Mandriva Directory Server On Debian Etch
Version 1.1
Author: Oliver Meyer <o [dot] meyer [at] projektfarm [dot] de>
This document describes how to set up the Mandriva Directory Server (MDS) on Debian Etch. The resulting system provides a full-featured office server for small and medium companies - easy to administer via the web-based Mandriva Management Console (MMC).
Main Features
- Easy administration via MMC
- System wide OpenLDAP integration
- SAMBA Primary Domain Controller (PDC)
- Postfix Mailserver with Dovecot, Amavis, Spamassassin and ClamAV (POP3/IMAP/SSL/TLS/Quota)
- BIND DNS-server
- ISC DHCP-server
- Squid web-proxy with SquidGuard
This howto is a practical guide without any warranty - it doesn't cover the theoretical backgrounds. There are many ways to set up such a system - this is the way I chose.
Preamble
This howto is quite complex. Please take your time, read it extensively and follow the steps minutely. The smallest amount of variance might effect that your setup won't work accurately.
1 Preparation
1.1 Basic System
Set up a standard debian etch system and update it. I used the following configuration for this howto and the attached virtual machine that is available for our subscribers:
Hostname: server1.example.com
SAMBA domain: EXAMPLE
IP: 192.168.0.100
Gateway: 192.168.0.2
All Passwords: howtoforge
1.2 Hostname
Edit the hosts file - assign the hostname to the server IP.
vi /etc/hosts
It should look like this:
127.0.0.1 localhost.localdomain localhost 192.168.0.100 server1.example.com server1 # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts
Afterwards insert the hostname into the hostname file ...
echo server1.example.com > /etc/hostname
... and reboot the system.
reboot
When the system is up again, the output of the both commands ...
hostname
... and ...
hostname -f
... should be:
server1.example.com
1.3 Filesystem ACLs
In order that SAMBA is able to map filesystem-ACLs between the Linux server and the Windows clients you need to add ACL-support to the corresponding mount point.
vi /etc/fstab
Add the option "acl" to the mount point where the SAMBA directories will be stored and the SAMBA users will have their homes. In my case it's "/" - the content should look like this:
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 /dev/sda1 / ext3 defaults,acl,errors=remount-ro 0 1 /dev/sda5 none swap sw 0 0 /dev/hdc /media/cdrom0 udf,iso9660 user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
Afterwards remount the mountpoint to take the changes effect.
mount -o remount /
If all went well, the command ...
mount -l
... should show the option "acl" for the corresponding mountpoint:
/dev/sda1 on / type ext3 (rw,acl,errors=remount-ro)
2 Repositories
2.1 MDS
The MDS repository provides the MDS related packages and also patched packages for bind9 & dhcp3.
vi /etc/apt/sources.list
Add the following lines to the file.
# MDS repository
deb http://mds.mandriva.org/pub/mds/debian etch main
2.2 Debian Volatile
The Debian Volatile repository provides newer packages for ClamAV & Spamassassin than the standard debian repository.
vi /etc/apt/sources.list
Add the following lines to the file.
# Debian Volatile
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
2.3 Debian Backports
The Debian Backports repository provides newer packages for dovecot.
vi /etc/apt/sources.list
Add the following lines to the file.
# Debian Etch Backports
deb http://www.backports.org/debian etch-backports main
Afterwards refresh apt.
apt-get update
3 Needed packages
3.1 Install
Install the needed packages for this setup.
apt-get install mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba mmc-agent python-mmc-plugins-tools python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba postfix postfix-ldap sasl2-bin libsasl2 libsasl2-modules amavisd-new libdbd-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl lzop nomarch zoo clamav clamav-daemon gzip bzip2 unzip unrar-free unzoo arj spamassassin libnet-dns-perl razor pyzor dcc-client slapd ldap-utils libnss-ldap libpam-ldap dhcp3-server dhcp3-server-ldap bind9 samba smbclient smbldap-tools cupsys cupsys-client foomatic-db-engine foomatic-db foomatic-db-hpijs foomatic-db-gutenprint foomatic-filters foomatic-filters-ppds fontconfig hpijs-ppds linuxprinting.org-ppds
The actual dovecot-packages in the standard debian repository have a bug in conjunction with LDAP - so you have to use the dovecot-packages from Debian Backports.
