Poniżej znajdują się przykładowe pliki konfiguracyjne niektórych usług podłączonych do LDAP omawianych na kursie.
ldap_servers: ldapi:// ldap_bind_dn: uid=saslauthd,ou=System,dc=example,dc=com ldap_password: haslo ldap_search_base: dc=example,dc=com ldap_mech: SIMPLE ldap_auth_method: bind
BASE dc=example,dc=com URI ldapi:// TLS_CACERTDIR /etc/ssl/certs/ TLS_REQCERT never
uri ldapi:// binddn uid=nssproxy,ou=System,dc=example,dc=com bindpw secret rootbinddn uid=remoteroot,dc=System,dc=example,dc=com base dc=example,dc=com scope sub pam_password exop
uid nslcd gid nslcd uri ldapi:// base dc=example,dc=com ldap_version 3 binddn uid=nssproxy,ou=System,dc=example,dc=com bindpw secret scope sub
# (...) auth default { mechanisms = plain login passdb ldap { args = /etc/dovecot/dovecot-ldap.conf } # to pobieramy od razu przy sprawdzaniu hasła userdb prefetch { } # dla serwerów SMTP (Postfix/Exim) socket listen { client { path = /var/run/dovecot/auth-client group = sasl mode = 0660 } } } # (...)
W Dovecot 2.x konfiguracja jest podobna, tylko rozmieszczona w osobnych plikach, należy przejrzeć 10-auth.conf (includy na końcu), auth-ldap.conf.ext, 10-master.conf (zamiast "socket listen" będzie "unix_listener").
uris = ldapi:// dn = uid=dovecot,ou=System,dc=example,dc=com dnpass = haslo auth_bind = yes ldap_version = 3 base = dc=example,dc=com scope = subtree pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# SASL - podłączenie do Dovecota smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client # Aliasy w LDAP alias_maps = ..., ldap:/etc/postfix/aliases-ldap.cf
Aliasy użytkownika trzymane w atrybucie mail (klasa inetOrgPerson).
server_host = ldapi:// bind = yes bind_dn = uid=postfix,ou=System,dc=example,dc=com bind_pw = haslo version = 3 search_base = dc=example,dc=com query_filter = (|(mail=%s@example.con)(mail=%s)) result_attribute = uid
# (...) hide ldap_default_servers = /var/run/ldapi # (...) begin routers # (...) # Aliasy - podobnie jak w Postfix user_aliases: driver = redirect allow_fail allow_defer data = ${lookup ldapm {ldapi:///dc=example,dc=com?uid?sub?(|(mail=${quote_ldap: $local_part})(mail=${quote_ldap: $local_part}@${quote_ldap_dn: $domain}))}} user = Debian-exim file_transport = address_file pipe_transport = address_pipe # (...) # Uwierzytelnianie - podłączenie do Dovecot begin authenticators PLAIN: driver = dovecot server_set_id = $auth1 server_socket = /var/run/dovecot/auth-client # done by dovecot server_advertise_condition = ${if def:tls_cipher } LOGIN: driver = dovecot server_set_id = $auth1 server_socket = /var/run/dovecot/auth-client # done by dovecot server_advertise_condition = ${if def:tls_cipher }
Konfiguracja PDC opartego o LDAP (część mniej istotnych opcji pominięta):
[global] workgroup = EXAMPLE security = user encrypt passwords = yes obey pam restrictions = yes local master = yes os level = 33 domain master = yes preferred master = yes domain logons = yes passdb backend = ldapsam:"ldapi:// ldaps://ldap2.example.com" idmap backend = ldapsam:"ldapi:// ldaps://ldap2.example.com" ldap admin dn = uid=samba,ou=System,dc=example,dc=com ldap suffix = dc=example,dc=com ldap machine suffix = ou=Hosts ldap user suffix = ou=People ldap group suffix = ou=Group ldap idmap suffix = ou=Idmap ldap passwd sync = only ldap delete dn = yes ; ldapsam:trusted = yes ; ldapsam:editposix = yes ; add user script = /usr/sbin/smbldap-useradd '%u' delete user script = /usr/sbin/smbldap-userdel '%u' ; add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' ; delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' ; set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' ; add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}' ; delete group script = /usr/sbin/smbldap-userdel '%g' add machine script = /usr/sbin/smbldap-useradd -W -d /dev/null -g Machines -c 'Machine Account' -s /bin/false '%u' # for renaming machines # rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
Wybrane opcje z /etc/smbldap-tools/smbldap.conf
slaveLDAP="127.0.0.1" slavePort="389" masterLDAP="127.0.0.1" masterPort="389" ldapTLS="0" verify="none" suffix="dc=example,dc=com" usersdn="ou=Users,${suffix}" computersdn="ou=Machines,${suffix}" groupsdn="ou=Groups,${suffix}" idmapdn="ou=Idmap,${suffix}" sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" scope="sub" hash_encrypt="SSHA" crypt_salt_format="%s"