
Pro ubuntu server administration


DOCUMENT INFORMATION

Basic information

Format
Pages: 409
Size: 5.08 MB

Content

Pro Ubuntu Server Administration
Sander van Vugt

Copyright © 2009 by Sander van Vugt. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-13 (pbk): 978-1-4302-1622-3
ISBN-13 (electronic): 978-1-4302-1623-0

Printed and bound in the United States of America.

Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Lead Editor: Frank Pohlmann
Technical Reviewer: Samuel Cuella
Editorial Board: Clay Andres, Steve Anglin, Mark Beckner, Ewan Buckingham, Tony Campbell, Gary Cornell, Jonathan Gennick, Michelle Lowman, Matthew Moodie, Jeffrey Pepper, Frank Pohlmann, Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh
Project Manager: Beth Christmas
Copy Editor: Bill McManus
Associate Production Director: Kari Brooks-Copony
Production Editor: Elizabeth Berry
Compositor: Linda Weidemann
Proofreader: Liz Welch
Indexer: Becky Hornyak
Artist: April Milne
Cover Designer: Kurt Krames
Manufacturing Director: Tom Debolski

Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax 201-348-4505, e-mail orders-ny

Chapter 8: Configuring OpenLDAP (excerpt)

Listing 8-4 (continued). /etc/ldap/slapd.conf

    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend         hdb

    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend        <other>

    # Specific Directives for database 1, of type hdb:
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    database        hdb

    # The base of your directory in database 1
    suffix          "dc=sandervanvugt,dc=nl"

    # rootdn directive for specifying a superuser on the database. This is needed
    # for syncrepl.
    rootdn          "cn=admin,dc=sandervanvugt,dc=nl"

    # Where the database file are physically stored for database 1
    directory       "/var/lib/ldap"

    # The dbconfig settings are used to generate a DB_CONFIG file the first
    # time slapd starts.  They do NOT override existing an existing DB_CONFIG
    # file.  You should therefore change these settings in DB_CONFIG directly
    # or remove DB_CONFIG and restart slapd for changes to take effect.

    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0

    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057
    # for more information.

    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    dbconfig set_lk_max_locks 1500
    # Number of lockers
    dbconfig set_lk_max_lockers 1500

    # Indexing options for database 1
    index           objectClass eq

    # Save the time that the entry gets modified, for database 1
    lastmod         on

    # Checkpoint the BerkeleyDB database periodically in case of system
    # failure and to speed slapd shutdown.
    checkpoint      512 30

    # Where to store the replica logs for database 1
    replogfile      /var/lib/ldap/replog

    # The userPassword by default can be changed
    # by the entry owning it if they are authenticated.
    # Others should not be able to see it, except the
    # admin entry below
    # These access lines apply to database 1 only
    access to attrs=userPassword,shadowLastChange
            by dn="cn=admin,dc=sandervanvugt,dc=nl" write
            by anonymous auth
            by self write
            by * none

    # Ensure read access to the base for things like
    # supportedSASLMechanisms.  Without this you may
    # have problems with SASL not knowing what
    # mechanisms are available and the like.
    # Note that this is covered by the 'access to *'
    # ACL below too but if you change that as people
    # are wont to do you'll still need this if you
    # want SASL (and possible other things) to work
    # happily.
    access to dn.base="" by * read

    # The admin dn has full write access, everyone else
    # can read everything.
    access to *
            by dn="cn=admin,dc=sandervanvugt,dc=nl" write
            by * read

    # For Netscape Roaming support, each user gets a roaming
    # profile for which they have write access to
    #access to dn=".*,ou=Roaming,o=morsnet"
    #        by dn="cn=admin,dc=sandervanvugt,dc=nl" write
    #        by dnattr=owner write

    # Specific Directives for database 2, of type 'other' (can be hdb too):
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    #database        <other>

    # The base of your directory for database 2
    #suffix          "dc=debian,dc=org"

As you can see, there are many comment lines that explain what happens in the slapd.conf file. Let's go through the most important sections of it.

Configuring Schema and Process Files

First, there are four lines that refer to the schema files that your LDAP server is going to use. You may notice that not all the files in /etc/ldap/schema are referred to here. If there are additional files that you want to include in the schema, make sure to create an include line for all of them.

Next, there are two lines that refer to status files your LDAP server maintains. Both files are in /var/run/slapd. The slapd.pid file maintains the current PID of your slapd server, and the slapd.args file contains a list of arguments that were passed to the slapd server when it was started. slapd.args may be useful for troubleshooting if your slapd server doesn't behave the way it should. For example, your slapd server might be missing a required argument, in which case you can check slapd.args to find out which arguments were used when starting the slapd server. Listing 8-5 shows what the file should look like on a default installation of OpenLDAP.

Listing 8-5. /var/run/slapd/slapd.args Shows with Which Parameters slapd Was Started

    root

The following log levels can be set in slapd.conf:

    BER      Prints out all packets sent and received.
    filter   Gives information about search filter processing.
    config   Displays information about configuration file processing.
    ACL      Shows what happens with regard to access control list processing. More information about LDAP ACLs is provided later in this section.
    stats    Shows information about connections, LDAP operations, and results. If you want to enable logging, this is the recommended log level.
    stats2   Shows what stats log entries were sent.
    shell    Prints communication with shell back end.
    parse    Gives information about LDAP entry parsing. This is useful if you need to debug why certain information cannot be provided by the LDAP server.
    sync     Provides information about LDAP synchronization.
    none     Disables logging completely.

Following the log lines in slapd.conf are the modulepath and moduleload lines, which you can use to load additional modules (which I do not cover in this book). The next two lines in slapd.conf are of interest with regard to the performance of your LDAP server:

    sizelimit 500
    tool-threads 1

sizelimit 500 limits the number of entries returned for a search operation. If you want to export your LDAP database to LDIF files, this limit can be really annoying, because it doesn't allow all the records in your database to be shown. Make sure to increase it as needed to get a complete list of all records. tool-threads 1 tells slapd to run one thread only, in which case you can't benefit from a multicore environment if you have one. On a heavily used LDAP server that runs on a multicore architecture, increase the number of threads to the number of cores that you want to use simultaneously.

After the two lines that specify which database to use, the suffix line specifies the suffix your LDAP server should use. This is the base location in the hierarchical Directory where slapd will expect to see the entries in the database. By default, it has the name of the DNS container your server is in.

Next are a few settings that relate to the database that LDAP maintains. First, dbconfig set_cachesize 0 2097152 0 defines the size of the LDAP cache, with a maximum of 2 MB. This is rather limited, and will cause performance problems if you are using a large LDAP database. If your server has enough RAM, make sure to update it. For instance, use the following to set it to 16 MB:

    dbconfig set_cachesize 0 16777216 0

Next, there are three lines that relate to locking:

    dbconfig set_lk_max_objects 1500
    dbconfig set_lk_max_locks 1500
    dbconfig set_lk_max_lockers 1500

These three lines set the number of objects that can be locked, or opened, simultaneously to a maximum of 1500. If that causes any problems, make sure to increase these parameters to something higher. The exact number you need depends on the use of your LDAP server.

Next in slapd.conf is another important performance-related parameter, index objectClass eq. This option ensures that an index is created based on the object names in use. If you need to find objects based on a specific attribute on a regular basis, make sure to add an index entry for that attribute. For instance, index cn eq would add an index based on the common name of objects.

Configuring ACLs

The last relevant part of the slapd.conf configuration file defines some ACLs. These specify which users can do what on your LDAP database. For instance, the line access to dn.base="" by * read makes sure that anyone can read entries from the LDAP database. This default setting makes your LDAP server usable, but it also poses a potential security risk. To avoid that, make sure to configure your firewall in a way that only authorized users can connect to your LDAP server.

Using ACLs in LDAP is not too hard. Each ACL has the following form:

    access to <what kind and range of data> by <whoever> <is allowed access>

In this example, first you specify the kind and range of data, which represents the objects you are giving rights to. For example, you can use an asterisk (*) here to allow access to everything, or use something like ou=People,dc=sandervanvugt,dc=nl to limit access. Second, you have to indicate who gets the access. You do this by using the LDAP name of the object you are granting access to. Third, you need to specify what type of access you are granting. The following types of access are available:

  • none: No access is allowed.
  • auth: The specified user can use the object for authentication only.
  • compare: The specified user can compare property values of the object with a specific search string.
  • search: The specified user can search for information.
  • read: The specified user can read all data.
  • write: The specified user can modify all data.

When specifying to which data you want to give access, you can grant object-level access or attribute-level access. For instance, the following example gives user accounts rights to modify some properties of their account:

    access to dn=".*,dc=sandervanvugt,dc=nl" attrs=cn,sn,description,gecos
            by self write

At this point, make sure that your LDAP server is up and running. Just by installing it, you have already ensured that it is started automatically when you boot your server. To make sure all new settings are used as well, use the following command to restart the slapd server:

    /etc/init.d/slapd restart

Adding Information to the LDAP Database

Now that the LDAP server is up and running, it's time to add some information to the database. The way to do that is by creating an LDIF file. In this LDIF file, you define not only the objects that you want to create, but also all the properties these objects should have. Generally, that means a lot of typing to create something like a simple user. Listing 8-7 shows a sample configuration file in which a user is created.

Listing 8-7. To Add Objects to the Database, Create and Import an LDIF File

    root
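The ACL rules above (first matching "access to" wins, first matching "by" inside it decides, and each access level implies the lower ones) are easy to get wrong when editing slapd.conf, so the following added example, which is not code from the book or from OpenLDAP, models them in Python and checks the chapter's three default ACLs against the requests that matter: can an anonymous client bind with a password but not read it, can a user change only their own password, and does the "access to *" rule still stop anonymous writes. It supports only the target and "by" forms that appear in the chapter, treats a request that matches no directive as denied (an assumption of this model), and the user DNs uid=sander and uid=linda are constructed for the example.

```python
"""Toy evaluator for slapd.conf 'access to ... by ...' directives (constructed
example, not the book's or OpenLDAP's code).  Models the first-match rule and
the cumulative levels none < auth < compare < search < read < write for the
clause forms shown in the chapter."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Target:
    dn_base: Optional[str] = None            # dn.base="..."  exact entry DN
    dn_regex: Optional[re.Pattern] = None    # dn="regex"     regex over the DN
    attrs: set = field(default_factory=set)  # attrs=a,b      only these attributes

    def matches(self, entry_dn: str, attr: Optional[str]) -> bool:
        if self.dn_base is not None and entry_dn.lower() != self.dn_base.lower():
            return False
        if self.dn_regex is not None and not self.dn_regex.fullmatch(entry_dn):
            return False
        # an attrs= target never matches a request for the entry as a whole
        if self.attrs and (attr is None or attr.lower() not in self.attrs):
            return False
        return True


def parse_acl(line: str):
    """Return (Target, [(who, level), ...]); shlex keeps dn="a,b" as one token."""
    tokens = shlex.split(line)
    if tokens[:2] != ["access", "to"] or "by" not in tokens:
        raise ValueError("not an access directive: " + line)
    first_by = tokens.index("by")
    target = Target()
    for spec in tokens[2:first_by]:
        key, _, value = spec.partition("=")
        if spec == "*":
            continue                                   # whole directory
        elif key == "dn.base":
            target.dn_base = value
        elif key == "dn":
            target.dn_regex = re.compile(value, re.IGNORECASE)
        elif key == "attrs":
            target.attrs = {a.lower() for a in value.split(",")}
        else:
            raise ValueError("unsupported target clause: " + spec)
    rest, clauses = tokens[first_by:], []
    for i in range(0, len(rest), 3):                   # 'by <who> <level>'
        by, who, level = rest[i:i + 3]
        if by != "by" or level not in LEVELS:
            raise ValueError("malformed by clause: " + " ".join(rest[i:i + 3]))
        clauses.append((who, level))
    return target, clauses


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    # requester is the bound DN, or None for an anonymous connection
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError("unsupported by clause: " + who)


def allowed(acls, requester, entry_dn, attr, wanted) -> bool:
    # No matching directive, or a match with no matching 'by', is a denial
    # (assumption for this model: default deny once ACLs are present).
    for target, clauses in acls:
        if not target.matches(entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False


# The three live ACLs from the chapter's default slapd.conf, continuation
# lines joined; the user DNs are constructed for this example.
DEFAULT_ACLS = [parse_acl(line) for line in (
    'access to attrs=userPassword,shadowLastChange '
    'by dn="cn=admin,dc=sandervanvugt,dc=nl" write by anonymous auth by self write by * none',
    'access to dn.base="" by * read',
    'access to * by dn="cn=admin,dc=sandervanvugt,dc=nl" write by * read',
)]
ADMIN = "cn=admin,dc=sandervanvugt,dc=nl"
SANDER = "uid=sander,ou=People,dc=sandervanvugt,dc=nl"
LINDA = "uid=linda,ou=People,dc=sandervanvugt,dc=nl"


def check_defaults() -> dict:
    """Decisions worth confirming before exposing the server."""
    return {
        "anon_bind_with_password":  allowed(DEFAULT_ACLS, None, SANDER, "userPassword", "auth"),
        "anon_read_password":       allowed(DEFAULT_ACLS, None, SANDER, "userPassword", "read"),
        "self_change_password":     allowed(DEFAULT_ACLS, SANDER, SANDER, "userPassword", "write"),
        "other_user_read_password": allowed(DEFAULT_ACLS, LINDA, SANDER, "userPassword", "read"),
        "anon_read_root_dse":       allowed(DEFAULT_ACLS, None, "", None, "read"),
        "anon_read_cn":             allowed(DEFAULT_ACLS, None, SANDER, "cn", "read"),
        "admin_compare_password":   allowed(DEFAULT_ACLS, ADMIN, SANDER, "userPassword", "compare"),
    }
```

Calling check_defaults() shows why the order of the directives matters: the userPassword rule must come before "access to *", otherwise the "by * read" clause of the broader rule would be the first match and expose password hashes to everyone. The attribute-level example from the chapter (access to dn=".*,dc=sandervanvugt,dc=nl" attrs=cn,sn,description,gecos by self write) parses with the same function, and because it lists only those attributes it grants nothing on userPassword.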

Posted: 19/04/2019, 13:40
