
[smbldap-tools - Part 1] Overview and installation

By the editorial team, secuobs.com
18/03/2007


Summary: Setting up a Samba primary domain controller backed by an LDAP directory reached over TLS. Installation of OpenLDAP, Samba, the smbldap-tools, and TLS support for LDAP.



This document details the installation of a Samba server providing roaming authentication on a Windows domain for Windows XP Pro workstations, using only free software, including the smbldap-tools, with a TLS connection to an LDAP directory holding the POSIX, Windows and Samba account information.

Password: secuobs
Domain: secuobs
LDAP server: secuobs.com
LDAP base: secuobs.com
Domain SID: S-3-4-22-314929480-5475688708-357638684437678
OS: Debian

Preliminary installation:

# apt-get install openssl ldap-utils smbldap-tools libnss-ldap libpam-ldap

For Samba:

# mkdir /home/src
# cd /home/src/
# apt-get install dpkg-dev
# apt-get source samba
# apt-get build-dep samba
# cd samba-*


Add "--with-ldapsam" to the build options:

# vi debian/rules

Then build the Samba packages and go back to the source directory:

# auto-apt run dpkg-buildpackage -d
# cd ..

For OpenLDAP:

# apt-get source slapd
# apt-get build-dep slapd
# cd openldap-*


Check that "--with-tls --enable-ldbm" are present in the options:

# vi debian/configure.options

# auto-apt run dpkg-buildpackage -d
# cd ..
# dpkg -i *.deb


Add to /etc/default/slapd (the -4 option makes slapd listen on IPv4 only):

SLAPD_OPTIONS="-4"

Then run the following commands:

# apt-get install samba-doc
# gunzip -c /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema


Generating the password hash:

# slappasswd
New password:
Re-enter new password:
{SSHA}559t9tW76JaJJKKLL8bTAMza1+79tWGY
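The string slappasswd prints is a salted SHA-1 hash, and it helps to know exactly what it contains before storing it in the directory. The script below is an added example, not part of the original article: it rebuilds the {SSHA} format with openssl, checks a password against a stored hash, and runs that check against the hash shown in the session above. The fixed salt ab12 and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the secuobs article: what the {SSHA} value printed by
# slappasswd contains and how to check a password against it. The scheme is
#   "{SSHA}" + base64( SHA-1(password || salt) || salt )
# where slappasswd draws a random 4-byte salt. Here the salt is passed in so
# the output is reproducible. Needs the openssl command-line tool.
set -e

# ssha_hash PASSWORD SALT: prints the {SSHA} string for PASSWORD with SALT.
ssha_hash() {
  { printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } \
    | openssl base64 -A | sed 's/^/{SSHA}/'
}

# ssha_verify PASSWORD HASH: exit status 0 if PASSWORD matches HASH, 1 if not.
# The decoded bytes never pass through a shell variable (a random binary salt
# may contain NUL or newline bytes), so the digests are compared as hex.
ssha_verify() {
  tmp=$(mktemp)
  printf '%s' "${2#\{SSHA\}}" | openssl base64 -d -A > "$tmp"
  # bytes 0-19 are the stored SHA-1, everything from byte 20 on is the salt
  stored=$(dd if="$tmp" bs=1 count=20 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  computed=$( { printf '%s' "$1"; dd if="$tmp" bs=1 skip=20 2>/dev/null; } \
    | openssl dgst -sha1 -binary | od -An -v -tx1 | tr -d ' \n')
  rm -f "$tmp"
  [ -n "$stored" ] && [ "$stored" = "$computed" ]
}

# Stand-alone run: hash the article's password with a fixed salt, check it,
# then check the hash printed by the slappasswd session in the article.
h=$(ssha_hash secuobs 'ab12')
echo "hash: $h"
if ssha_verify secuobs "$h"; then echo "secuobs -> match"; else echo "secuobs -> no match"; fi
if ssha_verify secuobs '{SSHA}559t9tW76JaJJKKLL8bTAMza1+79tWGY'; then
  echo "article hash: matches secuobs"
else
  echo "article hash: does not match secuobs"
fi
```

Call ssha_verify inside an if or an || list, since the script runs under set -e. The same decode-and-recompute logic is what slapd does on a simple bind, which is why the directory must only ever be reached over TLS: the hash protects the stored secret, not the password sent on the wire.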


Adding TLS support:

/etc/ldap/ca.conf:

default_ca = default_CA
[ default_CA ]
dir = . # Where everything is kept
certs = ./certs # Where the issued certs are kept
new_certs_dir = ./datas/ca.db.certs # Where the issued certs are kept
database = ./datas/ca.db.index # database index file
serial = ./datas/ca.db.serial # The current serial number
RANDFILE = ./datas/random-bits # private random number file
certificate = ./certs/ca.pem # The CA certificate
private_key = ./private/ca.key # The private key
default_days = 730
default_crl_days = 30
default_md = md5
preserve = no
x509_extensions = server_cert
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_cert ]
#subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
basicConstraints = critical,CA:false


Certificates:

# cd /etc/ldap/
# mkdir certs csr datas keys private datas/ca.db.certs
# touch private/ca.key datas/ca.db.serial
# cp /dev/null datas/ca.db.index
# openssl rand 1024 > datas/random-bits
# openssl genrsa -des3 -out private/ca.key 1024 -rand datas/random-bits
Generating RSA private key, 1024 bit long modulus
.............................++++++
...................................................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key:
Verifying - Enter pass phrase for private/ca.key:
# chmod 600 private/ca.key
# openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.pem
Enter pass phrase for private/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:FRANCE
Locality Name (eg, city) []:PARIS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:secuobs
Organizational Unit Name (eg, section) []:LDAP
Common Name (eg, YOUR name) []:secuobs.com
Email Address []:ldap@secuobs.com
# echo '01' > datas/ca.db.serial
# openssl genrsa -out keys/secuobs.com.key 1024
# openssl req -new -key keys/secuobs.com.key -out csr/secuobs.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:FRANCE
Locality Name (eg, city) []:PARIS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:secuobs
Organizational Unit Name (eg, section) []:LDAP
Common Name (eg, YOUR name) []:secuobs.com
Email Address []:ldap@secuobs.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -config ca.conf -out certs/secuobs.com.txt -infiles csr/secuobs.com.csr
Using configuration from ca.conf
Enter pass phrase for ./private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'FRANCE'
localityName :PRINTABLE:'PARIS'
organizationName :PRINTABLE:'secuobs'
organizationalUnitName:PRINTABLE:'LDAP'
commonName :PRINTABLE:'secuobs.com'
emailAddress :IA5STRING:'ldap@secuobs.com'
Certificate is to be certified until Jul 6 02:55:07 2007 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# perl -n -e 'm/BEGIN CERTIFICATE/ && do {$seen=1}; $seen && print;' < certs/secuobs.com.txt > certs/secuobs.com.pem
# mv certs/ca.pem ./
# mv certs/secuobs.com.pem ./
# mv keys/secuobs.com.key ./
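As an added example that is not part of the article, here is the same CA workflow scripted end to end so it runs non-interactively and can be checked: it writes the ca.conf layout above into a throwaway directory, creates the CA, issues the server certificate, extracts the PEM block exactly as the perl one-liner does, and then verifies the result with openssl verify. It departs from the 2007 settings where they are no longer safe: sha256 instead of md5 for default_md, 2048-bit keys instead of 1024, and a ca_cert section so the CA certificate carries the subjectKeyIdentifier that "authorityKeyIdentifier = keyid:always" requires. The CA key is left unencrypted only so the script needs no passphrase prompt; for a real CA the article's -des3 passphrase-protected key is the right choice. The working directory, the CN values and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the secuobs article: the CA procedure above, run
# non-interactively into a throwaway directory so the result can be checked.
# Deliberate differences from the article: 2048-bit keys and SHA-256 instead
# of 1024-bit RSA and MD5, an unencrypted CA key (fine for a throwaway CA,
# not for a real one), and a ca_cert extension section so the CA certificate
# carries the subjectKeyIdentifier that keyid:always needs. Needs openssl.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# write_ca_conf DIR: the article's ca.conf layout, paths relative to DIR.
write_ca_conf() {
  cat > "$1/ca.conf" <<'EOF'
default_ca = default_CA
[ default_CA ]
certs = ./certs
new_certs_dir = ./datas/ca.db.certs
database = ./datas/ca.db.index
serial = ./datas/ca.db.serial
certificate = ./certs/ca.pem
private_key = ./private/ca.key
default_days = 730
default_crl_days = 30
default_md = sha256
preserve = no
x509_extensions = server_cert
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = critical,CA:false
[ ca_cert ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

# build_ca DIR CN: directory layout, CA key and certificate, server key, CSR,
# signed certificate, and the PEM-only copy of it in certs/CN.pem.
build_ca() {
  mkdir -p "$1/certs" "$1/csr" "$1/datas/ca.db.certs" "$1/keys" "$1/private"
  : > "$1/datas/ca.db.index"            # empty index, as "cp /dev/null" above
  echo '01' > "$1/datas/ca.db.serial"
  write_ca_conf "$1"
  ( cd "$1" || exit 1
    cn="$2"
    openssl genrsa -out private/ca.key 2048 2>/dev/null
    chmod 600 private/ca.key
    openssl req -new -x509 -config ca.conf -extensions ca_cert -days 3650 \
      -key private/ca.key -subj '/C=FR/O=secuobs/OU=LDAP/CN=secuobs CA' \
      -out certs/ca.pem 2>/dev/null
    openssl genrsa -out "keys/$cn.key" 2048 2>/dev/null
    openssl req -new -config ca.conf -key "keys/$cn.key" \
      -subj "/C=FR/O=secuobs/OU=LDAP/CN=$cn" -out "csr/$cn.csr" 2>/dev/null
    openssl ca -batch -config ca.conf -in "csr/$cn.csr" -out "certs/$cn.txt" 2>/dev/null
    # keep only the PEM block, which is what the article's perl one-liner does
    sed -n '/-----BEGIN CERTIFICATE-----/,$p' "certs/$cn.txt" > "certs/$cn.pem"
  )
}

# verify_chain CAFILE CERTFILE CN: prints OK when CERTFILE chains to CAFILE,
# names CN and is not itself a CA certificate; prints FAIL otherwise.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
     && openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | grep -q "CN=$3" \
     && openssl x509 -in "$2" -noout -text | grep -q 'CA:FALSE'; then
    echo OK
  else
    echo FAIL
  fi
}

# Stand-alone run: build a CA in a temporary directory, check it, clean up.
workdir=$(mktemp -d)
build_ca "$workdir" secuobs.com
echo "secuobs.com: $(verify_chain "$workdir/certs/ca.pem" "$workdir/certs/secuobs.com.pem" secuobs.com)"
rm -rf "$workdir"
```

The verify step is the check worth keeping after following the article by hand: the issued certificate must chain to ca.pem, carry the expected CN, and be marked CA:FALSE. A certificate issued by a different CA, or the CA certificate itself, fails that check, which is what an LDAP client configured with this ca.pem will enforce once TLS is turned on in part 2.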



Other resources in this series

[smbldap-tools - Part 2] Configuration [1] - link

[smbldap-tools - Part 3] Configuration [2] and tests - link