

LDAP Server Administration with GOsa

LDAP Customization with GOsa

Now it's time to show how to use GOsa to administer an LDAP database. Many modern MTAs know how to work with LDAP. Let's take Postfix as an example. To enable your Postfix virtual domains to use LDAP, modify your to add the following:

virtualsource_server_host =
virtualsource_server_port = 389
virtualsource_bind = no
virtualsource_timeout = 5
virtualsource_search_base = dc=gonicus,dc=de
virtualsource_query_filter = (&(|(mail=%s)(gosaMailAlternateAddress=%s)))
virtualsource_result_attribute = uid,gosaMailForwardingAddress
virtualsource_lookup_wildcards = no
virtual_maps = ldap:virtualsource
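As an added example (not from the article or the GOsa project), the following Python models the virtualsource lookup above against a few constructed entries: it substitutes the recipient address into the query filter with RFC 4515 escaping, evaluates the and/or filter, and returns the configured result attributes. The entries and addresses are constructed, not real data.

```python
import re

# Constructed sample entries (not real data) carrying the GOsa attributes the
# virtualsource lookup queries (mail, gosaMailAlternateAddress) and returns.
DIRECTORY = [
    {"uid": ["white"], "mail": ["white@gonicus.de"],
     "gosaMailAlternateAddress": ["alex@gonicus.de"], "gosaMailForwardingAddress": []},
    {"uid": ["info"], "mail": ["info@gonicus.de"], "gosaMailAlternateAddress": [],
     "gosaMailForwardingAddress": ["white@gonicus.de"]},
]
QUERY_FILTER = "(&(|(mail=%s)(gosaMailAlternateAddress=%s)))"
RESULT_ATTRS = ["uid", "gosaMailForwardingAddress"]

def escape_value(key):
    """RFC 4515 escaping: a lookup key must never add or close filter terms."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in key)

def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template, key):
    """The filter the MTA sends: each %s replaced by the escaped address."""
    return template.replace("%s", escape_value(key))

def parse_filter(s, i=0):
    """Minimal parser for (&...), (|...) and (attr=value); returns (node, pos)."""
    if s[i + 1] in "&|":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)                 # an escaped value contains no ')'
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", attr, unescape_value(value)), j + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def lookup(address):
    """Resolve one recipient the way the virtual_maps lookup would."""
    tree, _ = parse_filter(build_filter(QUERY_FILTER, address))
    return [{a: e[a] for a in RESULT_ATTRS if e.get(a)}
            for e in DIRECTORY if matches(tree, e)]
```

Because the key is escaped before substitution, an address containing `*`, `(` or `)` is matched literally and cannot widen the query; this is the same reason the lookup_wildcards setting above is left at no.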

To make Samba use the LDAP server as data storage, edit your smb.conf configuration file in the [global] section to resemble:

passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=gonicus,dc=de
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=ldapadmin,dc=gonicus,dc=de
ldap ssl = no

Both examples use an example domain, written as dc=gonicus,dc=de. Change this to match your own setup.

The GOsa distribution includes schema files for the OpenLDAP server in gosa-2.1.3/contrib/openldap/*.schema, one for each supported service. There's also a sample configuration file for the server at gosa-2.1.3/contrib/openldap/slapd.conf, which you may want to refer to while writing your own configuration.

At the time of writing, GOsa also has OpenLDAP schemas for the DHCP and DNS services and for Samba and PureFTP. Besides that, GOsa supports the whole range of go products, such as goServer, which includes support for NFS, NTP, LDAP, Syslog, Cups, IMAP, and other protocols. Most of this accounting information lives in the general GOSA schema at gosa-2.1.3/contrib/openldap/gosa.schema.

I'd prefer not to detail configuring your software for LDAP; there are many articles written on this topic. O'Reilly's LDAP System Administration, by Gerald Carter, explains how to interconnect your software with LDAP data storage. Craig Hunt's recent Cooking with sendmail shows how to add LDAP support to an existing sendmail configuration.

To use GOsa schemas for OpenLDAP, modify slapd.conf to add includes of the schemas:

include /usr/local/etc/ldap/schema/samba.schema
include /usr/local/etc/ldap/schema/pureftpd.schema
include /usr/local/etc/ldap/schema/gosa.schema

Remember to configure the suffix of your LDAP configuration. By default it is dc=gonicus,dc=de:

suffix "dc=gonicus,dc=de"

Then set the rootdn and rootpw for the system:

rootdn "cn=ldapadmin,dc=gonicus,dc=de"
rootpw {crypt}OuorOLd3VqvC2

The default is ldapadmin with the password tester. Do not leave these defaults in place in your configuration, lest someone unwanted gain access to your LDAP server.
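As an added example (not from the article or the GOsa distribution), this Python builds and verifies a hashed rootpw value in the {SSHA} format that slapd accepts, and checks whether a stored value still verifies the sample password tester. The passwords used are constructed.

```python
import base64
import hashlib
import hmac
import os

# {SSHA} (salted SHA-1) is one of the password schemes slapd accepts for
# rootpw and userPassword. Newer slapd builds can also load the pw-sha2
# module for {SSHA256}/{SSHA512}; the layout below is the same.
SCHEME = "{SSHA}"

def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]        # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_line(password):
    """The slapd.conf line to use instead of the distribution default."""
    return "rootpw " + ssha_hash(password)

def still_default(stored):
    """True if the stored rootpw still verifies the sample password 'tester'."""
    return ssha_verify("tester", stored)
```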

The sample OpenLDAP configuration file (gosa-2.1.3/contrib/openldap/slapd.conf) from the GOsa distribution contains access control rules that restrict write access for unauthorized users. They are not necessary for the sample setup, but you should definitely configure them on production servers.

To prepare a basic LDAP setup, refer to the LDIF file included at gosa-2.1.3/contrib/demo.ldif. It creates the basic structure of the LDAP database.

Unfortunately, GOsa has not yet finished LDAP server support, so you'll need to use an LDAP client to create or modify the LDAP database structure. I prefer phpLDAPadmin and web2ldap. Both of them are available in the FreeBSD Ports, and they provide hierarchical tree viewers and advanced search functionality, letting you intuitively browse and administer your LDAP directory.

After you've configured your LDAP server, you're ready to configure your services. As I mentioned above, there are a lot of different materials devoted to integrating authentication and authorization schemas with LDAP servers, so I won't cover them here. Most of the supported software has internal support for LDAP, except for the regular Unix (POSIX and shadow) accounts.

To enable LDAP queries for your regular Unix accounts, you need to start from PAM. First you need to install LDAP support for PAM. It's possible through pam_ldap, available from FreeBSD Ports at /usr/ports/security/pam_ldap. The pam_ldap module looks for the ldap.conf configuration file, normally found in /etc or /usr/local/etc. The configuration file is pretty simple:

BASE dc=gonicus,dc=de
HOST localhost

BASE is the search base in the LDAP tree and HOST is an IP address or FQDN of the LDAP server.

Next, configure the PAM configuration file, normally found at /etc/pam.conf:

login auth sufficient
login auth sufficient
login auth requisite
login auth  required  try_first_pass
login account required
login password required
login session required

Here's a sample LDAP record (in LDIF) for a user named white:

dn: uid=white,ou=Users,dc=gonicus,dc=de
uid: white
cn: Alexander E. Prohorenko
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: uidObject
loginShell: /usr/local/bin/bash
uidNumber: 1001
gidNumber: 20
homeDirectory: /home/white
gecos: Alexander Prohorenko,,,,

With LDAP support configured in your software and GOsa configuration files added to the LDAP server, you are ready to use GOsa.

Figure 4 shows a regular user administration procedure: browsing the accounts.

Figure 4. Browsing accounts.

Figure 5 shows the modification of an account.

Figure 5. Modifying an account.

As you can see, the process looks pretty easy. It doesn't require any filesystem synchronization or updates. The system processes the changes as soon as you click on OK.

The developers of GOsa also run a demonstration mode on a preinstalled server, so anyone can try out the system. Point your browser to and use demo and gosa to log in. You can register a personal account with full write access to the data placed in "Department of Your_Login". You can also create subdepartments, users, groups, and so on to test the system.

Security Concerns

At the time of writing, GOsa (version 2.1.3, described in this article) didn't appear in any security bulletins. For safety's sake, I recommend protecting the directory containing GOsa scripts from the outside world. If you look at the Debian package, though, the GOsa directory used for the webroot is /usr/share/gosa/html, so that web users cannot see anything outside of the html directory. The upcoming GOsa 2.3 release uses PHP's secure mode for additional testing.

The first release did have an arbitrary PHP code injection flaw reported on Bugtraq. The second version has been more secure and stable, though.

GOsa appears to be a nice tool for managing different services and system accounts on multiple servers. If you're already running (or planning to run) an LDAP-configured network, GOsa will save you a lot of time and increase your productivity.

Alexander Prohorenko is a certified professional, who holds Sun Certified System Administrator and Sun Certified Java Programmer certifications.
