Mandriva Directory Server On Debian Etch

Version 1.1
Author: Oliver Meyer <o [dot] meyer [at] projektfarm [dot] de>

This document describes how to set up the Mandriva Directory Server (MDS) on Debian Etch. The resulting system provides a full-featured office server for small and medium companies - easy to administer via the web-based Mandriva Management Console (MMC).

 

Main Features

  • Easy administration via MMC
  • System wide OpenLDAP integration
  • SAMBA Primary Domain Controller (PDC)
  • Postfix Mailserver with Dovecot, Amavis, Spamassassin and ClamAV (POP3/IMAP/SSL/TLS/Quota)
  • BIND DNS-server
  • ISC DHCP-server
  • Squid web-proxy with SquidGuard

This howto is a practical guide without any warranty - it doesn't cover the theoretical background. There are many ways to set up such a system - this is the way I chose.

 

Preamble

This howto is quite complex. Please take your time, read it carefully and follow the steps exactly. Even small deviations can result in a setup that does not work correctly.

 

1 Preparation

1.1 Basic System

Set up a standard Debian Etch system and update it. I used the following configuration for this howto and for the attached virtual machine that is available for our subscribers (the password is an example value; use your own strong, distinct passwords on a real server):

Hostname: server1.example.com
SAMBA domain: EXAMPLE
IP: 192.168.0.100
Gateway: 192.168.0.2
All Passwords: howtoforge

 

1.2 Hostname

Edit the hosts file - assign the hostname to the server IP.

vi /etc/hosts

It should look like this:

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

 

Afterwards insert the hostname into the hostname file ...

echo server1.example.com > /etc/hostname

... and reboot the system.

reboot

When the system is up again, the output of both commands ...

hostname

... and ...

hostname -f

... should be:

server1.example.com

 

1.3 Filesystem ACLs

So that SAMBA can map the Windows ACLs of the clients onto filesystem ACLs on the Linux server, you need to enable ACL support on the corresponding mount point.

vi /etc/fstab

Add the option "acl" to the mount point where the SAMBA directories will be stored and the SAMBA users will have their homes. In my case it's "/" - the content should look like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    defaults,acl,errors=remount-ro 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

 

Afterwards remount the mountpoint so that the change takes effect.

mount -o remount /

If all went well, the command ...

mount -l

... should show the option "acl" for the corresponding mountpoint:

/dev/sda1 on / type ext3 (rw,acl,errors=remount-ro)

 

2 Repositories

2.1 MDS

The MDS repository provides the MDS related packages and also patched packages for bind9 & dhcp3.

vi /etc/apt/sources.list

Add the following lines to the file.

# MDS repository
deb http://mds.mandriva.org/pub/mds/debian etch main

 

2.2 Debian Volatile

The Debian Volatile repository provides newer packages for ClamAV & Spamassassin than the standard debian repository.

vi /etc/apt/sources.list

Add the following lines to the file.

# Debian Volatile
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

 

2.3 Debian Backports

The Debian Backports repository provides newer packages for dovecot.

vi /etc/apt/sources.list

Add the following lines to the file.

# Debian Etch Backports
deb http://www.backports.org/debian etch-backports main

Afterwards refresh apt.

apt-get update

 

3 Needed packages

3.1 Install

Install the needed packages for this setup.

apt-get install mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba mmc-agent python-mmc-plugins-tools python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba postfix postfix-ldap sasl2-bin libsasl2 libsasl2-modules amavisd-new libdbd-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl lzop nomarch zoo clamav clamav-daemon gzip bzip2 unzip unrar-free unzoo arj spamassassin libnet-dns-perl razor pyzor dcc-client slapd ldap-utils libnss-ldap libpam-ldap dhcp3-server dhcp3-server-ldap bind9 samba smbclient smbldap-tools cupsys cupsys-client foomatic-db-engine foomatic-db foomatic-db-hpijs foomatic-db-gutenprint foomatic-filters foomatic-filters-ppds fontconfig hpijs-ppds linuxprinting.org-ppds

The dovecot packages currently in the standard Debian repository have a bug in conjunction with LDAP - so you have to use the dovecot packages from Debian Backports.

apt-get install -t etch-backports dovecot-common dovecot-imapd dovecot-pop3d

If you want to use HP printers it's recommended to install a few more packages.

apt-get install hplip libusb-dev python-dev python-reportlab libcupsys2-dev libjpeg62-dev libsnmp9-dev lsb-core

 

3.2 Configuration

During the installation of the new packages you'll be asked a few questions - answer them as follows.

 

3.2.1 LDAP

Enter the password for the LDAP admin and confirm it. (howtoforge)

 

3.2.2 Samba

Enter a name for your domain. (EXAMPLE)
Select "No" when you're asked if the smb.conf should be modified to use WINS settings from DHCP.

 

3.2.3 Postfix

Select "Internet Site" as general type of configuration.
Enter "server1.example.com" as mail name.

 

3.2.4 Libnss-LDAP

Enter "ldap://127.0.0.1/" as LDAP server URI.
Enter "dc=example,dc=com" as name for the search base.
Select the LDAP version. (3)
Enter "cn=admin,dc=example,dc=com" as LDAP account for root.
Enter the password for the LDAP admin. (howtoforge)

 

3.2.5 Libpam-LDAP

Select "Yes" when you're asked if the local root should be the database admin.
Select "No" when you're asked if the LDAP database requires login.
Enter "cn=admin,dc=example,dc=com" as LDAP account for root.
Enter the password for the LDAP admin. (howtoforge)

 

4 LDAP Configuration

4.1 Schema Files

First copy the schema files for MMC, mail, SAMBA, printer, DNS and DHCP into the LDAP schema directory.

cp /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/ldap/schema/
cp /usr/share/doc/python-mmc-base/contrib/ldap/mail.schema /etc/ldap/schema/
zcat /usr/share/doc/python-mmc-base/contrib/ldap/samba.schema.gz > /etc/ldap/schema/samba.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/printer.schema.gz > /etc/ldap/schema/printer.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dnszone.schema.gz > /etc/ldap/schema/dnszone.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dhcp.schema.gz > /etc/ldap/schema/dhcp.schema

Next include the schema files in the LDAP server configuration.

vi /etc/ldap/slapd.conf

Include the schema files after the inetorgperson schema.

include /etc/ldap/schema/mmc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/printer.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/dnszone.schema
include /etc/ldap/schema/dhcp.schema

Enable the schemacheck (below the included schema files).

schemacheck on

 

4.2 Basic Configuration

In this step you'll need the LDAP admin password (that you defined during the package installation in step 3) in hashed form - slapd expects rootpw as a salted SHA-1 hash ({SSHA}), not as encrypted text - so let's generate the hash. Note that passing the password with "-s" leaves it in your shell history and briefly shows it in the process list; on a shared machine run slappasswd without "-s" and enter the password at the prompt instead.

slappasswd -s %ldap_admin_password%

E.g.:

slappasswd -s howtoforge

The output should look like this:

{SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

Note it down and proceed - open the LDAP server configuration file.

vi /etc/ldap/slapd.conf

Search for the commented-out line with the entry for the LDAP admin (rootdn) ...

# rootdn "cn=admin,dc=example,dc=com"

... and uncomment it (remove the leading "#"). After that add a new line straight below it. You have to enter the hashed LDAP admin password that you generated at the beginning of this step.

rootpw %encrypted_ldap_admin_password%

E.g.:

rootpw {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

Next we have to modify the indexing options for the database. Search the following entry:

# Indexing options for database #1

Replace the line below ...

index objectClass eq

... and insert the following lines:

index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq

Now add the SAMBA password hashes to the access rule that protects userPassword. Without this, sambaLMPassword and sambaNTPassword are not covered by any specific rule and fall through to the general "access to * ... by * read" rule further down, so any client that can reach the LDAP port could read the hashes anonymously. Search the following line:

access to attrs=userPassword,shadowLastChange

Change it so that it looks like this:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
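The effect of this change can be checked on paper before slapd is restarted. The following script is an added example (not part of the howto or of MDS): it implements slapd's first-matching-rule ACL evaluation for the "access" directives and runs it over the ACL block of this section, constructed both as it is before and after the edit. Before the edit, sambaLMPassword and sambaNTPassword are not named by any rule, fall through to "access to * ... by * read", and can be read by anyone who can connect to port 389; the LM hash in particular is trivially crackable. After the edit both are limited to "auth" (usable for binding only), while shadowLastChange, which the edit drops from the rule, becomes readable by everyone instead.

```python
"""Check which access level an anonymous LDAP client gets on password
attributes under a slapd.conf ACL.

Added example, not part of the howto or of MDS. It models slapd's ACL
evaluation for the common case: the first `access to <what>` rule whose
<what> covers the attribute wins, and within it the first `by <who>`
clause matching the client decides; a matching rule with no matching
`by` clause means `none`. Only `*` and `attrs=...` selectors are
handled; dn-scoped selectors such as dn.base="" (root DSE only) are
treated as not covering entries under the suffix. The two configs are
constructed from this section's ACL before and after the change.
"""
import re
from typing import List, Tuple

Rule = Tuple[str, List[Tuple[str, str]]]

PASSWORD_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")
# slapd privilege levels, weakest first; anything above auth lets a client
# read or compare the stored hash
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

BEFORE = """\
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
"""
AFTER = BEFORE.replace("userPassword,shadowLastChange",
                       "userPassword,sambaLMPassword,sambaNTPassword")


def parse_access_rules(conf: str) -> List[Rule]:
    """Join continuation lines (leading whitespace) and split each
    `access to <what> by <who> <level> ...` directive into its parts.
    Assumes each <who> is a single token, as in the howto's ACL."""
    directives: List[str] = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and directives:
            directives[-1] += " " + line.strip()
        else:
            directives.append(line.strip())
    rules: List[Rule] = []
    for d in directives:
        m = re.match(r"access\s+to\s+(.+?)\s+(by\s+.*)$", d)
        if m:
            clauses = re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))
            rules.append((m.group(1), clauses))
    return rules


def what_covers(what: str, attr: str) -> bool:
    """Does the <what> selector of a rule apply to `attr` of a normal entry?"""
    if what == "*":
        return True
    if what.lower().startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    return False  # dn-scoped selector: see module docstring


def anonymous_access(rules: List[Rule], attr: str) -> str:
    """Access level an unauthenticated client gets on `attr` of an entry."""
    for what, clauses in rules:
        if not what_covers(what, attr):
            continue
        for who, level in clauses:
            if who in ("*", "anonymous"):
                return level
        return "none"  # rule matched but no clause applies to anonymous
    return "none"      # no rule at all: slapd's implicit default


def stronger_than_auth(level: str) -> bool:
    """True for any level that allows reading or comparing the value
    (unknown spellings are flagged conservatively)."""
    return level not in LEVELS[:LEVELS.index("auth") + 1]


def exposed_password_attrs(conf: str) -> List[str]:
    """Password attributes an anonymous client can read or compare."""
    rules = parse_access_rules(conf)
    return [a for a in PASSWORD_ATTRS
            if stronger_than_auth(anonymous_access(rules, a))]


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        rules = parse_access_rules(conf)
        for attr in PASSWORD_ATTRS + ("shadowLastChange",):
            print(f"{name:6} {attr:18} anonymous -> {anonymous_access(rules, attr)}")
        print(f"{name:6} exposed: {exposed_password_attrs(conf)}")
```

To confirm the same thing against the live server once slapd has been restarted, an anonymous search such as "ldapsearch -x -b dc=example,dc=com sambaNTPassword" must return the entries without that attribute.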

At this point the LDAP server configuration file should look like this:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/mmc.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/printer.schema
include         /etc/ldap/schema/mail.schema
include         /etc/ldap/schema/dnszone.schema
include         /etc/ldap/schema/dhcp.schema

schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=example,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500

# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500

# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                         eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
index      zoneName,relativeDomainName                      eq
index      dhcpHWAddress,dhcpClassData                      eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=com" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

 

Additionally you have to edit the LDAP client configuration file, which ldapsearch and the other ldap-utils use for their defaults.

vi /etc/ldap/ldap.conf

Add the following lines:

host 127.0.0.1
base dc=example,dc=com

Afterwards restart the LDAP server.

/etc/init.d/slapd restart