Ubuntu 11.04 SBS (Small Business Server) Setup: Part 6 – Account Management

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can log in to any machine on the network and all their files and settings will be the same across the entire network.

Now that you have OpenLDAP and Kerberos up and running, it’s time to learn how to manage your users and groups.

Management Scripts Configuration

Firstly, we’re going to install some scripts to aid with basic management tasks:

sudo apt-get install ldapscripts

Now we need to edit the config file /etc/ldapscripts/ldapscripts.conf, uncommenting and changing the following to match your environment:

#  Copyright (C) 2005 Ganal LAPLANCHE - Linagora
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.


# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"

# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
#BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"

# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID

# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"      # Create home directories and set rights ?
#HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
#HOMEPERMS="755"       # Default permissions for home directories

# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
PASSWORDGEN="pwgen -s"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN=""

# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"

# Where to log
LOGFILE="/var/log/ldapscripts.log"

# Temporary folder
TMPDIR="/tmp"

# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS

# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"

# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"

# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"

# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""

# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

The changes from the default file are highlighted below:

# Provides LDAP server's address and the admin username
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"

# These have all been uncommented, Users changed to People
# and the correct suffix set for our domain
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

# This creates home directories when we create users
CREATEHOMES="yes"
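The suffixes above must describe OUs that actually exist in the directory: if the conf names ou=Users but the tree only has a different OU under the suffix, ldapaddgroup and ldapadduser fail with "No such object (32)" and the log shows only the matched base DN, which does not say which OU is missing. The following shell functions are an added check, not part of the original guide: they read SUFFIX, GSUFFIX, USUFFIX and MSUFFIX from an ldapscripts.conf-style file and run a base-scope ldapsearch for each OU. The LDAPSEARCH variable, the fake_ldapsearch test double and the dc=example,dc=test sample conf are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm that the OUs named in
# ldapscripts.conf really exist in the directory before using ldapaddgroup or
# ldapadduser. LDAPSEARCH is the search command to use; the default is an anonymous
# simple bind against the server configured in /etc/ldap/ldap.conf, and it can be
# pointed at a test double (as the constructed fake_ldapsearch below does).
LDAPSEARCH="${LDAPSEARCH:-ldapsearch -x -LLL}"

# conf_value FILE KEY: print the value of KEY="..." from an ldapscripts.conf-style
# file, skipping commented-out lines and ignoring any trailing "# comment".
conf_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# entry_exists DN: return 0 if a base-scope search for DN returns an entry.
# ldapsearch exits with the LDAP result code, so a missing DN gives 32 (noSuchObject),
# the same code ldapaddgroup logs when the parent OU is absent.
entry_exists() {
    $LDAPSEARCH -b "$1" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# check_ldapscripts_tree CONF: build "<ou>,<SUFFIX>" for GSUFFIX, USUFFIX and MSUFFIX
# and check each exists. Prints every missing DN with the key that named it; returns 1
# if any is missing, 0 if the directory matches the configuration.
check_ldapscripts_tree() {
    conf="$1"
    suffix=$(conf_value "$conf" SUFFIX)
    [ -n "$suffix" ] || { echo "SUFFIX not set in $conf" >&2; return 1; }
    missing=0
    for key in GSUFFIX USUFFIX MSUFFIX; do
        ou=$(conf_value "$conf" "$key")
        [ -n "$ou" ] || { echo "$key not set in $conf" >&2; return 1; }
        dn="$ou,$suffix"
        if ! entry_exists "$dn"; then
            echo "missing: $dn ($key)"
            missing=1
        fi
    done
    return $missing
}

# --- constructed fixtures so the check can be exercised offline ---

# write_sample_conf FILE: write a constructed ldapscripts.conf fragment (a made-up
# dc=example,dc=test suffix, not the guide's domain) in the file's real syntax.
write_sample_conf() {
    cat > "$1" <<'EOF'
#SUFFIX="dc=commented,dc=out"
SUFFIX="dc=example,dc=test" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
EOF
}

# fake_ldapsearch ARGS...: stand-in for ldapsearch that "finds" only the DNs listed,
# one per line, in EXISTING_DNS. Used by setting LDAPSEARCH=fake_ldapsearch.
fake_ldapsearch() {
    base=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-b" ]; then base="$2"; shift; fi
        shift
    done
    printf '%s\n' "$EXISTING_DNS" | grep -qxF -- "$base"
}
```

On the real server, run check_ldapscripts_tree /etc/ldapscripts/ldapscripts.conf with the default LDAPSEARCH; an empty result and exit status 0 means every OU the scripts will write under is present.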

If you’ve read through the default comments in /etc/ldapscripts/ldapscripts.conf you’ll see that, on Debian-based systems, it reads the LDAP admin password from a /etc/ldap.secret file. So the following two commands create that file, write our admin password to it (change PASSWORD to your admin password) and then make it readable only by its owner, root. This prevents users from discovering your LDAP password, but allows root, or processes running as root, to read the file and find the password.

sudo sh -c "echo -n 'PASSWORD' > /etc/ldap.secret"
sudo chmod 400 /etc/ldap.secret
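Two details matter with this file: with the usual umask of 022 the redirection creates it mode 0644 for the moment before chmod runs, and any trailing newline an editor appends becomes part of the password ldapscripts sends, so the bind fails with "Invalid credentials (49)" even though the password looks right. The shell functions below are an added example, not part of the original guide: they create the file with a restrictive umask from the start, write no trailing newline, and verify both the mode and the byte count. The file path and the password are supplied by the caller; /etc/ldap.secret is the path the guide uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the bind-password file the
# way the two commands above do, but never leave it world-readable even briefly
# (umask 077 before the redirection), write no trailing newline, and verify the
# result. Run as root against /etc/ldap.secret on the real server; the test below
# uses temporary files instead.

# write_secret FILE PASSWORD: write PASSWORD to FILE without a trailing newline and
# leave the file mode 0400. printf is used instead of echo -n because echo's
# handling of -n differs between shells.
write_secret() {
    ( umask 077 && printf '%s' "$2" > "$1" ) || return 1
    chmod 400 "$1"
}

# check_secret FILE EXPECTED_LENGTH: return 0 only if FILE is mode 0400 and is exactly
# EXPECTED_LENGTH bytes long. A size one byte larger than the password means an editor
# appended a newline, which ldapscripts would send as part of the password.
check_secret() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "cannot stat $1" >&2; return 1; }
    [ "$mode" = "400" ] || { echo "$1 has mode $mode, expected 400" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$2" ] || { echo "$1 is $size bytes, expected $2 (stray newline?)" >&2; return 1; }
}
```

Usage on the server: after write_secret /etc/ldap.secret PASSWORD, run check_secret /etc/ldap.secret with the length of the password; a failure on the size check is the newline problem, and the fix is to rewrite the file with write_secret rather than to edit it.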

You might also have noticed that /etc/adduser.conf is used to determine home directory defaults. By default, Ubuntu allows users to view the contents of other users’ home directories. In some environments, particularly home environments, this is fine, but you might want to change that by changing DIR_MODE=0755 to DIR_MODE=0700 in /etc/adduser.conf.

Managing Users

Now the LDAP scripts are configured we can start creating users. We’re going to use the group name “admin” for administrators as this is the default for Ubuntu and will enable us to give admin rights to users on every machine on the network without any further configuration. However, as this group already exists as a local group, we need to be very careful that we don’t lock ourselves out of the server here…

The first thing to do is create a password for our first admin user. As we are using Kerberos for authentication, a principal needs to be created for the administrator. This is done like so:

sudo kadmin.local -q "addprinc dan"

Now we need some groups to hold our users. The first two groups we will create will be “admin” and “user”:

sudo ldapaddgroup admin
sudo ldapaddgroup user

Next we will create a user and assign him to a group:

sudo ldapadduser dan 10001

Note the use of group 10001 rather than simply “admin”. This is to avoid any confusion with the local admin group on the server. In some instances, I’ve seen this cause issues. Group 10001 will be the first LDAP group you created; you can see the GIDs for all groups by using the command “getent group”.

And finally add the user to the user group:

sudo ldapaddusertogroup dan 10002

You can now log in to the server (and later client machines) as this user. The “localadmin” account on the server will no longer be able to use sudo as it doesn’t belong to the LDAP “admin” group, only the local one. For subsequent users, you may create the Kerberos principal after creating the LDAP user if you prefer.
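The sequence above (principal, ldapadduser with a numeric GID, ldapaddusertogroup) is easy to get wrong by hand because “admin” names two groups on the server: the local one from /etc/group and the LDAP one at GID 10001 or above. The script below is an added example, not part of the original guide: it looks each group up in the output of getent group and accepts only an entry at or above GIDSTART, so the local group can never be picked, and it resolves every GID before creating anything. The RUN and GETENT_GROUPS variables and the sample_getent_group fixture (with a made-up GID for the local admin group) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: run the guide's sequence for a new
# user (Kerberos principal, ldapadduser with a numeric GID, ldapaddusertogroup) but
# look each GID up in `getent group` instead of typing 10001 by hand, accepting only
# an entry at or above GIDSTART so the server's local "admin" group is never chosen.
# RUN is prefixed to every privileged command (default sudo; set RUN=echo to print
# the commands instead) and GETENT_GROUPS produces the group lines; both are
# assumptions made for this example.
RUN="${RUN:-sudo}"
GETENT_GROUPS="${GETENT_GROUPS:-getent group}"
GIDSTART="${GIDSTART:-10000}"   # same value as GIDSTART in ldapscripts.conf

# ldap_gid_for NAME: read group lines on stdin and print the GID of the entry named
# NAME whose GID is >= GIDSTART. Returns 1 if there is no such LDAP group, even when a
# local group of that name exists.
ldap_gid_for() {
    awk -F: -v n="$1" -v s="$GIDSTART" '
        $1 == n && $3 + 0 >= s + 0 { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# create_ldap_user USER PRIMARY_GROUP [EXTRA_GROUP...]: resolve all GIDs first, so
# nothing is created if a group is missing, then run the guide's commands in order.
create_ldap_user() {
    user="$1"; primary="$2"; shift 2
    pgid=$($GETENT_GROUPS | ldap_gid_for "$primary") || {
        echo "no LDAP group '$primary' with GID >= $GIDSTART (run ldapaddgroup first)" >&2
        return 1
    }
    extra=""
    for g in "$@"; do
        gid=$($GETENT_GROUPS | ldap_gid_for "$g") || { echo "no LDAP group '$g'" >&2; return 1; }
        extra="$extra $gid"
    done
    $RUN kadmin.local -q "addprinc $user" || return 1
    $RUN ldapadduser "$user" "$pgid" || return 1
    for gid in $extra; do
        $RUN ldapaddusertogroup "$user" "$gid" || return 1
    done
}

# Constructed sample of `getent group` output: local groups from /etc/group (the admin
# group's GID here is made up) beside the two LDAP groups the guide creates.
# Use it with GETENT_GROUPS=sample_getent_group.
sample_getent_group() {
    printf '%s\n' \
        'root:x:0:' \
        'staff:x:50:' \
        'admin:x:120:localadmin' \
        'admin:*:10001:' \
        'user:*:10002:'
}
```

On the server, create_ldap_user dan admin user reproduces the three commands above with the GIDs resolved. The guide's warning still applies: once the first LDAP user is in the LDAP admin group, localadmin loses sudo, so confirm the new user can log in and use sudo before closing the session you created it from.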

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2

  • Hayden

    Hi, me commenting again. All seems to have gone better for me with the 11.04 guide (really major thanks for this BTW as it makes a lot more sense than some of the other piecemeal guides I’ve been reading through) but I’m having issues when I try to add the groups.

    I get: Error adding group admin to LDAP

    And when I check the log file it says:
    >> 05/03/11 – 01:21 : Command : /usr/sbin/ldapaddgroup admin
    No such object (32)
    Matched DN: dc=thesoundlab,dc=co,dc=uk
    ldap_add: No such object (32)
    matched DN: dc=thesoundlab,dc=co,dc=uk
    Error adding group admin to LDAP

    Doesn’t really explain which object there is no such of. I’ve checked the configuration file for typos and there doesn’t seem to be any. Starting to wonder if I’m wrong for using dc=co,dc=uk for a .co.uk domain but that was what I found to use on other sites by searching.

    Many thanks if you can shed any light on this.

    • Dan Bishop

      Does this happen if you try creating a group with a different name too? Did you get any errors when you imported your frontend.thesoundlab.co.uk.ldif file? Do the contents of that file match your /etc/ldapscripts/ldapscripts.conf file, e.g. Groups and Groups not groups and Groups? Other than that I’m afraid I’m at a bit of a loss…

  • Hayden

    There was no error with the frontend and the same problem happened with the User group. The two files contents seem to match up. Cheers anyway, I’ll have to do some more searching.

  • Hayden

    Must have botched something somewhere as I just wiped and followed the steps again and it works now. \o/

  • Chris J.

    So I ran into an issue at this step

    sudo ldapadduser dan 10001

    That step ran fine (swapping dan with chris) but afterwards when I try to run the next command I get an error stating chris is not in the sudoers file. Which I obviously was. Note chris was the username I installed ubuntu with. Do these usernames need to be different?

  • Chris J.

    I was able to figure it out. I see that you even had a comment about this issue in your post.

    • Dan Bishop

      Glad to hear it Chris! 🙂

  • Bob

    Hi Dan,

    Thanks for this excellent entry, it’s so hard to find decent documentation on setting up kerberos+LDAP user authentication.

    Unfortunately I’m hitting a problem when I reach the “ldapaddgroup admin” stage. I get a message saying “Error adding group admin to LDAP” and when I check the ldapscripts log I get “ldap_bind: Invalid credentials (49)”. I have checked the ldap.secret file contains the LDAP admin password. I have tried purge removing the packages and following the guide three times and it always fails like this.

    Not being familiar with LDAP it leaves me at a loss as to what could be wrong or how to continue debugging.

    Any help or advice on this would be greatly appreciated, I’ve been banging my head off the desk so much over this that I’m worried about permanent brain injury.

    Thanks,
    Bob

  • @Bob:
    I was stuck at the same step for a *very* long time. The issue gave strange errors regarding SASL support, however the real problem was with the ldap.secret file. I had opened up vim and typed out the password (thinking of myself as intelligent for avoiding it in the history file). However it turns out vim added a null character to the end of the file.

    In short:
    sudo truncate --size n /etc/ldap.secret
    Where n = length of your password

    In case you need to confirm this as your issue, check the output of ls -l /etc/ldap.secret and see the size. It should be one more than your password size

  • vmil

    Hi Dan,
    Making such infrastructure, which consists of 3 main servers, work is a bit of a tedious process. Here is the point where I am stuck:
    When I try to login to the client machine, when I type a wrong password I get login incorrect. When I type the correct password I get Authentication failure.
    Also, how do I test each individual component that works?

    • Dan Bishop

      Unfortunately, that’s a known bug at the moment 🙁 Hopefully it will be fixed in 11.10, I’ll be updating the guide for its release…

  • Sky

    Hi Dan, I’m also having the same issues as a few other people when trying the command:
    $ sudo ldapaddgroup admin
    Error adding group admin to LDAP

    I checked my log and I get this:

    $ cat /var/log/ldapscripts.log
    >> 01/19/12 – 20:07 : Command : /usr/sbin/ldapaddgroup admin
    ldap_bind: Invalid credentials (49)
    ldap_bind: Invalid credentials (49)
    Error adding group admin to LDAP

    I have followed this AWESOME site to get this up and running to the letter and I keep getting stuck at this point. I’m not sure how else to debug my situation. If you have any ideas that would be great. I also installed webmin to watch things go on and the webmin module LDAP Users and Groups gives me this error when I try to load it:

    No LDAP client configuration file was found on your system, so the LDAP login must be set on the Module Config page. Click here to adjust the module configuration.

    Maybe that helps?

    Thanks a bunch and keep up the good work!

    -Sky

  • Sky

    Dan,
    I found my error right after I posted this. Hopefully it helps out some other folks. In the file:

    /etc/ldapscripts/ldapscripts.conf

    I had changed:

    BINDDN="cn=admin,dc=danbishop,dc=org"

    to my admin name like this:

    BINDDN="cn=sky,dc=danbishop,dc=org"

    Changing back to admin from sky as the cn did the trick!

    -Sky

  • Sky

    Dan,
    so I got this all set up to this point but after running:

    sudo ldapadduser sky 10001

    the original administrator I created is locked out of sudo. After a login and logout with the new user sky (me), that user is locked out of sudo. I enabled root doing sudo -i before anything else in case I bricked the installation, which I did. And I’m wondering if there is a bug you know of or if there is a way to add the users created here (sky) to sudo and give them those priv again?

    -Sky