Introduction
This document explains in detail how to build a Linux architecture (OpenLDAP, DNS, File and Mail
Servers).
Architecture
Topology
DNS
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services,
or any resource connected to the Internet or a private network. It associates various information
with domain names assigned to each of the participating entities. Most prominently, it translates
domain names, which can be easily memorized by humans, to the numerical IP addresses needed for
the purpose of computer services and devices worldwide. The Domain Name System is an essential
component of the functionality of most Internet services because it is the Internet's primary
directory service.
More information at this link.
OpenLDAP
OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP)
developed by the OpenLDAP Project. It is released under its own BSD-style license called the
OpenLDAP Public License.
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard
application protocol for accessing and maintaining distributed directory information services over an
Internet Protocol (IP) network. Directory services play an important role in developing intranet and
Internet applications by allowing the sharing of information about users, systems, networks, services,
and applications throughout the network. As examples, directory services may provide any organized
set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a
telephone directory is a list of subscribers with an address and a phone number. Several common
Linux distributions include OpenLDAP Software for LDAP support. The software also runs on BSD
variants, as well as AIX, Android, HP-UX, OS X, Solaris, Microsoft Windows (NT and derivatives, e.g.
2000, XP, Vista, Windows 7, etc.), and z/OS.
More info at:
[Link]
[Link]
[Link]
Postfix Mail server
Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail,
intended as an alternative to the widely used Sendmail MTA.
The main features are :
Standards-compliant support for SMTPUTF8, SMTP, LMTP, STARTTLS encryption including
DANE protocol support and "perfect" forward secrecy, SASL authentication, MIME
encapsulation and transformation, DSN delivery status notifications, IPv4, and IPv6.
Configurable SMTP-level access policy that automatically adapts to overload
"Virtual" domains with distinct address-namespaces.
UNIX-system interfaces for command-line submission, for delivery to command, and for
direct delivery to message stores in mbox and maildir format.
Light-weight content inspection based on regular expressions.
A large number of database lookup mechanisms including Berkeley DB, CDB, OpenLDAP
LMDB, Memcached, LDAP and multiple SQL database implementations.
A sophisticated scheduler that implements parallel deliveries, with configurable concurrency
and back-off strategies.
A scalable zombie blocker that reduces SMTP server load due to botnet spam.
More info at:
[Link]
[Link]
Dovecot
Dovecot is an open-source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with
security in mind. Timo Sirainen originated Dovecot and first released it in July 2002. Dovecot
developers primarily aim to produce a lightweight, fast and easy-to-set-up open-source mailserver.
According to Openemailsurvey, Dovecot has an installed base of over 2.9 million email servers all
over the world and a global market share of 57% of all IMAP servers. While Dovecot software can be
used in commercial use without any license fees, a commercial version is also available as Dovecot
Pro. The commercial version is provided by Dovecot Oy along with support and enterprise add-ons
such as the object storage and full-text search plugins. Since March 2015, Dovecot Oy has been part
of the Open-Xchange Family.
More info at:
[Link]
[Link]
Roundcube Webmail
Roundcube Webmail is a free and open source webmail solution with a desktop-like user interface
which is easy to install and configure and runs on a standard Linux/Apache/PHP/MySQL server. It
displays mail from an IMAP server and needs an SMTP server (or a correctly configured PHP mail
setup) to send email.
Some of its features are:
Drag-&-drop message management
Full support for MIME and HTML messages
Sophisticated privacy protection
Compose messages with attachments
Multiple sender identities
Full featured address book with groups and LDAP connectors
More information at: [Link]
Implementation
Installation and configuration of Centos 6 VMs
We will use the CentOS 6.5 distribution for our servers. We will download pre-made virtual machines
for this from this website: [Link]
The direct link to the VM we downloaded is: [Link]
Each server has 512 MB of RAM and a 12 GB disk.
Important: because the downloaded virtual machine was built with a non-English keymap, we have to
switch the console keyboard layout with the following command (the command and the keymap name are
lowercase; "en" is not a valid keymap name, use "us" for US English, "uk", "fr", "de", etc. for others):
# loadkeys us
This switches the console keyboard to a US English layout.
Installation and configuration of Bind DNS Server
You should first update your distro packages by issuing the following command:
# yum update
To install BIND, use the following command (-y answers yes to the confirmation prompt):
# yum -y install bind bind-utils nano
To configure the DNS server :
# nano /etc/[Link]
Your "options" section should be configured as follows,
options {
        #listen-on port 53 { [Link]; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { localhost; };
        recursion yes;
        forwarders {
                [Link];
                [Link];
        };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/[Link]";
        managed-keys-directory "/var/named/dynamic";
};
Above, listen-on is commented out so that named listens on all available IPv4 interfaces (listen-on-v6
is still limited to ::1). We changed the allow-query directive to "any" so that every client can query
the hosted zones, and we enabled recursion with forwarders so that the server also answers for zones
that live on the Internet.
Caveat: with allow-query { any; } and recursion yes, and no allow-recursion directive, BIND allows
recursive queries from any address that can reach port 53. If this server is exposed to the Internet it
is an open resolver and can be abused for DNS amplification attacks. Keep queries for the hosted zones
open, but limit recursion to your own networks, for example with allow-recursion { localhost; localnets; };
(or an acl listing your subnets), and keep allow-transfer restricted as shown. dnssec-lookaside auto
refers to ISC's DLV registry, which has since been shut down; on a current BIND it can be removed.
Next, we'll want to add a new zone for our first domain, you should add the following to your
[Link] below the existing zones.
zone "[Link]" IN {
        type master;
        file "[Link]";
        allow-update { none; };
};
Configure BIND Zones
Firstly, we'll need to open the zone file, using the name you specified in the configuration
above.
# nano -w /var/named/[Link]
$TTL 86400
@       IN      SOA     [Link]. [Link]. (
                        2013042201      ; Serial
                        3600            ; Refresh
                        1800            ; Retry
                        604800          ; Expire
                        86400           ; Minimum TTL
)
; Specify our nameserver
        IN      NS      [Link].
; Resolve nameserver hostnames to IP
ldap-server     IN      A       [Link]
; Define hostname -> IP pairs which you wish to resolve
;www            IN      A       [Link]
Start BIND Server
We can now start named for the first time. This may take several minutes while named generates the
[Link] file, which only occurs on first execution.
# service named restart
Once named has started successfully, we'll want to ensure that it is enabled as a startup service, by
running the following:
# chkconfig named on
By now, we should have a fully operational primary nameserver. You can verify that BIND is working
correctly by running the following command,
# dig @[Link] [Link]
If the response contains an ANSWER section and the aa (authoritative answer) flag in the header, your
nameserver has been configured correctly. Run named-checkconf and named-checkzone on the files first
if named refuses to start; they report syntax errors that the service script only logs.
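The options block above, as written, makes the server an open resolver, and named-checkconf does not warn about that. The following Python script is an added example, not part of the tutorial and not part of BIND: it parses an options{} block and flags recursion allowed from any address, zone transfers allowed from any address, and the retired dnssec-lookaside setting. PAGE_OPTIONS is a constructed copy of the tutorial's block (192.0.2.53, a documentation address, stands in for the real forwarder), and HARDENED_OPTIONS is the same block with an allow-recursion line that limits recursion to localhost and directly attached networks while leaving the hosted zones queryable by anyone.

```python
# Added example, not part of the tutorial: audit a BIND options{} block for the
# open-resolver pattern (recursion enabled and reachable by any client).
# Standard library only; both configs below are constructed samples.
import re

# Constructed copy of the tutorial's options block. 192.0.2.53 is a
# documentation address standing in for the real forwarder.
PAGE_OPTIONS = """
options {
    #listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query     { any; };
    allow-transfer  { localhost; };
    recursion yes;
    forwarders { 192.0.2.53; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
};
"""

# Same server, but recursion limited to the local host and attached networks;
# authoritative answers for the hosted zones stay open to any client.
HARDENED_OPTIONS = """
options {
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query     { any; };
    allow-recursion { localhost; localnets; };
    allow-transfer  { localhost; };
    recursion yes;
    forwarders { 192.0.2.53; };
    dnssec-enable yes;
    dnssec-validation yes;
};
"""

def parse_options(text):
    """Map each top-level statement inside options { } to its raw value string."""
    m = re.search(r"options\s*\{(.*)\};", text, re.S)
    if not m:
        raise ValueError("no options block found")
    body = re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)   # strip /* */ comments
    body = re.sub(r"(#|//)[^\n]*", "", body)                  # strip # and // comments
    stmts = {}
    # name, then either a plain value or an optional { ... } list, up to the ';'
    for s in re.finditer(r"([\w-]+)\s+([^;{}]*?(?:\{[^}]*\})?)\s*;", body):
        stmts[s.group(1)] = s.group(2).strip()
    return stmts

def acl_members(value):
    """Elements of an address-match list such as '{ localhost; localnets; }'."""
    m = re.search(r"\{(.*)\}", value, re.S)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else []

def audit(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    o = parse_options(text)
    findings = []
    # BIND defaults: recursion is on; allow-recursion falls back to
    # allow-query-cache, then allow-query, then localhost+localnets.
    recursion = o.get("recursion", "yes").lower() == "yes"
    rec_acl = acl_members(o.get("allow-recursion") or o.get("allow-query-cache")
                          or o.get("allow-query") or "{ localhost; localnets; }")
    if recursion and "any" in rec_acl:
        findings.append("open resolver: recursion yes and recursive queries allowed from any")
    if "any" in acl_members(o.get("allow-transfer", "{ any; }")):
        findings.append("zone transfers allowed from any; restrict allow-transfer")
    if "dnssec-lookaside" in o:
        findings.append("dnssec-lookaside set: the ISC DLV registry is retired, drop it")
    return findings

if __name__ == "__main__":
    for label, cfg in (("tutorial", PAGE_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit(cfg) or ["ok"])
```

Run it against a copy of the options block from your own named.conf; the tutorial's block yields the open-resolver finding and the hardened one yields none. The parser only handles the flat statements used here (no nested views), which is enough for this file.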
Installation of OpenLDAP
To install OpenLDAP Server, issue the following command :
# yum -y install openldap openldap-servers openldap-clients
The LDAP server configuration files are:
[Link]: the default configuration is stored in /etc/openldap/slapd.d/cn=[Link], written in LDIF
(LDAP Data Interchange Format), the text format used to describe directory entries and the changes
made to them.
olcDatabase{2}[Link]: settings such as the number of connections the server supports, timeouts and
other database settings live in /etc/openldap/slapd.d/cn=config/olcDatabase{2}[Link]. This file also
holds the LDAP root user (olcRootDN) and the base DN (olcSuffix).
Modify the olcDatabase={2}[Link] file, and change the olcRootDN entry. The following is the default
entry.
# grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}[Link]
olcRootDN: cn=Manager,dc=my-domain,dc=com
Change the above line to this.
olcRootDN: cn=Manager,dc=dimitrios,dc=local
Now use the slappasswd command to create a hash of the root password you want to use. The tutorial
uses "dimitrios"; pick a strong password on a real server, and note that the prompt does not echo what
you type (it is shown here for clarity). Once the hash is generated, open the olcDatabase{2}[Link] file,
add the olcRootPW parameter and paste the hash, as shown below.
# slappasswd
New password: dimitrios
Re-enter new password: dimitrios
{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
Take the hash output of the above command and add it to the olcRootPW parameter in the
olcDatabase{2}[Link] file as shown below.
# vi /etc/openldap/slapd.d/cn=config/olcDatabase{2}[Link]
olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
Now setup the olcSuffix and to set the domain that you want. Simply modify the line that
starts with olcSuffix in the file olcDatabase={2}[Link] as shown below.
# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}[Link]
olcSuffix: dc=dimitrios,dc=local
Use the slaptest command to verify the configuration. It should print the message below.
# slaptest -u
config file testing succeeded
You may also see messages like the following. They appear because every file under slapd.d carries a
CRC32 checksum in its header, and we edited the files by hand instead of changing cn=config through
ldapmodify. slapd still loads the files, so the messages can be ignored for now.
54a39508 ldif_read_file: checksum error on
"/etc/openldap/slapd.d/cn=config/olcDatabase={1}[Link]"
54a39508 ldif_read_file: checksum error on
"/etc/openldap/slapd.d/cn=config/olcDatabase={2}[Link]"
Next, enable the slapd listener settings in /etc/sysconfig/ldap by uncommenting the SLAPD_ variables:
# cd /etc/sysconfig
# perl -npe 's/#SLAPD_/SLAPD_/' -i ldap
Start the ldap server as shown below.
# service slapd start
To verify the ldap server is configured successfully, you can use the below command and verify that
the domain entry is present.
# ldapsearch -x -b "dc=dimitrios,dc=local"
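The root password above is stored as an {SSHA} value, and the tutorial obtains it by hand-editing the slapd.d files, which is what produces the checksum warnings. The following Python script is an added example, not part of the tutorial or of OpenLDAP: it builds an {SSHA} hash the way slappasswd does (SHA-1 over password plus a 4-byte salt, then base64 of digest plus salt), verifies a password against such a hash, and prints the LDIF that applies olcSuffix, olcRootDN and olcRootPW through ldapmodify on cn=config instead of editing files. The database DN olcDatabase={2}bdb,cn=config is an assumption (the CentOS 6 default backend); confirm it on your server before using the LDIF, and the ldapi:/// socket with SASL EXTERNAL is assumed to be enabled for root, as the CentOS package configures by default.

```python
# Added example, not part of the tutorial: build and verify OpenLDAP {SSHA}
# password hashes the way slappasswd does, and generate the ldapmodify LDIF
# that sets suffix, root DN and root password through cn=config (the supported
# way; hand-editing slapd.d breaks the per-file checksums).
import base64
import hashlib
import os

def ssha_hash(password, salt=None):
    """'{SSHA}' + base64( sha1(password || salt) || salt ); 4-byte random salt like slappasswd."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """True when password matches stored; the salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def config_modify_ldif(suffix, root_dn, password, db_dn="olcDatabase={2}bdb,cn=config"):
    """LDIF to feed to: ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
    db_dn is an assumption (CentOS 6 default data backend); confirm it first with
    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcSuffix"""
    return "\n".join([
        "dn: " + db_dn,
        "changetype: modify",
        "replace: olcSuffix",
        "olcSuffix: " + suffix,
        "-",
        "replace: olcRootDN",
        "olcRootDN: " + root_dn,
        "-",
        "replace: olcRootPW",
        "olcRootPW: " + ssha_hash(password),   # the hash, never the plaintext
        "",
    ])

if __name__ == "__main__":
    h = ssha_hash("dimitrios")
    print(h, ssha_verify(h, "dimitrios"), ssha_verify(h, "wrong"))
    # Prints whether the hash shown in the tutorial matches its example password.
    print(ssha_verify("{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6", "dimitrios"))
    print(config_modify_ldif("dc=dimitrios,dc=local",
                             "cn=Manager,dc=dimitrios,dc=local", "dimitrios"))
```

Because replace adds the attribute when it is absent, the same LDIF works whether or not olcRootPW already exists in the database entry. After applying it, slaptest -u runs without checksum warnings because the files were rewritten by slapd itself.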
Base LDAP Structure in [Link]
The use of OU (organizational unit) objects can help you in providing additional structure to the LDAP
database. If you are planning on adding in different types of entries, such as users, groups,
computers, printers and more to the LDAP directory, it makes it easier to put every entry type into its
own container.
To create these OUs, you can create an initial LDIF file as shown in the below example.
# nano /root/[Link]
dn: dc=dimitrios,dc=local
dc: dimitrios
o: [Link]
objectclass: dcObject
objectclass: organization
objectclass: top

dn: ou=Users, dc=dimitrios,dc=local
ou: Users
objectclass: organizationalUnit

dn: ou=Groups, dc=dimitrios,dc=local
ou: Groups
objectclass: organizationalUnit

dn: ou=Maps, dc=dimitrios,dc=local
ou: Maps
objectclass: organizationalUnit
Now we can import the base structure in to the LDAP directory using the ldapadd command
as shown below.
# ldapadd -x -W -D "cn=Manager, dc=dimitrios,dc=local" -f /root/[Link]
Enter LDAP Password:
Enter the password you chose with slappasswd (dimitrios in this example).
You should see 4 entries added. To verify the OUs are successfully created, use the following
ldapsearch command.
# ldapsearch -x -W -D "cn=Manager,dc=dimitrios,dc=local" -b "dc=dimitrios,dc=local" "(objectclass=*)"
Enter LDAP Password:
You should see the 4 entries.
Adding the automount is done as shown below :
# cat <<EOF >/root/[Link]
dn: nisMapName=[Link],ou=Maps,dc=dimitrios,dc=local
nisMapName: [Link]
objectclass: nisMap

dn: cn=/home,nisMapName=[Link],ou=Maps,dc=dimitrios,dc=local
cn: /home
objectClass: nisObject
nisMapName: [Link]
nisMapEntry: [Link]

dn: nisMapName=[Link],ou=Maps,dc=dimitrios,dc=local
nisMapName: [Link]
objectClass: nisMap

dn: cn=/,nisMapName=[Link],ou=Maps,dc=dimitrios,dc=local
cn: /
objectClass: nisObject
nisMapName: [Link]
nisMapEntry: -fstype=nfs,rw,hard,intr [Link]:/export/home/&
EOF
# ldapadd -x -a -f /root/[Link] -H ldap:/// -D "cn=Manager,dc=dimitrios,dc=local" -W
The options are -x (simple bind), -a (add), -f (LDIF file), -H (server URI), -D (bind DN) and -W
(prompt for the password). As with the prior ldapadd, you will be prompted for the password and then
the records will be added.
At this point, pause and test the OpenLDAP server in isolation. The search below uses no bind DN, so it
also confirms that the maps are readable anonymously, which the autofs clients will need. You should
receive two records from the following command, one for [Link] and one for [Link]:
# ldapsearch -x -H ldap:/// -b dc=dimitrios,dc=local "(objectclass=nisMap)"
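Both LDIF files above depend on entry order: ldapadd adds entries one by one and stops at the first error (unless run with -c), so a child listed before its parent fails with "No such object" and an entry missing an attribute its object class requires fails with "Object class violation". The following Python script is an added example, not part of the tutorial or of OpenLDAP, that checks an LDIF file for both problems before it is loaded; it covers the base-structure file and the automount file. The LDIF strings are constructed copies of the tutorial's files; the redacted values are replaced by assumed names (the map names auto.master and auto.home, the organization value "dimitrios", and 192.0.2.10 as the NFS server address).

```python
# Added example, not part of the tutorial: check an LDIF file offline for a
# child listed before its parent (ldapadd error 32, No such object) and for a
# missing required attribute (error 65, Object class violation). Standard
# library only; the LDIF below is a constructed copy of the tutorial's files
# with assumed values where the original is redacted.
SUFFIX = "dc=dimitrios,dc=local"

BASE_LDIF = """\
dn: dc=dimitrios,dc=local
dc: dimitrios
o: dimitrios
objectclass: dcObject
objectclass: organization
objectclass: top

dn: ou=Users, dc=dimitrios,dc=local
ou: Users
objectclass: organizationalUnit

dn: ou=Groups, dc=dimitrios,dc=local
ou: Groups
objectclass: organizationalUnit

dn: ou=Maps, dc=dimitrios,dc=local
ou: Maps
objectclass: organizationalUnit
"""

AUTOMOUNT_LDIF = """\
dn: nisMapName=auto.master,ou=Maps,dc=dimitrios,dc=local
nisMapName: auto.master
objectClass: nisMap

dn: cn=/home,nisMapName=auto.master,ou=Maps,dc=dimitrios,dc=local
cn: /home
objectClass: nisObject
nisMapName: auto.master
nisMapEntry: ldap:nisMapName=auto.home,ou=Maps,dc=dimitrios,dc=local

dn: nisMapName=auto.home,ou=Maps,dc=dimitrios,dc=local
nisMapName: auto.home
objectClass: nisMap

dn: cn=/,nisMapName=auto.home,ou=Maps,dc=dimitrios,dc=local
cn: /
objectClass: nisObject
nisMapName: auto.home
nisMapEntry: -fstype=nfs,rw,hard,intr 192.0.2.10:/export/home/&
"""

# Required attributes of the classes used on the page (core and nis schemas).
MUST = {
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "nismap": {"nismapname"},
    "nisobject": {"cn", "nismapname", "nismapentry"},
}

def parse_ldif(text):
    """[(dn, {attr_lower: [values]})]; a blank line ends an entry, a leading space
    continues the previous line, '#' starts a comment ('::' base64 values are not decoded)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def normalize_dn(dn):
    """Case-fold and drop spaces after commas so 'ou=Users, dc=x' equals 'ou=users,dc=x'."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_ldif(text, suffix, existing=()):
    """List problems in add order; `existing` names DNs already present in the directory."""
    seen, problems = {normalize_dn(d) for d in existing}, []
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        parent = ndn.split(",", 1)[1] if "," in ndn else ""
        if ndn != normalize_dn(suffix) and parent not in seen:
            problems.append(f"{dn}: parent not present yet (ldapadd: No such object)")
        seen.add(ndn)
        for cls in (c.lower() for c in attrs.get("objectclass", [])):
            for must in MUST.get(cls, ()):
                if must not in attrs:
                    problems.append(f"{dn}: objectClass {cls} needs {must} (Object class violation)")
    return problems
```

Running check_ldif(BASE_LDIF, SUFFIX) returns no problems; the automount file passes only when ou=Maps is listed in existing, which is exactly the state after the base structure has been loaded. Call it on your own file with ldapsearch output for existing before a large import.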
Adding computers to domain
Creating user accounts
We will be creating 2 user accounts for our tests.