apt-get install -t etch-backports dovecot-common dovecot-imapd dovecot-pop3d
If you want to use HP printers it's recommeded to install a few more packages.
apt-get install hplip libusb-dev python-dev python-reportlab libcupsys2-dev libjpeg62-dev libsnmp9-dev lsb-core
3.2 Configuration
During the installation of the new packages you'll be asked a few questions - answer them as follows.
3.2.1 LDAP
Enter the password for the LDAP admin and confirm it. (howtoforge)
3.2.2 Samba
Enter a name for your domain. (EXAMPLE)
Select "No" when you're asked if the smb.conf should be modified to use WINS settings from DHCP.
3.2.3 Postfix
Select "Internet Site" as general type of configuration.
Enter "server1.example.com" as mail name.
3.2.4 Libnss-LDAP
Enter "ldap://127.0.0.1/" as LDAP server URI.
Enter "dc=example,dc=com" as name for the search base.
Select the LDAP version. (3)
Enter "cn=admin,dc=example,dc=com" as LDAP account for root.
Enter the password for the LDAP admin. (howtoforge)
3.2.5 Libpam-LDAP
Select "Yes" when you're asked if the local root should be the database admin.
Select "No" when you're asked if the LDAP database requires login.
Enter "cn=admin,dc=example,dc=com" as LDAP account for root.
Enter the password for the LDAP admin. (howtoforge)
4 LDAP Configuration
4.1 Schema Files
First copy the schema files for MMC, mail, SAMBA, printer, DNS and DHCP into the LDAP schema directory.
cp /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/ldap/schema/
cp /usr/share/doc/python-mmc-base/contrib/ldap/mail.schema /etc/ldap/schema/
zcat /usr/share/doc/python-mmc-base/contrib/ldap/samba.schema.gz > /etc/ldap/schema/samba.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/printer.schema.gz > /etc/ldap/schema/printer.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dnszone.schema.gz > /etc/ldap/schema/dnszone.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dhcp.schema.gz > /etc/ldap/schema/dhcp.schema
Next include the schema files into the LDAP configuration
vi /etc/ldap/slapd.conf
Include the schema files after the inetorgperson schema.
include /etc/ldap/schema/mmc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/printer.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/dnszone.schema
include /etc/ldap/schema/dhcp.schema
Enable the schemacheck (below the included schema files).
schemacheck on
4.2 Basic Configuration
In this step you'll need the ldap admin password (that you defined during the package installation in step 3) in encrypted form (SSHA) - so let's encrypt it.
slappasswd -s %ldap_admin_password%
E.g.:
slappasswd -s howtoforge
The output should look like this:
{SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A
Note it down and proceed - open the LDAP server configuration file.
vi /etc/ldap/slapd.conf
Search the commented line with the entry for the LDAP admin (rootdn) ...
# rootdn "cn=admin,dc=example,dc=com"
... and comment it out. After that add a new line straight below. You have to enter the encrypted ldap admin password that you generated at the beginning of this step.
rootpw %encrypted_ldap_admin_password%
E.g.:
rootpw {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A
Next we have to modify the indexing options for the database. Search the following entry:
# Indexing options for database #1
Remove the line below ...
index objectClass eq
... and insert the following lines:
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq
Now add SAMBA to the access-list for the database. Search the following line:
access to attrs=userPassword,shadowLastChange
Change it that it looks like this:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
At this point the LDAP server configuration file should look like this:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/mmc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/printer.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/dnszone.schema
include /etc/ldap/schema/dhcp.schema
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=example,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=example,dc=com" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=example,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
Additionally you have to edit the LDAP configuration file.
vi /etc/ldap/ldap.conf
Add the following lines:
host 127.0.0.1
base dc=example,dc=com
Afterwards restart the LDAP server.
/etc/init.d/slapd restart
