Note on sharing a single LDAP database with multiple Samba servers

Quote:

“… to share a single set of users/groups in LDAP to multiple samba
servers you will need LDAP and a PDC and the other servers will be
BDCs. yes you will join BDC’s with net rpc join -D domain -S
pdc_server_name -U root%password

read chapter 5.3 of samba 3 by example.pdf”

– Adam Williams

Source: http://lists.samba.org/archive/samba/2008-August/142551.html

One caveat on the command quoted above: -U root%password puts the password on the command line, where it is visible in the process list and in shell history.  Pass -U root on its own and net will prompt for the password instead.

LDAP posixGroup vs. groupOfNames

In LDAP there are two common ways of grouping users: the objectClass posixGroup and the objectClass groupOfNames.  What's the difference?

posixGroup:  Uses the memberUid attribute, which holds only the value of the user's uid attribute (typically the leftmost component of the user's DN), not the full DN.  For example:

cn=SomeGroup,ou=Groups,dc=example,dc=com
memberUid: someuser

groupOfNames:  Uses the member attribute, which holds the full DN of the user.  For example:

cn=SomeGroup,ou=Groups,dc=example,dc=com
member: uid=someuser,ou=People,dc=example,dc=com

The posixGroup version is generally used in UNIX environments.

The groupOfNames version is the more Windows/AD-like method.  EMC VNX Unisphere expects this method.

Two things to keep in mind when choosing.  In the standard schema (RFC 4519) groupOfNames lists member as a required attribute, so an empty group cannot be created without a placeholder member or a relaxed schema.  And neither attribute is checked against existing entries by the directory itself: a memberUid with no matching uid, or a member whose DN has since been deleted, silently stays in the group unless you run a referential-integrity overlay or clean up by hand.


Reference: http://lists.arthurdejong.org/openldap-technical/2010/02/msg00170.html
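To make the difference concrete, here is an added example (my own code, not part of the original post) that resolves membership under both conventions on a small constructed LDIF set.  The entries and the UnixAdmins/WinAdmins groups are invented for illustration, and DN comparison is simplified (case-fold, trim spaces around commas) rather than full RFC 4517 matching, which is enough to show the point but not for production use.

```python
"""Resolve group membership under posixGroup and groupOfNames.

Added example, not code from the original post. SAMPLE_LDIF is a
constructed data set (UnixAdmins / WinAdmins are invented names); in
practice feed in `ldapsearch -LLL` output. DN comparison is simplified
(case-fold, trim spaces around commas) rather than full RFC 4517
matching."""

from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=someuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: someuser

dn: uid=otheruser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: otheruser

dn: cn=UnixAdmins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: UnixAdmins
memberUid: someuser
memberUid: ghost

dn: cn=WinAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: WinAdmins
member: uid=someuser, ou=People, dc=example, dc=com
member: uid=nobody,ou=People,dc=example,dc=com
"""


def norm_dn(dn):
    """Simplified DN normalisation for comparisons."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse plain attribute/value LDIF (no base64, no folded lines) into a
    list of (dn, attrs); attrs maps lower-cased attribute names to value
    lists, because LDAP attribute names are case-insensitive."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append((dn, dict(attrs)))
    return entries


def find(entries, dn):
    """Locate an entry by DN (normalised comparison)."""
    for entry_dn, attrs in entries:
        if norm_dn(entry_dn) == norm_dn(dn):
            return entry_dn, attrs
    raise KeyError(dn)


def members_of(entries, group_dn):
    """Return (resolved_entry_dns, dangling_values) for a group.

    posixGroup: memberUid is a bare uid, matched against account entries'
    uid attribute. groupOfNames: member is a DN, matched against entry
    DNs. The directory validates neither, so both can point at nothing;
    those values are reported separately instead of being dropped."""
    _, attrs = find(entries, group_dn)
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    resolved, dangling = [], []
    if "posixgroup" in classes:
        by_uid = {u.lower(): dn for dn, a in entries for u in a.get("uid", [])}
        for uid in attrs.get("memberuid", []):
            target = by_uid.get(uid.lower())
            (resolved if target else dangling).append(target or uid)
    elif "groupofnames" in classes:
        by_dn = {norm_dn(dn): dn for dn, _ in entries}
        for member in attrs.get("member", []):
            target = by_dn.get(norm_dn(member))
            (resolved if target else dangling).append(target or member)
    else:
        raise ValueError("%s is neither posixGroup nor groupOfNames" % group_dn)
    return sorted(resolved), dangling


def groups_of(entries, user_dn):
    """Reverse lookup: posixGroup membership is keyed by the user's uid
    value, groupOfNames membership by the user's DN, so a client that has
    to handle both must search on both."""
    dn, attrs = find(entries, user_dn)
    uids = {u.lower() for u in attrs.get("uid", [])}
    hits = []
    for _group_dn, g in entries:
        member_uids = {u.lower() for u in g.get("memberuid", [])}
        member_dns = {norm_dn(m) for m in g.get("member", [])}
        if uids & member_uids or norm_dn(dn) in member_dns:
            hits.append(g["cn"][0])
    return sorted(hits)
```

Running members_of on the two groups shows the practical consequence: resolving a posixGroup needs each member's uid, resolving a groupOfNames needs each member's DN, and both groups carry a value that points at nothing (ghost, uid=nobody) which the directory accepted without complaint.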

Using OpenLDAP with amavisd-new on CentOS

Preface

First off, read the README.ldap file!  It contains just about all the information you need.  For some reason it's not available on the amavisd-new homepage, so you'll need to look at the copy on your server (usually located in /usr/share/doc/amavisd-new-<version>) or download the tar.gz file from the amavisd-new homepage and look at the copy in there.

Assumptions

  • Server is running CentOS 5
  • Using OpenLDAP
  • OpenLDAP is already up and running correctly
  • amavisd-new is already up and running correctly
  • amavisd-new was installed from the RPMForge repository

!!! WARNING !!!

If you misconfigure amavisd-new's LDAP configuration, email will be bounced!

If amavisd-new cannot connect to your LDAP server, email will be bounced!

I strongly suggest you test your setup on a development server before rolling it out.

Step 1. OpenLDAP Configuration

For OpenLDAP to be able to use the amavisd-new LDAP schema, you need to tell OpenLDAP to include it.

  1. Copy the schema file to OpenLDAP's schema directory.  At the same time, I change the file's name so it is easier to identify.
    # sudo cp /usr/share/doc/amavisd-new-2.6.4/LDAP.schema /etc/openldap/schema/amavisd.schema
  2. Add the following include line to /etc/openldap/slapd.conf immediately after the other include entries (no trailing period, which slapd would read as part of the file name).
    include /etc/openldap/schema/amavisd.schema
  3. Check that slapd still parses its configuration, then restart the OpenLDAP server so it uses the amavisd-new schema we just added.
    # sudo slaptest
    # sudo /etc/init.d/ldap restart

Step 2. Installing the required perl modules

For amavisd-new to be able to access LDAP, four Perl modules need to be installed (all four ship in the single perl-ldap distribution, so one package or one CPAN install covers them):

  • Net::LDAP
  • Net::LDAP::Util
  • Net::LDAP::Search
  • Net::LDAP::Bind

How you install them is up to you.  You can search for the RPM or use CPAN.

  • If you want the RPM, check RPMForge for the perl-LDAP rpm.
  • If you opt for the CPAN route, just install the modules as usual.  Just be sure to have any requirements installed beforehand.

Step 3. Amavisd-new Configuration

Configuring amavisd-new to use LDAP is pretty simple.  You just need to add the following to your amavisd.conf file.  I always put it at the start of the file for clarity.  amavisd.conf is Perl, so base and query_filter are strings and must be quoted.
$enable_ldap  = 1;
$default_ldap = {
  hostname     => "localhost",
  timeout      => 5,
  tls          => 0,   # plaintext LDAP; acceptable only for a localhost server
  base         => "ou=People,dc=example,dc=com",
  query_filter => "(&(objectClass=amavisAccount)(mail=%m))",
};

Before restarting amavisd-new, make sure to update the value for base; it is sure to be different from what I show.  You may also want to adjust the query_filter if you don't use the mail attribute or use more than just mail.

At work I actually use Qmail with LDAP support for our mail store.  So my configuration block actually looks like:
$enable_ldap = 1;
$default_ldap = {
  hostname     => [ "localhost", "ldap2.example.com" ],   # tried in order
  timeout      => 5,
  tls          => 0,
  base         => "ou=accounts,dc=example,dc=com",
  query_filter => "(&(objectClass=amavisAccount)(|(mail=%m)(mailAlternateAddress=%m)))",
};

As you can see, I'm checking both the mail and mailAlternateAddress attributes.  I also have a second LDAP server listed should the local one be unavailable.

Two things to check before copying this block.  With tls => 0 the fallback lookups to ldap2.example.com cross the network in the clear, so either set tls => 1 or make sure that path is trusted.  And because the block gives no bind credentials, amavisd-new searches anonymously: your slapd ACLs must allow anonymous read of the amavis* attributes on account entries, and should allow nothing beyond that.

Once you have finished configuring amavisd-new, reload it to use the new configuration.
# sudo amavisd reload

Step 4. Is it working?

The easiest way to make sure everything is working is to send an email through the server.  If your OpenLDAP logging is enabled and the level is high enough, you will see the following types of entries being logged:

Aug 10 09:54:59 mail1 slapd[32134]: conn=2595 op=3 SRCH base="ou=accounts,dc=example,dc=com" scope=2 deref=2 filter="(&(objectClass=amavisAccount)(|(|(mail=sales@example.com)(mail=sales)(mail=@example.com)(mail=@.example.com)(mail=@.com)(mail=@.))(|(mailAlternateAddress=sales@example.com)(mailAlternateAddress=sales)(mailAlternateAddress=@example.com)(mailAlternateAddress=@.example.com)(mailAlternateAddress=@.com)(mailAlternateAddress=@.))))"

This is amavisd-new searching LDAP for its values.  amavisd-new searches for everything from an exact match of the email address down to '@.', which you can think of as the "global" or top-level settings; the most specific matching key is the one used.

See the README.ldap file for a full explanation of the values searched for.
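To see what that log line is showing, here is an added example (my own code, not amavisd-new's and not the page author's) that rebuilds the filter from a recipient address: it expands %m into the key list the log shows and escapes the address per RFC 4515 before it goes into the filter.  The query templates are the two from this page.  The parent-domain walk for multi-label domains (@.sub.example.com before @.example.com) continues the pattern the single log line shows and is an assumption to verify against README.ldap for your version.

```python
"""Rebuild the LDAP filter amavisd-new issues for one recipient address.

Added example, not code from amavisd-new or from the original post. It
expands %m the way the slapd log line above shows (exact address, bare
local part, @domain, then the '@.' parent-domain walk ending at the
global '@.' key) and escapes assertion values per RFC 4515."""

import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two query_filter templates used on this page.
BASIC_TEMPLATE = "(&(objectClass=amavisAccount)(mail=%m))"
QMAIL_TEMPLATE = "(&(objectClass=amavisAccount)(|(mail=%m)(mailAlternateAddress=%m)))"


def ldap_escape(value):
    """Escape a filter assertion value so user-supplied text (an SMTP
    envelope address) cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_keys(address):
    """Keys amavisd-new tries for an address, most specific first:
    user@host, user, @host, @.host, @.parent ... @.tld, @."""
    local, sep, domain = address.rpartition("@")
    if not sep:                      # no domain part: only exact and global keys
        return [address, "@."]
    keys = [address, local, "@" + domain]
    labels = domain.split(".")
    for i in range(len(labels)):     # @.sub.example.com, @.example.com, @.com
        keys.append("@." + ".".join(labels[i:]))
    keys.append("@.")                # global default, matched last
    return keys


def expand_query_filter(template, address):
    """Replace every (attr=%m) in the template with an OR of that attribute
    against all lookup keys, producing the filter seen in the slapd log."""
    keys = [ldap_escape(k) for k in lookup_keys(address)]

    def expand(match):
        attr = match.group(1)
        return "(|" + "".join("(%s=%s)" % (attr, k) for k in keys) + ")"

    return re.sub(r"\(([A-Za-z][A-Za-z0-9-]*)=%m\)", expand, template)


if __name__ == "__main__":
    print(expand_query_filter(QMAIL_TEMPLATE, "sales@example.com"))
```

Running it with QMAIL_TEMPLATE and sales@example.com reproduces the filter in the log line character for character.  The escaping matters if you ever write your own lookup around these attributes: the recipient address comes straight from the SMTP envelope, and an unescaped ( or * inside it would change what the filter matches.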

One final note

Not every entry in your LDAP database has to have amavisd-new attributes.  If amavisd-new doesn't find any values, it will proceed to use the values in /etc/amavisd.conf as normal.  Think of the LDAP attributes as overrides.  That also makes them policy controls: anyone who can write amavisBypassVirusChecks or amavisBypassSpamChecks to an entry can switch scanning off for that address, so keep the amavis* attributes out of any ACL that lets users modify their own entries.

Amavisd-new LDAP attributes

Here is a list of all the available amavisd-new LDAP attributes:

amavisArchiveQuarantineTo
amavisBadHeaderAdmin
amavisBadHeaderLover
amavisBadHeaderQuarantineTo
amavisBannedAdmin
amavisBannedFilesLover
amavisBannedQuarantineTo
amavisBannedRuleNames
amavisBlacklistSender
amavisBypassBannedChecks
amavisBypassHeaderChecks
amavisBypassSpamChecks
amavisBypassVirusChecks
amavisLocal
amavisMessageSizeLimit
amavisNewVirusAdmin
amavisSpamAdmin
amavisSpamDsnCutoffLevel
amavisSpamKillLevel
amavisSpamLover
amavisSpamModifiesSubj
amavisSpamQuarantineCutoffLevel
amavisSpamQuarantineTo
amavisSpamSubjectTag
amavisSpamSubjectTag2
amavisSpamTag2Level
amavisSpamTagLevel
amavisVirusAdmin
amavisVirusLover
amavisVirusQuarantineTo
amavisWarnBadHeaderRecip
amavisWarnBannedRecip
amavisWarnVirusRecip
amavisWhitelistSender

Changes:

2010/08/17 Added new section about perl-ldap module.

Setting up a secondary CentOS Directory Server

A new Directory Server how-to is here!

Setting up a secondary CentOS Directory Server is a how-to describing how to install a second CentOS Directory Server and link it to a configuration/master Directory Server.  Just like its predecessor, this is a step-by-step how-to that includes a sample session.

You can find the how-to at http://www.rainingpackets.com/wiki/doku.php?id=setting_up_a_secondary_centos_directory_server.