Linux-Microsoft Samba LDAP Setup Guide

This document describes the setup of a Samba server using LDAP for authentication and file sharing in a heterogeneous Linux-Microsoft environment. It covers the installation steps for Linux Fedora, OpenLDAP, as well as the configuration of Samba and administration tools. The project aims to centralize user management and secure communications between clients and servers.

setting up a Samba LDAP server [Link]


AFPA MEUDON CENTER
Centre Yves Bodiguel - 12/14 Avenue du Maréchal Juin
Vélizy Industrial Zone

92366 MEUDON-LA-FORET CEDEX


Phone: 01 45 37 78 00
Fax: 01 46 30 90 62

MINIPROJECT:

Linux-Microsoft Interoperability
File sharing and authentication
SAMBA 3 / LDAP

Created by:

Alex FALZON
[Link]@[Link]

Michaël VILLAR
villar.m@[Link]


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Return to the cover page

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

SUMMARY

(The phrases in green italics are indicators of the project's progress).

INTRODUCTION:

SPECIFICATIONS:
TEST PLATFORM STRUCTURE:
ADOPTED METHOD:

PRESENTATION AND OPERATION OF THE LDAP DIRECTORY:


Functional authentication schemes:

FORMAT OF THE DATABASE AND DEFINITIONS:


The Directory Information Tree
The attributes
Object classes
The schemas

INSTALLATION OF LINUX FEDORA 3:

The installation of Linux Fedora Core 3 is complete.

INSTALLATION OF OPENLDAP :
OPENLDAP CONFIGURATION:
Customize the configuration of the [Link] file:
STARTING LDAP SERVER:
Verification of active processes:
Identification of the listening port:

CREATION OF THE STRUCTURE READY TO RECEIVE SAMBA DATA:


Creation of a file /etc/openldap/[Link]:
Insertion of this file into the LDAP directory:
Confirmation of insertions:
Index generation:

The directory is now ready to receive our Samba accounts.

LDAP SERVER CONNECTION TEST:

INSTALLATION OF THE ADMINISTRATION TOOL 'WEBMIN':


INSTALLATION OF THE ADMINISTRATION TOOL 'PHPLDAPADMIN':

SAMBA CONFIGURATION:
Editing the file /etc/samba/[Link]:
Initialization of the LDAP password:
Starting Samba:

The Samba server is ready to control the domain.

MANAGE ACCOUNTS:
Add a machine account to connect:
Addition of an administrator account to our domain:
Adding user groups:
Adding users to these groups:
Modification of their properties (Samba):
Verification of users present in the database:

CREATION OF USER ENVIRONMENTS:


Creation of the directory /export/samba-test/homes/director and management of rights:
Management of rights and creation of the directories userdir1, usercom1, usertec1 in /export/samba-test/profiles/:
Creation of the file /export/samba-test/netlogon/[Link] and management of permissions:

CONFIGURATION OF CLIENT WORKSTATIONS:


· Windows workstations:
· Linux workstations:

The POSTELDAP machine can now be joined to the MICALEX domain with the users smbadmin, userdir1, usercom1, and usertec1.

SETTING UP ENCRYPTED AUTHENTICATION WITH TLS:

Authentication is now encrypted.

CONCLUSION:

ANNEX 1: [Link] FILE PROVIDED BY DEFAULT


ANNEX 2: FINAL [Link] FILE.
ANNEX 3: [Link] FILE
ANNEX 4: [Link] FILE
ANNEX 5: GLOSSARY
ANNEX 6: IMPORTANT COMMANDS

ANNEX 7: BIBLIOGRAPHY

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Introduction:

This project is carried out as part of a training program at the AFPA center Yves Bodiguel in Meudon la forêt.

The tools and techniques used are those found in March 2005.

Throughout this mini project you will find:

- A presentation of LDAP technology
- The different steps to set it up: installation of the OS (Fedora), Samba, the administration tools, and the directory itself
- Configuration procedures and configuration files

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Specifications:

A company with a heterogeneous IT infrastructure (Linux and Windows clients) wants to centralize its user database, both for looking up information on users and for authentication.

This database (directory) must be quickly accessible; Windows and Linux clients must be able to authenticate from any station on the network; and client/server authentication traffic must be secured and encrypted.

The chosen products are free software: Fedora Linux for the OS and OpenLDAP for the LDAP server.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Structure of the test platform:

For the installation of this platform, we will use three identical machines connected to an Ethernet network:

Physical structure: Intel(R) Celeron(R) CPU 2.40GHz (2.39 GHz), 512 MB of RAM

Logical structure:

- on the 1st: Samba PDC and LDAP server under Fedora Core 3
- on the 2nd: Windows XP Pro SP2 + VMware, with a virtual Samba PDC and LDAP server on Fedora Core 3
- on the 3rd (in multiboot): a Windows XP Pro station and a Fedora Core 3 station

The chosen domain name for the project is micalex.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Method adopted:

The 1st server is used for testing following our research.

The 2nd allows the 'clean' setup of the final system and the screen captures for the report.

The 3rd is used to test the Microsoft and Linux stations.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Presentation and operation of the LDAP directory:

LDAP (Lightweight Directory Access Protocol) is the TCP/IP version of the DAP protocol, the latter being the OSI protocol for accessing the X500 directory service.

At first, LDAP was merely an interface to X500 directories, but LDAP can now manage the databases entirely on its own (standalone LDAP).

Functional authentication schemes:

- For Linux:

- For Windows:

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Database format and definitions:

The Directory Information Tree

Standalone LDAP uses the LDBM database format. Each entry is uniquely identified in the tree by its DN (Distinguished Name).

The DN indicates the path to follow from the top of the tree to reach the corresponding entry (example: dn = Isabelle Bourdais technique Boulogne [Link]).

The attributes

Each DSE entry can be considered as an object, therefore possessing certain attributes; for example, if a person is an entry, the attributes can include first name, last name, age, etc. It is also possible to define mandatory attributes (MUST) and optional ones (MAY).

Object classes

We group objects belonging to the same domain into an object class, which is characterized by its attributes, mandatory or optional, each of a given type.

The types of object class are:

- structural type: classes of concrete objects in the directory (people, groups of people, ...)

- auxiliary type: classes of objects that can be created to add additional attributes to already existing structural object classes. In C++ terms, one would say that the auxiliary class derives from a structural class.

- abstract type: default object classes that have no concrete meaning; for example, the top class is the generic object class. All other classes derive from this class.

All other object classes derive from the class top (the root). Each class inherits the properties of a parent class and has
additional attributes compared to the latter.

The schemas

A schema describes all the rules used by the LDAP server to define object classes (attributes, syntax, ...).

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Installation of LINUX Fedora 3:

After booting from the installation DVD, press enter to start.

Choose the language (French) and the keyboard type (French latin1).

Choose the custom installation type and automatic partitioning.

Select 'delete all Linux partitions from the system' and confirm.

Click Next in the 'disk configuration' window.

Select 'advanced options configuration of the boot loader' on the 'boot loader configuration' page.

Select 'force the use of LBA32' on the 'advanced bootloader configuration' page.

Enter your network settings.

Activate the firewall on the 'firewall configuration' page.

Select French on the 'other language' page and your time zone (Europe/Paris) on the 'time zone selection' page.


Enter your password.

Choose the following packages:



Wait a few minutes and then restart.

Accept the license agreement.



Set the time, display resolution, system user data.

The installation of Linux Fedora Core 3 is complete.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Installation of OpenLDAP:

We installed OpenLDAP using the packages available during the installation of Linux Fedora Core 3:
· [Link]

Note:
If the distribution used does not contain the original package, it must be downloaded from the site: [Link]
Once downloaded, install the package:

root# rpm -i [Link]

Retrieve the [Link] schema file by downloading it from the following address ([Link]), the smbldap-installer from Matt Oquist (Software Engineering Consultant).
Put this schema in /etc/openldap/schema/

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

OpenLDAP configuration:

The folder /etc/openldap contains:

· a directory containing the schemas.
· a [Link] file.
· a [Link] file.

Content of the [Link] file:

#
# LDAP Defaults
#

# See [Link](5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://[Link] ldap://[Link]

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST [Link]
BASE dc=micalex,dc=fr

Note:
The most important file of OpenLDAP is [Link] (see Annex 1).
This file defines the basic configuration of the LDAP directory.

Customize the configuration of the [Link] file:

· Line 69: you must provide the suffix:


suffix "dc=micalex,dc=fr"

· Line 70: you must provide the administrator of the directory:


[Link]

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Creation of the structure ready to receive Samba data:

Creation of a file /etc/openldap/[Link]:

# Machine container
dn: ou=Computers,dc=micalex,dc=fr
objectclass: top
objectclass: organizationalUnit
ou: Computers

# Administrator
dn: cn=admin,ou=Users,dc=micalex,dc=fr
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}aVF+ESI/rloVCQsmLqYinLlkh/v1krej

Insertion of this file into the LDAP directory:

[root@srvldapv ~]# ldapadd -W -D 'cn=Manager,dc=micalex,dc=fr' -xh localhost -f /etc/openldap/[Link]

Enter LDAP Password: *******

Confirmation of insertions:
adding new entry "dc=micalex,dc=fr"
adding new entry "cn=Manager,dc=micalex,dc=fr"
adding new entry "ou=Users,dc=micalex,dc=fr"
adding new entry "ou=Machines,dc=micalex,dc=fr"
adding new entry "cn=admin,ou=Users,dc=micalex,dc=fr"

Index generation:

[root@srvldapv]# slapindex -f /etc/openldap/[Link]

The directory is now ready to receive our Samba accounts.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

LDAP server connection test:


[root@srvldapv ~]# ldapsearch -b 'dc=micalex,dc=fr' -xh [Link]
# extended LDIF
#
# LDAPv3
# base <dc=micalex,dc=fr> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# [Link]
dn: dc=micalex,dc=fr
objectClass: dcObject
objectClass: organization
dc: micalex
o: Samba 3
description: Samba 3

# Manager, [Link]
dn: cn=Manager,dc=micalex,dc=fr
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

# Users, [Link]
dn: ou=Users,dc=micalex,dc=fr
objectClass: top
objectClass: organizationalUnit
ou: Users

# Machines, [Link]
dn: ou=Machines,dc=micalex,dc=fr
objectClass: top
objectClass: organizationalUnit
ou: Machines

# admin, Users, [Link]
dn: cn=admin,ou=Users,dc=micalex,dc=fr
cn: admin
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1NTSEF9YVZGK0VTSS9ybG9WQ1FzbUxxWWluTGxraC92MWtyZWo=

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
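The 'userPassword::' line above is the same {SSHA} value written in the LDIF file, only base64-encoded by ldapsearch. The following example, added here and not part of the original project, decodes it and shows how OpenLDAP builds and checks a {SSHA} value (a 4-byte salt appended to the SHA-1 of password+salt); the password 'example-password' and its salt are constructed for the test, the admin password behind the page's hash is not known.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed for this example: the same userPassword value in the two forms the
# page shows, the LDIF written by hand and the 'attr:: base64' form ldapsearch
# prints for values it will not display as plain text.
LDIF_PLAIN = "userPassword: {SSHA}aVF+ESI/rloVCQsmLqYinLlkh/v1krej"
LDIF_B64 = "userPassword:: e1NTSEF9YVZGK0VTSS9ybG9WQ1FzbUxxWWluTGxraC92MWtyZWo="


def decode_ldif_value(line: str) -> str:
    """Return the value of one LDIF attribute line.

    RFC 2849: 'attr: value' is literal, 'attr:: value' is base64-encoded.
    The '::' form is an encoding, not a protection: anyone holding the
    line recovers the {SSHA} string exactly as it was written.
    """
    _attr, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split an OpenLDAP '{SSHA}' value into (sha1_digest, salt).

    The payload is base64(SHA1(password + salt) + salt). SHA-1 digests are
    20 bytes, so whatever follows is the salt (4 bytes for slappasswd).
    """
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("payload too short to contain a digest and a salt")
    return raw[:20], raw[20:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a '{SSHA}' value as 'slappasswd -h {SSHA}' would."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, value: str) -> bool:
    """Check a candidate password against a stored '{SSHA}' value."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, so timing does not reveal how much matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = decode_ldif_value(LDIF_B64)
    digest, salt = split_ssha(stored)
    print(f"{stored}: {len(digest)}-byte SHA-1 digest, {len(salt)}-byte salt")
```

A salted hash in this form is exactly what an eavesdropper on an unencrypted session obtains, which is why the page later moves authentication to TLS.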

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Installation of the administration tool 'webmin':

Download '[Link]' from:

[Link]

Install the package:

[root@srvldapv]# rpm -i

To use this tool, type in Firefox: [Link]

To establish a secure connection (HTTPS):

1) Open Webmin, click on Webmin Configuration, then SSL Encryption.

2) Create a new SSL key by clicking on Create now.

To use Webmin, from now on type in Firefox: [Link]

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Installation of the administration tool 'phpldapadmin':

Download phpldapadmin 0.9.5 from:

[Link]

Unzip it to /var/www/html/ with:

[root@srvldapv]# tar -xvzf /root/[Link] -C /var/www/html/

Verify with:
[root@srvldapv]# ls /var/www/html/

Start the web server with:

[root@srvldapv]# service httpd start

Check that it is working properly; you should land on the Apache test page with:
[Link]

Edit the [Link] file as shown in Annex 3.

Rename it with:
[root@srvldapv]# cp /var/www/html/phpldapadmin-0.9.5/[Link] /var/www/html/phpldapadmin-0.9.5/[Link]

To use this tool, type in Firefox: [Link]

To establish a secure connection (HTTPS):

1) Open Webmin, click on Servers, then Apache, and finally Per-Directory Options Files.

2) Indicate the path of Phpldapadmin:

/var/www/html/php

3) Then click on Create Options file.

To use Phpldapadmin, from now on type in Firefox: [Link]

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Samba Configuration:

Editing the file /etc/samba/[Link]:

# [Link] file
[global]
passdb backend = ldapsam:ldap://[Link], guest
ldap admin dn = cn=Manager,dc=micalex,dc=fr
ldap ssl = off
ldap delete dn = no
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap suffix = dc=micalex,dc=fr
workgroup = MICALEX
netbios name = SRVLDAPV
server string = SRVLDAPV
encrypt passwords = yes
domain logons = yes
os level = 65
domain master = Yes
local master = Yes
security = user
log file = /var/log/samba/%[Link]
log level = 2

[tmp]
comment = Partage des fichiers temporaires
path = /tmp
read only = no
writable = yes
guest ok = yes

; Scripts and policies
[netlogon]
path = /export/samba-test/netlogon
comment = Network logon service
read only = yes
guest ok = yes

; To be mapped via \\server\user
[homes]
path = /export/samba-test/homes/%u
comment = Home directories
valid users = %S
writeable = yes
read only = no
create mask = 0664
directory mask = 0775
browsable = no

; To be mapped via \\server\profiles\user
[profiles]
path = /export/samba-test/profiles
create mask = 0600
directory mask = 0700
browsable = no
writeable = yes

Initialization of the LDAP password:

[root@srvldapv]# smbpasswd -w micalex
Setting stored password for "cn=Manager,dc=micalex,dc=fr" in [Link]

Starting Samba:

[root@srvldapv]# service samba start

The Samba server is ready to control the domain.
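The ldapsam settings above name three containers under 'ldap suffix', and Samba can only create a user, machine or group entry beneath a container that already exists in the directory. The check below, added here and not part of the original project, compares the suffixes from the smb.conf above with the DNs the ldapsearch test returned earlier (both copied into the script as constructed inputs; localhost is assumed for the redacted server address) and reports the containers that are missing.

```python
import re
from typing import Dict, List, Set

# Constructed input: the LDAP-related [global] settings of the smb.conf above.
# 'localhost' stands in for the server address that is redacted on the page.
SMB_CONF = """
[global]
passdb backend = ldapsam:ldap://localhost, guest
ldap admin dn = cn=Manager,dc=micalex,dc=fr
ldap ssl = off
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap suffix = dc=micalex,dc=fr
workgroup = MICALEX

[homes]
path = /export/samba-test/homes/%u
"""

# Constructed input: the DNs the ldapsearch test earlier on the page returned.
DIRECTORY_LDIF = """
dn: dc=micalex,dc=fr
objectClass: dcObject

dn: cn=Manager,dc=micalex,dc=fr
objectClass: organizationalRole

dn: ou=Users,dc=micalex,dc=fr
objectClass: organizationalUnit

dn: ou=Machines,dc=micalex,dc=fr
objectClass: organizationalUnit

dn: cn=admin,ou=Users,dc=micalex,dc=fr
objectClass: simpleSecurityObject
"""


def parse_smb_global(text: str) -> Dict[str, str]:
    """Return the 'name = value' pairs of the [global] section.

    Parameter names are lower-cased with whitespace collapsed, since Samba
    itself ignores case and spacing in them; ';' and '#' lines are comments.
    """
    settings: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            settings[" ".join(name.lower().split())] = value.strip()
    return settings


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldif_dns(text: str) -> Set[str]:
    """Collect the DN of every entry in an LDIF document."""
    return {normalize_dn(m.group(1))
            for m in re.finditer(r"^dn:[ \t]*(.+)$", text, re.MULTILINE)}


def expected_containers(settings: Dict[str, str]) -> Dict[str, str]:
    """Map each ldapsam suffix parameter to the full DN Samba writes under.

    An unset suffix means Samba writes directly under 'ldap suffix'.
    """
    base = settings["ldap suffix"]
    containers: Dict[str, str] = {}
    for name in ("ldap user suffix", "ldap machine suffix", "ldap group suffix"):
        rdn = settings.get(name)
        containers[name] = normalize_dn(f"{rdn},{base}" if rdn else base)
    return containers


def missing_containers(smb_conf: str, ldif: str) -> List[str]:
    """Return the suffix parameters whose container is absent from the directory."""
    present = ldif_dns(ldif)
    expected = expected_containers(parse_smb_global(smb_conf))
    return sorted(name for name, dn in expected.items() if dn not in present)


if __name__ == "__main__":
    expected = expected_containers(parse_smb_global(SMB_CONF))
    for name in missing_containers(SMB_CONF, DIRECTORY_LDIF):
        print(f"{name}: {expected[name]} not found in the directory")
```

On the page's own data it reports 'ldap group suffix' (ou=Groups) and 'ldap machine suffix' (ou=Computers, while the directory was populated with ou=Machines), a mismatch worth reconciling before adding machine accounts.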

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Manage accounts:

Add a machine account to connect:



[root@srvldapv]# useradd POSTELDAP$            (under Unix)

[root@srvldapv]# smbpasswd -a -m POSTELDAP     (for Samba)

Add an administrator account to our domain:

Adding a Samba administrator:

[root@srvldapv]# useradd -o -u 0 -g 0 smbadmin  (Unix)
[root@srvldapv]# smbpasswd -a smbadmin          (Samba)

Note:
This account will be used for all operations performed with the net command and for joining the Windows machines to the domain.

Add user groups:

[root@srvldapv]# groupadd direction   (Unix)
[root@srvldapv]# groupadd commercial  (Unix)
[root@srvldapv]# groupadd technique   (Unix)

Adding users to these groups:

[root@srvldapv]# useradd -g direction userdir1   (Unix)
[root@srvldapv]# smbpasswd -a userdir1           (Samba)

[root@srvldapv]# useradd -g commercial usercom1  (Unix)
[root@srvldapv]# smbpasswd -a usercom1           (Samba)

[root@srvldapv]# useradd -g technique usertec1   (Unix)
[root@srvldapv]# smbpasswd -a usertec1           (Samba)

Modification of their properties (Samba):

Definition of the profile directories and home directories, as well as the setup of the logon script and a network drive letter for each user (the UNC paths are single-quoted so that the shell does not consume the backslashes):

userdir1
[root@srvldapv]# pdbedit -r --profile='\\SRVLDAPV\profiles\userdir1' --homedir='\\SRVLDAPV\userdir1' --script=[Link] --drive=U: userdir1

usercom1
[root@srvldapv]# pdbedit -r --profile='\\SRVLDAPV\profiles\usercom1' --homedir='\\SRVLDAPV\usercom1' --script=[Link] --drive=U: usercom1

usertec1
[root@srvldapv]# pdbedit -r --profile='\\SRVLDAPV\profiles\usertec1' --homedir='\\SRVLDAPV\usertec1' --script=[Link] --drive=U: usertec1

Verification of users present in the database:



[root@srvldapv]#pdbedit -vL

Or via phpldapadmin:

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Creation of user environments:

Creation of the directory /export/samba-test/homes/director and management of rights (each home is owned by its user and group):

[root@srvldapv]# mkdir -p /export/samba-test/homes/userdir1
[root@srvldapv]# chown userdir1:direction /export/samba-test/homes/userdir1
[root@srvldapv]# chmod 700 /export/samba-test/homes/userdir1

[root@srvldapv]# mkdir -p /export/samba-test/homes/usercom1
[root@srvldapv]# chown usercom1:commercial /export/samba-test/homes/usercom1
[root@srvldapv]# chmod 700 /export/samba-test/homes/usercom1

[root@srvldapv]# mkdir -p /export/samba-test/homes/usertec1
[root@srvldapv]# chown usertec1:technique /export/samba-test/homes/usertec1
[root@srvldapv]# chmod 700 /export/samba-test/homes/usertec1

Management of rights and creation of the directories userdir1, usercom1, usertec1 in /export/samba-test/profiles/:

[root@srvldapv]# mkdir -p /export/samba-test/profiles/userdir1
[root@srvldapv]# chown userdir1:direction /export/samba-test/profiles/userdir1
[root@srvldapv]# chmod 700 /export/samba-test/profiles/userdir1

[root@srvldapv]# mkdir -p /export/samba-test/profiles/usercom1
[root@srvldapv]# chown usercom1:commercial /export/samba-test/profiles/usercom1
[root@srvldapv]# chmod 700 /export/samba-test/profiles/usercom1

[root@srvldapv]# mkdir -p /export/samba-test/profiles/usertec1
[root@srvldapv]# chown usertec1:technique /export/samba-test/profiles/usertec1
[root@srvldapv]# chmod 700 /export/samba-test/profiles/usertec1

Creation of the file /export/samba-test/netlogon/[Link] and management of permissions:

[root@srvldapv]# echo -e "echo \"Test\"\npause" > /export/samba-test/netlogon/[Link]
[root@srvldapv]# chown director:direction /export/samba-test/netlogon/[Link]
[root@srvldapv]# chmod 400 /export/samba-test/netlogon/[Link]

The POSTELDAP machine can now be joined to the MICALEX domain with the users smbadmin, userdir1, usercom1 and usertec1.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Configuration of client workstations:

· Windows workstations:

Note:
In order for the Windows machines to be authenticated, they need to belong to the NT domain (MICALEX) that we have created.

First, it is necessary to create a machine account on the domain PDC:

[root@srvldapv]# useradd POSTE07$
[root@srvldapv]# smbpasswd -a -m POSTE07

Procedure on the client workstation:

1) Right-click on My Computer

2) Select Properties

3) Select the Computer Name tab

4) Select Change...

5) Select 'Domain' under 'Member of:' and enter the name of the NT domain you want

6) Use the smbadmin account to join the domain.

7) Restart the workstation and then use an existing Samba account (userdir1, usercom1, …) to log in to the workstation.

· Linux workstations:

Note:
In order for Linux stations to authenticate against the LDAP directory, we use PAM (Pluggable Authentication Modules), which allows us to define the levels and methods of authentication.
PAM is an authentication service that requires the accounts that need to authenticate against the LDAP directory to exist locally.
For the configuration of the PAM service on client workstations, we use the GUI Webmin.

Procedure:

1) Connect to Webmin in secure mode (https). The root account of the client machine is used.
To use this tool, type in Firefox: [Link]

2) Select the PAM module located under the System tab

3) Select the login service

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Setting up encrypted authentication with TLS:

The following captures reveal a security flaw.

Indeed, the password is indeed encrypted (and even encrypted, passwords are precious: many tools can be found to 'break' them), but the SID, the GID and the UID are transmitted in the clear over the network. To meet the specifications, we have chosen encrypted authentication with TLS.

A simple way to secure our transactions is to use TLS (Transport Layer Security, formerly SSL v3.0, renamed and standardized by the IETF, see RFC 2246), which ensures the encryption of the data.

Note:
For the authentication to be encrypted, the secure communication protocol TLS must be used. It uses a certificate for authentication between the client station and the LDAP server.

1) In the directory /etc/openldap, create a directory 'cert' that will contain the keys and the certificate:

[root@srvldapv]#mkdir /etc/openldap/cert

2) In this directory, generate the server's private key:

[root@srvldapv]#openssl genrsa -out [Link] 1024

3) Then the public key and the certificate request (in [Link]):

[root@srvldapv]#openssl req -new -key [Link] -out [Link]

Fill in the requested information correctly. Remember to enter the CN (Common Name) correctly: it is the FQDN (full DNS name) of your server, which clients will use when querying the LDAP database.

Note:
To enable TLS communications, the [Link] file must be modified. There are two types of directives:
· the pure OpenLDAP directives (see Annex 6)
· the directives added by libpam_ldap and libnss_ldap.

4) On the LDAP server ([Link]), modify /etc/openldap/[Link] and add the paths to the different keys and the certificate:

# TLS
# Path to the LDAP server certificate
TLSCertificateFile /etc/openldap/cert/[Link]
# Path to the private key of the LDAP server
TLSCertificateKeyFile /etc/openldap/cert/[Link]
# Path to the CA certificate
TLSCACertificateFile /etc/openldap/cert/[Link]

5) Add this to the [Link] file of the client workstation (the two 'ssl' lines are alternatives: keep the one matching the port the server listens on):

# OpenSSL SSL directive (for ldapsearch in particular)
TLS_CACERT /etc/openldap/cert/[Link]

# libnss and libpam SSL directives
# Raw SSL activation (port 636)
ssl yes
# SSL activation via the starttls command (standard port 389)
ssl start_tls
# Verify the server certificate
tls_checkpeer yes
# Location of the CA certificate
tls_cacertfile /etc/openldap/cert/[Link]

6) The 'cacert' file (this is the CA certificate) must be present on the station's disk: copy it from our LDAP server to the right location (here /etc/openldap/cert/).

Thanks to this method, sniffing the exchange no longer yields any critical information:

Authentication is now encrypted.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Conclusion:

This Windows and Linux interoperability project made us aware of the authentication difficulties of heterogeneous systems. We had to implement a strategy that unifies user account management while ensuring an acceptable level of security for authentication.

We therefore chose two different authentication strategies based on a single account base:

- For Windows, we opted for an NT domain with a Samba 3 controller using an LDAP directory as the account base.
- For Linux, we chose direct authentication of user accounts against an LDAP directory.

It was necessary to ensure a secure dialogue for authentication: on the one hand between Windows and Samba 3, and on the other a TLS-encrypted dialogue between Linux and LDAP.

We noticed a security vulnerability when using roaming profiles, because the transfer of files from the server to the workstation occurs in the clear.

For graphical administration, we chose interfaces that allow remote administration. This administration is secured by the use of secure connections (HTTPS protocol):

OpenLDAP: phpLDAPadmin
Samba 3: Webmin

The Webmin interface also allows system administration from any Linux machine; we can manage the authentication level of any process via PAM.

Certain software offers the possibility to refine security further. For example, the NuFW firewall is capable of managing filtering rules based on users: for each connection request packet, it can use the LDAP directory to authenticate the user. Performance tests demonstrate the effectiveness and speed of this method. Many other software solutions are based on this stable and free technique.

Thanks to this project, we were able to see that interoperability in a heterogeneous environment is possible but remains a cumbersome solution to implement. It requires extreme finesse in configuration to provide an acceptable level of security.

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Annex 1: default supplied [Link] file

#
# See [Link](5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/[Link]
include /etc/openldap/schema/[Link]
include /etc/openldap/schema/[Link]
include /etc/openldap/schema/[Link]

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://[Link]

pidfile /var/run/[Link]
argsfile /var/run/[Link]

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make [Link]", and fixing permissions on
# [Link] so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/[Link]
# TLSCertificateFile /usr/share/ssl/certs/[Link]
# TLSCertificateKeyFile /usr/share/ssl/certs/[Link]

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
#     Allow self write access
#     Allow authenticated users read access
#     Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to [Link]="" by * read
# access to [Link]="cn=Subschema" by * read
# access to *
#     by self write
#     by users read
#     by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix dc=my-domain,dc=com
rootdn cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and [Link](5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=[Link] starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/[Link]@[Link]

To return to the summary click here


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Annex 2: definitive [Link].

#
# See [Link](5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/[Link]
include /etc/openldap/schema/[Link]
include /etc/openldap/schema/[Link]
include /etc/openldap/schema/[Link]
#include /etc/openldap/schema/[Link]
#include /etc/openldap/schema/[Link]
#include /etc/openldap/schema/[Link]
#include /etc/openldap/schema/[Link]
#include /etc/openldap/schema/[Link]

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://[Link]

pidfile /var/run/[Link]
argsfile /var/run/[Link]

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, executing "make [Link]", and correcting permissions on
# [Link] so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/[Link]
# TLSCertificateFile /usr/share/ssl/certs/[Link]
# TLSCertificateKeyFile /usr/share/ssl/certs/[Link]

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to [Link]="" by * read
# access to [Link]="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix dc=micalex,dc=fr
rootdn cn=Manager,dc=micalex,dc=fr
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and [Link](5) for details.
# Use of strong authentication encouraged.
rootpw {CRYPT}avMFiNMraPfxQ
# rootpw ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=[Link] starttls=critical
#    bindmethod=sasl saslmech=GSSAPI
#    authcId=host/[Link]@[Link]

Then, on the LDAP server, modify /etc/openldap/[Link] and add the paths to the keys and to the certificate used for
TLS authentication:

# TLS
# Path to the LDAP server certificate
TLSCertificateFile /etc/openldap/cert/[Link]
# Path to the private key of the LDAP server
TLSCertificateKeyFile /etc/openldap/cert/[Link]
# Path to the CA certificate
TLSCACertificateFile /etc/openldap/cert/[Link]
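The comment above the rootpw lines in the file above warns against storing the rootdn password in clear and points to slappasswd(8). As an added example (not code from this report or from OpenLDAP), the following Python produces and verifies the salted SHA-1 {SSHA} form that slappasswd emits by default, and tells a scheme-tagged value apart from one that slapd would store as-is; the function names are this example's own, and only the standard library is used.

```python
"""Generate and verify {SSHA} password hashes, the salted SHA-1 form
slappasswd(8) emits by default and the form rootpw and userPassword
should carry instead of a cleartext value.

Added example, not code from the original report or from OpenLDAP;
only the Python standard library is used."""
import base64
import hashlib
import hmac
import os
from typing import Optional

_PREFIX = "{SSHA}"
_SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style: '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)          # slappasswd also draws a random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return _PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt recovered from the stored value;
    the comparison is constant-time so timing does not leak how many
    bytes matched."""
    if not stored.startswith(_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(_PREFIX):])
    if len(raw) <= _SHA1_LEN:
        raise ValueError("stored value too short to hold digest and salt")
    digest, salt = raw[:_SHA1_LEN], raw[_SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(value: str) -> Optional[str]:
    """Return the {SCHEME} tag of a rootpw/userPassword value, or None when
    the value carries no tag and slapd would therefore store it in clear."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return None
```

A value returned by ssha_hash can be pasted directly after rootpw or into a userPassword attribute; the salt travels inside the base64 payload, so nothing else needs to be stored.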

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Appendix 3: [Link] file

<?php

/*
 * The phpLDAPadmin config file
 *
 * This is where you customize phpLDAPadmin. The most important
 * part is immediately below: The 'LDAP Servers' section.
 * You must specify at least one LDAP server there. You may add
 * as many as you like. You can also specify your language, and
 * many other options.
 *
 */

/**
 * phpLDAPadmin can encrypt the content of sensitive cookies if you set this
 * to a big random string.
 */
$blowfish_secret = '';

/* Your LDAP servers */

$i=0;
$servers = array();
$servers[$i]['name'] = '[Link]';
    /* A convenient name that will appear in the tree viewer and
       throughout phpLDAPadmin to identify this LDAP server to users. */
$servers[$i]['host'] = '[Link]';
    /* Examples:
         [Link]
         ldaps://[Link]/
         ldapi://%2fusr%local%2fvar%2frun%2fldapi
         (Unix socket at /usr/local/var/run/ldap)
       Note: Leave 'host' blank to make phpLDAPadmin ignore this server. */
$servers[$i]['base'] = 'dc=micalex,dc=fr';
    /* The base DN of your LDAP server. Leave this blank to have
       phpLDAPadmin auto-detect it for you. */
$servers[$i]['port'] = 389;
    /* The port your LDAP server listens on (389 is standard). */
$servers[$i]['auth_type'] = 'config';
    /* Three options for auth_type:
         1. 'cookie': you will login via a web form, and a client-side
            cookie will store your login and password.
         2. 'session': same as cookie but your login dn and password are
            stored on the web server in a persistent session variable.
         3. 'config': specify your login dn and password here in this
            config file. No login will be required to use phpLDAPadmin
            for this server.
       Choose wisely to protect your authentication information
       appropriately for your situation. If you choose 'cookie', your
       cookie contents will be encrypted using blowfish and the secret
       you specify above as $blowfish_secret. */
$servers[$i]['login_dn'] = 'cn=Manager,dc=micalex,dc=fr';
    /* The DN of the user for phpLDAPadmin to bind with. For anonymous
       binds or 'cookie' or 'session' auth_types, leave the login_dn and
       login_pass blank. If you specify a login_attr in conjunction with
       a cookie or session auth_type, then you can also specify the
       login_dn/login_pass here for searching the directory for users
       (ie, if your LDAP server does not allow anonymous binds). */
$servers[$i]['login_pass'] = 'micalex';
    /* Your LDAP password. If you specified an empty login_dn above,
       this MUST also be blank. */
$servers[$i]['tls'] = false;
    /* Use TLS (Transport Layer Security) to connect to the LDAP server. */
$servers[$i]['low_bandwidth'] = false;
    /* If the link between your web server and this LDAP server is slow,
       it is recommended that you set 'low_bandwidth' to true. This will
       cause phpLDAPadmin to forego some "fancy" features to conserve
       bandwidth. */
$servers[$i]['default_hash'] = 'crypt';
    /* Default password hashing algorithm. One of md5, ssha, sha,
       md5crypt, smd5, blowfish, crypt or leave blank for no default
       algorithm. */
$servers[$i]['login_attr'] = 'dn';
    /* If you specified 'cookie' or 'session' as the auth_type above, you
       can optionally specify here an attribute to use when logging in.
       If you enter 'uid' and login as 'dsmith', phpLDAPadmin will search
       for (uid=dsmith) and log in as that user. Leave blank or specify
       'dn' to use the full DN for logging in. Note also that if your
       LDAP server requires you to login to perform searches, you can
       enter the DN to use when searching in 'login_dn' and 'login_pass'
       above. You may also specify 'string', in which case you can
       provide a string to use for logging users in. See 'login_string'
       directly below. */
$servers[$i]['login_string'] = 'uid=<username>,ou=People,dc=micalex,dc=fr';
    /* If you specified 'cookie' or 'session' as the auth_type above, and
       you specified 'string' for 'login_attr' above, you must provide a
       string here for logging users in. If, for example, I have a lot of
       user entries with DNs like uid=dsmith,ou=People,dc=example,dc=com,
       then I can specify the string
       uid=<username>,ou=People,dc=example,dc=com and my users can login
       with their user names alone, i.e., "dsmith" in this case. */
$servers[$i]['login_class'] = '';
    /* If 'login_attr' is used above such that phpLDAPadmin will search
       for your DN at login, you may restrict the search to a specific
       objectClass. E.g., set this to 'posixAccount' or 'inetOrgPerson',
       depending on your setup. */
$servers[$i]['read_only'] = false;
    /* Specify true if you want phpLDAPadmin to not display or permit any
       modification to the LDAP server. */
$servers[$i]['show_create'] = true;
    /* Specify false if you do not want phpLDAPadmin to draw the
       'Create new' links in the tree viewer. */
$servers[$i]['enable_auto_uid_numbers'] = false;
    /* This feature allows phpLDAPadmin to automatically determine the
       next available uidNumber for a new entry. */
$servers[$i]['auto_uid_number_mechanism'] = 'search';
    /* The mechanism to use when finding the next available uidNumber.
       Two possible values: 'uidpool' or 'search'. The 'uidpool'
       mechanism uses an existing uidPool entry in your LDAP server to
       blindly lookup the next available uidNumber. The 'search'
       mechanism searches for entries with a uidNumber value and finds
       the first available uidNumber (slower). */
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=micalex,dc=fr';
    /* The DN of the search base when the 'search' mechanism is used
       above. */
$servers[$i]['auto_uid_number_min'] = 1000;
    /* The minimum number to use when searching for the next available
       UID number (only when 'search' is used for
       auto_uid_number_mechanism). */
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=micalex,dc=fr';
    /* The DN of the uidPool entry when the 'uidpool' mechanism is used
       above. */
$servers[$i]['auto_uid_number_search_dn'] = '';
    /* If you set this, then phpldapadmin will bind to LDAP with this
       user ID when searching for the uid number. The idea is, this user
       id would have full (readonly) access to uidnumber in your ldap
       directory (the logged in user may not), so that you can be
       guaranteed to get a unique uidnumber for your directory. */
$servers[$i]['auto_uid_number_search_dn_pass'] = '';
    /* The password for the dn above. */
$servers[$i]['disable_anon_bind'] = false;
    /* Disable the anonymous login. */
$servers[$i]['custom_pages_prefix'] = 'custom_';
    /* Use customized page with prefix when available. */

$servers[$i]['unique_attrs_dn'] = '';
    /* If you set this, then phpldapadmin will bind to LDAP with this
       user when testing for unique attributes (as set in unique_attrs
       array). If you want to enforce unique attributes, then this id
       should have full (readonly) access to the attributes in question
       (the logged in user may not have enough access). */
$servers[$i]['unique_attrs_dn_pass'] = '';
    /* The password for the dn above. */

The [Link] file is quite long; as the rest of it requires no modification, we have not reproduced it in full.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Appendix 4: [Link] file

[global]
passdb backend = ldapsam:ldap://[Link], guest
ldap admin dn = cn=Manager,dc=micalex,dc=fr
ldap ssl = off
ldap delete dn = no
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap suffix = dc=micalex,dc=fr
workgroup = MICALEX
netbios name = SRVLDAPV
server string = SRVLDAPV
encrypt passwords = yes

domain logons = yes

os level = 65
domain master = Yes
local master = Yes

security = user

log file = /var/log/samba/%[Link]
log level = 2

[tmp]
comment = Partage des fichiers temporaires
path = /tmp
read only = no
writable = yes
guest ok = yes

# Scripts and policies
[netlogon]
path = /export/samba-test/netlogon
comment = Network logon service
read only = yes
guest ok = yes

# Mapped as \\server\user
[homes]
path = /export/samba-test/homes/%u
comment = Home directories
valid users = %S
writeable = yes
read only = no
create mask = 0664
directory mask = 0775
browsable = no

# Mapped as \\server\profiles\user
[profiles]
path = /export/samba-test/profiles
create mask = 0600
directory mask = 0700
browsable = no
writeable = yes
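The slapd.conf of Annex 2 (with its TLS additions) and the smb.conf above together decide whether the directory traffic and the rootdn secret are protected: rootpw hashed or in clear, TLS material configured, a minimum SSF and access directives present, and Samba's admin-dn bind carried over ldap:// with ldap ssl = off. As an added example (not code from this report, OpenLDAP or Samba), the following Python lints those points on two constructed snippets modelled on the annexes; host and certificate names in the snippets are placeholders, the function names are this example's own, and it complements rather than replaces slaptest(8) and testparm(1).

```python
"""Lint the settings exercised by the report's slapd.conf (Annex 2, with
its TLS additions) and smb.conf (Appendix 4).

Added example, not code from the original report or from OpenLDAP/Samba.
The two embedded files are constructed snippets modelled on the annexes;
host and certificate names are placeholders."""
import configparser
from typing import List, Tuple

SLAPD_CONF = """\
# constructed sample modelled on Annex 2 (certificate names are placeholders)
include /etc/openldap/schema/core.schema
allow bind_v2
database bdb
suffix dc=micalex,dc=fr
rootdn cn=Manager,dc=micalex,dc=fr
rootpw {CRYPT}avMFiNMraPfxQ
directory /var/lib/ldap
TLSCertificateFile /etc/openldap/cert/server-cert.pem
TLSCertificateKeyFile /etc/openldap/cert/server-key.pem
TLSCACertificateFile /etc/openldap/cert/ca-cert.pem
"""

SMB_CONF = """\
# constructed sample modelled on Appendix 4 (the ldap host is a placeholder)
[global]
passdb backend = ldapsam:ldap://ldap.example.invalid, guest
ldap admin dn = cn=Manager,dc=micalex,dc=fr
ldap ssl = off
security = user
[tmp]
path = /tmp
writable = yes
guest ok = yes
[homes]
path = /export/samba-test/homes/%u
valid users = %S
writeable = yes
"""


def parse_slapd(text: str) -> List[Tuple[str, str]]:
    """(directive, argument) pairs the way slapd reads slapd.conf: '#' lines
    are comments and a line starting with whitespace continues the
    previous directive. Directive names are case-insensitive."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and pairs:
            key, arg = pairs[-1]
            pairs[-1] = (key, arg + " " + line.strip())
            continue
        fields = line.split(None, 1)
        pairs.append((fields[0].lower(), fields[1].strip() if len(fields) > 1 else ""))
    return pairs


def audit_slapd(text: str) -> List[str]:
    findings: List[str] = []
    conf = parse_slapd(text)
    present = {key for key, _ in conf}
    for key, arg in conf:
        if key == "rootpw" and not arg.startswith("{"):
            findings.append("rootpw is cleartext; store a slappasswd(8) hash instead")
    for tls in ("tlscertificatefile", "tlscertificatekeyfile", "tlscacertificatefile"):
        if tls not in present:
            findings.append(f"{tls} missing: slapd cannot offer TLS")
    if "security" not in present:
        findings.append("no 'security' directive: binds over plain ldap:// are accepted")
    if "access" not in present:
        findings.append("no 'access' directives: default policy lets anyone read everything")
    return findings


def audit_smb(text: str) -> List[str]:
    findings: List[str] = []
    smb = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    smb.read_string(text)
    g = smb["global"]
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:ldap://") and g.get("ldap ssl", "off").strip().lower() == "off":
        findings.append("ldap ssl = off with an ldap:// backend: the admin dn bind is unprotected")
    for share in smb.sections():
        if share == "global":
            continue
        s = smb[share]
        writable = (s.get("writable", s.get("writeable", "no")).strip().lower() == "yes"
                    or s.get("read only", "yes").strip().lower() == "no")
        if writable and s.get("guest ok", "no").strip().lower() == "yes":
            findings.append(f"[{share}] is writable and guest ok = yes")
    return findings


if __name__ == "__main__":
    for line in audit_slapd(SLAPD_CONF) + audit_smb(SMB_CONF):
        print(line)
```

Run against the two snippets it reports the missing security and access directives on the slapd side and, on the Samba side, the unprotected admin bind and the guest-writable [tmp] share; switching the snippet to ldap ssl = start tls clears the bind finding.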

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Annex 5: glossary

ACL (Access Control List): List specifying the rights assigned to one or more actors (e.g., a user) over a resource (e.g., a file).

BDC (Backup Domain Controller): Secondary domain controller, takes over from the PDC in case of failure. A term specific to an NT domain.

Class: defines the characteristics of a family of objects by specifying mandatory attributes and/or optional attributes. LDAP objects
support inheritance between classes, multiple or not (a subclass automatically inherits the attributes defined in the superclasses it
derives from). All classes inherit from the Top class, which is the top of the class hierarchy (it has a single attribute: objectClass).

DC (Domain Controller): Generic term used to refer to a domain controller, whether it is a PDC or a BDC (NT) or has no particular
level of importance (Active Directory).

DIB (Directory Information Base): An LDAP/X.500 directory is a collection of information of all kinds. This information is stored
in the 'Directory Information Base' or DIB. The DIB is made up of entries, whose content is governed by the concepts of object and class.

DIT (Directory Information Tree): An LDAP/X.500 tree is organized hierarchically, starting from a single root named 'root'. This
root can be seen as a null entry (empty object).

DN (Distinguished Name): Within an LDAP directory, represents the name and path of an object.
Example: "cn=Users,ou=Groups,dc=martymac,dc=com".

LDAP entries: LDAP entries are collections of attributes. Each attribute describes a specific type of information and can contain one
or several values (an attribute is said to be multi-valued). Each attribute type is associated with a specific syntax that defines the
possible format of its values.

GID (Group Identifier): A numeric identifier representing a group of users under Unix.

GUI (Graphical User Interface).

LDAP (Lightweight Directory Access Protocol): Lightweight adaptation of the X500 protocol. Protocol for managing network directories.

NetBIOS (Network Basic Input/Output System): is not a protocol but a method of communicating over an existing protocol; it is in fact an
intermediate layer between SMB and an underlying protocol such as TCP (cf. NBT) or IPX. It operates at layer 5 (session) of the OSI model
and provides a name and service resolution method for the upper layers. It uses a machine name of 15 characters plus 1 control character
specifying the services offered by the machine. NetBIOS was developed in 1983 by Sytek Inc. for IBM.

NSS (NSSwitch, Name Service Switch): Mechanism that intercepts the name lookups made by the machine (host names, users, etc.: see
getent) and redirects them to different sources of information (LDAP, MySQL, ...). It works with different modules.

LDAP Objects: The concept of an object allows for the abstract representation of any type of existing information or entity. An object class is a family
of objects having certain common characteristics.

OIDs (Object Identifiers): Object Identifiers are unique sequences of numbers used to reliably identify a type of data.
OIDs designate the identity of classes, attribute types and the possible syntaxes of these attributes. OIDs are formed from
the hierarchy specified globally by the OSI (in the same way as the objects described in MIBs).

PAM (Pluggable Authentication Modules): Module-based authentication mechanism. It is thus possible to use all kinds of sources of
data (passwd file, LDAP, biometrics...) to validate a user.

PDC (Primary Domain Controller): Primary Domain Controller. A term specific to an NT domain.

SAM (Security Account Manager): Database containing security information on a Windows NT server, including accounts and
user passwords.

Schema: The schema of a directory is a set of rules that must be used by the tree manager (DIB and DIT) to restrict the
possibilities for creating and structuring entries.

SID (Security Identifier): A SID is a unique identifier assigned to each entity in a Windows domain. It is composed of a part called the
"local SID", which identifies the domain, and a second called the "RID" (Relative Identifier), which identifies the actor (user/group/machine)
within the domain. An example of a SID is S-1-5-21-3493456274-4211610059-1786859526-512, which identifies the domain's Administrators group
(512) within the domain S-1-5-21-3493456274-4211610059.
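The decomposition the SID entry describes, as an added example that is not part of the original report: the following Python splits a string SID into its components, separates the domain identifier from the RID, and converts between the string form Samba stores in sambaSID and the binary form Windows uses. The RID is the final sub-authority, so for the SID quoted above the domain part is S-1-5-21-3493456274-4211610059-1786859526 and the RID is 512, the Domain Admins group. The function names are this example's own and WELL_KNOWN_RIDS is a small illustrative subset of the documented well-known RIDs.

```python
"""Parse Windows security identifiers (SIDs) and split the domain part
from the RID, as described in the glossary entry above.

Added example, not code from the original report. Only the Python
standard library is used; WELL_KNOWN_RIDS is a small illustrative subset
of the documented well-known relative identifiers."""
import struct
from typing import Dict, List, Tuple

WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Return (revision, identifier authority, sub-authorities) for a
    string SID such as S-1-5-21-...; raises ValueError on malformed input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subauths = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in SID: {sid!r}") from None
    if revision != 1 or len(subauths) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subauths):
        raise ValueError(f"out-of-range component in SID: {sid!r}")
    return revision, authority, subauths


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain SID, RID). Domain account SIDs
    have the form S-1-5-21-<three 32-bit values>-<RID>: the RID is the
    last sub-authority and everything before it identifies the domain."""
    _, authority, subauths = parse_sid(sid)
    if authority != 5 or len(subauths) != 5 or subauths[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain = "S-1-5-" + "-".join(str(s) for s in subauths[:-1])
    return domain, subauths[-1]


def describe_rid(rid: int) -> str:
    """Name a well-known RID, or classify it as an allocated one."""
    default = "user-allocated RID (>= 1000)" if rid >= 1000 else "unknown well-known RID"
    return WELL_KNOWN_RIDS.get(rid, default)


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian uint32s."""
    revision, authority, subauths = parse_sid(sid)
    header = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subauths), *subauths)


def sid_from_bytes(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with length checks against the count byte."""
    if len(raw) < 8:
        raise ValueError("binary SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)
```

Splitting on the last sub-authority is what lets a Samba domain member compare the domain part of a sambaSID against its own domain SID before trusting the RID.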

TLS (Transport Layer Security): Formerly SSL v3.0, renamed and standardized by the IETF, see RFC 2246. Secure communication protocol
used to connect to an LDAP server.

UID (User Identifier): A numeric identifier representing a user in Unix.

UNC (Universal Naming Convention): Universal naming convention (under Windows) used to designate the path of a shared directory.
E.g.: \\Server\folder

X500: Standard designed by telecom operators to interconnect their telephone directories.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Annex 6: Important commands

OpenLDAP package contents:

ldapadd opens a connection to the LDAP server and adds entries.

ldapcompare opens a connection to the LDAP server and performs a compare operation according to the specified parameters.

ldapdelete opens a connection to the LDAP server and deletes one or more entries.

ldapmodify opens a connection to the LDAP server and modifies entries.

ldapmodrdn opens a connection to the LDAP server and modifies the RDN of entries.

ldappasswd is a tool for setting the password of an LDAP user.

ldapsearch opens a connection to the LDAP server and performs a search according to the specified parameters.

ldapwhoami opens a connection to the LDAP server and performs a whoami operation.

slapadd is used to add entries specified in LDAP Directory Interchange Format (LDIF) to a slapd database.

slapcat is used to generate LDIF output based on the content of a slapd database.

slapd is a standalone LDAP server.

slapindex is used to regenerate the slapd indexes according to the current content of a database.

slappasswd is the OpenLDAP password tool.

slurpd is a standalone replication server for LDAP.

liblber and libldap are the libraries that support the LDAP programs and provide LDAP functionality to other programs.

ldapsearch objectclass=person displays all users

ldapsearch objectclass=organization displays all establishments

ldapsearch 'objectclass=*' displays all entries
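Two passages build search filters from names: the login_attr comment in Appendix 3 (searching for (uid=dsmith) and filling the login_string template) and the ldapsearch filters just listed. As an added example (not code from this report or from phpLDAPadmin), the following Python builds such filters and DNs with the escaping RFC 4515 (search filters) and RFC 4514 (distinguished names) require, so that whatever a user types at a login form is treated as a single attribute value; the function names are this example's own.

```python
"""Build LDAP search filters and DNs from user-supplied values with the
escaping RFC 4515 (search filters) and RFC 4514 (distinguished names)
require, so a login name typed into a form is always one attribute value.

Added example, not code from the original report or from phpLDAPadmin;
the function names are assumptions of this example."""
import re

# RFC 4515 section 3: these characters in an assertion value must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# RFC 4514 section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')

_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN; a leading '#' or
    space and a trailing space also need escaping."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def equality_filter(attr: str, value: str) -> str:
    """(attr=value) with the value escaped; attr must be an attribute name,
    so the caller cannot smuggle filter syntax through either side."""
    if not _ATTR_NAME.fullmatch(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def presence_filter(attr: str) -> str:
    """(attr=*): the 'objectclass=*' form used above to list every entry."""
    if not _ATTR_NAME.fullmatch(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}=*)"


def login_filter(login_attr: str, username: str, login_class: str = "") -> str:
    """The search phpLDAPadmin's login_attr/login_class settings describe:
    (uid=dsmith), optionally ANDed with (objectClass=posixAccount)."""
    f = equality_filter(login_attr, username)
    if login_class:
        f = f"(&{equality_filter('objectClass', login_class)}{f})"
    return f


def login_dn_from_template(template: str, username: str) -> str:
    """Fill a login_string template such as
    'uid=<username>,ou=People,dc=micalex,dc=fr' with a DN-escaped username."""
    if "<username>" not in template:
        raise ValueError("template has no <username> placeholder")
    return template.replace("<username>", escape_dn_value(username))
```

With these helpers a name containing a comma, a parenthesis or an asterisk still yields one well-formed filter or DN, and an attribute name that is not a plain identifier is rejected before any query is built.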

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Annex 7: Bibliography

General:

[Link]
[Link]
[Link]
[Link]
[Link]

Howtos:

[Link]
[Link]
[Link]

Administration:

[Link]

MIB:

[Link]

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
