is real security behind the business. It is therefore common for administrators of small networks to create their own certificates to sign their keys. This way we can have encrypted communications without needing a certificate authority.

These official authorities pay to have their certificates shipped by default in browsers such as Mozilla Firefox or Internet Explorer. This lets the browser itself check automatically, when it connects to a secure site, that the certificate it receives was really signed by an official authority. That means our certificates will not be recognized automatically by browsers unless we add them manually; the only drawback is that the browser will show the user an extra warning (depending on its configuration) saying that it does not recognize the certificate authority.

Let's see how to configure OpenSSL to set up our personal certification service. First, OpenSSL must be installed on the system (aptitude install openssl); the configuration lives in "/etc/ssl" and that is where we edit the file "openssl.cnf". Here is an extract of the file with the most important parts:

...

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/ssl/marblestationCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs

certificate = $dir/MSca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL

private_key = $dir/private/MSca.key # The private key

default_days = 3650

...

This section of the file defines where all the information is stored; in my case I keep everything in "/etc/ssl/marblestationCA". Inside that directory I will create a series of subdirectories holding the required information, such as the authority's certificate and key (both private and public). I have also set keys to be generated by default with a validity period of 10 years, since I want to forget about renewals for a good while.

We have to create the directory and file structure:

mkdir /etc/ssl/marblestationCA/
mkdir /etc/ssl/marblestationCA/certs
mkdir /etc/ssl/marblestationCA/private
mkdir /etc/ssl/marblestationCA/newcerts
mkdir /etc/ssl/marblestationCA/crl
echo "01" > /etc/ssl/marblestationCA/serial
touch /etc/ssl/marblestationCA/index.txt

Next we create the public/private key pair of our certificate authority:

cd /etc/ssl/marblestationCA/
openssl req -nodes -new -x509 -keyout private/MSca.key -out MSca.crt -days 3650

It is important to use the same names for the private key (MSca.key) and public key (MSca.crt) that we put in our OpenSSL configuration. As for the questions it asks when generating the key:

Country Name (2 letter code) [ES]:
State or Province Name (full name) [Catalunya]:
Locality Name (eg, city) []:Tarragona
Organization Name (eg, company) [Marble Station]:
Organizational Unit Name (eg, section) []:Ejemplo
Common Name (eg, YOUR name) []:midominio.com
Email Address []:admin@midominio.com

Note that in "Common Name" we must put the domain name of the machine that will host the certificate authority.

We now have our certification service in place; the keys we generated will be used to sign third-party keys, which will be used, for example, by the different computers on our network.

Suppose that on the same server where we set up our signing certificates we have a secure (SSL) Apache web server and need a certificate signed by our personal authority. The first thing to do is create a certificate request together with a private key:

openssl req -nodes -new -keyout midominio.key -out midominio.csr

It will ask the same questions again; we must answer them for the machine where the key will be used. "midominio.key" will hold the generated private key and "midominio.csr" the certificate request. The certificate authority only needs access to the second one. Now we generate the certificate signed by our personal authority:

openssl ca -out midominio.crt -in midominio.csr

This generates the file "midominio.crt" with the signed certificate, ready to be used by the requester. Information about the signed certificate is also stored in "/etc/ssl/marblestationCA/", so we always have a list of everything we have signed and can also revoke signatures (man openssl) if necessary.

As I said, we were going to use it for our Apache server, but it could also be shared by other services on the same machine, for example a POP3/IMAP service (I recommend dovecot) and SMTP (I recommend exim). It is important to make sure these applications have read access to the certificate and that the other users of the system cannot read it (above all the private .key file).

I usually place service certificates in /etc/ssl/certs and /etc/ssl/private on the machine that will use them:

mv midominio.crt /etc/ssl/certs
mv midominio.key /etc/ssl/private

We no longer need the certificate request midominio.csr, since the certificate has already been generated.

We could now keep generating new certificates, signing them and distributing them among the machines on our network that run services with secure connections.

In summary, we have carried out two actions:

1. Generation of the certificates of our unofficial certificate authority (public key "MSca.crt" and private key "MSca.key"); all the information is stored in "/etc/ssl/marblestationCA/".
2. Generation of signed certificates for the services or machines on our network; the required information is stored automatically in "/etc/ssl/marblestationCA/" and the signed certificate/public key and the private key are stored on the machine that will use them ("/etc/ssl/certs" and "/etc/ssl/private" respectively):
   1. Generation of a private key (midominio.key) with a certificate request (midominio.csr).
   2. Signing of the request with our authority certificate.
   3. The requester receives its signed certificate (midominio.crt), which it will use together with its private key for its service (the request midominio.csr can be deleted).


We can inspect the contents of the certificate with this command:


$ openssl x509 -text -in /etc/ssl/certs/lanva.crt
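
The whole workflow of this section, as an added example that is not part of the original post: it builds the CA directory layout and a minimal openssl.cnf mirroring the [ca]/[CA_default] section above, generates the self-signed CA key pair, creates a key and CSR for a service host, signs the CSR with openssl ca, and then checks that the issued certificate chains to the CA, which is the check a client with TLS_CACERT or tls_cacertfile pointing at the CA certificate performs. The scratch directory, the file names ca.key/ca.crt and the hostname ldap.example.test are assumptions of the example, not values from the page; -subj replaces the interactive questions.

```shell
#!/bin/sh
# Added example: a private CA carried end to end in a scratch directory.
# Directory layout, ca.key/ca.crt names and ldap.example.test are assumed.
set -eu

# Create the CA layout, write a minimal openssl.cnf and generate the
# self-signed CA key pair. $1 = CA directory.
build_private_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/private" "$ca_dir/newcerts" "$ca_dir/crl"
    chmod 700 "$ca_dir/private"            # the CA key must never be world-readable
    echo "01" > "$ca_dir/serial"
    : > "$ca_dir/index.txt"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $ca_dir
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
serial = \$dir/serial
private_key = \$dir/private/ca.key
default_days = 3650
default_md = sha256
policy = policy_anything
x509_extensions = server_cert

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_dn
x509_extensions = ca_cert

[ req_dn ]
commonName = Common Name

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -x509 produces a self-signed certificate; -subj skips the prompts
    openssl req -config "$ca_dir/openssl.cnf" -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$ca_dir/private/ca.key" -out "$ca_dir/ca.crt" -days 3650 \
        -subj "/O=Example Private CA/CN=Example Private CA" 2>/dev/null
    chmod 400 "$ca_dir/private/ca.key"
}

# Key + CSR for a service host, then "openssl ca" signs it (the two commands
# shown above). $1 = CA directory, $2 = hostname used as Common Name.
issue_server_cert() {
    ca_dir="$1"; host="$2"
    openssl req -config "$ca_dir/openssl.cnf" -new -nodes -newkey rsa:2048 \
        -keyout "$ca_dir/$host.key" -out "$ca_dir/$host.csr" \
        -subj "/CN=$host" 2>/dev/null
    chmod 400 "$ca_dir/$host.key"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" \
        -in "$ca_dir/$host.csr" -out "$ca_dir/$host.crt" 2>/dev/null
    rm -f "$ca_dir/$host.csr"              # the request is not needed once signed
}

# Does the issued certificate chain to the CA? (exit 0 = yes)
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Certificates issued so far: one index.txt line per signed certificate.
issued_count() {
    wc -l < "$1/index.txt" | tr -d ' '
}

demo_dir=$(mktemp -d)
build_private_ca "$demo_dir"
issue_server_cert "$demo_dir" ldap.example.test
if verify_server_cert "$demo_dir" ldap.example.test; then echo "chain OK"; fi
openssl x509 -noout -subject -issuer -in "$demo_dir/ldap.example.test.crt"
```

The private directory is created mode 700 and both keys are left mode 400, matching the advice above that only the service owning a key may read it; index.txt grows by one line per signature, which is the "list of everything we have signed" the text mentions.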


Configuration

The LDAP server needs this in /etc/ldap/slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCACertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.key
referral ldaps://midominio.org


On the client, /etc/ldap/slapd.conf:


TLS_CACERT /etc/ssl/certs/cacert.pem


and in /etc/libnss-ldap.conf:


ssl start_tls
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
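
An added example, not part of the original post, that serves both the /etc/ldap.conf listed earlier (uri ldap://127.0.0.1/ with every tls_* option still commented out) and the client settings just above: a small POSIX shell audit of an nss_ldap/pam_ldap client file for its transport settings. It reads the same directives the PADL comments document (uri, ssl, tls_checkpeer, tls_cacertfile, tls_cacertdir, tls_ciphers) and reports when the bind goes over the network in the clear, when STARTTLS is on but the server certificate is never verified, and when the cipher string switches the SSLv2/SSLv3 aliases back on. The two sample files are constructed inside the script; the hostname ldap.example.test and the CA path are assumptions.

```shell
#!/bin/sh
# Added example: audit an nss_ldap/pam_ldap client file (/etc/ldap.conf,
# /etc/libnss-ldap.conf) for transport security. Sample files are constructed.
set -eu

# Print the value of directive $2 in file $1 (last uncommented occurrence
# wins; empty if absent). Commented lines start with '#', so $1 never matches.
ldap_conf_get() {
    awk -v key="$2" '
        $1 == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$1"
}

# Print one "WEAK:" line per finding; return 1 if anything was found, else 0.
audit_ldap_client_conf() {
    f="$1"; findings=0
    uri=$(ldap_conf_get "$f" uri)
    if [ -z "$uri" ]; then                  # older files use "host" instead of "uri"
        uri="ldap://$(ldap_conf_get "$f" host)/"
    fi
    ssl=$(ldap_conf_get "$f" ssl)
    tls_used=0
    case "$uri" in ldaps://*) tls_used=1 ;; esac
    case "$ssl" in start_tls|on) tls_used=1 ;; esac

    # 1. Plain ldap:// over the network sends bind passwords in the clear.
    case "$uri" in
        ldapi://*) ;;                       # Unix-domain socket, never leaves the host
        *) if [ "$tls_used" -eq 0 ]; then
               echo "WEAK: uri '$uri' without 'ssl start_tls' or an ldaps:// uri"
               findings=$((findings + 1))
           fi ;;
    esac

    if [ "$tls_used" -eq 1 ]; then
        # 2. Without tls_checkpeer yes any certificate is accepted: STARTTLS
        #    then gives encryption but no server authentication.
        if [ "$(ldap_conf_get "$f" tls_checkpeer)" != "yes" ]; then
            echo "WEAK: TLS enabled but tls_checkpeer is not 'yes'"
            findings=$((findings + 1))
        fi
        # 3. Verification needs a trust anchor (the CA certificate built above).
        if [ -z "$(ldap_conf_get "$f" tls_cacertfile)" ] &&
           [ -z "$(ldap_conf_get "$f" tls_cacertdir)" ]; then
            echo "WEAK: neither tls_cacertfile nor tls_cacertdir is set"
            findings=$((findings + 1))
        fi
    fi

    # 4. SSLv2/SSLv3 aliases in tls_ciphers (e.g. HIGH:MEDIUM:+SSLv2:RSA)
    #    re-enable broken protocol versions.
    old_ifs=$IFS; IFS=:
    for tok in $(ldap_conf_get "$f" tls_ciphers); do
        case "$tok" in
            SSLv2|SSLv3|+SSLv2|+SSLv3)
                echo "WEAK: tls_ciphers enables '$tok'"
                findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs

    [ "$findings" -eq 0 ]
}

# Two constructed client files: the first mirrors the settings shown above,
# the second is the same client with the server certificate actually verified.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: STARTTLS, no peer check, SSLv2 alias in the cipher string
base dc=example,dc=test
uri ldap://ldap.example.test/
ssl start_tls
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: same client, certificate verified against our CA
base dc=example,dc=test
uri ldap://ldap.example.test/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_ciphers HIGH:!aNULL:!MD5
EOF
}

demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for c in weak hardened; do
    echo "== $c.conf"
    if audit_ldap_client_conf "$demo_dir/$c.conf"; then echo "no findings"; fi
done
```

Run it against the real client file with `audit_ldap_client_conf /etc/ldap.conf`; it exits non-zero on any finding, so it can sit in a configuration check. The checks follow the PADL comments above: tls_checkpeer is what turns the CA file into an actual verification step, and the cipher-string tokens are the OpenSSL aliases named in the ldap.conf comments.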


It is essential that all key and certificate files are readable only by the ldap user:

chown ldap.ldap /etc/openldap/cacerts/slapd.*
chmod 400 /etc/openldap/cacerts/slapd.*

Parameters in /etc/openldap/slapd.conf.

Uncomment the TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile parameters, setting the paths to the certificate and key. Optionally, uncomment the referral directive to give the URI (Uniform Resource Identifier) of the parent directory service as ldaps instead of ldap.

For the changes to take effect, the ldap service must be restarted.


POSTFIX AND SPAMASSASSIN

Postfix is a widely used mail transport agent (MTA) on many popular Unix/Linux systems. Nowadays networks are overwhelmed by spam mail; fortunately there is a way to filter it with software such as spamassassin.
This article is not going to go through the postfix installation. Instead, you might refer to a previous article on how to run postfix with virtual domains.

1. Getting Started

By now you should have a running SMTP server running postfix. There are a couple of packages we need to install: spamassassin and its client spamc
$sudo apt-get install spamassassin spamc
The spamassassin package includes a daemon which can be called by user programs such as procmail, but it can also be integrated into a Mail Transport Agent such as postfix.

2. Using spamassassin as a standalone daemon

In this part of the tutorial we are going to make spamassassin run as its own user (the default on debian sarge is root), configure some settings and make postfix use spamassassin as an after-queue content filter, which means that the content is going to be filtered through spamassassin after postfix has dealt with the delivery.

2.1. Setting up spamassassin

Okie, so you installed spamassassin from the debian repository; with the default settings spamassassin runs as the root user and is not started. To avoid that, we are going to create a specific user and group for spamassassin. As the root user, run the following commands:
#groupadd -g 5001 spamd
#useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
#mkdir /var/lib/spamassassin
#chown spamd:spamd /var/lib/spamassassin
Now we need to change some settings in /etc/default/spamassassin and make sure you get the following values:
ENABLED=1
SAHOME="/var/lib/spamassassin/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"
PIDFILE="${SAHOME}spamd.pid"
What happens here is that we are going to run the spamd daemon as user spamd, make it use its own home dir (/var/lib/spamassassin/) and have it write its logs to /var/lib/spamassassin/spamd.log

2.2. Configuring spamassassin

Now we need to give spamassassin some rules. The default settings are quite fine, but you might tweak them a bit. So let's edit /etc/spamassassin/local.cf and make it look like this:
rewrite_header Subject [***** SPAM _SCORE_ *****]
required_score 2.0
#to be able to use _SCORE_ we need report_safe set to 0
#If this option is set to 0, incoming spam is only modified by adding some "X-Spam-" headers and no changes will be made to the body.
report_safe 0

# Enable the Bayes system
use_bayes 1
use_bayes_rules 1
# Enable Bayes auto-learning
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0
Here we set spamassassin's spamd default settings to rewrite the email subject to [***** SPAM _SCORE_ *****], where _SCORE_ is the score attributed to the email by spamassassin after running its different tests, but only if the actual score is greater than or equal to 2.0. So email with a score lower than 2 won't be modified.
To be able to use _SCORE_ in the rewrite_header directive, we need to set report_safe to 0.
In the next section, we tell spamassassin to use the Bayes classifier and to improve itself by auto-learning from the messages it analyses.
In the last section, we disable collaborative networks such as pyzor, razor2 and dcc. Those collaborative networks keep an up-to-date catalogue of known mail checksums to be recognized as spam. They might be interesting to use, but I'm not going to use them here as I found it took spamassassin long enough to deal with spam using only its rules.
Now, start spamd with the following command line:
#/etc/init.d/spamassassin start
We are almost done; we still need to configure postfix in such a way that it will pass all mail delivered to local mailboxes to spamassassin.

3. Make Postfix call Spamassassin

Now we need to tell postfix to use spamassassin. In our case, spamassassin will be invoked only once postfix has finished with the email.
To tell postfix to use spamassassin, we are going to edit /etc/postfix/master.cf and change the line:
smtp      inet  n       -       -       -       -       smtpd
to:
smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
and then, at the end of master.cf, add:
spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

And here we go, our spam filter is set up; we need to reload the postfix settings and everything should be ready.
#/etc/init.d/postfix reload

4. Conclusion

This is an easy-to-set-up alternative which filters spam using spamassassin and postfix.
There are actually other ways to do so (which I will cover later on), like using amavis for instance, which uses spamassassin without needing the spamassassin daemon (spamd).
The presented alternative will still send all emails to their recipient (which is something I actually prefer to rejecting and dumping email spotted as spam). One can then make up a rule using either a webmail or a mail client, filtering all emails with a subject like "[***** SPAM" to be moved to a specific place in the client, so you can easily move them away from your precious emails; but in the end they will still be there, so you won't have any emails discarded because they seemed to be spam when they actually were real, important mails.
In the end, this will behave a bit like famous mail providers such as yahoo, google, hotmail ... do: you will have "Bulk Mails" and "Mails".

Install Postfix with Dovecot and LDAP


Postfix Virtual Hosting With LDAP Backend With Dovecot As IMAP/POP3 Server On Ubuntu Hardy Heron 8.04 LTS
I've been running with a MySQL backend for virtual hosting for some time, but when I discovered Phamm and the added FTP feature (amongst others) I decided to switch to LDAP as backend for Postfix with virtual hosting.
In view of the fact that the installation and configuration guide of Phamm is lacking some basic information, it took me quite some time (including crying, swearing, getting depressed, ...) to put it all together and get it working. Long live google for finding hints or explanations for problems and configuration issues. Piecing it all together wasn't simple, so I would like to share how I configured it and got it all working together (as I like), and I think that it will benefit other users as well.
Software to be used in this how-to:
Postfix (logically), Postfix-ldap, Dovecot IMAP / POP3, Openldap, Apache2, php5-ldap, phpldapadmin and gnarwl.
Note: this how-to also uses dovecot deliver as the maildrop agent and dovecot sasl for smtp sasl authentication. For one, postfix maildrop doesn't support ldap and I didn't want to use courier (maildrop, authdaemon and sasl) if dovecot could do the trick and also provide sieve support.
Assumptions:
This how-to assumes the following configuration; if your installation differs from this, then replace the entries below with your actual configuration.
Mail delivery (mailboxes) path:
/home/vmail/domains
User vmail:
UID:1000, GID:1000
User postfix:
UID: 108, GID:108
Openldap base dn:
dc=example,dc=tld
Openldap admin account:
cn=admin,dc=example,dc=tld
Phamm search dn:
o=hosting,dc=example,dc=tld

Step 1: Install and configure an ubuntu server
I recommend following one of the guides below for this (I do not need to rewrite or reinvent what others did better than me):
The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server)
or my favourite:
The Perfect SpamSnake - Ubuntu 8.04 LTS
In both cases, skip the installation of the courier packages.
So let's get started:

Install postfix-ldap

$ apt-get install postfix-ldap
Leyendo lista de paquetes... Hecho Creando árbol de dependencias Leyendo la información de estado... Hecho Se instalarán los siguientes paquetes extras:
openssl openssl-blacklist postfix ssl-cert
Paquetes sugeridos:
ca-certificates openssl-doc mail-reader postfix-cdb postfix-mysql postfix-pcre postfix-pgsql procmail
 resolvconf sasl2-bin
Se instalarán los siguientes paquetes NUEVOS:
openssl openssl-blacklist postfix postfix-ldap ssl-cert
0 actualizados, 5 se instalarán, 0 para eliminar y 7 no actualizados. Necesito descargar 7938kB de archivos. After this operation, 16,3MB of additional disk space will be used. ¿Desea continuar [S/n]? s Des:1 http://es.archive.ubuntu.com hardy-updates/main openssl 0.9.8g-4ubuntu3.4 [385kB] Des:2 http://es.archive.ubuntu.com hardy-updates/main openssl-blacklist 0.3.3+0.4-0ubuntu0.8.04.3 [6333kB] Des:3 http://es.archive.ubuntu.com hardy-updates/main ssl-cert 1.0.14-0ubuntu2.1 [12,3kB] Des:4 http://es.archive.ubuntu.com hardy-updates/main postfix 2.5.1-2ubuntu1.2 [1160kB] Des:5 http://es.archive.ubuntu.com hardy-updates/main postfix-ldap 2.5.1-2ubuntu1.2 [46,9kB] Descargados 7938kB en 1min18s (101kB/s) Preconfigurando paquetes ... Seleccionando el paquete openssl previamente no seleccionado. (Leyendo la base de datos ... 16748 ficheros y directorios instalados actualmente.) Desempaquetando openssl (de .../openssl_0.9.8g-4ubuntu3.4_i386.deb) ... Seleccionando el paquete openssl-blacklist previamente no seleccionado. Desempaquetando openssl-blacklist (de .../openssl-blacklist_0.3.3+0.4-0ubuntu0.8.04.3_all.deb) ... Seleccionando el paquete ssl-cert previamente no seleccionado. Desempaquetando ssl-cert (de .../ssl-cert_1.0.14-0ubuntu2.1_all.deb) ... Seleccionando el paquete postfix previamente no seleccionado. Desempaquetando postfix (de .../postfix_2.5.1-2ubuntu1.2_i386.deb) ... Seleccionando el paquete postfix-ldap previamente no seleccionado. Desempaquetando postfix-ldap (de .../postfix-ldap_2.5.1-2ubuntu1.2_i386.deb) ... Configurando openssl (0.9.8g-4ubuntu3.4) ...
Configurando openssl-blacklist (0.3.3+0.4-0ubuntu0.8.04.3) ... Configurando ssl-cert (1.0.14-0ubuntu2.1) ...
Configurando postfix (2.5.1-2ubuntu1.2) ...
Adding group `postfix' (GID 115) ... Done.
Adding system user `postfix' (UID 106) ...
Adding new user `postfix' (UID 106) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding tcp map entry to /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID 116) ... Done.
setting myhostname: ldap1.blom.lan
setting alias maps
setting alias database
changing /etc/mailname
setting myorigin
setting destinations: blom.lan, ldap1.blom.lan, localhost.blom.lan, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
Postfix is now set up with a default configuration. If you need to make changes, edit /etc/postfix/main.cf (and others) as needed. To view Postfix configuration values, see postconf(1).
After modifying main.cf, be sure to run '/etc/init.d/postfix reload'.
Running newaliases
* Stopping Postfix Mail Transport Agent postfix
  ...done.
* Starting Postfix Mail Transport Agent postfix
  ...done.
Configurando postfix-ldap (2.5.1-2ubuntu1.2) ... Adding ldap map entry to /etc/postfix/dynamicmaps.cf
Processing triggers for libc6 ... ldconfig deferred processing now taking place

Install php5-ldap

$ apt-get install php5-ldap
Leyendo lista de paquetes... Hecho Creando árbol de dependencias Leyendo la información de estado... Hecho Se instalarán los siguientes paquetes extras:
apache2-mpm-prefork apache2-utils apache2.2-common libapache2-mod-php5 libapr1 libaprutil1 libpcre3 libpq5
 libxml2 php5-common
Paquetes sugeridos:
apache2-doc php-pear
Paquetes recomendados
xml-core
Se instalarán los siguientes paquetes NUEVOS:
apache2-mpm-prefork apache2-utils apache2.2-common libapache2-mod-php5 libapr1 libaprutil1 libpcre3 libpq5
 libxml2 php5-common php5-ldap
0 actualizados, 11 se instalarán, 0 para eliminar y 7 no actualizados. Necesito descargar 5391kB de archivos. After this operation, 13,9MB of additional disk space will be used. ¿Desea continuar [S/n]? s Des:1 http://es.archive.ubuntu.com hardy/main libapr1 1.2.11-1 [115kB] Des:2 http://es.archive.ubuntu.com hardy-updates/main libpq5 8.3.6-0ubuntu8.04 [287kB] Des:3 http://es.archive.ubuntu.com hardy/main libaprutil1 1.2.12+dfsg-3 [70,0kB] Des:4 http://es.archive.ubuntu.com hardy-updates/main apache2-utils 2.2.8-1ubuntu0.3 [139kB] Des:5 http://es.archive.ubuntu.com hardy-updates/main apache2.2-common 2.2.8-1ubuntu0.3 [754kB] Des:6 http://es.archive.ubuntu.com hardy-updates/main libpcre3 7.4-1ubuntu2.1 [206kB] Des:7 http://es.archive.ubuntu.com hardy-updates/main apache2-mpm-prefork 2.2.8-1ubuntu0.3 [230kB] Des:8 http://es.archive.ubuntu.com hardy-updates/main libxml2 2.6.31.dfsg-2ubuntu1.3 [786kB] Des:9 http://es.archive.ubuntu.com hardy-updates/main php5-common 5.2.4-2ubuntu5.5 [316kB] Des:10 http://es.archive.ubuntu.com hardy-updates/main libapache2-mod-php5 5.2.4-2ubuntu5.5 [2471kB] Des:11 http://es.archive.ubuntu.com hardy-updates/main php5-ldap 5.2.4-2ubuntu5.5 [18,1kB] Descargados 5391kB en 25s (210kB/s) Seleccionando el paquete libapr1 previamente no seleccionado. (Leyendo la base de datos ... 17014 ficheros y directorios instalados actualmente.) Desempaquetando libapr1 (de .../libapr1_1.2.11-1_i386.deb) ... Seleccionando el paquete libpq5 previamente no seleccionado. Desempaquetando libpq5 (de .../libpq5_8.3.6-0ubuntu8.04_i386.deb) ... Seleccionando el paquete libaprutil1 previamente no seleccionado. Desempaquetando libaprutil1 (de .../libaprutil1_1.2.12+dfsg-3_i386.deb) ... Seleccionando el paquete apache2-utils previamente no seleccionado. Desempaquetando apache2-utils (de .../apache2-utils_2.2.8-1ubuntu0.3_i386.deb) ... Seleccionando el paquete apache2.2-common previamente no seleccionado. 
Desempaquetando apache2.2-common (de .../apache2.2-common_2.2.8-1ubuntu0.3_i386.deb) ... Seleccionando el paquete libpcre3 previamente no seleccionado. Desempaquetando libpcre3 (de .../libpcre3_7.4-1ubuntu2.1_i386.deb) ... Seleccionando el paquete apache2-mpm-prefork previamente no seleccionado. Desempaquetando apache2-mpm-prefork (de .../apache2-mpm-prefork_2.2.8-1ubuntu0.3_i386.deb) ... Seleccionando el paquete libxml2 previamente no seleccionado. Desempaquetando libxml2 (de .../libxml2_2.6.31.dfsg-2ubuntu1.3_i386.deb) ... Seleccionando el paquete php5-common previamente no seleccionado. Desempaquetando php5-common (de .../php5-common_5.2.4-2ubuntu5.5_i386.deb) ... Seleccionando el paquete libapache2-mod-php5 previamente no seleccionado. Desempaquetando libapache2-mod-php5 (de .../libapache2-mod-php5_5.2.4-2ubuntu5.5_i386.deb) ... Seleccionando el paquete php5-ldap previamente no seleccionado. Desempaquetando php5-ldap (de .../php5-ldap_5.2.4-2ubuntu5.5_i386.deb) ... Configurando libapr1 (1.2.11-1) ...
Configurando libpq5 (8.3.6-0ubuntu8.04) ...
Configurando libaprutil1 (1.2.12+dfsg-3) ...
Configurando apache2-utils (2.2.8-1ubuntu0.3) ... Configurando apache2.2-common (2.2.8-1ubuntu0.3) ... Module alias installed; run /etc/init.d/apache2 force-reload to enable. Module autoindex installed; run /etc/init.d/apache2 force-reload to enable. Module dir installed; run /etc/init.d/apache2 force-reload to enable. Module env installed; run /etc/init.d/apache2 force-reload to enable. Module mime installed; run /etc/init.d/apache2 force-reload to enable. Module negotiation installed; run /etc/init.d/apache2 force-reload to enable. Module setenvif installed; run /etc/init.d/apache2 force-reload to enable. Module status installed; run /etc/init.d/apache2 force-reload to enable. Module auth_basic installed; run /etc/init.d/apache2 force-reload to enable. Module authz_default installed; run /etc/init.d/apache2 force-reload to enable. Module authz_user installed; run /etc/init.d/apache2 force-reload to enable. Module authz_groupfile installed; run /etc/init.d/apache2 force-reload to enable. Module authn_file installed; run /etc/init.d/apache2 force-reload to enable. Module authz_host installed; run /etc/init.d/apache2 force-reload to enable.
Configurando libpcre3 (7.4-1ubuntu2.1) ...
Configurando apache2-mpm-prefork (2.2.8-1ubuntu0.3) ...
* Starting web server apache2
  ...done.
Configurando libxml2 (2.6.31.dfsg-2ubuntu1.3) ...
Configurando php5-common (5.2.4-2ubuntu5.5) ... Configurando libapache2-mod-php5 (5.2.4-2ubuntu5.5) ...
Creating config file /etc/php5/apache2/php.ini with new version
* Reloading web server config apache2
  ...done.
Configurando php5-ldap (5.2.4-2ubuntu5.5) ...
Processing triggers for libc6 ... ldconfig deferred processing now taking place

Install OpenLDAP

$ apt-get install slapd ldap-utils migrationtools

Leyendo lista de paquetes... Hecho Creando árbol de dependencias Leyendo la información de estado... Hecho Se instalarán los siguientes paquetes extras: libdb4.2 libltdl3 libperl5.8 libslp1 odbcinst1debian1 unixodbc Paquetes sugeridos: openslp-doc slpd libct1 libmyodbc odbc-postgresql Se instalarán los siguientes paquetes NUEVOS: ldap-utils libdb4.2 libltdl3 libperl5.8 libslp1 migrationtools odbcinst1debian1 slapd unixodbc 0 actualizados, 9 se instalarán, 0 para eliminar y 7 no actualizados. Necesito descargar 3145kB de archivos. After this operation, 8040kB of additional disk space will be used. ¿Desea continuar [S/n]? s
It asks for the administrator password: 12345
and we confirm it: 12345
Des:1 http://es.archive.ubuntu.com hardy/main libdb4.2 4.2.52+dfsg-4 [400kB] Des:2 http://es.archive.ubuntu.com hardy/main libltdl3 1.5.26-1ubuntu1 [178kB] Des:3 http://es.archive.ubuntu.com hardy-updates/main libperl5.8 5.8.8-12ubuntu0.4 [535kB] Des:4 http://es.archive.ubuntu.com hardy/main libslp1 1.2.1-7.1 [50,1kB] Des:5 http://es.archive.ubuntu.com hardy/main odbcinst1debian1 2.2.11-16build1 [66,2kB] Des:6 http://es.archive.ubuntu.com hardy/main unixodbc 2.2.11-16build1 [289kB] Des:7 http://es.archive.ubuntu.com hardy-updates/main slapd 2.4.9-0ubuntu0.8.04.2 [1355kB] Des:8 http://es.archive.ubuntu.com hardy-updates/main ldap-utils 2.4.9-0ubuntu0.8.04.2 [246kB] Des:9 http://es.archive.ubuntu.com hardy/main migrationtools 47-3ubuntu2 [26,8kB] Descargados 3145kB en 5s (550kB/s) Preconfigurando paquetes ... Seleccionando el paquete libdb4.2 previamente no seleccionado. (Leyendo la base de datos ... 17627 ficheros y directorios instalados actualmente.) Desempaquetando libdb4.2 (de .../libdb4.2_4.2.52+dfsg-4_i386.deb) ... Seleccionando el paquete libltdl3 previamente no seleccionado. Desempaquetando libltdl3 (de .../libltdl3_1.5.26-1ubuntu1_i386.deb) ... Seleccionando el paquete libperl5.8 previamente no seleccionado. Desempaquetando libperl5.8 (de .../libperl5.8_5.8.8-12ubuntu0.4_i386.deb) ... Seleccionando el paquete libslp1 previamente no seleccionado. Desempaquetando libslp1 (de .../libslp1_1.2.1-7.1_i386.deb) ... Seleccionando el paquete odbcinst1debian1 previamente no seleccionado. Desempaquetando odbcinst1debian1 (de .../odbcinst1debian1_2.2.11-16build1_i386.deb) ... Seleccionando el paquete unixodbc previamente no seleccionado. Desempaquetando unixodbc (de .../unixodbc_2.2.11-16build1_i386.deb) ... Seleccionando el paquete slapd previamente no seleccionado. Desempaquetando slapd (de .../slapd_2.4.9-0ubuntu0.8.04.2_i386.deb) ... Seleccionando el paquete ldap-utils previamente no seleccionado. 
Desempaquetando ldap-utils (de .../ldap-utils_2.4.9-0ubuntu0.8.04.2_i386.deb) ... Seleccionando el paquete migrationtools previamente no seleccionado. Desempaquetando migrationtools (de .../migrationtools_47-3ubuntu2_all.deb) ... Configurando libdb4.2 (4.2.52+dfsg-4) ... Configurando libltdl3 (1.5.26-1ubuntu1) ...
Configurando libperl5.8 (5.8.8-12ubuntu0.4) ...
Configurando libslp1 (1.2.1-7.1) ...
Configurando odbcinst1debian1 (2.2.11-16build1) ...
Configurando unixodbc (2.2.11-16build1) ...
Configurando slapd (2.4.9-0ubuntu0.8.04.2) ...
Creating new user openldap... done.
Creating initial slapd configuration... done.
Creating initial LDAP directory... done.
Reloading AppArmor profiles : done. Starting OpenLDAP: slapd.
Configurando ldap-utils (2.4.9-0ubuntu0.8.04.2) ... Configurando migrationtools (47-3ubuntu2) ... Processing triggers for libc6 ... ldconfig deferred processing now taking place
Now configure LDAP:
$dpkg-reconfigure slapd

Omit OpenLDAP server configuration?
NO


DNS domain name
blom.lan


Organization name:
blom.lan


Administrator password:
12345
Password verification:
12345


Database backend to use: BDB


Do you want the database to be removed when slapd is purged?
NO


Move old database?
YES


Allow LDAPv2 protocol
NO

Stopping OpenLDAP: slapd. Moving old database directory to /var/backups: - directory unknown... done. Creating initial slapd configuration... done. Creating initial LDAP directory... done. Reloading AppArmor profiles : done. Starting OpenLDAP: slapd.

Install Apache and phpldapadmin

$ apt-get install apache2
Leyendo lista de paquetes... Hecho Creando árbol de dependencias Leyendo la información de estado... Hecho Se instalarán los siguientes paquetes NUEVOS:
apache2
0 actualizados, 1 se instalarán, 0 para eliminar y 7 no actualizados. Necesito descargar 44,6kB de archivos. After this operation, 102kB of additional disk space will be used. Des:1 http://es.archive.ubuntu.com hardy-updates/main apache2 2.2.8-1ubuntu0.3 [44,6kB] Descargados 44,6kB en 0s (83,2kB/s) Seleccionando el paquete apache2 previamente no seleccionado. (Leyendo la base de datos ... 17968 ficheros y directorios instalados actualmente.) Desempaquetando apache2 (de .../apache2_2.2.8-1ubuntu0.3_all.deb) ... Configurando apache2 (2.2.8-1ubuntu0.3) ...
$ apt-get install phpldapadmin
Leyendo lista de paquetes... Hecho Creando árbol de dependencias Leyendo la información de estado... Hecho Se instalarán los siguientes paquetes NUEVOS:
phpldapadmin
0 actualizados, 1 se instalarán, 0 para eliminar y 7 no actualizados. Necesito descargar 922kB de archivos. After this operation, 4805kB of additional disk space will be used. Des:1 http://es.archive.ubuntu.com hardy/universe phpldapadmin 1.1.0.4-2ubuntu1 [922kB] Descargados 922kB en 15s (60,2kB/s) Preconfigurando paquetes ... Seleccionando el paquete phpldapadmin previamente no seleccionado. (Leyendo la base de datos ... 17975 ficheros y directorios instalados actualmente.) Desempaquetando phpldapadmin (de .../phpldapadmin_1.1.0.4-2ubuntu1_all.deb) ... Configurando phpldapadmin (1.1.0.4-2ubuntu1) ...
* Restarting web server apache2
  ...done.

$vi /etc/apache2/httpd.conf
ServerName ldap1.blom.lan

Edit this line so that phpldapadmin works:
$vim /etc/php5/apache2/php.ini
memory_limit = 64M

$/etc/init.d/apache2 restart

* Restarting web server apache2
  ...done.

Import OpenLDAP schemas

$ cd /etc/ldap/schema
$ wget http://open.rhx.it/phamm/schema/ISPEnv2.schema
--17:58:53-- http://open.rhx.it/phamm/schema/ISPEnv2.schema
=> `ISPEnv2.schema' Connecting to 192.168.33.86:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 9,071 (8.9K) [text/plain] 100%[=======================================================================>] 9,071 --.--K/s 17:58:53 (75.96 KB/s) - `ISPEnv2.schema' saved [9071/9071]
$ wget http://open.rhx.it/phamm/schema/amavis.schema
--17:59:51-- http://open.rhx.it/phamm/schema/amavis.schema
=> `amavis.schema' Connecting to 192.168.33.86:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 24,405 (24K) [text/plain] 100%[=======================================================================>] 24,405 109.16K/s 17:59:52 (109.01 KB/s) - `amavis.schema' saved [24405/24405]
$ wget http://open.rhx.it/phamm/schema/dnsdomain2.schema
--18:00:46-- http://open.rhx.it/phamm/schema/dnsdomain2.schema
=> `dnsdomain2.schema' Connecting to 192.168.33.86:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 3,848 (3.8K) [text/plain] 100%[=======================================================================>] 3,848 --.--K/s 18:00:46 (198.35 KB/s) - `dnsdomain2.schema' saved [3848/3848]
$ wget http://open.rhx.it/phamm/schema/pureftpd.schema
--18:01:27-- http://open.rhx.it/phamm/schema/pureftpd.schema
=> `pureftpd.schema' Connecting to 192.168.33.86:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 2,474 (2.4K) [text/plain] 100%[=======================================================================>] 2,474 --.--K/s 18:01:27 (279.09 KB/s) - `pureftpd.schema' saved [2474/2474]
$ wget http://open.rhx.it/phamm/schema/radius.schema
--18:02:08-- http://open.rhx.it/phamm/schema/radius.schema
=> `radius.schema' Connecting to 192.168.33.86:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 13,259 (13K) [text/plain] 100%[=======================================================================>] 13,259 34.71K/s 18:02:08 (34.63 KB/s) - `radius.schema' saved [13259/13259]
$ wget http://open.rhx.it/phamm/schema/samba.schema
--18:02:54-- http://open.rhx.it/phamm/schema/samba.schema
=> `samba.schema' Connecting to 192.168.33.86:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 16,927 (17K) [text/plain] 100%[=======================================================================>] 16,927 104.62K/s 18:02:54 (103.97 KB/s) - `samba.schema' saved [16927/16927]
The schema directory now contains the following files:
$ ls -l
total 240
-rw-r--r-- 1 root root 24405 2007-12-21 15:01 amavis.schema
-rw-r--r-- 1 root root 2180 2008-08-05 22:21 collective.schema
-rw-r--r-- 1 root root 2084 2008-08-05 22:21 corba.schema
-rw-r--r-- 1 root root 21175 2008-08-05 22:21 core.ldif
-rw-r--r-- 1 root root 20346 2008-08-05 22:21 core.schema
-rw-r--r-- 1 root root 12089 2008-08-05 22:21 cosine.ldif
-rw-r--r-- 1 root root 14030 2008-08-05 22:21 cosine.schema
-rw-r--r-- 1 root root 3848 2007-12-21 15:01 dnsdomain2.schema
-rw-r--r-- 1 root root 10474 2008-08-05 22:21 duaconf.schema
-rw-r--r-- 1 root root 3378 2008-08-05 22:21 dyngroup.schema
-rw-r--r-- 1 root root 3571 2008-08-05 22:21 inetorgperson.ldif
-rw-r--r-- 1 root root 6360 2008-08-05 22:21 inetorgperson.schema
-rw-r--r-- 1 root root 9071 2007-12-21 15:01 ISPEnv2.schema
-rw-r--r-- 1 root root 3295 2008-08-05 22:21 java.schema
-rw-r--r-- 1 root root 2471 2008-08-05 22:21 misc.schema
-rw-r--r-- 1 root root 5996 2008-08-05 22:21 nadf.schema
-rw-r--r-- 1 root root 6889 2008-08-05 22:21 nis.ldif
-rw-r--r-- 1 root root 7723 2008-08-05 22:21 nis.schema
-rw-r--r-- 1 root root 3393 2008-08-05 22:21 openldap.ldif
-rw-r--r-- 1 root root 1602 2008-08-05 22:21 openldap.schema
-rw-r--r-- 1 root root 4678 2008-08-05 22:21 ppolicy.schema
-rw-r--r-- 1 root root 2474 2007-12-21 15:01 pureftpd.schema
-rw-r--r-- 1 root root 13259 2007-12-21 15:01 radius.schema
-rw-r--r-- 1 root root 3591 2008-08-05 22:21 README
-rw-r--r-- 1 root root 16927 2007-12-21 15:01 samba.schema

Download and extract phamm.schema (the tarball name must match in the wget and tar commands):
$cd /usr/src
$wget http://open.rhx.it/phamm/phamm-0.5.15.tar.gz
$tar xvzf phamm-0.5.15.tar.gz
Always check which version of Phamm is available for download; you can see it at http://www.phamm.org/download.php
$cd /etc/ldap/schema
$cp /usr/src/phamm-0.5.15/schema/phamm.schema .

Edit slapd.conf to include the schemas that Phamm needs:
$vi /etc/ldap/slapd.conf
...

include /etc/ldap/schema/ISPEnv2.schema
include /etc/ldap/schema/amavis.schema
include /etc/ldap/schema/pureftpd.schema
...
These schemas are only for mail and FTP. We can include other schemas needed for other functions, which we will see later.
Restart OpenLDAP so that the new schemas are loaded:
$/etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.


Configuration with phpldapadmin

Log in to phpldapadmin and create the organization.

Click on dc=blom,dc=lan.
Click on Create new object.
Click on Default.
On the next screen, find organization in the scroll box.
Click Create object. On the next screen, change to o(o) in the drop-down. Type the hosting name (ldap1) in the first field and click Create object.

Configure Postfix

To use Dovecot SASL we need the following:
$postconf -e "smtpd_sasl_type = dovecot"
$postconf -e "smtpd_sasl_path = private/auth"

To enable Dovecot as the delivery agent we need to run the following:
$postconf -e "mailbox_transport = dovecot"
$postconf -e "dovecot_destination_recipient_limit = 1"
$postconf -e "mailbox_command = /usr/lib/dovecot/deliver"

Now we configure the transports for delivery with Dovecot and gnarwl:
$vi /etc/postfix/master.cf
Insert the following (the flags= lines are continuation lines and must start with whitespace):
...
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
gnarwl    unix  -       n       n       -       -       pipe
  flags=F user=vmail argv=/usr/bin/gnarwl -a ${user}@${nexthop} -s ${sender}
...

To allow SASL-authenticated users to send mail through Postfix, add permit_sasl_authenticated to the smtpd_recipient_restrictions entry, then add the following LDAP configuration lines to main.cf:
$vi /etc/postfix/main.cf
...
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, ...
...
# Configure Postfix to work with LDAP
ldap_bind_dn = cn=admin,dc=blom,dc=lan
# the bind password must match the slapd admin password chosen in dpkg-reconfigure slapd
ldap_bind_pw = secret
ldap_search_base = o=ldap1,dc=blom,dc=lan
ldap_domain = dc=blom,dc=lan
ldap_server_host = localhost
ldap_server_port = 389
ldap_version = 3

# aliases
aliases_server_host = $ldap_server_host
aliases_search_base = $ldap_search_base
aliases_query_filter = (&(&(objectClass=VirtualMailAlias)(mail=%s))(accountActive=TRUE))
aliases_result_attribute = maildrop
aliases_bind = yes
aliases_cache = no
aliases_bind_dn = $ldap_bind_dn
aliases_bind_pw = $ldap_bind_pw
aliases_version = $ldap_version

# VirtualForward
virtualforward_server_host = $ldap_server_host
virtualforward_search_base = $ldap_search_base
virtualforward_query_filter = (&(&(objectClass=VirtualMailAccount)(mail=%s))(vacationActive=FALSE)(forwardActive=TRUE)(accountActive=TRUE)(delete=FALSE))
virtualforward_result_attribute = maildrop
virtualforward_bind = yes
virtualforward_cache = no
virtualforward_bind_dn = $ldap_bind_dn
virtualforward_bind_pw = $ldap_bind_pw
virtualforward_version = $ldap_version

# Accounts
accounts_server_host = $ldap_server_host
accounts_search_base = $ldap_search_base
accounts_query_filter = (&(&(objectClass=VirtualMailAccount)(mail=%s))(forwardActive=FALSE)(accountActive=TRUE)(delete=FALSE))
accounts_result_attribute = mailbox
accounts_cache = no
accounts_bind = yes
accounts_bind_dn = $ldap_bind_dn
accounts_bind_pw = $ldap_bind_pw
accounts_version = $ldap_version
accountsmap_server_host = $ldap_server_host
accountsmap_search_base = $ldap_search_base
accountsmap_query_filter = (&(&(objectClass=VirtualMailAccount)(mail=%s))(forwardActive=FALSE)(accountActive=TRUE)(delete=FALSE))
accountsmap_result_attribute = mail
accountsmap_cache = no
accountsmap_bind = yes
accountsmap_bind_dn = $ldap_bind_dn
accountsmap_bind_pw = $ldap_bind_pw
accountsmap_version = $ldap_version

# virtual quota
quota_server_host = $ldap_server_host
quota_search_base = $ldap_search_base
quota_query_filter = (&(&(objectClass=VirtualMailAccount)(mail=%s))(accountActive=TRUE)(delete=FALSE))
quota_result_attribute = quota
quota_cache = no
quota_bind = yes
quota_bind_dn = $ldap_bind_dn
quota_bind_pw = $ldap_bind_pw
quota_version = $ldap_version

# Mail to reply for gnarwl and mail to forward during vacation
recipient_bcc_maps = ldap:vfm
vfm_server_host = $ldap_server_host
vfm_search_base = $ldap_search_base
vfm_query_filter = (&(&(objectClass=VirtualMailAccount)(mail=%s))(vacationActive=TRUE)(forwardActive=FALSE)(accountActive=TRUE)(delete=FALSE))
vfm_result_attribute = mailAutoreply
vfm_cache = no
vfm_bind = yes
vfm_bind_dn = $ldap_bind_dn
vfm_bind_pw = $ldap_bind_pw
vfm_version = $ldap_version

# transport_maps
maildrop_destination_concurrency_limit = 2
maildrop_destination_recipient_limit = 1
gnarwl_destination_concurrency_limit = 1
gnarwl_destination_recipient_limit = 1
transport_maps = hash:/etc/postfix/transport, ldap:transport
mydestination = $transport_maps, localhost, $myhostname, localhost.$mydomain, $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:virtualforward, ldap:aliases, ldap:accountsmap

# virtual accounts for delivery
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = ldap:accounts
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
local_recipient_maps = proxy:unix:passwd.byname, $alias_maps, $virtual_mailbox_maps
...
Add the transport for gnarwl:
$ vi /etc/postfix/transport
...
.autoreply    :gnarwl
...
Build the transport db:
$postmap /etc/postfix/transport
This concludes the Postfix configuration. We will restart the services later.
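To see how the ldap: maps above partition a recipient address by the Phamm account flags (accountActive, forwardActive, vacationActive, delete), here is an added example that is not part of the how-to, of Phamm or of Postfix: it parses the query_filter strings and runs them over a few constructed directory entries, whose attribute values are assumptions modelled on the Phamm schema.

```python
"""Run the Postfix ldap: map filters from main.cf against sample entries.

Added example, not part of the how-to or of Phamm/Postfix. It parses the
filter subset the maps use (&, |, !, attr=value) with Postfix's %s expansion,
so you can see which map answers for a recipient before touching the live
directory. All entries below are constructed.
"""

# (query_filter, result_attribute) pairs, copied from the main.cf above.
MAPS = {
    "aliases": ("(&(&(objectClass=VirtualMailAlias)(mail=%s))(accountActive=TRUE))",
                "maildrop"),
    "virtualforward": ("(&(&(objectClass=VirtualMailAccount)(mail=%s))(vacationActive=FALSE)"
                       "(forwardActive=TRUE)(accountActive=TRUE)(delete=FALSE))", "maildrop"),
    "accounts": ("(&(&(objectClass=VirtualMailAccount)(mail=%s))(forwardActive=FALSE)"
                 "(accountActive=TRUE)(delete=FALSE))", "mailbox"),
    # same filter as accounts but returns the address itself: an active mailbox
    # resolves to itself in virtual_alias_maps, so alias expansion stops there
    "accountsmap": ("(&(&(objectClass=VirtualMailAccount)(mail=%s))(forwardActive=FALSE)"
                    "(accountActive=TRUE)(delete=FALSE))", "mail"),
    "quota": ("(&(&(objectClass=VirtualMailAccount)(mail=%s))(accountActive=TRUE)(delete=FALSE))",
              "quota"),
    "vfm": ("(&(&(objectClass=VirtualMailAccount)(mail=%s))(vacationActive=TRUE)"
            "(forwardActive=FALSE)(accountActive=TRUE)(delete=FALSE))", "mailAutoreply"),
}

def account(mail, mailbox, active="TRUE", forward="FALSE", vacation="FALSE", **extra):
    """Constructed VirtualMailAccount entry: attribute -> list of values."""
    entry = {"objectClass": ["VirtualMailAccount"], "mail": [mail], "mailbox": [mailbox],
             "accountActive": [active], "forwardActive": [forward],
             "vacationActive": [vacation], "delete": ["FALSE"]}
    entry.update({k: [v] for k, v in extra.items()})
    return entry

# Constructed content under the search base o=ldap1,dc=blom,dc=lan. These lookups
# only need read access, so a read-only bind DN is safer than the cn=admin DN.
ENTRIES = [
    account("alice@blom.lan", "blom.lan/alice/", quota="100000000"),
    account("bob@blom.lan", "blom.lan/bob/", forward="TRUE", maildrop="bob@example.net"),
    account("carol@blom.lan", "blom.lan/carol/", vacation="TRUE",
            mailAutoreply="carol@blom.lan.autoreply"),
    account("dave@blom.lan", "blom.lan/dave/", active="FALSE"),  # disabled account
    {"objectClass": ["VirtualMailAlias"], "mail": ["postmaster@blom.lan"],
     "maildrop": ["alice@blom.lan"], "accountActive": ["TRUE"]},
]

def _parse(s, i):
    """Recursive-descent parse of the filter that starts at s[i] == '('."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' list")
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError("malformed attribute=value item")
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1

def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Attribute names and the mail/boolean values used here compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)

def lookup(map_name, address):
    """One table lookup: expand %s, search, collect the result_attribute values.
    Real Postfix RFC 4515-escapes %s; the constructed addresses need no escaping."""
    filt, result_attr = MAPS[map_name]
    node = parse_filter(filt.replace("%s", address))
    return [v for e in ENTRIES if matches(node, e) for v in e.get(result_attr, [])]

def resolve(address):
    """Return {map: results} for every map that answers for the address."""
    found = {}
    for name in MAPS:
        results = lookup(name, address)
        if results:
            found[name] = results
    return found
```

A forwarded account answers only in virtualforward, a vacation account in accounts plus vfm, and a disabled account in no map at all.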

Install and configure Dovecot

This installs Dovecot with all the required files and creates the standard SSL certificates for IMAP and POP3.
$ apt-get install dovecot-imapd dovecot-pop3d
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Se instalarán los siguientes paquetes extras:
dovecot-common libmysqlclient15off mysql-common
Se instalarán los siguientes paquetes NUEVOS:
dovecot-common dovecot-imapd dovecot-pop3d libmysqlclient15off mysql-common
0 actualizados, 5 se instalarán, 0 para eliminar y 7 no actualizados.
Necesito descargar 4818kB de archivos.
After this operation, 10,0MB of additional disk space will be used.
¿Desea continuar [S/n]? s
Des:1 http://es.archive.ubuntu.com hardy-updates/main mysql-common 5.0.51a-3ubuntu5.4 [60,3kB]
Des:2 http://es.archive.ubuntu.com hardy-updates/main libmysqlclient15off 5.0.51a-3ubuntu5.4 [1837kB]
Des:3 http://es.archive.ubuntu.com hardy-updates/main dovecot-common 1:1.0.10-1ubuntu5.1 [1696kB]
Des:4 http://es.archive.ubuntu.com hardy-updates/main dovecot-imapd 1:1.0.10-1ubuntu5.1 [630kB]
Des:5 http://es.archive.ubuntu.com hardy-updates/main dovecot-pop3d 1:1.0.10-1ubuntu5.1 [596kB]
Descargados 4818kB en 28s (167kB/s)
Seleccionando el paquete mysql-common previamente no seleccionado.
(Leyendo la base de datos ...
18571 ficheros y directorios instalados actualmente.)
Desempaquetando mysql-common (de .../mysql-common_5.0.51a-3ubuntu5.4_all.deb) ...
Seleccionando el paquete libmysqlclient15off previamente no seleccionado.
Desempaquetando libmysqlclient15off (de .../libmysqlclient15off_5.0.51a-3ubuntu5.4_i386.deb) ...
Seleccionando el paquete dovecot-common previamente no seleccionado.
Desempaquetando dovecot-common (de .../dovecot-common_1%3a1.0.10-1ubuntu5.1_i386.deb) ...
Seleccionando el paquete dovecot-imapd previamente no seleccionado.
Desempaquetando dovecot-imapd (de .../dovecot-imapd_1%3a1.0.10-1ubuntu5.1_i386.deb) ...
Seleccionando el paquete dovecot-pop3d previamente no seleccionado.
Desempaquetando dovecot-pop3d (de .../dovecot-pop3d_1%3a1.0.10-1ubuntu5.1_i386.deb) ...
Configurando mysql-common (5.0.51a-3ubuntu5.4) ...
Configurando libmysqlclient15off (5.0.51a-3ubuntu5.4) ...

Configurando dovecot-common (1:1.0.10-1ubuntu5.1) ...

Creating config file /etc/dovecot/dovecot.conf with new version

Creating config file /etc/dovecot/dovecot-ldap.conf with new version

Creating config file /etc/dovecot/dovecot-sql.conf with new version
adduser: Warning: The home directory `/usr/lib/dovecot' does not belong to the user you are currently creating.
Adding user `dovecot' to group `mail' ...
Adding user dovecot to group mail
Done.
You already have ssl certs for dovecot.

Configurando dovecot-imapd (1:1.0.10-1ubuntu5.1) ...

* Restarting IMAP/POP3 mail server dovecot
  ...done.

Configurando dovecot-pop3d (1:1.0.10-1ubuntu5.1) ...

* Restarting IMAP/POP3 mail server dovecot
  ...done.

Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Back up the original configuration files.
$ mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.bck
$ mv /etc/dovecot/dovecot-ldap.conf /etc/dovecot/dovecot-ldap.conf.bck
Create new configuration files:
$ vi /etc/dovecot/dovecot.conf
auth_verbose = yes
mail_debug = yes

base_dir = /var/run/dovecot/
protocols = imap imaps pop3 pop3s
protocol lda {
postmaster_address = postmaster@example.tld
auth_socket_path = /var/run/dovecot/auth-master
log_path = /var/log/dovecot-deliver.log
info_log_path = /var/log/dovecot-deliver.log
}
listen = *
shutdown_clients = yes
log_path = /var/log/dovecot.log
info_log_path = /var/log/mail.log
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
disable_plaintext_auth = no
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
login_chroot = yes
login_user = postfix
login_process_per_connection = yes
login_processes_count = 2
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Welkom bij Webhabitat's Dovecot eMail Server.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
login_log_format = %$: %s
default_mail_env = maildir:/home/vmail/domains/%d/%u
first_valid_uid = 108 # REMEMBER THIS MUST BE CHANGED TO YOUR UID FOR "postfix" FROM /etc/passwd
pop3_uidl_format = %08Xu%08Xv
auth default {
mechanisms = PLAIN LOGIN
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = vmail
group = vmail
}
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
user = vmail
}

$ vi /etc/dovecot/dovecot-ldap.conf

hosts = localhost
auth_bind = yes
auth_bind_userdn = mail=%u,vd=%d,o=hosting,dc=example,dc=tld
ldap_version = 3
base = dc=example,dc=tld
dn = cn=admin,dc=example,dc=tld
dnpass = secret
deref = never
scope = subtree
user_filter = (&(objectClass=VirtualMailAccount)(accountActive=TRUE)(mail=%u))
pass_filter = (&(objectClass=VirtualMailAccount)(accountActive=TRUE)(mail=%u))
default_pass_scheme = MD5
# the uid of your vmail user
user_global_uid = 1000
# the gid of your vmail group
user_global_gid = 1000
Note: Remember to change example.tld to your own domain.tld (see the assumptions).
The following entry in dovecot.conf enables SASL:
socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0600
    user = vmail
    group = vmail
  }
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
user = vmail
}
The following entry in dovecot.conf provides session and logging for dovecot deliver:
protocol lda {
  postmaster_address = postmaster@example.tld
  auth_socket_path = /var/run/dovecot/auth-master
  log_path = /var/log/dovecot-deliver.log
  info_log_path = /var/log/dovecot-deliver.log
}
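The SASL socket, the deliver auth socket and the vmail uid are configured on both the Postfix and the Dovecot side and silently break when they drift apart. The following added check, not part of the how-to, reads the fragments shown above and reports any disagreement; queue_directory = /var/spool/postfix (the Debian default, which the page does not set) and the vmail user name are assumptions.

```python
"""Cross-check the Postfix/Dovecot glue: the SASL client socket, the deliver
auth socket and the vmail uid must agree in main.cf, dovecot.conf and
dovecot-ldap.conf.

Added example, not part of the how-to. The fragments below are constructed
from the values on this page; queue_directory is assumed to be the Debian
default /var/spool/postfix.
"""
from textwrap import dedent

MAIN_CF = dedent("""\
    queue_directory = /var/spool/postfix
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    mailbox_transport = dovecot
    virtual_uid_maps = static:1000
    virtual_gid_maps = static:1000
""")

DOVECOT_CONF = dedent("""\
    protocol lda {
      postmaster_address = postmaster@example.tld
      auth_socket_path = /var/run/dovecot/auth-master
    }
    first_valid_uid = 108 # the postfix uid from /etc/passwd
    auth default {
      mechanisms = PLAIN LOGIN
      socket listen {
        master {
          path = /var/run/dovecot/auth-master
          mode = 0600
          user = vmail
          group = vmail
        }
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
      user = vmail
    }
""")

DOVECOT_LDAP_CONF = "auth_bind = yes\nuser_global_uid = 1000\nuser_global_gid = 1000\n"

def parse_kv(text):
    """'key = value' files (main.cf, dovecot-ldap.conf); '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_dovecot(text):
    """Dovecot 1.x syntax: 'key = value' plus nested 'name [arg] { ... }' blocks.
    Block headers become dict keys, e.g. conf['auth default']['socket listen']."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            cur[line[:-1].strip()] = block
            stack.append(cur)
            cur = block
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in dovecot.conf")
    return root

def check_glue(main_cf, dovecot_conf, dovecot_ldap_conf, delivery_user="vmail"):
    """Return the list of mismatches; an empty list means the three files agree."""
    pf, dc, dl = parse_kv(main_cf), parse_dovecot(dovecot_conf), parse_kv(dovecot_ldap_conf)
    sockets = dc["auth default"]["socket listen"]
    findings = []
    # smtpd_sasl_path is relative to queue_directory because smtpd may run chrooted
    expected = pf.get("queue_directory", "/var/spool/postfix").rstrip("/") + "/" + pf["smtpd_sasl_path"]
    if pf.get("smtpd_sasl_type") != "dovecot" or sockets["client"]["path"] != expected:
        findings.append(f"smtpd_sasl_path resolves to {expected}, Dovecot client socket is "
                        f"{sockets['client']['path']} (smtpd_sasl_type={pf.get('smtpd_sasl_type')})")
    # deliver (protocol lda) does its userdb lookups through the master socket
    if dc["protocol lda"]["auth_socket_path"] != sockets["master"]["path"]:
        findings.append("protocol lda auth_socket_path differs from the master socket path")
    # the master socket hands out userdb data, so keep it private to the delivery user
    if sockets["master"]["user"] != delivery_user or sockets["master"]["mode"] != "0600":
        findings.append(f"master socket should be mode 0600 and owned by {delivery_user}")
    # Postfix delivers as virtual_uid_maps; Dovecot must serve that same uid and allow it
    pf_uid = int(pf["virtual_uid_maps"].split(":", 1)[1])
    dv_uid = int(dl["user_global_uid"])
    if pf_uid != dv_uid:
        findings.append(f"virtual_uid_maps uid {pf_uid} != user_global_uid {dv_uid}")
    if dv_uid < int(dc["first_valid_uid"]):
        findings.append(f"user_global_uid {dv_uid} is below first_valid_uid {dc['first_valid_uid']}")
    return findings
```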
At this moment I haven't gotten dovecot to use the quota entries provided by phamm; this will be an add-on in the (very, hopefully :) ) future.
This concludes the dovecot configuration.

Step 5: Installing and configuring phamm:
Since we downloaded and extracted the phamm archive before, we can directly begin with the installation and configuration of the phamm interface.
Note: I hacked the phamm configuration and .php script files to accomplish the following:
* Maildrop to postmaster@example.tld rather than postmaster, which is a unix account
* Maildrop for abuse to postmaster@example.tld rather than postmaster
* %domain% for the welcome message to reflect postmaster@domain.tld rather than postmaster
* cc for the welcome message to postmaster@example.tld, to have an idea of the number of mailboxes created by the virtual mail domain admins. ==> The default maps to postmaster, so your unix account (or rather root) would get the mails.
The other hacks just define other defaults:
* Setting smtp auth to default
* Setting the quota number for mail
* Setting the default home directory for ftp
* Setting the default quota for ftp
In any case I believe that these changes are an improvement rather than a customisation, so I will list them here before we go into the actual installation and configuration of phamm. Those who do not care about these features can skip ahead to the actual phamm configuration and installation.
My hacks:
The hacks are done on the source, not on the installed copy (see the installation later).
First we will do the welcome message part.
cd /usr/src/phammphamm-0.5.12
vi config.inc.php
Change (starting line 94):
// Welcome message
define ('SEND_WELCOME',0);
$welcome_msg = '../welcome_message.txt';
$welcome_subject = 'Welcome!';
$welcome_sender = 'root@localhost';
$welcome_bcc = 'root@localhost';
To
// Welcome message
define ('SEND_WELCOME',1);
$welcome_msg = '../welcome_message.txt';
$welcome_subject = 'Welcome!';
$welcome_sender = 'postmaster@%domain%';
$welcome_bcc = 'postmaster@example.tld';
This will send the welcome email from postmaster@domain.tld (domain.tld being the virtual mail domain) with a bcc to postmaster@example.tld, where example.tld is the technical domain.
Next we will set the defaults for email and domain creation:
vi plugins/mail.xml
Change (line 288):
$entry["maildrop"] = "postmaster";
To
$entry["maildrop"] = "postmaster@".$domain_new;
And also (line 307) from:
$entry_abuse["maildrop"] = "postmaster";
To
$entry_abuse["maildrop"] = "postmaster@".$domain_new;
OK, these were my custom hacks; now let's go to the installation and configuration of phamm.
mkdir /yourwwwroot/phamm
cp -R * /yourwwwroot/phamm/.
chown -R www-data:www-data /yourwwwroot/phamm
cd /yourwwwroot/phamm
rm -R examples
rm -R doc
rm -R DTD
rm -R schema
This removes files that are not needed in the www directory. Note that config.inc.php holds the LDAP bind password, so after the chown make sure it is readable by www-data only, not by everyone.
Now we will configure phamm for actual use.
vi config.inc.php
Change the LDAP connection parameters to fit your actual configuration.
// *============================*
// *=== LDAP Server Settings ===*
// *============================*
// The server address (IP or FQDN)
define ('LDAP_HOST_NAME','127.0.0.1');
// The protocol version [2,3]
define ('LDAP_PROTOCOL_VERSION','3');
// The server port
define ('LDAP_PORT','389');
// The container
define ('SUFFIX','dc=example,dc=tld');
// The admin bind dn (could be rootdn)
define ('BINDDN','cn=admin,dc=example,dc=tld');
// The Phamm container
define ('LDAP_BASE','o=hosting,dc=example,dc=tld');
Enable the ftp plugin (line 172) by removing the //
And on line 215 change CRYPT to MD5, so that phamm writes userPassword in the same {MD5} scheme that dovecot-ldap.conf above expects (default_pass_scheme = MD5) and that the rest of this setup uses. Keep in mind that {MD5} is unsalted: two accounts with the same password get the same userPassword value, and anyone able to read the attribute can brute-force weak passwords offline. If all consumers of userPassword support it, a salted scheme such as {SSHA} is the safer choice.
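The dovecot-ldap.conf above (default_pass_scheme = MD5) and this phamm setting (CRYPT to MD5) both select the {MD5} userPassword scheme. The following is an added example, not code from the page, phamm or dovecot: it builds userPassword values in {MD5} and in the salted {SSHA} scheme, in the wire formats slappasswd(8) produces, and verifies a password against either the way slapd does on a simple bind. The sample passwords are constructed for the example, so you can compare what phamm writes (ldapsearch userPassword) against what this code produces.

```python
# Added example: not code from the page, phamm or dovecot. Builds and verifies
# OpenLDAP userPassword values in the unsalted {MD5} scheme this setup selects
# and in the salted {SSHA} scheme, to show what the salt buys you.
# Wire formats as produced by slappasswd(8):
#   {MD5}   base64( md5(password) )
#   {SSHA}  base64( sha1(password + salt) + salt )   with a 4-byte random salt
# Sample passwords used with these functions are constructed for the example.
import base64
import binascii
import hashlib
import hmac
import os
from typing import Iterable, Optional


def md5_userpassword(password: str) -> str:
    """Unsalted {MD5}: the same password always yields the same attribute value."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: a fresh random salt makes every stored value unique."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} userPassword value.

    Recomputes the hash with the stored salt (if any) and compares in constant
    time. Cleartext values and unknown schemes are rejected, never compared.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    pw = password.encode("utf-8")
    if scheme.upper() == "MD5":
        expected, actual = hashlib.md5(pw).digest(), raw
    elif scheme.upper() == "SSHA":
        actual, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        expected = hashlib.sha1(pw + salt).digest()
    else:
        return False
    return hmac.compare_digest(expected, actual)


def distinct_md5_values(passwords: Iterable[str]) -> int:
    """Number of distinct {MD5} values a set of passwords produces.

    A count lower than the number of users means shared passwords are visible
    to anyone who can read userPassword; {SSHA} never reveals that.
    """
    return len({md5_userpassword(p) for p in passwords})


def distinct_ssha_values(passwords: Iterable[str]) -> int:
    """Same count under {SSHA}: always equal to the number of passwords given."""
    return len({ssha_userpassword(p) for p in passwords})
```

md5_userpassword("secret") gives {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==, which is what slappasswd -h {MD5} -s secret prints, so a value read back from the directory can be checked against this function directly. Note that with auth_bind = yes dovecot never sees these values; slapd verifies them, which is why the scheme must be one slapd understands.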
Since the transport maildrop: is hardcoded in phamm, we need to change it in order to use dovecot deliver.
vi plugins/mail.xml
Replace each maildrop: with dovecot: (do not forget the colon). Normally the transport settings in postfix's main.cf (which we added before) would apply, but the per-account transport attribute that phamm writes, and that postfix looks up over LDAP, overrides them and selects maildrop.
This has to be done on line 62. It replaces maildrop with dovecot deliver.
That's it for the configuration.
You can edit plugins/mail.xml to change the defaults for smtp and quota; modify them to your needs.
You can edit plugins/ftp.xml to change the defaults for the ftp (base) directory and quota; modify them to your needs.
OK we're almost there.
Now execute the following commands:
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
Next browse to http://yourdomain.tld/phamm and log in with the account admin and your openldap password.
Add the email domain, next add a mailbox and you should be up and running.
Use the following command to see if there are any errors:
tail -f /var/log/mail.log
Hey, we're up and running.
Well, almost: one last thing to do, if everything works, is to add the ACL for phamm to openldap so that domain admins can administer their domains and users can change their passwords and/or vacation and forward settings.
vi /etc/ldap/slapd.conf
Comment out the following entries:
# The admin dn has full write access, everyone else
# can read everything.
#access to *
#        by dn="cn=admin,dc=example,dc=tld" write
#        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=tld" write
#        by dnattr=owner write
And add the following above them. slapd evaluates access directives in order and applies the first one whose target matches, so these must come before any generic access to * rule (change the DNs if your configuration differs from the assumptions):
# acl specific for phamm
# Copyright (c) 2005 Alessandro De Zorzi, Mirko Grava
# http://phamm.rhx.it/
#
# Permission is granted to copy, distribute and/or modify this document
# under the terms of the GNU Free Documentation License, Version 1.2
# or any later version published by the Free Software Foundation;
# A copy of the license in DOCS.LICENSE file.

# First of all
# acl for pdns
access to dn.regex="^(.+,)?cn=([^,]+),ou=dns,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
access to dn.regex="^(.+,)?dc=([^,]+),ou=dns,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
access to dn.exact="ou=dns,dc=example,dc=tld"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read

# now mail service
# account must edit his password, spam level, forward, vacation, his name
# postmaster with editAccounts=FALSE do the same thing for his domain
# postmaster with editAccounts=TRUE can add account/alias and edit also amavisBypassVirusChecks, quota and smtpAuth
# vadmin could do the same as postmaster with editAccounts=TRUE for some domains
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/editAccounts & [TRUE]" write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
        by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write
access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/editAccounts & [TRUE]" write
        by * none
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous read
        by set="user/editAccounts & [TRUE]" write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=FTPQuotaMBytes,FTPStatus,FTPQuotaFiles,uid,otherPath
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous read
        by self read
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
        by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=uidNumber,gidNumber,createMaildir,vdHome,mailbox,otherTransport
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/vd & [$1]" read
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$2]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by set="user/editAccounts & [FALSE]" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth
access to dn.regex=".+,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
Restart slapd; if you don't get errors, the ACL is in place (slaptest -f /etc/ldap/slapd.conf checks the file first without touching the running server).
/etc/init.d/slapd restart
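Before testing through the web interface it helps to see, offline, who the password ACL above actually lets write what. The following is an added example, not part of the page or of phamm: a small model of how slapd evaluates that one access directive (first matching "by" clause wins, implicit "by * none" at the end, rootdn bypasses ACLs entirely). It implements only the "by" forms the ACL uses (dn, self, anonymous, dn.exact,expand and set="user/vd & [$1]"), compares DNs as lowercased strings, and works on a constructed mini-directory; the entry DNs and the vadmin entry are assumptions. The authoritative check is slapacl(8) against the real slapd.conf.

```python
# Added example, not from the page or phamm: an offline model of one slapd
# access directive (the phamm password ACL) to see who gets what access.
# Simplifications: one directive only, plain lowercase DN comparison, and a
# constructed in-memory directory. Use slapacl(8) for the real thing.
import re
from typing import Dict, List, Optional

# Default Ubuntu slapd.conf rootdn: slapd skips ACL evaluation for it entirely.
ROOTDN = "cn=admin,dc=example,dc=tld"

# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed entries (assumptions). The vadmin entry carries a vd attribute
# listing the domains it may manage, which is what set="user/vd & [$1]" reads.
ALICE = "mail=alice@example.tld,vd=example.tld,o=hosting,dc=example,dc=tld"
BOB = "mail=bob@other.tld,vd=other.tld,o=hosting,dc=example,dc=tld"
PM_EXAMPLE = "cn=postmaster,vd=example.tld,o=hosting,dc=example,dc=tld"
PM_OTHER = "cn=postmaster,vd=other.tld,o=hosting,dc=example,dc=tld"
VADMIN = "cn=vadmin,ou=admin,dc=example,dc=tld"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALICE: {"mail": ["alice@example.tld"]},
    BOB: {"mail": ["bob@other.tld"]},
    PM_EXAMPLE: {"cn": ["postmaster"]},
    PM_OTHER: {"cn": ["postmaster"]},
    VADMIN: {"vd": ["example.tld"]},
}

# The page's password ACL, transcribed as (who-kind, argument, level), in order.
PASSWORD_ACL = {
    "target": r".+,vd=([^,]+),o=hosting,dc=example,dc=tld$",
    "attrs": {"userpassword", "sambantpassword", "sambalmpassword"},
    "by": [
        ("dn", "cn=admin,dc=example,dc=tld", "write"),
        ("self", None, "write"),
        ("anonymous", None, "auth"),
        ("dn.exact,expand", "cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld", "write"),
        ("set", ("vd", "$1"), "write"),  # set="user/vd & [$1]"
    ],
}


def _expand(template: str, match: "re.Match[str]") -> str:
    """Replace slapd-style $N placeholders with the target DN's regex captures."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), template)


def access_level(acl: dict, bind_dn: Optional[str], target_dn: str, attr: str) -> Optional[str]:
    """Level granted by the first matching 'by' clause; None if the directive does not apply."""
    if attr.lower() not in acl["attrs"]:
        return None
    match = re.search(acl["target"], target_dn, flags=re.IGNORECASE)
    if not match:
        return None  # slapd would move on to the next access directive
    bind = bind_dn.lower() if bind_dn else None
    target = target_dn.lower()
    for kind, arg, level in acl["by"]:
        if kind == "dn" and bind == arg.lower():
            return level
        if kind == "self" and bind is not None and bind == target:
            return level
        if kind == "anonymous" and bind is None:
            return level
        if kind == "dn.exact,expand" and bind == _expand(arg, match).lower():
            return level
        if kind == "set" and bind is not None:
            attr_name, placeholder = arg
            values = [v.lower() for v in DIRECTORY.get(bind, {}).get(attr_name, [])]
            if _expand(placeholder, match).lower() in values:
                return level
    return "none"  # no clause matched: the implicit "by * none"


def allowed(bind_dn: Optional[str], target_dn: str, attr: str, wanted: str) -> bool:
    """Would bind_dn get `wanted` access to attr on target_dn under PASSWORD_ACL?"""
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return True  # rootdn bypasses ACLs: why a dedicated bind DN matters
    level = access_level(PASSWORD_ACL, bind_dn, target_dn, attr)
    if level is None:
        return False  # not decided here; a later directive might grant it
    return LEVELS.index(level) >= LEVELS.index(wanted)
```

With these entries the postmaster of example.tld can write alice's password but gets nothing at all on bob's entry under vd=other.tld, a user can change only her own password, an anonymous bind gets auth (enough to bind, not to read), and the rootdn is never restricted. On the server the same question is answered by slapacl, e.g. slapacl -f /etc/ldap/slapd.conf -D "cn=postmaster,vd=example.tld,o=hosting,dc=example,dc=tld" -b "mail=alice@example.tld,vd=example.tld,o=hosting,dc=example,dc=tld" userPassword/write.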
To test the ACL, log in to phamm using as uid/pwd the credentials of the virtual mail domain you created (e.g. uid example.tld and its password).
If you can log in and add/change/delete mail accounts, the ACL is OK.
Step 6: install and configure gnarwl
Well, after the last pages you're in for a surprise. If you thought that configuring everything before was difficult, you're in for a treat.
Let's install gnarwl:
apt-get install gnarwl
Now let's configure gnarwl.
First we're going to back up the original configuration file and replace it with a new one.
mv /etc/gnarwl.conf /etc/gnarwl.conf.bck
Now we create the new conf file:
vi /etc/gnarwl.conf
And insert the following:
map_sender $sender
map_receiver $recepient
map_subject $subject
map_field $begin vacationStart
map_field $end vacationEnd
map_field $fullname cn
map_field $deputy vacationForward
map_field $reply mail
server localhost
port 389
scope sub
login cn=admin,dc=example,dc=tld
password secret
protocol 0
base dc=example,dc=tld
queryfilter (&(mailAutoreply=$recepient)(vacationActive=TRUE))
result vacationInfo
blockfiles /var/lib/gnarwl/block/
umask 0644
blockexpire 48
mta /usr/sbin/sendmail -F $recepient -t $sender
maxreceivers 64
maxheader 512
charset ISO8859-1
badheaders /var/lib/gnarwl/badheaders.db
blacklist /var/lib/gnarwl/blacklist.db
forceheader /var/lib/gnarwl/header.txt
forcefooter /var/lib/gnarwl/footer.txt
recvheader To Cc
loglevel 3
Change the defaults to your actual configuration. The login/password pair above is the LDAP admin password in clear text, and gnarwl only searches the directory (its state lives in the blockfiles), so a read-only bind DN is enough here; either way, keep /etc/gnarwl.conf readable only by the vmail user it runs as.
Last but not least, execute the following command to make gnarwl work:
chown -R vmail:vmail /var/lib/gnarwl/
Well, that's it. You should now have postfix, dovecot and gnarwl working with an LDAP backend and Phamm as the management interface.
For additional configuration see the respective sites of the software developers to further tune or adapt this to your requirements and needs.




Replicating the LDAP DB on 2 servers

I have the PDC and the BDC set up as follows in slapd.conf

On the PDC:
This is a single continuous line: $vim /etc/ldap/slapd.conf
replica host=192.168.2.12:389 binddn="cn=admin,dc=pdc,dc=ovmc" credentials=Aing5a bindmethod=simple

On the BDC:

$vim /etc/ldap/slapd.conf
updatedn "cn=admin,dc=pdc,dc=ovmc"
updateref ldap://ip_or_hostname_of_the_PDC

I use admin as the user; others use Manager, it is the same. I did not need to create a specific user for replication: the same user that administers the LDAP tree is enough. If you want to apply security, just apply access control lists (ACLs) in the slapd.conf of the PDC.
Two things to keep in mind: slapd does not evaluate ACLs for the rootdn, so if cn=admin is the rootdn (as it is in a default Ubuntu slapd.conf) those ACLs only take effect if replication binds with a separate DN; and the credentials= value is stored in clear text, so slapd.conf must not be world-readable.

This type of replication is called "slurpd".
slurpd and the replica directive were removed in OpenLDAP 2.4; on releases that ship 2.4, syncrepl is the only option.

Replication happens in under a second: when I add a user on the PDC and quickly go to a console on the BDC, running getent passwd already shows the newly added user.

Another way to replicate is with "Syncrepl", but I have not tried that method.
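For the syncrepl alternative mentioned above (and required on OpenLDAP 2.4, where slurpd is gone), the two slapd.conf fragments above look like this. Added example, not from the page: it assumes the PDC is reachable at 192.168.2.11 (the page never gives its address), a dedicated replication entry cn=replicator,dc=pdc,dc=ovmc that is not the rootdn so that ACLs apply to it, and the Debian/Ubuntu layout where overlays are loadable modules.

```conf
### Provider (PDC), /etc/ldap/slapd.conf
# overlays are modules under /usr/lib/ldap on Debian/Ubuntu
moduleload      syncprov.la

# ... inside the "database" section for dc=pdc,dc=ovmc ...
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# consumers search on these operational attributes; index them
index           entryCSN,entryUUID eq

# assumed: cn=replicator,dc=pdc,dc=ovmc is an ordinary entry, not the rootdn.
# It must read the whole tree, passwords included, so this goes before the
# usual "access to attrs=userPassword ... by * none" line; "break" lets
# everyone else fall through to the following directives.
access to *
        by dn.exact="cn=replicator,dc=pdc,dc=ovmc" read
        by * break

### Consumer (BDC, 192.168.2.12), /etc/ldap/slapd.conf
# ... inside the database section ...
syncrepl        rid=001
                provider=ldap://192.168.2.11:389
                type=refreshAndPersist
                retry="60 10 300 +"
                searchbase="dc=pdc,dc=ovmc"
                bindmethod=simple
                binddn="cn=replicator,dc=pdc,dc=ovmc"
                credentials=ReplicationPassword
                attrs="*,+"
# writes that reach the consumer are referred to the provider
updateref       ldap://192.168.2.11
```

The provider address and the replicator password are placeholders; as with the slurpd version, the credentials sit in clear text, so slapd.conf stays mode 0640 root:openldap. To confirm the consumer is in sync, read contextCSN on both servers (ldapsearch -x -H ldap://host -b "dc=pdc,dc=ovmc" -s base contextCSN): the values match when replication is caught up.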
---


LDAP v2.0

Install Ubuntu Server 9.04 with only openssh selected in the options
Log in to the system and start working
$ apt-get update
$ apt-get upgrade
$ apt-get install vim-nox
$ apt-get install heimdal-kdc
In "Kerberos servers for the domain" I have not entered anything, because I did not know what to put
$ apt-get install ldap-utils
$ apt-get install libnss-ldap
LDAP server Uniform Resource Identifier:
ldap://correo.blom.lan
Distinguished name of the search base:
dc=blom,dc=lan
LDAP version to use:
3
Make local root Database admin:
YES
Does the LDAP database require login?:
NO
LDAP account for root:
cn=admin,dc=blom,dc=lan
LDAP root account password:
sistemas
(libnss-ldap writes this password to /etc/ldap.secret; that file must stay mode 0600 and owned by root)
$ apt-get install libpam-cracklib
$ apt-get install libpam-foreground
$ apt-get install libpam-ldap
$ apt-get install libpam-modules
$ apt-get install migrationtools
$ apt-get install nfs-common
$ apt-get install nfs-kernel-server
$ apt-get install phpldapadmin
$ apt-get install samba
$ apt-get install samba-common
$ apt-get install samba-doc
$ apt-get install slapd
Administrator password for the LDAP directory
sistemas
$ apt-get install smbclient
$ apt-get install smbldap-tools
Once the packages are installed we have to modify the configuration files
This guide contains what I have learned and combined from multiple tutorials; if you want a complete tutorial you can visit the following URL: http://ubuntuforums.org/showthread.php?t=640760
$ vi /etc/hostname
correo.blom.lan
$ vi /etc/hosts
127.0.0.1 localhost
192.168.33.188 correo.blom.lan correo


# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Ubuntu installed
Create the directory where LDAP will be installed and where the data will live
$ mkdir /ldaphome
$ mkdir /ldap_data
If we keep the default directory for the LDAP installation, there is no need to create the ldap_data directory
Install postfix
$ apt-get install postfix mailx
General type of mail configuration
Internet site
System mail name:
correo.blom.lan
Installing LDAP in the default directory
$ apt-get install slapd ldap-utils migrationtools
$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration?
NO
DNS domain name
blom.lan
Organization name:
blom.lan
Database backend to use:
BDB
Do you want the database to be removed when slapd is purged?
NO
Move old database?
YES
Administrator password:
sistemas
Confirm password:
sistemas
Allow LDAPv2 protocol?
NO


Get root permission
sudo bash
Edit /etc/hosts file
vim /etc/hosts
update to:
127.0.0.1 localhost
127.0.1.1 pdc pdc.example.local
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Update /etc/hostname file
vim /etc/hostname
update to:
pdc.example.local
Install needed packages
apt-get install slapd ldap-utils samba smbldap-tools samba-doc
During the installation you might be prompted to set the openLDAP admin password; just enter one you like.
Update openLDAP
dpkg-reconfigure slapd
Settings:
Omit OpenLDAP server configuration? No
DNS domain name: example.local
Name of your organization: example.local
Admin password: (enter the one from the last step)
Confirm password: (enter it again)
OK
Database backend to use: BDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
Copy samba.schema to the openLDAP schema folder
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
Edit /etc/ldap/slapd.conf
vim /etc/ldap/slapd.conf
Add
include /etc/ldap/schema/samba.schema
Update
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
In this step you might see "access to attribute"; change it to attrs. The reason for adding the Samba attributes here is that the NT and LM hashes are password-equivalent (they can be used directly in pass-the-hash attacks), so they need the same "by * none" protection as userPassword. Check the file with slaptest -f /etc/ldap/slapd.conf before restarting.
Restart openLDAP
/etc/init.d/slapd restart
Copy required files
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
gzip -d /etc/smbldap-tools/smbldap.conf.gz
Get the domain SID
net getlocalsid
Edit smbldap.conf
vim /etc/smbldap-tools/smbldap.conf
Update
SID="(copy from the last step)"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="IDEALX.ORG"
All lines are already present; you just have to update them.
Edit the smbldap_bind.conf file
vim /etc/smbldap-tools/smbldap_bind.conf
Update
slaveDN="cn=admin,dc=example,dc=local"
slavePw="(your openLDAP password)"
masterDN="cn=admin,dc=example,dc=local"
masterPw="(your openLDAP password)"
All lines are already present; you just have to update them.
Set file permissions (the file holds the LDAP admin password in clear text)
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Populate the openLDAP server
smbldap-populate
You might be prompted for the openLDAP password; just enter the one you set.
Edit the /etc/samba/smb.conf file
vim /etc/samba/smb.conf
Update
workgroup = EXAMPLE
security = user
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no
invalid users = root
domain logons = yes
Add
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
If root is not your manager account, add another line:
admin users = USER_NAME
Restart samba
/etc/init.d/samba restart
Set the openLDAP password for samba (it is stored in secrets.tdb, so it never has to go into smb.conf)
smbpasswd -w (your openLDAP password)
Until here, you are pretty much done.
Here is how to add users; you can use text mode or a GUI like phpldapadmin.
Text Mode:
Add user
smbldap-useradd -a -m USER_NAME
useradd -g GROUP USER_NAME
smbldap-passwd USER_NAME
Add machine account
smbldap-useradd -a -m MACHINE_NAME$
useradd -g GROUP -d /dev/null -s /dev/null MACHINE_NAME$
Notice there is a $ sign after the machine name.
Install GUI Mode:
apt-get install apache2 phpldapadmin
Edit /etc/apache2/httpd.conf
vim /etc/apache2/httpd.conf
Add
ServerName pdc.example.local
Restart apache
/etc/init.d/apache2 restart
Copy phpldapadmin to the apache www directory
cp -R /usr/share/phpldapadmin/ /var/www/phpldapadmin
GUI Mode is really simple: just open the browser and go to http://localhost/phpldapadmin/ . Log in with the username cn=admin,dc=example,dc=local and your openLDAP password. Then you can add user or machine accounts through the menu on the left. To add a machine account, click "Create new entry here" under "ou=Computers" and select "Samba3 Machine".
After all these procedures, you can join your Windows client to the domain. Right click on "My Computer" -> Properties -> Computer Name -> either "Network ID" or "Change...".
If you have any question, I will try to answer you when I'm free. But since I am new to this too, my answer will be very limited. I have tried this tutorial myself on several computers, so I am pretty sure it works unless I missed something. There are lots of settings you need to study yourself, since this is the easiest way of setting up, so I do not want to include them; for example, Samba's netlogon and share settings in smb.conf.
