Hi,
For weeks I have been reading about OpenLDAP, in the mailing lists, etc. Basically I have Samba with LDAP and I need a GUI to administrate the users (I can use smbldap-tools and a shell, but some of the administrators can't). I installed phpldapadmin, and I can log in with the user "Administrator", but I can't change, remove or add any user or anything. I have read about people that have similar configurations to mine and solved this problem. Besides the user interface everything seems to work fine: the machines are logged on to the domain, and the Samba server is a PDC.

As far as I understand I need to create an ACL in /etc/openldap/slapd.conf for the group that is going to administrate, and the problem is that I am trying to grant permissions to the group "Domain Admins", and Domain Admins is more like a Samba group. So far I can figure out why the stuff I try is not working, but I don't know how to fix it. It has to do with the objectclass. One of my ideas was to create an extra group, just for administrators, called something like bofhs. I used this as a reference: http://www.openldap.org/faq/data/cache/52.html
dn: cn=bofh,dc=mydomain,dc=com,dc=ec
cn: bofhs
objectclass: groupofNames
member: cn=administrator,dc=mydomain,dc=com,dc=ec
Can I add something to the "Domain Admins" group so they can change data?

But I had problems creating this group; it didn't work. In some examples they use ou=Group, and I don't understand what the ou thing does.

Here is a sample of a backup of the LDAP database:
dn: dc=mydomain,dc=com,dc=ec
objectClass: dcObject
objectClass: organization
o: Company
dc: mydomain
structuralObjectClass: organization
entryUUID: 9c8201ce-ccc9-102f-9758-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210326Z
entryCSN: 20110214210326Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210326Z

dn: cn=Manager,dc=mydomain,dc=com,dc=ec
objectClass: organizationalRole
cn: Manager
structuralObjectClass: organizationalRole
entryUUID: 9c82917a-ccc9-102f-9759-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210326Z
entryCSN: 20110214210326Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210326Z

dn: ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: b071f8b0-ccc9-102f-975a-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Group
structuralObjectClass: organizationalUnit
entryUUID: b0727074-ccc9-102f-975b-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: ou=Computers,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: b072cd3a-ccc9-102f-975c-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000002#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: ou=Idmap,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: b07343a0-ccc9-102f-975d-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000003#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \IESS\Administrator
sambaHomeDrive: H:
sambaProfilePath: \IESS\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-512
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: b0739f26-ccc9-102f-975e-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
sambaLMPassword: 71DAB35FA93A2AB817306D272A9441BB
sambaAcctFlags: [U]
sambaNTPassword: AB9EA058E462D1881CD7AAC70FC462F2
sambaPwdLastSet: 1305237753
sambaPwdMustChange: 1309125753
userPassword:: e1NTSEF9Mnl6SUJjNTZEN1AxaW5oVmhFaE05dWtLNE1CdGR6Tkw=
shadowLastChange: 15106
shadowMax: 45
entryCSN: 20110512220224Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110512220224Z

dn: uid=nobody,ou=People,dc=mydomain,dc=com,dc=ec
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \IESS\nobody
sambaHomeDrive: H:
sambaProfilePath: \IESS\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: b07615da-ccc9-102f-975f-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000005#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Domain Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: b0769776-ccc9-102f-9760-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000006#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: b07735b4-ccc9-102f-9761-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
memberUid: user1
memberUid: user2
memberUid: user3
entryCSN: 20110511142120Z#000002#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110511142120Z

dn: cn=Domain Guests,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: b077a364-ccc9-102f-9762-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000008#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Domain Computers,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: b0781966-ccc9-102f-9763-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000009#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Administrators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: b07892b0-ccc9-102f-9764-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000a#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Account Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: b07907c2-ccc9-102f-9765-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000b#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Print Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: b079790a-ccc9-102f-9766-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000c#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Backup Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: b079eab6-ccc9-102f-9767-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000d#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: cn=Replicators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: b07a6950-ccc9-102f-9768-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000e#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z

dn: sambaDomainName=IESS,dc=mydomain,dc=com,dc=ec
structuralObjectClass: sambaDomain
entryUUID: b07ad228-ccc9-102f-9769-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
gidNumber: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-2323392562-1448967901-2038806033
sambaNextRid: 1000
sambaDomainName: IESS
entryCSN: 20110512220215Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110512220215Z

dn: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user1
sn: user1
givenName: user1
uid: user1
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/user1
loginShell: /bin/false
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: e660228a-ccc9-102f-9447-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210530Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: rloor
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3004
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaNTPassword: XXX
sambaLogonScript: logon.bat
sambaHomePath: \IESS\user1
sambaHomeDrive: H:
entryCSN: 20110214210530Z#000006#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210530Z

dn: uid=user2,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user2
sn: user2
givenName: user2
uid: user2
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/user2
loginShell: /bin/false
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: e692c104-ccc9-102f-9448-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210530Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: user2
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3006
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaNTPassword: XXX
sambaLogonScript: logon.bat
sambaHomePath: \IESS\user2
sambaHomeDrive: H:
entryCSN: 20110214210530Z#00000b#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210530Z

dn: uid=user3,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user3
sn: user3
givenName: user3
uid: user3
uidNumber: 1204
gidNumber: 513
homeDirectory: /home/user3
loginShell: /bin/false
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: e6c4c500-ccc9-102f-9449-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210531Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: user3
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3008
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaLogonScript: logon.bat
sambaHomePath: \IESS\user3
sambaHomeDrive: H:
sambaLMPassword: 57D26D340E8A2411AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 79715183CF6136D501018FF3F5C381E4
sambaPwdLastSet: 1297878031
sambaPwdMustChange: 1301766031
userPassword:: e1NTSEF9MXQ3dHJoWUxRT05hUnFuQWQ0N3A5QTAwQUNkR05tZGg=
shadowLastChange: 15021
shadowMax: 45
entryCSN: 20110216174031Z#000003#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110216174031Z
And here is my slapd.conf. I erased the ACLs I created to test most of it; none worked.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#access to *
#       by self write
#       by users read
#       by anonymous auth

#access to attrs=userpassword
#       by self =xw
#       by anonymous auth

#access to *
#       by self write
#       by users read

access to attrs=userpassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous read
        by * none

access to *
        by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write

#access to dn.regex="ou=personal_addressbook or =(.+),,dc=korrigan,dc=org"
#       by dn.regex="cn=$1,ou=Users,dc=korrigan,dc=org" write
#       by dn="cn=admin,dc=korrigan,dc=org" write
#       by * none

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=mydomain,dc=com,dc=ec"
rootdn          "cn=Manager,dc=mydomain,dc=com,dc=ec"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

# Extras to be an LDAP master server
loglevel 256
Sorry for the long email.
JDC
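Added example, not part of the original message: a small Python model of how slapd evaluates the ACLs in the slapd.conf above, with the three `access` lines as posted beside a corrected version. slapd takes the first `access to <what>` directive whose target matches and, inside it, the first `by <who>` that matches the requester; a directive with no matching `by` denies, and a list with no matching `access to` denies (the implicit `by * none` and `access to * by * none`). In the posted configuration the second `access to *` therefore shadows the third, so `uid=Administrator` never gets more than `read`. The model also shows why `by group=` cannot name `cn=Domain Admins`: slapd's group clause looks for the requester's bind DN in the `member` attribute of a `groupOfNames` (or in whatever objectClass and attribute you name after `group/`), while Samba's `posixGroup` only carries login names in `memberUid`. The `cn=bofhs,ou=Group,...` groupOfNames below is a constructed stand-in for the group the post tries to create, placed under the existing `ou=Group` container shown in the backup; note that the posted LDIF names that entry `cn=bofh` but sets `cn: bofhs`, which slapd rejects as a naming violation, and its `member` points at `cn=administrator,dc=...` rather than the real `uid=Administrator,ou=People,...`, so the membership could never resolve. The directory excerpt, the group DNs and the corrected ACL text are assumptions for this example, and the evaluator is a simplified model, not OpenLDAP's code.

```python
# Added model of slapd's first-match ACL evaluation. Hypothetical teaching code, not
# OpenLDAP's implementation: no stop/break/continue controls, no set/dnattr/peername
# clauses, no per-database scoping, and only a constructed two-entry directory.
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def norm_dn(dn):
    """slapd matches ACL patterns against the normalized (lower-cased) DN."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

# Constructed directory excerpt, reduced to the two groups the ACL checks look up.
ADMIN = "uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec"
BOFHS = "cn=bofhs,ou=Group,dc=mydomain,dc=com,dc=ec"
DOMAIN_ADMINS = "cn=Domain Admins,ou=Group,dc=mydomain,dc=com,dc=ec"
DIRECTORY = {norm_dn(dn): attrs for dn, attrs in {
    DOMAIN_ADMINS: {"objectClass": ["posixGroup"], "memberUid": ["Administrator"]},  # names, not DNs
    BOFHS: {"objectClass": ["groupOfNames"], "member": [ADMIN]},  # DNs, which group= can resolve
}.items()}

# As posted: the catch-all 'access to *' comes first, so the last directive is never reached.
ACL_AS_POSTED = """
access to attrs=userpassword by self write by anonymous auth by * none
access to * by self write by users read by anonymous read by * none
access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write
"""

# Corrected: admin group in every directive, password hashes never readable, no anonymous read.
ACL_CORRECTED = f"""
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by group/groupOfNames/member="{BOFHS}" write
    by anonymous auth
    by * none
access to *
    by group/groupOfNames/member="{BOFHS}" write
    by self write
    by users read
    by * none
"""

# Why 'Domain Admins' cannot be named directly: neither lookup yields the requester's bind DN.
ACL_POSIXGROUP = f"""
access to *
    by group="{DOMAIN_ADMINS}" write
    by group/posixGroup/memberUid="{DOMAIN_ADMINS}" write
    by users read
    by * none
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] from 'access to ... by ...' directives."""
    rules = []
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():  # join indented continuation lines
        if not line.strip() or line.startswith("#"):
            continue
        tok = shlex.split(line)  # honours the double quotes around DNs containing spaces
        if tok[:2] != ["access", "to"] or (len(tok) - 3) % 3 or any(t != "by" for t in tok[3::3]):
            raise ValueError("malformed access directive: " + line)
        rules.append((tok[2], [(tok[i + 1], tok[i + 2]) for i in range(3, len(tok), 3)]))
    return rules

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):  # only meaningful when an attribute is being accessed
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, target_dn):
    bound = bool(bind_dn)
    if who in ("*", "users", "anonymous"):
        return who == "*" or bound == (who == "users")
    if who == "self":
        return bound and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("group"):  # group[/objectClass[/memberAttr]]=<group DN>
        spec, _, group_dn = who.partition("=")
        parts = spec.split("/")
        oc = parts[1] if len(parts) > 1 else "groupOfNames"
        member_attr = parts[2] if len(parts) > 2 else "member"
        entry = DIRECTORY.get(norm_dn(group_dn), {})
        if oc.lower() not in [c.lower() for c in entry.get("objectClass", [])]:
            return False
        return bound and norm_dn(bind_dn) in [norm_dn(m) for m in entry.get(member_attr, [])]
    if who.startswith(("dn=", "dn.exact=")):
        return bound and norm_dn(who.partition("=")[2]) == norm_dn(bind_dn)
    # dn.regex=<re>, or the deprecated bare <re> form the posted config uses.
    pattern = who.partition("=")[2] if who.startswith("dn.regex=") else who
    return bound and re.search(pattern, norm_dn(bind_dn), re.IGNORECASE) is not None

def access_granted(acl_text, bind_dn, target_dn, attr, requested):
    """First matching <what> selects the directive and its first matching <who> decides;
    both lists end with an implicit 'by * none', so anything unmatched is denied."""
    for what, clauses in parse_acl(acl_text):
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return RANK[level] >= RANK[requested]
            return False
    return False
```

The text in `ACL_CORRECTED` is what would replace the three `access` lines in slapd.conf, with the admin group named in every directive because evaluation stops at the first matching `access to`. It also folds `sambaLMPassword` and `sambaNTPassword` into the password rule: under the posted configuration those hashes fall through to `access to *`, where `by anonymous read` lets anyone read them without binding, and both are password-equivalent for Samba, so they should be protected at least as tightly as `userPassword`. Real slapd is stricter than the model about the `group/posixGroup/memberUid` clause: it refuses it at startup because `memberUid` is not a DN-valued attribute, whereas the model simply finds no matching member. Because `rootdn` bypasses ACLs entirely, test the result by binding as the administrator's own DN (for example `ldapmodify -D uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec`), never as Manager.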