Questions Regarding LDAP

Given the template:

dn: uid=user,ou=Users,dc=graysonpeddie,dc=lan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
# uid has to match the uid in the dn on the first line
# (LDIF has no inline comments: text after a value, "#" included, becomes part of the value)
sn: LastName
givenName: FirstName
cn: FirstName LastName
displayName: FirstName LastName
gecos: FirstName LastName
uidNumber: 10000
# uidNumber must be unique
gidNumber: 5000
# gidNumber must be associated with a group that exists in LDAP
userPassword: {CRYPT}x
# change the password after the entry is created
loginShell: /bin/bash
homeDirectory: /home/example.com/user

I do have a question. I learned from this LDAP tutorial page below that uid must be unique and it must match what is in lines 1 and 5.

My question is, should the cn for the user be unique? I want to challenge myself and get my hands dirty in learning LDAP and I am using OpenLDAP.

Are there any resources where I can understand the technical aspects of LDAP such as objectClass?

My challenge is to see if I can move away from Active Directory in my homelab setup as I plan on not having Windows in my home environment. Just macOS and Linux.

Update: Better I type instead of copying-and-pasting so I can learn from my mistakes.

The CN doesn’t have to be unique. Instead of OpenLDAP you can use this Linux-based AD. Then you can use the RSAT tools to manage your AD and group policy.

If only there’s a Linux equivalent for RSAT.

Okay, I have the following setup in my LDAP server:

dc=graysonpeddie,dc=lan
  ou=Home
    ou=Users
      Users with uid= go here...
    ou=Groups
      Groups go here...
  ou=Services
    ou=Users
      Service users go here...
    ou=Groups
      Groups go here...

And I’m following the tutorial for adding Kerberos to my LDAP server.

I’ve been making good progress and I’m getting close to completing my setup; however, I need to add Kerberos principals to existing users.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# quotes inside an ACL must be plain ASCII double quotes; continuation lines start with one space
olcAccess: {4}to dn.subtree="ou=Users,ou=Home,dc=graysonpeddie,dc=lan"
 by dn.exact="uid=KDC,ou=Users,ou=Services,dc=graysonpeddie,dc=lan" read
 by dn.exact="uid=KAd,ou=Users,ou=Services,dc=graysonpeddie,dc=lan" write
 by * break
-
add: olcAccess
olcAccess: {5}to dn.subtree="ou=Users,ou=Services,dc=graysonpeddie,dc=lan"
 by dn.exact="uid=KDC,ou=Users,ou=Services,dc=graysonpeddie,dc=lan" read
 by dn.exact="uid=KAd,ou=Users,ou=Services,dc=graysonpeddie,dc=lan" write
 by * break

When I execute this command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f add_krb5_aclprinciples.ldif

I get the following error message:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: <olcAccess> handler exited with 1

If only OpenLDAP were not so vague about what the problem is, so I could add principals to existing users. Could anyone with OpenLDAP experience tell me what I did wrong?
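The two LDIF fragments in this thread share a failure mode: LDIF has no inline comments (so "uid: user # ..." stores the comment text as part of the value and no longer matches the RDN), and slapd's ACL parser only understands plain ASCII quotes, which a web page or word processor will happily turn into curly ones. A lint pass over the file before ldapmodify turns both into readable messages instead of "handler exited with 1". The script below is an added example, not code from the thread or from OpenLDAP; it covers the user template at the top of the thread (uid must match the RDN, uidNumber must be unique) and the olcAccess modification above (non-ASCII quotes). The embedded LDIF samples, the dc=example,dc=lan DNs and the user names are constructed for the example.

```python
"""Lint an LDIF file before handing it to ldapadd/ldapmodify (constructed example)."""
import re

# Unicode "smart" quotes that a web page or word processor may substitute for ASCII quotes.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_ldif(text):
    """Split LDIF text into records, each a list of (attribute, value) pairs.

    Handles comment lines (a '#' in column 1), folded continuation lines
    (leading space) and the '-' separator used in changetype: modify records.
    LDIF has no inline comments: anything after a value, '#' included, is
    part of the value, and the checks in lint() rely on that.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # fold the continuation onto the previous line
        else:
            unfolded.append(raw)

    records, current = [], []
    for line in unfolded + [""]:             # the trailing "" flushes the last record
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
        elif line != "-":
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    return records


def lint(text):
    """Return a list of human-readable problems found in the LDIF text."""
    problems = []
    uid_numbers = {}                         # uidNumber -> dn that first used it
    for record in parse_ldif(text):
        attrs = {}
        for attr, value in record:
            attrs.setdefault(attr, []).append(value)
        dn = attrs.get("dn", [""])[0]
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")

        # 1. A uid=... RDN must be backed by an identical uid attribute value.
        if rdn_attr.lower() == "uid" and rdn_value not in attrs.get("uid", []):
            problems.append(f"{dn}: uid attribute {attrs.get('uid')} does not match RDN value {rdn_value!r}")

        # 2. uidNumber must be unique across the whole file.
        for number in attrs.get("uidnumber", []):
            if number in uid_numbers:
                problems.append(f"{dn}: uidNumber {number} already used by {uid_numbers[number]}")
            else:
                uid_numbers[number] = dn

        # 3. olcAccess values must use ASCII quotes only; curly quotes break the ACL parser.
        for acl in attrs.get("olcaccess", []):
            bad = [ch for ch in acl if ch in SMART_QUOTES]
            if bad:
                problems.append(f"{dn}: olcAccess contains non-ASCII quote {bad[0]!r}")
    return problems


# Constructed sample: a correct user entry and a correct olcAccess modification.
GOOD_LDIF = """\
dn: uid=alice,ou=Users,ou=Home,dc=example,dc=lan
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10000
gidNumber: 5000

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {4}to dn.subtree="ou=Users,ou=Home,dc=example,dc=lan"
 by dn.exact="uid=KDC,ou=Users,ou=Services,dc=example,dc=lan" read
 by * break
"""

# Constructed sample with three faults: an inline '#' comment that becomes part of the
# uid value, a uidNumber reused from the previous entry, and curly quotes in an ACL.
BAD_LDIF = """\
dn: uid=bob,ou=Users,ou=Home,dc=example,dc=lan
objectClass: posixAccount
uid: bob # must match the dn
uidNumber: 10001
gidNumber: 5000

dn: uid=carol,ou=Users,ou=Home,dc=example,dc=lan
objectClass: posixAccount
uid: carol
uidNumber: 10001
gidNumber: 5000

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {4}to dn.subtree=\u201cou=Users,ou=Home,dc=example,dc=lan\u201d
 by * break
"""

if __name__ == "__main__":
    for name, text in (("GOOD_LDIF", GOOD_LDIF), ("BAD_LDIF", BAD_LDIF)):
        print(name, lint(text) or "no problems")
```

Run it directly to lint the two embedded samples; to check a real file, call lint(open(path).read()) and fix anything it reports before running ldapmodify. It only parses plain values (no base64 "::" values), which is all the fragments in this thread use.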

People like to put it down because you can assemble a bunch of tools to do the same thing, but Zentyal works really well for the little bit that I’ve used it.

And yes, it would be EXTREMELY nice if Microsoft would give us RSAT tools that work in Linux. They have their own distro of Linux; you would think they (MS) might be interested in this for in-house duties, and then it might spill out for the rest of us to use.

Not sure what benefit this would have. If you are using LDAP only for user management for Linux and Windows, then just use the GUI of Zentyal. You can’t do much else, like use Group Policy for Linux, so what is the point?

If you are trying to manage a Windows environment anyway, don’t want to pay the cost of Windows Server, and don’t need extra features like syncing to Azure for 365 and so on, then I would say just use Windows anyway to manage GPO and AD.

Thanks everyone. I realize this is not the best place to ask in here. I just don’t care for Windoze anyway. I want to get far out of the comfort zone and go for a challenge, but then not everyone wants a challenge anyway.

Update: Actually, I don’t think I need Kerberos. OpenLDAP with TLS for encryption is fine for me.

Update 2: OpenLDAP with TLS is more than enough for me. I have no need for Kerberos. Thank you all! I’m more than satisfied with migrating away from Windows Server Active Directory and I do not have a need for Samba 4.

Well, I decided to stick with Samba with Windows RSAT. I despise how Microsoft added the new Windows Spotlight feature to Windows 10 and I just don’t really care for it. The only purpose of the Windows 10 VM is to use RSAT, not look at beautiful pictures that came from Bing.

Oh well.

On a serious note, I really want RSAT to be ported over to Linux. I mean, just the limited set of RSAT tools such as Active Directory Users and Groups, DNS, and Group Policy for configuring password policy, and that’s about it. I just don’t see what Group Policy has to do with Linux and Mac except Windows.

Because it was never built for Mac and Linux. Windows created all this so they can centrally manage workstations and users.

Mac and Linux are rarely used in businesses because of the lack of central management. They both tried to retrofit themselves so they can have at least some sort of user management, but that is as far as it goes.

You’re not going to see any porting of RSAT to Linux. As mentioned above, Linux already barely gets by just in user management, let alone the full integration of all the rest of the tools in RSAT.

Yeah, that makes sense. And the fact that PolicyKit in Linux does not let me specify an admin username when interacting with GUI applications that require admin privileges. The only way I can do that is through the command line with su and sudo (su - adminuser, then sudo whatevercommandhere).

It makes sense that LDAP is not Linux’s strongest suit due to the popularity of Windows.

Anyway, thanks. I wanted to go with the pure Linux setup, but in the end, I’ll just manage Samba 4 with Windows RSAT.

Not to drag this out, but what version of Windows did you use for the VM? If possible, always use the LTSC version. For home lab, this will need to be an eval version because you can’t “legally” get a key for LTSC, just like you can’t legally get the KMS host keys.

Also, if you hate Win10 that much, you should probably load up a Win11 eval and fool with it. All the RSAT are available, but they moved them around to make it easier. The only way I could find the installed ones was to search for “optional features”; it wasn’t shown in the system menu (win11edu). There are a bunch of other things that might cause you to rip your hair out. It might be a fun contrast of how good Win10 really was and make you look forward to Win12 (or whatever they call it).

Thankfully I’m not that Windows-averse, so I just figure out what I need to do. Once you clear enough stuff out of your profile, it isn’t that bad. But you need to know to clean all that stuff out, and that cleaning it will not survive a sysprep. You’d need to use other tools to permanently remove some of this stuff, like the MiniWin that Chris Titus (and many others) have been working on. It’s an “open source” tool to hack parts out of a Windows ISO to create a slim ISO. Open Source in quotes because you are dealing with Windows commands, so the command may be known, but the back end function is still closed Windows code doing the work.

Thanks. I despise all the latest versions of Windows except for Vista and 7, and I know Windows Vista and 7 are end-of-life. I chose Windows 10 x32 because it requires only 1GB of RAM. However, looks and aesthetics don’t matter anyway. I’m fine with my current setup and I’m happy to just block Windows 10 from accessing the Internet except for accessing my Samba 4 AD DC through RSAT.

My intention in going for OpenLDAP is to go exclusively with Linux. At least I learned that Linux is quite limited on the LDAP front compared to Windows.