OpenLDAP Directory Administration: Standard Unix Services and LDAP

Upload: cybill, 12-Jan-2016

DESCRIPTION

Slide deck (42 pages) on using an OpenLDAP directory with standard Unix services: the directory namespace, an FTP/HTTP combination (ProFTPD and Apache), user authentication with Samba, FreeRadius, resolving hosts (BIND9 with an LDAP back end), and central printer management.

TRANSCRIPT

Page 1: OpenLDAP Directory Administration Standard Unix Services and LDAP

OpenLDAP Directory Administration
Standard Unix Services and LDAP

Page 2: Table of Contents

● The Directory Namespace
● An FTP/HTTP Combination
● User Authentication with Samba
● FreeRadius
● Resolving Hosts
● Central Printer Management


Page 4: The Directory Namespace

● This chapter explores how standard Unix services can make use of our directory
● We continue with the namespace developed in chapters 6 and 7
● We will eventually need to modify it

Namespace (figure):

dc=plainjoe,dc=org
    ou=group      administrative groups and posixGroups
    ou=people     user accounts
    ou=services   application data


Page 6: An FTP/HTTP Combination

● ProFTPD (http://www.proftpd.org/) + LDAP
● Apache (http://www.apache.org/) + LDAP
● Assume that the FTP and web platforms cannot make use of PAM or NSS, so each service talks to the directory itself
● Scenario (figure): the LDAP directory on ldap.plainjoe.org holds home directory and account information; users upload files to ~/public_html over FTP, and www.plainjoe.org serves them as http://www.plainjoe.org/~user

Page 7: An FTP/HTTP Combination (cont.)

ProFTPD

– Comes with a mod_ldap module (not the same as Apache's)
– Compilation flag:

    --with-modules=mod_ldap

– Listing built-in modules:

    $ proftpd -l
    Compiled-in modules:
      mod_core.c
      mod_xfer.c
      mod_auth_unix.c
      ...
      mod_ldap.c
      ...
      mod_log.c
      mod_site.c
      mod_auth_pam.c
      mod_quotatab.c
      mod_ratio.c
      mod_tls.c
      mod_rewrite.c
      mod_radius.c
      mod_ifsession.c
      mod_cap.c

Page 8: An FTP/HTTP Combination (cont.)

ProFTPD (cont.)

– Sample start configuration:

    ServerType      standalone
    DefaultServer   on
    Port            21
    Umask           022
    User            nobody
    Group           nobody
    DefaultRoot     ~/public_html

    # LDAP parameters will go in here

    <Directory /*>
      AllowOverwrite on
    </Directory>

Page 9: An FTP/HTTP Combination (cont.)

ProFTPD (cont.)

– LDAP configuration:

    LDAPDoAuth on "ou=people,dc=plainjoe,dc=org"
    LDAPServer ldap.plainjoe.org

    # By default, anonymous binds are used for the searches.
    # LDAPAuthBinds off: mod_ldap searches (anonymously, or with a simple bind
    #   using LDAPDNInfo as the DN), reads the user's userPassword attribute and
    #   compares it locally. The password must therefore be stored in clear text
    #   or in {crypt} format, and the search identity must be allowed to read it.
    # LDAPAuthBinds on: mod_ldap locates the user's DN, then binds to the
    #   directory a second time as that DN with the password the user entered.
    #   The userPassword attribute is never requested.
    LDAPAuthBinds on

    # How to tell proftpd to resolve UIDs and GIDs when listing files
    LDAPDoGIDLookups on "ou=group,dc=plainjoe,dc=org"
    LDAPDoUIDLookups on "ou=people,dc=plainjoe,dc=org"

    # The default search filters, (&(uidNumber=UNIX uid)(objectclass=posixAccount))
    # and (&(gidNumber=UNIX gid)(objectclass=posixGroup)), can be overridden
    # via an extra parameter to these directives

Page 10: An FTP/HTTP Combination (cont.)

ProFTPD LDAP Parameters

Directive (default): description

LDAPAuthBinds (on): Should the connecting user be authenticated by binding to the directory server using the located DN and the user's password (on), or should the module hash the password locally and compare it with the userPassword attribute obtained from the directory (off)?
LDAPDefaultAuthScheme (crypt): Specifies the hashing scheme for passwords that are not prefixed by a type string ({...}). Possible values are crypt and clear.
LDAPDefaultGID (none): Specifies the default Unix GID to be assigned to the user if the gidNumber attribute is unavailable.
LDAPDefaultUID (none): Specifies the default Unix UID to be assigned to the user if the uidNumber attribute is unavailable.
LDAPDNInfo ("" ""): Defines the DN and password to use when binding to the directory server for searches.
LDAPDoAuth (off): Should mod_ldap be enabled for authentication?
LDAPDoGIDLookups (off): Should mod_ldap attempt to resolve GID numbers to names by querying the directory for matching posixGroup entries?
LDAPDoUIDLookups (off): Should mod_ldap attempt to resolve UID numbers to names by querying the directory for matching posixAccount entries?
LDAPForceDefaultGID (off): Forces the GID of all connected users to LDAPDefaultGID, even if a gidNumber attribute can be obtained.
LDAPForceDefaultUID (off): Forces the UID of all connected users to LDAPDefaultUID, even if a uidNumber attribute can be obtained.

Page 11: An FTP/HTTP Combination (cont.)

ProFTPD LDAP Parameters (cont.)

Directive (default): description

LDAPHomedirOnDemandSuffix (""): Specifies additional subdirectories to be created in the event that LDAPHomedirOnDemand has been enabled. Multiple directories can be included in a whitespace-delimited list.
LDAPNegativeCache (off): Instructs mod_ldap to cache negative responses to UID/GID resolution attempts.
LDAPQueryTimeout (LDAP client library default): Specifies the maximum amount of time, in seconds, to wait for a search to complete.
LDAPSearchScope (subtree): Defines the LDAP search scope as onelevel or subtree.
LDAPServer (localhost): Specifies the hostname of the directory server. An alternative to port 389 can be given using the syntax server:port. Multiple servers can be specified; separate the hostnames by spaces.
LDAPUseTLS (off): Available only if mod_ldap.c has been modified to define USE_LDAPV3_TLS. If enabled, mod_ldap uses the StartTLS extended operation when contacting the LDAP server. If the directory does not support TLS, mod_ldap downgrades to an unencrypted channel and merely reports the failure to the proftpd server. Credentials (the user's bind password with LDAPAuthBinds on, or the userPassword values read with it off) then cross the network unencrypted, so the directory side must actually offer StartTLS.
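The two LDAPAuthBinds modes in working code, as an added example that is not part of the slides or of ProFTPD. A constructed in-memory directory (DNs from the slides' namespace, hashes generated on the spot) is queried either by binding as the user (LDAPAuthBinds on) or by reading userPassword and comparing locally (LDAPAuthBinds off). The ACL "access to attrs=userPassword by self write by * auth" from the Samba part of this deck is modelled in read_attr, which is what makes the local-compare mode fail even with the right password. The {SSHA}/{SHA} handling is this example's own; the slide says the old mod_ldap understood only crypt and clear.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Local compare of a candidate against a stored userPassword value.

    Handles {SSHA}, {SHA} and scheme-less clear text. Any other scheme, {CRYPT}
    included, is rejected rather than guessed at: a client can only compare
    locally for the schemes it implements (the slides' mod_ldap knew crypt and clear).
    """
    pw = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), digest)
    if stored.startswith("{"):
        return False                                  # unsupported scheme: fail closed
    return hmac.compare_digest(stored.encode("utf-8"), pw)


class Directory:
    """Stand-in for slapd: entries keyed by DN, plus the ACL
    'access to attrs=userPassword by self write by * auth' from the ACL slide."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server does the compare; the client never sees the stored value."""
        entry = self.entries.get(dn)
        return entry is not None and verify_userpassword(entry["userPassword"], password)

    def read_attr(self, binder_dn: Optional[str], dn: str, attr: str) -> Optional[str]:
        """'by self write, by * auth': only the entry itself may read userPassword."""
        if attr == "userPassword" and binder_dn != dn:
            return None
        return self.entries.get(dn, {}).get(attr)

    def find_dn(self, uid: str) -> Optional[str]:
        """The search step both modes share: locate the DN for a uid."""
        for dn, entry in self.entries.items():
            if entry.get("uid") == uid:
                return dn
        return None


def authenticate(directory: Directory, uid: str, password: str, auth_binds: bool,
                 service_dn: Optional[str] = None) -> bool:
    """auth_binds=True  -> LDAPAuthBinds on:  bind to the directory as the user's DN.
    auth_binds=False -> LDAPAuthBinds off: read userPassword as the service identity
    (service_dn, or None for an anonymous search) and compare it locally."""
    user_dn = directory.find_dn(uid)
    if user_dn is None:
        return False
    if auth_binds:
        return directory.bind(user_dn, password)
    stored = directory.read_attr(service_dn, user_dn, "userPassword")
    if stored is None:
        return False      # the ACL denied the read, so a local compare is impossible
    return verify_userpassword(stored, password)


# Constructed sample directory: DNs follow the slides' namespace, hashes are generated here.
PEOPLE = Directory({
    "uid=kristi,ou=people,dc=plainjoe,dc=org": {
        "uid": "kristi", "userPassword": make_ssha("testpass", salt=b"\x01\x02\x03\x04")},
    "uid=joe,ou=people,dc=plainjoe,dc=org": {
        "uid": "joe", "userPassword": "joes-clear-text-secret"},   # no scheme prefix
})
```

With auth_binds=False the call fails for kristi even though the password is right, because the anonymous search identity is only granted auth on userPassword. That is the practical reason the slides turn LDAPAuthBinds on, and it is also why the service never has to understand hash formats: the server does the compare.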

Page 12: An FTP/HTTP Combination (cont.)

Apache

– There is more than one LDAP module for Apache
– We will use mod_ldap_userdir here
  ● Searches the LDAP directory for a posixAccount entry with a matching uid value
– Building the module is not covered here
– Configuration:

    LoadModule ldap_userdir_module /usr/lib/apache/mod_ldap_userdir.so

    <IfModule mod_ldap_userdir.c>
      LDAPUserDirServer      ldap.plainjoe.org
      LDAPUserDirSearchScope subtree
      LDAPUserDirBaseDN      ou=people,dc=plainjoe,dc=org
      LDAPUserDir            public_html
    </IfModule>

Page 13: An FTP/HTTP Combination (cont.)

Apache (cont.)

Directives for mod_ldap_userdir

Directive (default): description

LDAPUserDir (public_html): The expected name of the subdirectory.
LDAPUserDirServer (none): The hostname of the LDAP directory server.
LDAPUserDirDNInfo (none): The DN and password to be used to bind to the directory. The password is given in clear text in the Apache configuration, so that file must not be readable by ordinary users.
LDAPUserDirBaseDN (""): The base search suffix to use when searching the directory.
LDAPUserDirFilter (()): The RFC 2254-compliant LDAP search filter to use when querying the directory.
LDAPUserDirSearchScope (subtree): The scope of the LDAP search; can be onelevel or subtree.
LDAPUserDirUseTLS (off): Whether to use the StartTLS extended operation (on) or an unencrypted connection (off) when searching the directory.


Page 15: User Authentication with Samba

● http://www.samba.org/
● Implements the server portion of the SMB/CIFS protocol (Server Message Block / Common Internet File System)
● Full Samba coverage is not in the scope of this course
● To support the challenge/response authentication methods used by MS Windows clients, Samba requires a list of hashed passwords separate from the passwords in /etc/shadow, the smbpasswd file:

    username:uid:LM_HASH:NT_HASH:account_flags:timestamp

● Disadvantages of smbpasswd for large sites:
  – Lookups are performed sequentially
  – A single smbpasswd file replicated to multiple servers is a clumsy solution (e.g. uids/gids must be identical everywhere)
  – The format of the smbpasswd file limits the number of attributes (e.g. there is no field for the location of a user's roaming profile)

Page 16: User Authentication with Samba (cont.)

Configuring Samba

– Covered here: Samba 2.2.7a (LDAP support must be enabled at compile time: --with-ldapsam)
– Samba 3 LDAP support is different (and more powerful)
– Users are stored as sambaAccount objects in the LDAP directory
– smb.conf file (partial):

    [global]
        netbios name = TASHTEGO
        workgroup = PEQUOD
        security = user
        encrypt passwords = yes
        ldap admin dn = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
        ldap server = ldap.plainjoe.org
        ldap ssl = start_tls
        ldap port = 389
        ldap suffix = "ou=people,dc=plainjoe,dc=org"
        ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
        ...

Page 17: User Authentication with Samba (cont.)

smb.conf LDAP Parameters

– Make sure the NTLM hashes are not retrievable by an anonymous user: the NT hash is all a client needs to complete NTLM challenge/response, so being able to read ntPassword is equivalent to knowing the password
– The password for the LDAP bind is not stored in smb.conf but in the secrets.tdb file:

    # smbpasswd -w secret
    Setting stored password for "cn=smbadmin,ou=people,dc=plainjoe,dc=org" in secrets.tdb

Directive (default): description

ldap admin dn (""): The DN used by smbd when connecting to the LDAP server. This DN should be able to read all attribute values for sambaAccount entries, including lmPassword and ntPassword.
ldap filter ((&(uid=%u)(objectclass=sambaAccount))): The RFC 2254-compliant search filter to use when locating a user's Samba account information.
ldap port (636): The TCP port to use when contacting the LDAP server.
ldap server (localhost): The FQDN of the directory server.
ldap ssl (on): Specifies how smbd connects to the LDAP server. Possible values are off (do not use encryption), on (use LDAPS), or start_tls (use the StartTLS extended operation).
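What the ntPassword attribute actually protects, as an added example (not from the slides and not Samba code): the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt, and in NTLM challenge/response the client proves possession of that hash, never of the password itself. MD4 is written out in full because OpenSSL-based hashlib builds commonly refuse md4; the test vectors are the RFC 1320 ones and the widely published NT hash of "password". Nothing below talks to a directory.

```python
import struct
from typing import List

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x: List[int] = list(struct.unpack("<16I", msg[off:off + 64]))
        v = state[:]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # Step i rewrites register (-i mod 4); the other three follow it in ring order,
                # which reproduces the [ABCD], [DABC], [CDAB], [BCDA] pattern of the RFC.
                idx = (-i) % 4
                a, b, c, d = (v[(idx + j) % 4] for j in range(4))
                v[idx] = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """ntPassword as Samba stores it: uppercase hex of MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ntlm_verify(stored_nt_hash: str, candidate: str) -> bool:
    """The server-side check. A stolen hash works equally well from the client side,
    because NTLM only ever needs the hash (pass-the-hash); that is why the ACL on a
    later slide grants ntPassword to smbadmin alone and 'by * none' to everyone else."""
    return stored_nt_hash.upper() == nt_hash(candidate)
```

Because the hash is unsalted, two accounts with the same password have identical ntPassword values, and a leaked value can be compared against precomputed tables; the directory ACL is the only thing standing between a read and a usable credential.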

Page 18: User Authentication with Samba (cont.)

Configuring OpenLDAP

– The LDAP server must support the appropriate schema
– sambaAccount schema: samba.schema
– slapd.conf:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/samba.schema

Page 19: User Authentication with Samba (cont.)

sambaAccount Object Class

objectClass: sambaAccount

Required attributes:
  uid, rid

Optional attributes:
  cn, lmPassword, ntPassword, pwdLastSet, logonTime, logoffTime, kickoffTime, userWorkstations, primaryGroupID, domain, pwdCanChange, pwdMustChange, acctFlags, displayName, smbHome, homeDrive, scriptPath, profilePath, description

Page 20: User Authentication with Samba (cont.)

Access Control Rules

– New access rules to prevent normal users from retrieving LanMan/NT password hashes
– slapd uses the first "access to" clause whose target matches, so the attribute rules must stay ahead of the broad ou=people subtree rule; placed after it, that rule's "by * read" would expose the hashes

    # Previous ACLs
    access to attrs=userPassword
        by self write
        by * auth

    # Don't let users snoop Windows passwords
    access to attrs=lmPassword,ntPassword
        by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
        by * none

    # Allow smbadmin to add new entries and modify existing ones
    access to dn.subtree="ou=people,dc=plainjoe,dc=org"
        by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
        by * read

    # Previous ACLs
    access to dn.subtree="ou=group,dc=plainjoe,dc=org"
        by * read
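How slapd picks a rule from this list, as an added example (not from the slides and not slapd's own code). The evaluator below implements the part of the ACL semantics the slide depends on: the first "access to" clause whose target matches the requested entry and attribute is the only one consulted, inside it the first matching "by" clause decides the access level, and nothing matching means denial. The rule set is transcribed from the slide; uid=kristi is the test user from a later slide; MISORDERED_ACLS is the same four rules with the ou=people subtree rule moved first, to show what that ordering mistake does.

```python
from typing import List, Optional, Set, Tuple

# slapd's access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


class AccessRule:
    """One 'access to <target> by <who> <level> ...' directive."""

    def __init__(self, by: List[Tuple[str, str]], attrs: Optional[Set[str]] = None,
                 dn_subtree: Optional[str] = None):
        self.attrs = {a.lower() for a in attrs} if attrs is not None else None  # None: all attributes
        self.dn_subtree = dn_subtree.lower() if dn_subtree is not None else None  # None: all entries
        self.by = by                                                            # ordered (who, level)

    def matches(self, entry_dn: str, attr: str) -> bool:
        if self.attrs is not None and attr.lower() not in self.attrs:
            return False
        if self.dn_subtree is not None:
            e = entry_dn.lower()
            if e != self.dn_subtree and not e.endswith("," + self.dn_subtree):
                return False
        return True

    def level_for(self, requester: Optional[str], entry_dn: str) -> str:
        """First matching 'by' clause wins; requester None means an anonymous bind."""
        for who, level in self.by:
            if who == "*":
                return level
            if who == "anonymous" and requester is None:
                return level
            if who == "users" and requester is not None:
                return level
            if who == "self" and requester is not None and requester.lower() == entry_dn.lower():
                return level
            if who.startswith("dn=") and requester is not None and who[3:].lower() == requester.lower():
                return level
        return "none"          # no 'by' clause matched: slapd denies and stops


def granted_level(rules: List[AccessRule], requester: Optional[str], entry_dn: str, attr: str) -> str:
    for rule in rules:
        if rule.matches(entry_dn, attr):
            return rule.level_for(requester, entry_dn)   # first matching target decides
    return "none"


def allowed(rules: List[AccessRule], requester: Optional[str], entry_dn: str, attr: str, wanted: str) -> bool:
    return LEVELS.index(granted_level(rules, requester, entry_dn, attr)) >= LEVELS.index(wanted)


SMBADMIN = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
KRISTI = "uid=kristi,ou=people,dc=plainjoe,dc=org"

SLIDE_ACLS = [
    AccessRule(attrs={"userPassword"}, by=[("self", "write"), ("*", "auth")]),
    AccessRule(attrs={"lmPassword", "ntPassword"}, by=[("dn=" + SMBADMIN, "write"), ("*", "none")]),
    AccessRule(dn_subtree="ou=people,dc=plainjoe,dc=org", by=[("dn=" + SMBADMIN, "write"), ("*", "read")]),
    AccessRule(dn_subtree="ou=group,dc=plainjoe,dc=org", by=[("*", "read")]),
]

# Same clauses, broad subtree rule first: the attribute rules are never reached for ou=people.
MISORDERED_ACLS = [SLIDE_ACLS[2], SLIDE_ACLS[0], SLIDE_ACLS[1], SLIDE_ACLS[3]]
```

Run the same question, "may an anonymous client read ntPassword on kristi's entry?", against both lists: the slide's order yields none, the misordered list yields read. Note also that with the slide's order not even kristi can read her own ntPassword, because the attribute rule has no "by self" clause, while her userPassword stays self-writable.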

Page 21: User Authentication with Samba (cont.)

The smbadmin Account

– Since Samba will bind to LDAP using this account, the account must possess a userPassword attribute. However, it does not need a Unix UID, so we can use the person structural object class
– Corresponding LDIF:

    dn: cn=smbadmin,ou=people,dc=plainjoe,dc=org
    objectClass: person
    cn: smbadmin
    sn: smbadmin
    userPassword: {SSHA}xDG3/Cfj7ATgJ9yP0exS2lGD+infJqCj

objectClass: person

Required attributes:
  cn, sn

Optional attributes:
  userPassword, telephoneNumber, seeAlso, description

Page 22: User Authentication with Samba (cont.)

Adding and Using a sambaAccount

– Add user:

    # smbpasswd -a kristi -s testpass
    LDAP search "(&(uid=kristi)(objectclass=sambaAccount))" returned 0 entries.
    Added user kristi

– List user:

    dn: uid=kristi,ou=people,dc=plainjoe,dc=org
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: sambaAccount
    ...
    uid: kristi
    pwdLastSet: 1040186720
    logonTime: 0
    logoffTime: 2147483647
    kickoffTime: 2147483647
    pwdCanChange: 0
    pwdMustChange: 2147483647
    rid: 2570
    primaryGroupID: 1201
    lmPassword: ...
    ntPassword: ...
    acctFlags: [UX ]


Page 24: FreeRadius

● Not discussed in this course


Page 26: Resolving Hosts

● The most widespread mechanism for hostname resolution is DNS (the Domain Name System)
● LDAP is not really a replacement for a specialized directory service such as DNS
● LDAP can, however, be used as the back-end storage system for zone files
● A patch for BIND9 exists: http://www.vernaas.no/ldap/bind-sdb/

Page 27: Resolving Hosts (cont.)

Overview (figure): a name query for the DNS zone plainjoe.org reaches BIND9, which answers it by performing an LDAP search against the directory

dc=plainjoe,dc=org
    ou=services
    ou=group
    ou=people
    ou=hosts       DNS zone (plainjoe.org)

Page 28: Resolving Hosts (cont.)

How to Get It to Work?

– Copy ldapdb.c into the bin/named directory of the BIND source tree
– Copy ldapdb.h into the bin/named/include directory of the BIND source tree
– Edit bin/named/Makefile.in and add:

    DDRIVER_OBJS = ldapdb.@O@
    DDRIVER_SRCS = ldapdb.c
    DDRIVER_LIBS = -lldap -llber

– You may need to add the path to the LDAP include files and libraries to DDRIVER_INCLUDES and DDRIVER_LIBS
– Edit bin/named/main.c and add the ldapdb lines next to the existing xxdb ones:

    #include <xxdb.h>
    #include <ldapdb.h>
    ...
    xxdb_init();
    ldapdb_init();
    ...
    xxdb_clear();
    ldapdb_clear();

Page 29: Resolving Hosts (cont.)

How to Get It to Work? (cont.)

– Given the following zone file:

    plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
            3       ; serial
            10800   ; Refresh after 3 hours
            3600    ; Retry after 1 hour
            604800  ; Expire after 1 week
            86400 ) ; Minimum TTL of 1 day

    ; Name servers
    plainjoe.org.           IN NS dns1.plainjoe.org.

    ; Addresses for local hosts
    localhost.plainjoe.org. IN A 127.0.0.1
    dns1.plainjoe.org.      IN A 192.168.1.10
    ldap.plainjoe.org.      IN A 192.168.1.70
    ahab.plainjoe.org.      IN A 192.168.1.80

Page 30: Resolving Hosts (cont.)

How to Get It to Work? (cont.)

– There is a structural dNSZone object class that allows you to store DNS records in the directory

objectClass: dNSZone

Required attributes:
  zoneName, relativeDomainName

Optional attributes:
  dNSTTL, dNSClass, aRecord, mDRecord, pTRRecord, mXRecord, nSRecord, sOARecord, cNAMERecord, nAPTRRecord, kXRecord, dNAMERecord, hInfoRecord, mInfoRecord, tXTRecord, sIGRecord, kEYRecord, aAAARecord, lOCRecord, nXTRecord, sRVRecord, cERTRecord, a6Record

Page 31: Resolving Hosts (cont.)

How to Get It to Work? (cont.)

– LDIF entry for the A record of host ahab.plainjoe.org:

    dn: relativeDomainName=ahab,ou=hosts,dc=plainjoe,dc=org
    objectClass: dNSZone
    zoneName: plainjoe.org
    relativeDomainName: ahab
    dNSTTL: 86400
    aRecord: 192.168.1.80

– Next step is to tell the named service about the LDAP database (the trailing number is the default TTL for entries without dNSTTL):

    zone "plainjoe.org" in {
        type master;
        database "ldap ldap://192.168.1.70/ou=hosts,dc=plainjoe,dc=org 172800";
    };

– Note: a zone2ldap tool is included in the BIND distribution (or available from Venaas' web site)


Page 33: Central Printer Management

● Network printers are devices that are associated with entries in DNS and that also possess attributes used to support a non-DNS application
● Next step: design a directory-based solution for managing printing configuration information:
  – Adding printers
  – Deploying printers
  – Retiring printers
● See the namespace on the next slide

Page 34: Central Printer Management (cont.)

LDAP Namespace for Directory-based Storage of Printer Configuration Data (figure)

dc=plainjoe,dc=org
    ou=people
    ou=group
    ou=services
    ou=hosts               host DNS configuration
    ou=printers
        ou=config          printer configuration data
        ou=global          common printers
        ou=location        printer groups
            ou=floor-1

Page 35: Central Printer Management (cont.)

The Namespace

– The config OU sits at the root of the actual configuration tree
  ● Each printer has an entry (name, maximum print job size, ...)
  ● It also contains DNS information
  ● The ou=config,ou=printers,dc=plainjoe,dc=org entry acts as the base suffix for the lp.plainjoe.org DNS zone used by BIND9
– If an administrator removes a printer's entry, it is immediately removed from DNS as well
– Printers listed below the ou=global entry should be available to all clients on the network
– The ou=location tree has a similar function to the global tree
  ● Holder for another group of organizational units
  ● Each OU represents a group of printers
– Big difficulty: deciding on an acceptable schema for representing printer capabilities and data

Page 36: Central Printer Management (cont.)

The Namespace (cont.)

– There is currently no standardized printer schema
– Closest: draft-fleming-ldap-printer-schema-XX.txt
– See also "Network Printing" from O'Reilly
– Some additional object classes and attributes are needed to generate printcap entries for LPD and LPRng
– Problem: dNSZone and printerService are both structural object classes, so a single entry cannot belong to both
  ● Fortunately, BIND9 LDAP lookups do not use the objectClass
  ● Use the extensibleObject class in place of dNSZone
  ● The other solution would be to define a new auxiliary object class with all the attributes contained in a dNSZone object

Page 37: Central Printer Management (cont.)

Object Classes for Printing

objectClass: printerAbstract
  optional: printer-name, printer-natural-language-configured, printer-location, printer-info, printer-more-info, printer-make-and-model, printer-multiple-document-jobs-supported, printer-charset-configured, printer-charset-supported, printer-generated-natural-language-supported, printer-document-format-supported, printer-color-supported, printer-compression-supported, printer-pages-per-minute, printer-pages-per-minute-color, printer-finishings-supported, printer-number-up-supported, printer-sides-sup
ported, printer-media-supported, printer-media-local-supported, printer-resolution-supported, printer-print-quality-supported, printer-job-priority-supported, printer-copies-supported, printer-job-k-octets-supported, printer-current-operator, printer-service-person, printer-delivery-orientation-supported, printer-stacking-order-supported, printer-output-features-supported

objectClass: printerService (parent: printerAbstract)
  required: printer-uri
  optional: printer-xri-supported

objectClass: printerLPR
  required: printer-name
  optional: printer-aliases

objectClass: nprintPortPrinterInfo
  attributes: nprintDeviceName, nprintDeviceFlags, nprintFilter

objectClass: nprintNetworkPrinterInfo
  attributes: nprintDNSName, nprintHardwareQueueName, nprintQueuePort

Page 38: Central Printer Management (cont.)

Example Networked Printer Configuration

    dn: printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
    objectClass: printerService
    objectClass: nprintNetworkPrinterInfo
    objectClass: extensibleObject
    printer-uri: lpr://hp2100
    printer-name: hp2100
    printer-job-k-octets-supported: 10000
    nprintHardwareQueueName: raw
    relativeDomainName: hp2100
    zoneName: lp.plainjoe.org
    aRecord: 192.168.1.220

(No nprintDNSName attribute: the DNS name can be determined from the relativeDomainName and zoneName attributes)

Example Non-networked Printer Configuration

    dn: printer-uri=lpr://bjc240,ou=config,ou=printers,dc=plainjoe,dc=org
    objectClass: printerService
    objectClass: printerLPR
    objectClass: nprintPortPrinterInfo
    printer-uri: lpr://bjc240
    printer-name: bjc240
    printer-aliases: canon
    nprintDeviceName: /dev/lp0

Page 39: Central Printer Management (cont.)

More Configuration ...

– Entries below ou=global and ou=location contain only a printer's name, e.g.

    dn: printer-name=hp2100,ou=global,ou=printers,dc=plainjoe,dc=org
    objectClass: printerService
    printer-name: hp2100

    dn: printer-name=bitsink,ou=floor-1,ou=location,ou=printers,dc=plainjoe,dc=org
    objectClass: printerService
    printer-name: bitsink

– The nprintHostPrinter AUXILIARY object class allows the existing entry for a network host to be extended to define membership in a printing group

objectClass: nprintHostPrinter
  optional: nprintPrinterName, nprintLocation

Page 40: Central Printer Management (cont.)

More Configuration ... (cont.)

– Entry for workstation queso.plainjoe.org:

    dn: relativeDomainName=queso,ou=hosts,dc=plainjoe,dc=org
    objectClass: dNSZone
    objectClass: nprintHostPrinter
    zoneName: plainjoe.org
    relativeDomainName: queso
    dNSTTL: 86400
    aRecord: 192.168.1.74
    nprintLocation: floor-1
    nprintPrinterName: draft-printer

– The generate_printcap.pl script builds a host's printcap file from these entries

Page 41: Central Printer Management (cont.)

Printing Information and Entries for queso.plainjoe.org (figure)

ou=hosts
    relativeDomainName=queso
        relativeDomainName: queso
        nprintLocation: floor-1
        nprintPrinterName: draft-printer

ou=printers
    ou=config
        printer-uri: lpr://hp2100
        printer-uri: lpr://bjc240
        printer-uri: lpr://draft-printer
        printer-uri: lpr://bitsink
    ou=global
        printer-name: hp2100
    ou=location
        ou=floor-1
            printer-name: bitsink

Page 42: Central Printer Management (cont.)

Resulting printcap File

    # printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
    # objectClass: nprintNetworkPrinterInfo
    hp2100:\
        :sh:\
        :mx#10000:\
        :lf=/var/spool/lpd/hp2100/lpd-err:\
        :sd=/var/spool/lpd/hp2100:\
        :lp=/dev/null:\
        :rm=hp2100.lp.plainjoe.org:\
        :rp=raw:

    # printer-uri=lpr://bitsink,ou=config,ou=printers,dc=plainjoe,dc=org
    # objectClass: nprintNetworkPrinterInfo
    bitsink:\
        :sh:\
        :mx#0:\
        :lf=/var/spool/lpd/bitsink/lpd-err:\
        :sd=/var/spool/lpd/bitsink:\
        :lp=/dev/null:\
        :rm=bitsink.lp.plainjoe.org:\
        :rp=bitsink:

    # printer-uri=lpr://draft-printer,ou=config,ou=printers,dc=plainjoe,dc=org
    # objectClass: nprintPortPrinterInfo
    draft-printer:\
        :sh:\
        :mx#0:\
        :lf=/var/spool/lpd/draft-printer/lpd-err:\
        :sd=/var/spool/lpd/draft-printer:\
        :lp=/dev/lp0:\
        :if=/opt/printers/filters/hpif.sh: