IPBrick - Member of AD domain
IPBrick
iPortalMais
March 2009

Copyright iPortalMais
All rights reserved. March 2009. The information in this document can be
changed without further notice. The declarations, technical data, configurations
and recommendations of this document are believed to be precise and reliable, but
they are presented with no expressed or implied warranty.
IPBrick AD integration
iPortalMais - 2007
Contents
1 Active Directory - LDAP . . . . . . . . . . . . . . . . . . . . . . . 5
  1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
  1.2 Microsoft Services For Unix . . . . . . . . . . . . . . . . . . . . 6
    1.2.1 Installing SFU . . . . . . . . . . . . . . . . . . . . . . . . 6
    1.2.2 SFU Configuration . . . . . . . . . . . . . . . . . . . . . . 7
  1.3 Active Directory - Schema SNAP-IN . . . . . . . . . . . . . . . . 10
  1.4 Windows 2003 Server Support Tools . . . . . . . . . . . . . . . . 10
  1.5 LDAP Schema update . . . . . . . . . . . . . . . . . . . . . . . 11
    1.5.1 AD Schema Registration . . . . . . . . . . . . . . . . . . . 11
    1.5.2 Anonymous Access to LDAP . . . . . . . . . . . . . . . . . . 12
    1.5.3 AD users management . . . . . . . . . . . . . . . . . . . . . 13
2 IPBrick configuration . . . . . . . . . . . . . . . . . . . . . . . . 15
  2.1 AD Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
  2.2 IPBrick Configuration . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 1
Active Directory - LDAP

1.1 Introduction
When installed, IPBrick uses its local LDAP for user authentication (Advanced
Configurations - IPBrick - Authentication). This means that the users are
created in IPBrick, so IPBrick acts as the network PDC (Primary Domain
Controller). If the company already has a PDC (a Windows 2003 Active Directory,
for example) and an IPBrick is being installed, it may be necessary to integrate
IPBrick with the Active Directory. The integration level depends on the services
that will run on IPBrick:
• No integration: If IPBrick is a communication server without services that
need user authentication, no integration is needed. Examples: mail relay,
proxy, VoIP, firewall, web server.
• Partial integration: If IPBrick needs to authenticate users, you must change
the authentication type to AD Domain Member (IPBrick Master). It is called a
partial integration because IPBrick only needs to query the Windows LDAP
during the authentication process (follow only Chapter 1.2 and Chapter 2).
These are some services/applications running on IPBrick that need this type of
integration:
– Proxy with authentication;
– PPTP VPN;
– Intranet applications running on IPBrick (Calendar, Contacts, etc.)
• Total integration: In a total integration, besides the LDAP queries for
authentication, IPBrick will physically hold the user accounts. For that, the
LDAP server must be extended to support all the IPBrick requirements, such as:
– UNIX attributes: NIS domain, UID, GID, login shell and home directory;
– Automount information LDAP attributes;
– Mail server LDAP attributes (qmail-ldap).
Examples of when a total integration is needed:
– IPBrick will be the internal mail server: the Windows Exchange service
will be replaced by the IPBrick qmail service.
– You will use the document management system developed by iPortalMais,
iPortalDoc.
If the goal is to do a total integration with AD, follow all the steps
presented in this manual.
1.2 Microsoft Services For Unix

1.2.1 Installing SFU
If you have installed a Windows 2003 Server (R1), you need to install SFU
version 3.5, which can be obtained from the Microsoft website at:
http://www.microsoft.com/windowsserversystem/sfu/
http://www.microsoft.com/windowsserversystem/sfu/downloads/default.asp
You must log in with an MSN Passport, the same account that lets you log in to
MSN Messenger. The file size is about 217.6 MB and it is a self-extracting zip
file.
To proceed with the installation you need to log in to Windows with a user that
belongs to the 'Schema Admins' group. To install, follow these steps:
1. Download the file to the server;
2. Uncompress it to c:\tempsfu;
3. Close all MMC consoles as well as any Active Directory management windows
you may have open;
4. Execute c:\tempsfu\setup.exe (you can delete this file later);
5. Select all the default options - do not write anything in any of the fields!
6. For the modifications to take effect, you must reboot the server. This can
be done at the end.
If you have installed a Windows 2003 Server (R2), SFU version 4.0 is already
included, so you only need to activate the service:
• Click Start, select Control Panel, and click Add or Remove Programs;
• Click Add/Remove Windows Components. Next, select the Active Directory
Services component and click Details;
• Check Identity Management for UNIX and click OK. Click Next to begin the
installation.

1.2.2 SFU Configuration
SFU adds tabs to Active Directory that allow editing and managing the UNIX
properties, such as User Identification (UID) and Group Identification (GID),
of objects like groups, users and machines.
It is necessary to specify the UNIX Attributes for:
• Users
– NIS Domain: the AD domain;
– UID: user identification;
– Login Shell: the default is /bin/sh;
– Home Directory: the user's home directory in UNIX;
– Primary group name/GID: the user's group.
• Groups
– NIS Domain: the AD domain;
– GID: group identification;
– Members: group members.
These attributes are defined in Active Directory Users and Computers.
Groups example
Next we have an example for the user 'administrador', which is a Domain Admins
user.
First, in the Domain Admins group:
Figure 1.1: Domain Admins properties
Users example
Only after the UNIX Attributes of the groups are defined is it possible to
define the UNIX Attributes for users, because each user has a Primary Group ID.
For the user 'administrador' we have:
Figure 1.2: ’administrador’ properties
⇒ Note: For the groups in IPBrick to include the users that belong to them,
it is necessary that:
• The groups have the UNIX Attributes defined;
• The users that are members of these groups have the UNIX Attributes defined;
• The users are added to the groups in the group's UNIX Attributes tab, under
Members.
Additional information:
• GID of Domain Users: must be 513;
• GID of Domain Admins: must be 512;
• UID of administrator: must be 10000;
• The other users will have the UIDs 100001, 100002, etc.;
• If using other LDAP groups you can use GIDs 514, 515, etc.
1.3 Active Directory - Schema SNAP-IN
To be able to work on the LDAP schema in AD, you must register the correct MMC
snap-in. This must be done once per server, as follows:
Start -> Run
regsvr32 schmmgmt.dll
To access the snap-in, follow these steps:
1. Start -> Run: mmc
2. File -> Add/Remove Snap-in
3. Add
4. Active Directory Schema
5. Add
6. Close
7. OK
1.4 Windows 2003 Server Support Tools
A tool named ADSI Edit will be necessary. ADSI Edit is part of the Windows
2003 Server Support Tools. To use this tool you must install the Windows 2003
Server Support Tools, and then:
1. Press Start -> Run: mmc
2. File -> Add/Remove Snap-in
3. Add
4. ADSI Edit
5. Add
6. Close
7. OK
If you want to work locally on the server, you must:
1. Right-click on ADSI Edit
2. Select Connect To...
3. Then you should check:
• Connection Point: Domain and/or Configuration
• Computer: Default or Domain domain.com
NOTE: Until the end of this chapter, we will work with the Connection Point
set to Domain or Configuration.
If you don't have the standard ADSI Edit, you can download it at
http://tinyurl.com/yhgn9u and follow these steps:
• Extract all files to a folder;
• Copy adsiedit.dll to c:\windows;
• At Start -> Run enter regsvr32 adsiedit;
• Start using ADSI Edit by executing the file adsiedit.msc.
1.5 LDAP Schema update
You must register the Automount and Qmail schemas in the Windows LDAP. This is
necessary because these schema attributes do not exist in the base Windows LDAP
schema. An application called ldifde will be used to add these new LDAP
attributes. An LDIF (LDAP Data Interchange Format) file is an LDAP standard
that represents the directory content or a set of update requests for the LDAP
service.

1.5.1 AD Schema Registration
1. In some versions of Windows 2000/2003 a registry value must be modified in
order to have permission to update the AD schema. To do this you must use the
registry editor (Start -> Run -> regedt32);
2. Find the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. If present, edit the value named Schema Update Allowed;
4. Click Binary and change its value to 1.
Now that the schema update is allowed we can proceed:
1. If you have Windows 2003 Release 1, download the auto_r1.ldif file available
on the IPBrick site, Documentation section. Download the auto_r2.ldif file if
it is Windows 2003 Release 2.
2. Open the file in a text editor and change <DOMAIN_BASE_DN> to the domain
you are using. For example, if you are using a domain named domain.com you
should have DC=domain,DC=com. You can use the ADSI Edit tool to find the base
DN.
3. Go to Start -> Run and type cmd. At the command line, execute the following
command to add these attributes to AD (change DC=domain,DC=com to your domain
and adjust the LDIF file path):
ldifde -i -k -c CN=Schema,CN=Configuration,DC=domain,DC=com CN=Schema,CN=Configuration,DC=domain,DC=com -s localhost -f auto_r2.ldif
1.5.2 Anonymous Access to LDAP
It is mandatory to allow anonymous access to the LDAP information. This can be
done through ADSI Edit in the Configuration connection point.
1. Right-click on the following entry and select Properties:
CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service
2. Edit the attribute named dsHeuristics:
• If not set, change it to 0000002
• If set to 001, change it to 0010002
3. Click OK
4. Click OK
Then you must configure the Access Lists on OU=auto.home:
1. In ADSI Edit confirm that the connection point is Domain;
2. Select the OU=auto.home entry and right-click;
3. Select Properties and choose Security;
4. Add an entry with the following information:
• Add: ANONYMOUS LOGON: Add: Read
• Advanced
• Select the ANONYMOUS LOGON line and click Edit...
• Change "Apply onto" to: This object and all child objects
• Confirm everything with OK
Attention: Anonymous logon permissions should be defined only for
OU=auto.home and its children.
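The dsHeuristics edit above, as an added example that is not part of the manual: each character of the attribute is one flag, and both values the manual lists set the 7th character (fLDAPBlockAnonOps) to 2, which is what permits anonymous LDAP operations. The helper below generalizes that to whatever value is already present while preserving the other flags, and adds an audit check; the Access List limited to OU=auto.home is what keeps the anonymous read scoped, so the check is worth re-running after any later dsHeuristics change.

```python
# Added example (not from the IPBrick manual). dsHeuristics is a string of
# single-character flags; position 7 (fLDAPBlockAnonOps) set to "2" allows
# anonymous LDAP operations. The manual's two cases are "" -> "0000002" and
# "001" -> "0010002"; this helper covers any existing value.
ANON_OPS_POSITION = 7  # 1-based index of fLDAPBlockAnonOps in dsHeuristics


def allow_anonymous_ldap_ops(current: str) -> str:
    """Return dsHeuristics with anonymous LDAP operations enabled.

    Existing flag characters are kept; the string is zero-padded up to
    position 7 and that position is set to "2".
    """
    flags = list(current.ljust(ANON_OPS_POSITION, "0"))
    flags[ANON_OPS_POSITION - 1] = "2"
    return "".join(flags)


def anonymous_ldap_ops_enabled(current: str) -> bool:
    """Audit helper: True when position 7 of dsHeuristics is "2"."""
    return (len(current) >= ANON_OPS_POSITION
            and current[ANON_OPS_POSITION - 1] == "2")


if __name__ == "__main__":
    # Walk through the manual's cases plus an already-configured value.
    for before in ("", "001", "0000002"):
        after = allow_anonymous_ldap_ops(before)
        print(f"{before!r:>10} -> {after!r}  enabled={anonymous_ldap_ops_enabled(after)}")
```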
1.5.3 AD users management
The users database is the Domain Controller LDAP (Active Directory). IPBrick
servers configured to authenticate against the AD domain use the LDAP
authentication services. For that reason we updated the AD LDAP schema to
support the Linux/UNIX authentication services. The additional information
needed for each LDAP user is:
• UID and GID - user and group identifiers
• UNIX password - user password synchronized with the Windows password
• Automount - physical account location (home directory: work area and server)
The first two items are installed with Microsoft Services For Unix.
Create users
1. Create the users in Active Directory:
(a) Fill in the Name and Email - used in the internal contacts
(b) In the UNIX Attributes tab, insert the user in the NIS domain
(c) Identify the user's primary group - if in doubt, choose 'Domain Users'
2. In the Master IPBrick, through the web interface, go to IPBrick - Users
Management:
(a) Choose Synchronize with AD
(b) Select the users you want to synchronize (you can filter the user list by
selecting a group)
(c) For each user choose the server (local or remote) and work area
(d) Synchronize
(e) Update settings
ATTENTION: The Windows 2003 AD date must match the date defined in IPBrick.
Remove users
Remove the user information from the IPBrick servers.
1. In the Master IPBrick:
(a) Access the IPBrick web interface, IPBrick - Users Management;
(b) Find the user(s) and click on the name;
(c) Hit Delete and Confirm;
(d) Update settings.
2. In the Windows AD:
(a) Remove the UNIX Attributes information by selecting the option <none> in
NIS Domain.
Chapter 2
IPBrick configuration

2.1 AD Data
An easy way to find the necessary Base DNs is to use the ADSI Edit tool
referred to in section 1.4.
After connecting to the server (see section 1.4), a window like Figure 2.1
appears and the domain in use is visible (dc=iporatal2003,dc=local).
Figure 2.1: ADSI Edit - Domain
In Figure 2.2 the users' BASE DN is visible. In this case the username is
administrador. The BASE DN for that user is
cn=administrador,cn=users,dc=iporatal2003,dc=local and the users' BASE DN is
cn=users,dc=iporatal2003,dc=local.
For groups (Figure 2.3), the BASE DN is cn=builtin,dc=iporatal2003,dc=local.
Figure 2.2: ADSI Edit - Users
Figure 2.3: ADSI Edit - Groups
2.2 IPBrick Configuration
In IPBrick the configuration must agree with the AD. It is done in the
following menu:
Advanced Configurations - IPBrick - Authentication
Change the authentication type to AD Domain Member (IPBrick Master).
In the example of Figure 2.4, the join will be done to an AD with the following
settings:
• Services for Unix Version: v3.5 (used for Windows 2003 R1; you must choose
v4.0 if you use Windows 2003 R2)
• AD Server IP Address: 192.168.69.28
• NetBIOS Domain: iporatal2003
• Realm: iporatal2003.local
• Domain Administrator: administrador
• Password:
• Base DN: dc=iporatal2003,dc=local
• Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local
• Users search base DN: cn=users,dc=iporatal2003,dc=local
• Groups search base DN: ou=builtin,dc=iporatal2003,dc=local
An easy way to list all the users and groups is to set the Users and Groups
search base DNs to the Base DN, in this example dc=iporatal2003,dc=local.
! Attention: This data must match the AD configuration. The data shown here
is just an example. Contact the AD administrator to learn the correct BASE
DNs, or obtain that information using ADSI Edit.
! Attention: IPBrick must always resolve names through the Windows 2003 AD,
because it is usually the company's internal DNS server. So, at Advanced
Configurations - Support Services - DNS - Name Resolution, IPBrick must first
resolve names at the Windows IP, and the second line can be IPBrick itself
(127.0.0.1). If needed, you can reorder the addresses.
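A small consistency check for the settings above, added here as an example that is not IPBrick's own code: it derives the Base DN from the DNS realm the way section 2.1 describes, renders the <DOMAIN_BASE_DN> placeholder used by the LDIF files of section 1.5.1, and verifies that the Administrator DN, Users and Groups search base DNs of section 2.2 all lie under the Base DN. The AdMemberSettings class and the function names are assumptions of this example; EXAMPLE holds the manual's own sample values.

```python
# Added example (not IPBrick code): derive the AD base DN from the DNS realm as
# in section 2.1 (domain.com -> DC=domain,DC=com), fill the <DOMAIN_BASE_DN>
# placeholder of section 1.5.1, and cross-check the section 2.2 settings.
from dataclasses import dataclass


def realm_to_base_dn(realm: str, attr: str = "dc") -> str:
    """'iporatal2003.local' -> 'dc=iporatal2003,dc=local'."""
    labels = [part for part in realm.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("empty realm")
    return ",".join(f"{attr}={label}" for label in labels)


def render_ldif(template: str, realm: str) -> str:
    """Replace every <DOMAIN_BASE_DN> in an LDIF template with the base DN."""
    return template.replace("<DOMAIN_BASE_DN>", realm_to_base_dn(realm, "DC"))


def _norm(dn: str) -> str:
    # Case- and whitespace-insensitive comparison form of a DN.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _is_under(dn: str, base: str) -> bool:
    # True when dn equals base or lies somewhere below it in the tree.
    return _norm(dn) == _norm(base) or _norm(dn).endswith("," + _norm(base))


@dataclass
class AdMemberSettings:  # assumed container for the section 2.2 fields
    realm: str
    base_dn: str
    admin_dn: str
    users_base_dn: str
    groups_base_dn: str


def check_settings(s: AdMemberSettings) -> list:
    """Return the inconsistencies found; an empty list means the DNs agree."""
    problems = []
    if _norm(s.base_dn) != realm_to_base_dn(s.realm):
        problems.append("Base DN does not match the Realm")
    for name, dn in (("Users search base DN", s.users_base_dn),
                     ("Groups search base DN", s.groups_base_dn)):
        if not _is_under(dn, s.base_dn):
            problems.append(f"{name} is outside the Base DN")
    if not _is_under(s.admin_dn, s.users_base_dn):
        problems.append("Administrator DN is outside the Users search base DN")
    return problems


# The manual's own example values from section 2.2.
EXAMPLE = AdMemberSettings("iporatal2003.local", "dc=iporatal2003,dc=local",
                           "cn=administrador,cn=users,dc=iporatal2003,dc=local",
                           "cn=users,dc=iporatal2003,dc=local",
                           "ou=builtin,dc=iporatal2003,dc=local")
```

Running check_settings(EXAMPLE) returns an empty list; a mistyped Base DN or a search base copied from another domain shows up as a named problem before the join is attempted.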
Figure 2.4: IPBrick as AD member