= README.en
$Id$
== Name
ActiveSambaLdap
== Description
ActiveSambaLdap is a library and a management tool for a Samba + LDAP environment.
ActiveSambaLdap provides an object-oriented API for manipulating the LDAP entries used by Samba. ActiveSambaLdap also provides command-line tools that replace the Perl-based smbldap-tools.
== Author
Kouhei Sutou kou@clear-code.com
== Licence
LGPL 2.1 or later. See license/lgpl-2.1.txt for details.
(Kouhei Sutou has a right to change the license including contributed patches.)
== Dependency libraries
== Install
  % sudo gem install activesambaldap
== Mailing list
http://rubyforge.org/mailman/listinfo/asl-devel/
== Reference manual
http://asl.rubyforge.org/activesambaldap/
== Usage
=== Use with Rails
First, load ActiveSambaLdap gem.
Add the following line into config/environment.rb:
  config.gem "activesambaldap", :lib => "active_samba_ldap"
Next, scaffold the environment of ActiveSambaLdap for Rails.
  % script/generate scaffold_active_samba_ldap
Modify the config/ldap.yml generated by scaffold_active_samba_ldap to suit your environment. See the "Options in configuration file" section for the available options.
==== Populate
First, you need to populate your Samba + LDAP environment. Start Rails (with script/server, for example), open http://localhost:3000/samba, and populate your Samba + LDAP environment by following the "Populate Samba + LDAP environment" link.
Then you can develop your application with the User/Computer/Group classes, much as you would with ActiveRecord.
=== Use from command line
Use the asl-* commands. You don't use the asl-samba-* commands from the command line: they are meant to be invoked from smb.conf.
==== Configuration
First, modify the configuration file to suit your environment. You can see the default configuration file locations by invoking any asl-* command with the --help option, for example asl-populate:
  % asl-populate --help
  ...
      --config=CONFIG              Specify configuration file
                                   Default configuration files:
                                     /etc/activesambaldap/config.yaml
                                     /etc/activesambaldap/bind.yaml
                                     /home/kou/.activesambaldap.conf
                                     /home/kou/.activesambaldap.bind
  ...
Configuration files are read in the listed order, from the first file to the last. Settings in later files override those in earlier files. In the above example, the configuration files are read in the following order:
bind.yaml and *.bind are read after config.yaml and *.conf for a security reason: you should write public settings (host name, port number and so on) into config.yaml and *.conf, and secrets (user name, password and so on) into bind.yaml and *.bind. You should also set suitably restrictive permissions on bind.yaml and *.bind.
==== Format of configuration file
Use YAML format. There are three sections:
  update:
    # configurations for updating LDAP entries
    ...
  reference:
    # configurations for referring to LDAP entries
    ...
  common:
    # configurations shared by updating and referring
    ...
For example:
  common:
    sid: S-1-5-21-915876905-2926214379-2876160357
    base: dc=samba,dc=local,dc=net
    host: localhost
    method: :tls
  update:
    bind_dn: cn=admin,dc=local,dc=net
    password: admin
  reference:
    allow_anonymous: true
It's best to put the 'password' setting into bind.yaml or *.bind.
You must configure 'base', and you should configure 'sid'. You can find your SID with the following command:
  % sudo net getlocalsid
If sid isn't configured, 'net getlocalsid' is invoked every time, which is inefficient.
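The following is an added example, not ActiveSambaLdap's own loader: a small Ruby script that reads configuration files in the documented order, lets later files override earlier ones, and enforces the split described above. It treats any file named bind.yaml or ending in .bind as a bind file, refuses a bind file that group or others can read, and warns when a secret key (bind_dn or password) shows up in a non-bind file. The two-file layout it builds in a temporary directory is constructed for the example; the function names are hypothetical.

```ruby
require "yaml"
require "tmpdir"

# Added example (not ActiveSambaLdap's own code): layered config loading with
# the security checks the README recommends for bind.yaml / *.bind files.

SECTIONS    = %w[common update reference].freeze
SECRET_KEYS = %w[bind_dn password].freeze

# bind.yaml and *.bind are the files that may hold credentials.
def bind_file?(path)
  name = File.basename(path)
  name == "bind.yaml" || name.end_with?(".bind")
end

# Recursively merge two config hashes; values from +over+ win.
def deep_merge(base, over)
  base.merge(over) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# A bind file readable by group/others leaks the LDAP admin password.
def check_bind_permissions(path)
  mode = File.stat(path).mode & 0o777
  return if (mode & 0o077).zero?
  raise "#{path}: mode #{format('%04o', mode)} is readable by group/others; use 0600"
end

# Reads the files in order, skipping missing ones. Returns [config, warnings].
def load_layered_config(paths)
  warnings = []
  merged = paths.each_with_object({}) do |path, acc|
    next unless File.exist?(path)
    check_bind_permissions(path) if bind_file?(path)
    # permitted_classes: [Symbol] is needed because values like ":tls" are symbols
    data = YAML.safe_load(File.read(path), permitted_classes: [Symbol]) || {}
    unless bind_file?(path)
      SECTIONS.each do |section|
        leaked = (data[section] || {}).keys & SECRET_KEYS
        leaked.each { |k| warnings << "#{path}: '#{k}' should live in a bind file" }
      end
    end
    acc.replace(deep_merge(acc, data))
  end
  [merged, warnings]
end

# Constructed two-file layout: public settings in config.yaml (0644),
# credentials in bind.yaml (0600). Returns [config, warnings].
def demo
  Dir.mktmpdir do |dir|
    config = File.join(dir, "config.yaml")
    bind   = File.join(dir, "bind.yaml")
    File.write(config, <<~YAML)
      common:
        sid: S-1-5-21-915876905-2926214379-2876160357
        base: dc=samba,dc=local,dc=net
        host: localhost
        method: :tls
      reference:
        allow_anonymous: true
    YAML
    File.write(bind, <<~YAML)
      update:
        bind_dn: cn=admin,dc=local,dc=net
        password: admin
    YAML
    File.chmod(0o644, config)
    File.chmod(0o600, bind)
    load_layered_config([config, bind])
  end
end

# A bind file with loose permissions must be rejected; returns true if it was.
def demo_loose_bind_file
  Dir.mktmpdir do |dir|
    bind = File.join(dir, "bind.yaml")
    File.write(bind, "update:\n  password: admin\n")
    File.chmod(0o644, bind)
    begin
      load_layered_config([bind])
      false
    rescue RuntimeError
      true
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg, warnings = demo
  puts cfg.inspect
  warnings.each { |w| warn w }
  puts "loose bind file rejected: #{demo_loose_bind_file}"
end
```

The permission check looks only at the mode bits, so it behaves the same whether or not the script runs as root; the warning for secrets in a non-bind file is deliberately non-fatal, because an existing deployment may have them there.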
==== Options in configuration file
The following options are available:
[base] Same as the option of ActiveLdap::Base.setup_connection.
[host] Same as the option of ActiveLdap::Base.setup_connection.
[port] Same as the option of ActiveLdap::Base.setup_connection.
[scope] Same as the option of ActiveLdap::Base.setup_connection.
[bind_dn] Same as the option of ActiveLdap::Base.setup_connection.
[password] Same as the option of ActiveLdap::Base.setup_connection.
[method] Same as the option of ActiveLdap::Base.setup_connection.
[allow_anonymous] Same as the option of ActiveLdap::Base.setup_connection.
[sid] SID (Security Identifier) of your Samba server.
[smb_conf] The path of smb.conf for your Samba server.
[samba_domain] Domain name of your Samba server.
[samba_netbios_name] NetBIOS name of your Samba server.
[password_hash_type] Algorithm for hashing passwords stored in LDAP. Available algorithms are +:crypt+, +:md5+, +:smd5+, +:sha+ and +:ssha+.
  The password in LDAP is used for UNIX authentication, not for Samba.
  Default algorithm: +:ssha+
[users_suffix] Subtree for user entries in LDAP. Specify a path relative to base.
  For example: "ou=Users"
[groups_suffix] Subtree for group entries in LDAP. Specify a path relative to base.
  For example: "ou=Groups"
[computers_suffix] Subtree for computer entries in LDAP. Specify a path relative to base.
  For example: "ou=Computers"
[idmap_suffix] Subtree for idmap entries in LDAP. Specify a path relative to base.
  For example: "ou=Idmap"
[start_uid] UID (User Identifier) assigned to the next new user. After a user is created, the default UID for the next new user is incremented.
  Default: 10000
[start_gid] GID (Group Identifier) assigned to the next new group. After a group is created, the default GID for the next new group is incremented.
  Default: 10000
[user_login_shell] Default login shell for a new user.
  Default: "/bin/false"
[user_home_directory] Default home directory for a new user. %U is substituted with the user name.
  Default: "/home/%U"
[user_home_directory_mode] Default permissions of the user's home directory.
  Default: 0755 (octal notation)
[user_gecos] Default GECOS field value for a new user. %U is substituted with the user name.
[user_home_unc] Default path of the user's home directory on Windows. The path should be specified in UNC (Universal Naming Convention) form. %U is substituted with the user name.
  Default: "\\NetBIOS name of your Samba server\%U"
[user_profile] Default path of the user profile, specified in UNC (Universal Naming Convention) form. %U is substituted with the user name.
  Default: "\\NetBIOS name Samba server\profiles\%U"
[user_home_drive] Default drive letter of the user's home directory.
  Default: "H:"
[user_logon_script] Default script invoked when the user logs on.
  Default: "logon.bat"
[skeleton_directory] Default skeleton directory used when creating the user's home directory.
  Default: "/etc/skel"
[default_user_gid] Default GID of the group to which a new user belongs.
  Default: "Domain Users" group
[default_computer_gid] Default GID of the group to which a new computer belongs.
  Default: "Domain Computers" group
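The password_hash_type option above selects how the UNIX password (the LDAP userPassword attribute) is stored. The following added example, which is not ActiveSambaLdap's own implementation, builds and verifies userPassword values in the usual "{SCHEME}base64" form for the five listed algorithms, so you can see what each setting produces and why the salted forms (+:ssha+, +:smd5+) are preferable: two users with the same password get different stored values. Function names, the 8-byte salt length and the sample password are assumptions of the example.

```ruby
require "digest"
require "base64"
require "securerandom"

# Added example (not ActiveSambaLdap's code): userPassword hashing/verification
# for the password_hash_type values :crypt, :md5, :smd5, :sha and :ssha.

SALT_BYTES = 8  # assumed salt length for the salted schemes
DIGEST_LEN = { "SHA" => 20, "SSHA" => 20, "MD5" => 16, "SMD5" => 16 }.freeze

# Returns the stored form for +password+; +salt+ may be given to reproduce a value.
def hash_password(password, type = :ssha, salt: nil)
  pw = password.b  # work on raw bytes so a binary salt can be appended
  case type
  when :crypt
    salt ||= SecureRandom.alphanumeric(2)  # alphanumerics are valid crypt(3) salt chars
    "{CRYPT}" + pw.crypt(salt)
  when :md5
    "{MD5}" + Base64.strict_encode64(Digest::MD5.digest(pw))
  when :sha
    "{SHA}" + Base64.strict_encode64(Digest::SHA1.digest(pw))
  when :smd5
    salt ||= SecureRandom.random_bytes(SALT_BYTES)
    "{SMD5}" + Base64.strict_encode64(Digest::MD5.digest(pw + salt) + salt)
  when :ssha
    salt ||= SecureRandom.random_bytes(SALT_BYTES)
    "{SSHA}" + Base64.strict_encode64(Digest::SHA1.digest(pw + salt) + salt)
  else
    raise ArgumentError, "unknown password_hash_type: #{type.inspect}"
  end
end

# Compare without leaking where the first mismatching byte is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Checks +password+ against a stored "{SCHEME}..." value; false on any malformed input.
def verify_password(stored, password)
  m = stored.match(/\A\{([A-Z0-9]+)\}(.*)\z/m)
  return false unless m
  scheme, body = m[1], m[2]
  case scheme
  when "CRYPT"
    # crypt(3) takes its salt from the leading characters of the stored hash
    secure_compare(password.b.crypt(body), body)
  when "SHA", "MD5"
    secure_compare(hash_password(password, scheme.downcase.to_sym), stored)
  when "SSHA", "SMD5"
    raw = Base64.strict_decode64(body)
    return false if raw.bytesize <= DIGEST_LEN[scheme]
    salt = raw.byteslice(DIGEST_LEN[scheme]..-1)  # salt trails the digest
    secure_compare(hash_password(password, scheme.downcase.to_sym, salt: salt), stored)
  else
    false
  end
rescue ArgumentError  # invalid base64 or unknown scheme symbol
  false
end

# Hashes a constructed sample password with each non-crypt scheme and checks
# that the right password verifies and a wrong one does not.
# Returns an array of [type, stored_value, ok_for_correct, ok_for_wrong].
def demo(password = "secret")
  %i[ssha smd5 sha md5].map do |type|
    stored = hash_password(password, type)
    [type, stored, verify_password(stored, password), verify_password(stored, "wrong")]
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |type, stored, ok, bad| puts "#{type}: #{stored} ok=#{ok} wrong=#{bad}" }
end
```

Running it twice shows that the +:ssha+ and +:smd5+ values change from run to run while +:sha+ and +:md5+ do not, which is exactly the property a salt provides. The +:crypt+ branch uses the libc crypt(3) available to Ruby, so its output depends on the platform.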
==== Populate
You need to populate your Samba + LDAP environment by invoking asl-populate before administering it with the asl-* commands.
  % sudo asl-populate
You can use the following command if you don't need root authorization. (A root authorization check may be needed...)
  % fakeroot asl-populate
==== Administrate
Use asl-user*, asl-group*, asl-populate, asl-purge and asl-password. Use the --help option of each command for details.
==== Configuration of smb.conf
You need to configure your smb.conf like the following if you want to administer the server with Srvtools[http://support.microsoft.com/kb/173673/] from Windows or make the Samba server a domain controller. The asl-samba-* commands are for that purpose.
  passdb backend = ldapsam:ldap://127.0.0.0
  ldap admin dn = cn=admin,dc=local,dc=net
  ldap suffix = dc=samba,dc=local,dc=net
  ldap user suffix = ou=Users
  ldap group suffix = ou=Groups
  ldap machine suffix = ou=Computers
  ldap idmap suffix = ou=Idmap
  ldap passwd sync = yes

  admin users = "@Domain Admins"
  add user script = /.../asl-samba-useradd "%u"
  delete user script = /.../asl-samba-userdel "%u"
  add group script = /.../asl-samba-groupadd "%g"
  delete group script = /.../asl-samba-groupdel "%g"
  add user to group script = /.../asl-samba-groupmod "%g" --add-members "%u"
  delete user from group script = /.../asl-samba-groupmod "%g" --delete-members "%u"
  set primary group script = /.../asl-samba-usermod "%u" --gid "%g"
  add machine script = /.../asl-samba-computeradd "%u"
You need to set the LDAP administrator password with the following command before starting your Samba server.
  % sudo /usr/bin/smbpasswd -W
== Troubleshooting
=== Groups aren't listed
You can list groups with the following command:
  % net rpc group list --user=USER_NAME
If no groups are listed by the above command after you have executed asl-populate, please check the following:
Is your samba.schema old?
If the sambaSID attribute in your samba.schema doesn't have the following line, your samba.schema may be old. Please update your samba.schema.
  SUBSTR caseExactIA5SubstringsMatch
== Thanks