IPBrick - Member of AD domain IPBrick iportalmais




IPBrick - Member of AD domain. iportalmais, March 2009

Copyright (c) iportalmais. All rights reserved. March 2009. The information in this document may be changed without further notice. The statements, technical data, configurations and recommendations in this document are believed to be accurate and reliable, but they are presented without any express or implied warranty.

IPBrick AD integration, iportalmais - 2007

Contents

1 Active Directory - LDAP
  1.1 Introduction
  1.2 Microsoft Services For Unix
    1.2.1 Installing SFU
    1.2.2 SFU Configuration
  1.3 Active Directory - Schema Snap-in
  1.4 Windows 2003 Server Support Tools
  1.5 LDAP Schema update
    1.5.1 AD Schema Registration
    1.5.2 Anonymous Access to LDAP
    1.5.3 AD users management
2 IPBrick configuration
  2.1 AD Data
  2.2 IPBrick Configuration


Chapter 1 Active Directory - LDAP

1.1 Introduction

When installed, IPBrick uses its local LDAP for user authentication (Advanced Configurations - IPBrick - Authentication). This means the users are created in IPBrick, so IPBrick acts as the network PDC (Primary Domain Controller). If the company already has a PDC (for example a Windows 2003 Active Directory) and an IPBrick is being installed, it may be necessary to integrate the IPBrick with the Active Directory. The integration level depends on the services that will run on the IPBrick:

No integration: if the IPBrick is a communication server without services that need user authentication, no integration is needed. Examples: mail relay, proxy, VoIP, firewall, web server.

Partial integration: if the IPBrick needs to authenticate users, you must change the authentication type to AD Domain Member (IPBrick Master). It is called a partial integration because the IPBrick only needs to query the Windows LDAP during the authentication process (follow only Section 1.2 and Chapter 2). Some services/applications running on IPBrick that need this type of integration:
- Proxy with authentication;
- PPTP VPN;
- Intranet applications running on IPBrick (Calendar, Contacts, etc.).

Total integration: in a total integration the IPBrick, besides the LDAP queries for authentication, physically holds the user accounts. For this, the LDAP server must be extended to support all the IPBrick requirements, such as:
- UNIX attributes: NIS domain, UID, GID, login shell and home directory;

- Automount information LDAP attributes;
- Mail server LDAP attributes (qmail-ldap).

Examples of when a total integration is needed:
- The IPBrick will be the internal mail server: the Windows Exchange service will be replaced by the IPBrick qmail service.
- You will use the document management system developed by iportalmais, iportaldoc.

If the goal is a total integration with AD, follow all the steps presented in this manual.

1.2 Microsoft Services For Unix

1.2.1 Installing SFU

If you have installed Windows 2003 Server (R1), you need to install SFU version 3.5, which can be obtained from the Microsoft website at:
http://www.microsoft.com/windowsserversystem/sfu/
http://www.microsoft.com/windowsserversystem/sfu/downloads/default.asp

You must log in with an MSN Passport, the same account used to log in to MSN Messenger. The file size is about 217.6 MB and it is a self-extracting zip file. To proceed with the installation you need to log in to Windows with a user that is a member of the Schema Admins group. To install, follow these steps:
1. Download the file to the server;
2. Uncompress it to c:\tempsfu;
3. Close all MMC consoles as well as any Active Directory management windows you might have open;
4. Execute c:\tempsfu\setup.exe (you can delete this file later);
5. Select all the default options. Do not write anything in any of the fields!
6. For the modifications to take effect, you must reboot the server. This can be done at the end.

If you have installed Windows 2003 Server (R2), SFU is included as version 4.0, so you only need to activate the service:
1. Click Start, select Control Panel, and click Add or Remove Programs;
2. Click Add/Remove Windows Components. Next, select the Active Directory Services component and click Details;
3. Check Identity Management for UNIX and click OK. Click Next to begin the installation.

1.2.2 SFU Configuration

SFU adds tabs to the Active Directory tools that allow editing and managing the UNIX properties, such as the User Identification (UID) and Group Identification (GID), of objects like groups, users and machines. It is necessary to specify the UNIX Attributes for:

Users
- NIS Domain: the AD domain;
- UID: user identification;
- Login Shell: the default is /bin/sh;
- Home Directory: the user's home directory in UNIX;
- Primary group name/GID: the user's group.

Groups
- NIS Domain: the AD domain;
- GID: group identification;
- Members: the group members.

These attributes are defined in Active Directory Users and Computers.

Groups example

Next we have an example for the user administrador, which is a Domain Admins user. First, in the Domain Admins group:

Figure 1.1: Domain Admins properties

Users example

Only after the UNIX Attributes for groups are defined is it possible to define the UNIX Attributes for users, because each user has a Primary Group ID. For the user administrador we have:

Figure 1.2: administrador properties

Note: for the groups in IPBrick to include the users that belong to them, it is necessary that:
- the groups have the UNIX Attributes defined;
- the users that are members of these groups have the UNIX Attributes defined;
- the users are added to the groups in the group's UNIX Attributes tab, under Members.

Additional information:
- GID of Domain Users: must be 513;
- GID of Domain Admins: must be 512;

- UID of administrator: must be 10000.

The other users will have the UIDs 100001, 100002, etc. If using other LDAP groups you can use GID 514, 515, etc.

1.3 Active Directory - Schema Snap-in

To work on the LDAP schema in AD, you must activate the correct MMC snap-in. This must be done once per server, as follows:

Start -> Run: regsvr32 schmmgmt.dll

To access the snap-in, follow these steps:
1. Start -> Run: mmc
2. File -> Add/Remove Snap-in
3. Add
4. Active Directory Schema
5. Add
6. Close
7. OK

1.4 Windows 2003 Server Support Tools

A tool named ADSI Edit will be necessary. ADSI Edit is part of the Windows 2003 Server Support Tools. To use this tool you must install the Windows 2003 Server Support Tools, and then:
1. Start -> Run: mmc
2. File -> Add/Remove Snap-in
3. Add
4. ADSI Edit
5. Add
6. Close
7. OK

If you want to work locally on the server, you must:

1. Right-click ADSI Edit;
2. Select Connect To...;
3. Then check:
   Connection Point: Domain and/or Configuration
   Computer: Default or Domain domain.com

NOTE: until the end of this chapter, we will work with the Connection Point set to Domain or Configuration.

If you do not have the standard ADSI Edit, you can download it at http://tinyurl.com/yhgn9u and follow these steps:
- Extract all files to a folder;
- Copy adsiedit.dll to c:\windows;
- At Start -> Run enter: regsvr32 adsiedit
- Start using ADSI Edit by executing the file adsiedit.msc

1.5 LDAP Schema update

You must register the schema of the Automount and Qmail services in the Windows LDAP. This is necessary because these schema attributes do not exist in the base Windows LDAP schema. An application called ldifde will be used to add these new LDAP attributes. An LDIF (LDAP Data Interchange Format) file is an LDAP standard that represents directory content or update requests for the LDAP service.

1.5.1 AD Schema Registration

1. In some versions of Windows 2000/2003 we need to modify a registry value in order to have permission to update the AD schema. To do this, use the registry editor (Start -> Run -> regedt32);
2. Find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters - Schema Update Allowed
3. If present, edit the value named Schema Update Allowed

4. Click Binary and change its value to 1.

Now that the schema update is allowed, we can proceed:
1. If you have Windows 2003 Release 1, download the auto_r1.ldif file from the IPBrick site, Documentation section. Download the auto_r2.ldif file if it is Windows 2003 Release 2.
2. Open the file in a text editor and change <DOMAIN_BASE_DN> to the domain you are using. For example, if you are using a domain named domain.com you should have: DC=domain,DC=com. You can use the ADSI Edit tool to find the base DN.
3. Go to Start -> Run and enter cmd. At the command line, execute the following command to add these attributes to AD (change DC=domain,DC=com to your domain and adjust the LDIF file path):

ldifde -i -k -c CN=Schema,CN=Configuration,DC=domain,DC=com CN=Schema,CN=Configuration,DC=domain,DC=com -s localhost -f auto_r2.ldif

1.5.2 Anonymous Access to LDAP

It is mandatory to allow anonymous access to the LDAP information. This is done through ADSI Edit in the Configuration connection point.
1. Right-click the following entry and select Properties: CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service
2. Edit the attribute named dsheuristics:
   - if it is not set, change it to 0000002
   - if it is set to 001, change it to 0010002
3. Click OK
4. Click OK

Then you must configure the access lists on OU=auto.home:
1. In ADSI Edit, confirm that the connection point is Domain;
2. Select the OU=auto.home entry and right-click;
3. Select Properties and choose Security;
4. Add an entry with the following information: Add: ANONYMOUS LOGON; Add: Read

5. Advanced: select the ANONYMOUS LOGON line and click Edit...; change Apply onto: This object and all child objects. Confirm all with OK.

Attention: anonymous logon permissions should be defined only for OU=auto.home and its children.

1.5.3 AD users management

The user database is the Domain Controller LDAP (Active Directory). IPBrick servers configured to authenticate in the AD domain use the LDAP authentication services. For that reason we updated the AD LDAP schema to support the Linux/UNIX authentication services. The additional information needed for each LDAP user is:
- UID and GID: user and group identifier
- UNIX password: user password synchronized with the Windows password
- Automount: physical account location (home directory), that is, work area and server

The first two items are installed with Microsoft Services For Unix.

Create users
1. Create the users in Active Directory:
   (a) Fill in the Name and Email, used in the internal contacts
   (b) In the UNIX Attributes tab, insert the user in the NIS domain
   (c) Identify the user's primary group; if in doubt, choose Domain Users
2. In the Master IPBrick, through the web interface, go to IPBrick - Users Management:
   (a) Choose Synchronize in AD
   (b) Select the users that you want to synchronize (you can filter the user view by selecting a group)
   (c) For each user choose the server (local or remote) and the work area
   (d) Synchronize
   (e) Update settings

ATTENTION: the Windows 2003 AD date must match the date defined in IPBrick.

Remove users

Remove the user information from the IPBrick servers.
1. In the Master IPBrick:
   (a) Access the IPBrick web interface, IPBrick - Users Management;
   (b) Find the user(s) and click the name;
   (c) Click Delete and Confirm;
   (d) Update settings.
2. In the Windows AD:
   (a) Remove the UNIX Attributes information by selecting the option <none> in NIS Domain.
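The two settings of Section 1.5.2, the dSHeuristics edit and the ANONYMOUS LOGON grant on OU=auto.home, expressed as checks a defender can run against exported values. This is an added example, not code from the IPBrick manual; the ACE record shape and the base DN DC=domain,DC=com (the page's own example domain) are assumptions, and the generalisation of the dSHeuristics edit (any existing value, not only the two cases the manual lists) relies on the seventh character of that attribute being the anonymous-operations flag.

```python
"""Added example (not part of the IPBrick manual): the two Section 1.5.2 settings,
the dSHeuristics edit and the ANONYMOUS LOGON scope on OU=auto.home, as checks."""
from typing import Optional

ANON_POS = 7           # 7th dSHeuristics character: fLDAPBlockAnonOps
ANON_ALLOW = "2"       # 2 = anonymous LDAP operations permitted (Windows 2003)
AUTOMOUNT_OU = "OU=auto.home"


def allow_anonymous_ldap(current: Optional[str]) -> str:
    """dSHeuristics value with anonymous LDAP enabled, other flags untouched.

    Generalises the manual's two cases: unset -> 0000002, 001 -> 0010002.
    Shorter values are right-padded with '0', the neutral setting per flag.
    """
    chars = list(current or "")
    chars.extend("0" * max(0, ANON_POS - len(chars)))
    chars[ANON_POS - 1] = ANON_ALLOW
    return "".join(chars)


def anonymous_aces_out_of_scope(aces, base_dn):
    """ACEs granting ANONYMOUS LOGON more than Read on OU=auto.home and children.

    `aces` is a constructed list of {trustee, object_dn, rights} dicts mirroring
    what the Security tab in ADSI Edit shows; it is not an AD API. Anything for
    ANONYMOUS LOGON outside the automount OU, or beyond Read, is returned.
    """
    scope = f"{AUTOMOUNT_OU},{base_dn}".lower()
    findings = []
    for ace in aces:
        if ace["trustee"].upper() != "ANONYMOUS LOGON":
            continue
        dn = ace["object_dn"].lower()
        if dn != scope and not dn.endswith("," + scope):
            findings.append((ace["object_dn"], "anonymous read outside OU=auto.home"))
        elif set(ace["rights"]) - {"Read"}:
            findings.append((ace["object_dn"], "anonymous rights beyond Read"))
    return findings


# Constructed sample: two correct entries, one wrong object, one over-broad grant.
BASE_DN = "DC=domain,DC=com"
SAMPLE_ACES = [
    {"trustee": "ANONYMOUS LOGON", "object_dn": "OU=auto.home,DC=domain,DC=com", "rights": ["Read"]},
    {"trustee": "ANONYMOUS LOGON", "object_dn": "CN=srv1,OU=auto.home,DC=domain,DC=com", "rights": ["Read"]},
    {"trustee": "ANONYMOUS LOGON", "object_dn": "CN=Users,DC=domain,DC=com", "rights": ["Read"]},
    {"trustee": "ANONYMOUS LOGON", "object_dn": "OU=auto.home,DC=domain,DC=com", "rights": ["Read", "Write"]},
    {"trustee": "Domain Admins", "object_dn": "CN=Users,DC=domain,DC=com", "rights": ["Full Control"]},
]


def sample_findings():
    return anonymous_aces_out_of_scope(SAMPLE_ACES, BASE_DN)


if __name__ == "__main__":
    print(allow_anonymous_ldap(None), allow_anonymous_ldap("001"))
    for dn, why in sample_findings():
        print(f"{why}: {dn}")
```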
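Before running Synchronize in AD (Section 1.5.3), the UNIX Attributes rules from Section 1.2.2 can be checked over an export of the users and groups. This is an added example, not code from the IPBrick manual; the record shapes and the sample accounts are constructed, the NIS domain iporatal2003 is the page's example domain, and the duplicate-UID check is an addition the manual does not state.

```python
"""Added example (not from the IPBrick manual): a pre-synchronisation check of the
UNIX Attributes rules in Sections 1.2.2 and 1.5.3, run over constructed records."""

REQUIRED_GIDS = {"Domain Users": 513, "Domain Admins": 512}   # fixed by the manual
REQUIRED_UIDS = {"administrator": 10000}                       # fixed by the manual
DEFAULT_SHELL = "/bin/sh"


def check_unix_attributes(nis_domain, users, groups):
    """Return the problems that would leave the IPBrick AD sync incomplete.

    users : {sAMAccountName: {nis_domain, uid, shell, home, primary_gid}}
    groups: {name: {nis_domain, gid, members}}   (constructed shapes; None = unset)
    """
    problems, gid_to_group, seen_uids = [], {}, {}
    for name, g in groups.items():                      # groups first: users need them
        if g.get("nis_domain") != nis_domain or g.get("gid") is None:
            problems.append(f"group {name}: UNIX Attributes (NIS domain, GID) not defined")
            continue
        if name in REQUIRED_GIDS and g["gid"] != REQUIRED_GIDS[name]:
            problems.append(f"group {name}: GID must be {REQUIRED_GIDS[name]}, found {g['gid']}")
        gid_to_group[g["gid"]] = name
    for name, u in users.items():
        if u.get("nis_domain") != nis_domain or u.get("uid") is None:
            problems.append(f"user {name}: not in NIS domain {nis_domain} or no UID")
            continue
        if name in REQUIRED_UIDS and u["uid"] != REQUIRED_UIDS[name]:
            problems.append(f"user {name}: UID must be {REQUIRED_UIDS[name]}, found {u['uid']}")
        if u["uid"] in seen_uids:                       # added check, not in the manual
            problems.append(f"user {name}: UID {u['uid']} already used by {seen_uids[u['uid']]}")
        seen_uids[u["uid"]] = name
        if not u.get("home"):
            problems.append(f"user {name}: no UNIX home directory")
        if not u.get("shell"):
            problems.append(f"user {name}: no login shell (default is {DEFAULT_SHELL})")
        group = gid_to_group.get(u.get("primary_gid"))
        if group is None:
            problems.append(f"user {name}: primary GID {u.get('primary_gid')} has no UNIX-enabled group")
        elif name not in groups[group]["members"]:
            problems.append(f"user {name}: not listed under UNIX Attributes > Members of {group}")
    return problems


# Constructed sample: one group without UNIX Attributes, one user whose primary
# group is that group, one user missing from the Members list of Domain Users.
NIS_DOMAIN = "iporatal2003"
GROUPS = {
    "Domain Admins": {"nis_domain": NIS_DOMAIN, "gid": 512, "members": ["administrator"]},
    "Domain Users": {"nis_domain": NIS_DOMAIN, "gid": 513, "members": ["alice"]},
    "sales": {"nis_domain": None, "gid": None, "members": ["bob"]},
}
USERS = {
    "administrator": {"nis_domain": NIS_DOMAIN, "uid": 10000, "shell": "/bin/sh", "home": "/home/administrator", "primary_gid": 512},
    "alice": {"nis_domain": NIS_DOMAIN, "uid": 100001, "shell": "/bin/sh", "home": "/home/alice", "primary_gid": 513},
    "bob": {"nis_domain": NIS_DOMAIN, "uid": 100002, "shell": "/bin/sh", "home": "/home/bob", "primary_gid": 514},
    "carol": {"nis_domain": NIS_DOMAIN, "uid": 100003, "shell": "/bin/sh", "home": "/home/carol", "primary_gid": 513},
}


def sample_problems():
    return check_unix_attributes(NIS_DOMAIN, USERS, GROUPS)


if __name__ == "__main__":
    print("\n".join(sample_problems()))
```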

Chapter 2 IPBrick configuration

2.1 AD Data

An easy way to find the necessary Base DNs is to use the ADSI Edit tool referred to in Section 1.4. After connecting to the server (see Section 1.4), a window like Figure 2.1 appears and the domain in use is visible (dc=iporatal2003,dc=local).

Figure 2.1: ADSI Edit - Domain

In Figure 2.2 the users' Base DN is visible. In this case it is the user administrador. The Base DN for that user is cn=administrador,cn=users,dc=iporatal2003,dc=local and the users' Base DN is cn=users,dc=iporatal2003,dc=local. For groups (Figure 2.3), the Base DN is cn=builtin,dc=iporatal2003,dc=local.

Figure 2.2: ADSI Edit - Users

Figure 2.3: ADSI Edit - Groups

2.2 IPBrick Configuration

In IPBrick the configuration must agree with the AD. It is done in the following menu:

Advanced Configurations - IPBrick - Authentication

Change the authentication type to AD Domain Member (IPBrick Master). In the Figure 2.4 example, the join is made to an AD with the following settings:
- Services for Unix Version: v3.5 (used for Windows 2003 R1; you must choose v4.0 if you use Windows 2003 R2)
- AD Server IP Address: 192.168.69.28
- NetBIOS Domain: iporatal2003
- Realm: iporatal2003.local
- Domain Administrator: administrador
- Password: (the administrator's password; not shown)
- Base DN: dc=iporatal2003,dc=local
- Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local
- Users search base DN: cn=users,dc=iporatal2003,dc=local
- Groups search base DN: ou=builtin,dc=iporatal2003,dc=local

An easy way to list all the users and groups is to set the Users and Groups search base DN to the Base DN, in this example dc=iporatal2003,dc=local.

Attention: this data must match the AD configuration. The data shown here is just an example. Contact the AD administrator to obtain the correct Base DNs, or obtain them yourself using ADSI Edit.

Attention: IPBrick must always resolve names through the Windows 2003 AD, because it is usually the company's internal DNS server. So in Advanced Configurations - Support Services - DNS - Name Resolution, the first entry must be the Windows IP and the second line can be the IPBrick itself (127.0.0.1). If needed you can reorder the addresses.

Figure 2.4: IPBrick as AD member