Final Report

This document provides instructions for setting up a Linux architecture including DNS, OpenLDAP, Postfix mail, Dovecot mail, and Roundcube webmail servers. It describes installing and configuring Bind to act as the DNS server, setting up zones for the "dimitrios.local" domain. It also explains installing and configuring OpenLDAP to provide directory services, and Postfix and Dovecot for email services. Roundcube webmail is listed as the front-end for accessing email over the web. Virtual machines running CentOS 6.5 are used for the server implementations.

Introduction

This document explains in detail how to build a Linux architecture (OpenLDAP, DNS, file and mail servers).
Architecture
Topology

DNS
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services,
or any resource connected to the Internet or a private network. It associates various information
with domain names assigned to each of the participating entities. Most prominently, it translates
domain names, which can be easily memorized by humans, to the numerical IP addresses needed for
the purpose of computer services and devices worldwide. The Domain Name System is an essential
component of the functionality of most Internet services because it is the Internet's primary
directory service.
More information: https://en.wikipedia.org/wiki/Domain_Name_System

OpenLDAP
OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP)
developed by the OpenLDAP Project. It is released under its own BSD-style license called the
OpenLDAP Public License.
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard
application protocol for accessing and maintaining distributed directory information services over an
Internet Protocol (IP) network. Directory services play an important role in developing intranet and
Internet applications by allowing the sharing of information about users, systems, networks, services,
and applications throughout the network. As examples, directory services may provide any organized
set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a
telephone directory is a list of subscribers with an address and a phone number. Several common
Linux distributions include OpenLDAP Software for LDAP support. The software also runs on BSD variants, as well as AIX, Android, HP-UX, OS X, Solaris, Microsoft Windows (NT and derivatives, e.g. 2000, XP, Vista, Windows 7, etc.), and z/OS.
More information:
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
https://en.wikipedia.org/wiki/OpenLDAP
http://www.openldap.org/

Postfix Mail server

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail,
intended as an alternative to the widely used Sendmail MTA.

Its main features are:

- Standards-compliant support for SMTPUTF8, SMTP, LMTP, STARTTLS encryption including DANE protocol support and "perfect" forward secrecy, SASL authentication, MIME encapsulation and transformation, DSN delivery status notifications, IPv4, and IPv6.
- Configurable SMTP-level access policy that automatically adapts to overload.
- "Virtual" domains with distinct address namespaces.
- UNIX-system interfaces for command-line submission, for delivery to command, and for direct delivery to message stores in mbox and maildir format.
- Light-weight content inspection based on regular expressions.
- A large number of database lookup mechanisms including Berkeley DB, CDB, OpenLDAP LMDB, Memcached, LDAP and multiple SQL database implementations.
- A sophisticated scheduler that implements parallel deliveries, with configurable concurrency and back-off strategies.
- A scalable zombie blocker that reduces SMTP server load due to botnet spam.

More information:
https://en.wikipedia.org/wiki/Postfix_%28software%29
http://www.postfix.org/features.html

Dovecot
Dovecot is an open-source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with
security in mind. Timo Sirainen originated Dovecot and first released it in July 2002. Dovecot
developers primarily aim to produce a lightweight, fast and easy-to-set-up open-source mailserver.
According to Openemailsurvey, Dovecot has an installed base of over 2.9 million email servers all
over the world and a global market share of 57% of all IMAP servers. While Dovecot software can be
used in commercial use without any license fees, a commercial version is also available as Dovecot
Pro. The commercial version is provided by Dovecot Oy along with support and enterprise add-ons
such as the object storage and full-text search plugins. Since March 2015, Dovecot Oy has been part
of the Open-Xchange Family.
More information:
https://en.wikipedia.org/wiki/Dovecot_%28software%29
http://dovecot.org/

Roundcube Webmail

Roundcube Webmail is a free and open source webmail solution with a desktop-like user interface which
is easy to install and configure and runs on a standard Linux/Apache/PHP/MySQL server. It displays
mail from an IMAP server and needs an SMTP server (or a correctly configured PHP mail setup) to send email.

Some of its features are:

- Drag-and-drop message management
- Full support for MIME and HTML messages
- Sophisticated privacy protection
- Compose messages with attachments
- Multiple sender identities
- Full-featured address book with groups and LDAP connectors

More information: https://roundcube.net/

Implementation
Installation and configuration of CentOS 6 VMs
We will use the CentOS 6.5 distribution for our servers. We will download pre-made virtual machines for
this from this website: http://virtualboxes.org/images/centos/
The direct link to the VM we have downloaded is:
http://sourceforge.net/projects/virtualboximage/files/CentOS/6.0/CentOS-6-x86_64.7z/download

Each server has 512 MB of RAM and a 12 GB disk.

Treat a pre-built third-party image as untrusted: it ships with a default root password that anyone can
look up, so change it at first login (passwd), and keep the VMs on an isolated host-only or NAT network
until they are hardened. Run yum update before anything else; the image linked above is a 6.0 build and
the update brings it up to the current 6.x packages.

Important: because we have downloaded a foreign virtual machine, we have to change the keyboard layout
with the following command:
# loadkeys us

This switches the console keyboard to the US English layout (the keymap is named us; there is no keymap named en).

Installation and configuration of Bind DNS Server


You should first update your distribution's packages by issuing the following command:
# yum -y update
To install BIND, use the following command:
# yum -y install bind bind-utils nano

To configure the DNS server:

# nano /etc/named.conf

Your "options" section should be configured as follows:

options {
        #listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { localhost; };
        recursion yes;
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

Above, listen-on is commented out so that named listens on all IPv4 interfaces instead of only on the
loopback address. We have changed the allow-query directive to "any" so that clients can query the
hosted zones, and we have enabled recursion with forwarders so that the server also answers for names
on the Internet.

Caveat: with recursion yes, allow-query { any; } and no allow-recursion ACL, every host that can reach
port 53 can use this machine as an open recursive resolver, which is abused for DNS amplification and
cache-poisoning attempts. Inside a VirtualBox lab this is harmless; on any network reachable from
outside, add allow-recursion { localhost; 10.0.2.0/24; }; (10.0.2.0/24 being the lab network, inferred
here from the addresses in the zone file) so that only local clients may recurse while the zone itself
stays queryable by anyone. Keep allow-transfer restricted as shown: an unrestricted zone transfer hands
an attacker the complete host inventory. The dnssec-lookaside and bindkeys-file lines are the CentOS 6
defaults; ISC retired the DLV registry in 2017, so drop them on a current BIND.

Next, add a zone for our first domain. Add the following to named.conf below the existing zones:

zone "dimitrios.local" IN {
        type master;
        file "dimitrios.local.zone";
        allow-update { none; };
};

Configure BIND Zones

First, open the zone file, using the file name you specified in the configuration above:

# nano -w /var/named/dimitrios.local.zone

$TTL 86400
@       IN      SOA     ldap-server.dimitrios.local. root.dimitrios.local. (
                        2013042201      ; Serial
                        3600            ; Refresh
                        1800            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL
; Specify our nameserver
        IN      NS      ldap-server.dimitrios.local.
; Resolve nameserver hostnames to IP
ldap-server     IN      A       10.0.2.15
; Define hostname -> IP pairs which you wish to resolve
;www            IN      A       10.0.2.3

Increase the serial on every edit (the YYYYMMDDnn form used here makes that easy); a secondary server
only transfers the zone when it sees a higher serial. Every host referenced elsewhere in this setup
needs an A record here: the autofs map added in the OpenLDAP section points at files.dimitrios.local,
and the Postfix/Dovecot host will need an A record (plus an MX record for dimitrios.local) once the
mail servers are built. Make sure the file is readable by the named user (for example chown root:named
and chmod 640), then check both files before starting the service:

# named-checkconf /etc/named.conf
# named-checkzone dimitrios.local /var/named/dimitrios.local.zone

Start BIND Server


We can now start named for the first time. This may take several minutes on first execution while named
generates the rndc.key file.
# service named start
Once named has started successfully, we'll want to ensure that it is enabled as a startup service by
running the following:
# chkconfig named on
By now, we should have a fully operational primary nameserver. Verify that BIND answers authoritatively
by querying records that exist in the zone (the zone above has no A record at the apex, so a plain
dig dimitrios.local returns an empty answer section):
# dig @10.0.2.15 ldap-server.dimitrios.local A
# dig @10.0.2.15 dimitrios.local NS
Both replies should show status: NOERROR, the aa (authoritative answer) flag in the header and the
expected record in the answer section. Then confirm that recursion through the forwarders works, for
example with dig @10.0.2.15 www.centos.org: if the VM has Internet access this returns an answer with
the ra flag set and aa absent.
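The shell script below is an added example and is not part of the original report. It renders a hardened version of the options block above (recursion limited to the lab network with allow-recursion, named bound to the server address instead of every interface, the retired DLV lookaside lines dropped) and contains a small check that flags the open-resolver pattern in any options block piped into it, so the report's own configuration can be compared with the hardened one. The lab network 10.0.2.0/24 and the server address 10.0.2.15 are assumptions taken from the zone file; named-checkconf and named-checkzone are only run when the BIND tools are installed, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original report.
# Assumptions (not in the original): lab network 10.0.2.0/24, server 10.0.2.15.

LAB_NET="10.0.2.0/24"
SERVER_IP="10.0.2.15"

# Print a hardened "options" block. Differences from the report's version:
# recursion is restricted to LAB_NET via allow-recursion, named listens on
# the server address only, and the retired ISC DLV lookaside is omitted.
render_options() {
    net="$1"; ip="$2"
    cat <<EOF
options {
        listen-on port 53 { 127.0.0.1; ${ip}; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion { localhost; ${net}; };
        allow-transfer  { localhost; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
};
EOF
}

# Read an options block on stdin. Return 1 (open resolver) when it has
# "recursion yes" and "allow-query { any" but no allow-recursion ACL that
# narrows who may recurse; return 0 otherwise.
check_open_resolver() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' &&
       printf '%s\n' "$conf" | grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;' &&
       ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{'; then
        echo "open resolver: recursion yes + allow-query any without allow-recursion" >&2
        return 1
    fi
    return 0
}

# The report's own options block (constructed here, trimmed to the
# directives that matter for the check).
report_options() {
    cat <<'EOF'
options {
        listen-on-v6 port 53 { ::1; };
        allow-query     { any; };
        allow-transfer  { localhost; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
};
EOF
}

# Lint the live config and zone when the BIND tools are present; a no-op
# elsewhere so the script stays runnable on a machine without bind.
lint_bind() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf /etc/named.conf || return 1
        named-checkzone dimitrios.local /var/named/dimitrios.local.zone || return 1
    fi
    return 0
}

if [ "${1:-}" = "demo" ]; then
    report_options | check_open_resolver || echo "report config: flagged"
    render_options "$LAB_NET" "$SERVER_IP" | check_open_resolver && echo "hardened config: ok"
    render_options "$LAB_NET" "$SERVER_IP"
fi
```

Run it as "sh check-named.sh demo" to see the report's block flagged and the hardened block printed; to use the hardened block, paste it over the options section of /etc/named.conf and run lint_bind (or named-checkconf directly) before restarting named.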
Installation of OpenLDAP
To install OpenLDAP Server, issue the following command :
# yum -y install openldap openldap-servers openldap-clients

The LDAP server's configuration files are:

- cn=config.ldif: the default server-wide configuration, stored in /etc/openldap/slapd.d/cn=config.ldif in LDIF format. LDIF is the LDAP Data Interchange Format, the text format used to load entries into, and describe changes to, an LDAP directory.
- olcDatabase={2}bdb.ldif: /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif holds the settings of the main database, such as the number of connections the server supports, timeouts and other database settings. It is also the file that contains the LDAP root user (olcRootDN) and the base DN (olcSuffix).

Modify the olcDatabase={2}bdb.ldif file and change the olcRootDN entry. The following is the default
entry:
# grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com

Change the above line to this:

olcRootDN: cn=Manager,dc=dimitrios,dc=local

Now use the slappasswd command to create a hash of the root password you want to use. Execute the
following command and enter the password twice; it prints a salted SHA-1 ({SSHA}) hash of it.

# slappasswd
New password: dimitrios
Re-enter new password: dimitrios
{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6

The password used here (dimitrios) is acceptable only for this isolated lab. The rootDN bypasses every
access control in the directory, so in any real deployment choose a long random password. (slappasswd
does not echo what you type; the password is shown above only for clarity.)

Take the hash output of the above command and add it to the olcRootPW parameter in the
olcDatabase={2}bdb.ldif file as shown below. Never put the clear-text password in this file.

# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6

Now set olcSuffix to the domain you want. Simply modify the line that starts with olcSuffix in the
file olcDatabase={2}bdb.ldif as shown below:

# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=dimitrios,dc=local
Use the slaptest command to verify the configuration. This should display the "testing succeeded"
message:
# slaptest -u
config file testing succeeded
You will also get the following messages during the above command, which you can ignore for now:
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
They appear because every file under slapd.d carries a CRC32 of its contents in its header and we
changed the files by hand instead of through the server. The warning is harmless as long as slapd still
loads the file, but the supported way to change cn=config is ldapmodify over the local ldapi:///
socket, which keeps the checksums valid and needs no restart.

Next, enable the server's listeners in /etc/sysconfig/ldap by uncommenting the SLAPD_ variables (the
ldap://, ldapi:// and ldaps:// switches such as SLAPD_LDAP and SLAPD_LDAPI):
# cd /etc/sysconfig
# perl -pi -e 's/#SLAPD_/SLAPD_/' ldap
Before the first start, give the BerkeleyDB backend its tuning file, otherwise slapd logs warnings
about a missing DB_CONFIG at every start:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/DB_CONFIG
Start the LDAP server and enable it at boot as shown below:
# service slapd start
# chkconfig slapd on
To verify that the server is running with the new suffix, run an anonymous search against the base:
# ldapsearch -x -b "dc=dimitrios,dc=local"
The directory is still empty at this point, so the expected reply is "result: 32 No such object". That
is a valid answer from slapd for our suffix and confirms the server is up with the right base DN; the
base entry itself is created in the next step. A "Can't contact LDAP server" error instead means slapd
did not start; check /var/log/messages.
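Instead of editing the files under slapd.d with vi (which is what produces the checksum warnings above), the same three settings can be changed through the running server with ldapmodify. The script below is an added example and not part of the original report: it builds the cn=config LDIF that replaces olcSuffix, olcRootDN and olcRootPW on the {2}bdb database, hashes the password with slappasswd, applies the change over the local ldapi:/// socket with SASL EXTERNAL and reads the values back. It assumes slapd is already running with SLAPD_LDAPI enabled and that it is run as root (the default CentOS 6 cn=config access rule maps the root user's peer credentials to the config manager); on a machine without slappasswd it falls back to the report's own hash so the script still runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original report.
# Assumptions: slapd running with ldapi:/// enabled, script run as root.

SUFFIX="dc=dimitrios,dc=local"
ROOTDN="cn=Manager,dc=dimitrios,dc=local"

# Print the LDIF that changes the suffix, root DN and root password of
# the {2}bdb database. Only the hash is written, never the clear text.
# The "-" lines separate the three modifications of one changetype.
render_db_config_ldif() {
    suffix="$1"; rootdn="$2"; hash="$3"
    cat <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${suffix}
-
replace: olcRootDN
olcRootDN: ${rootdn}
-
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# Hash a password with slappasswd. "-s" exposes the clear text in the
# process list for a moment; for production use interactive slappasswd
# or "slappasswd -T file". Without OpenLDAP installed, fall back to the
# report's own SSHA hash (for the password "dimitrios") so the script runs.
hash_password() {
    if command -v slappasswd >/dev/null 2>&1; then
        slappasswd -s "$1"
    else
        echo '{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6'
    fi
}

# Apply the LDIF over the UNIX socket. SASL EXTERNAL over ldapi:// maps
# uid 0 to the cn=config manager, so no Manager password is needed and
# nothing travels over the network. Then read the stored values back.
apply_db_config() {
    render_db_config_ldif "$SUFFIX" "$ROOTDN" "$(hash_password "$1")" \
        | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL \
        -b 'olcDatabase={2}bdb,cn=config' '(objectClass=*)' olcSuffix olcRootDN
}

if [ "${1:-}" = "apply" ]; then
    apply_db_config "${2:?usage: $0 apply <root-password>}"
fi
```

Run "sh ldap-config.sh apply 'a-long-random-password'" on the LDAP server; afterwards slaptest -u reports no checksum errors because the server rewrote olcDatabase={2}bdb.ldif itself, and the ldapsearch at the end of the script shows the new olcSuffix and olcRootDN (olcRootPW is deliberately not requested, so the hash is not printed to the terminal).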
Base LDAP structure (initial-dit.ldif)

The use of OU (organizational unit) objects helps in giving additional structure to the LDAP database.
If you plan to add different types of entries, such as users, groups, computers, printers and more, it
is easier to put every entry type into its own container.
To create these OUs, create an initial LDIF file as shown in the example below. Entries in an LDIF file
are separated by a blank line.
# nano /root/initial-dit.ldif
dn: dc=dimitrios,dc=local
dc: dimitrios
o: dimitrios.local
objectclass: dcObject
objectclass: organization
objectclass: top

dn: ou=Users,dc=dimitrios,dc=local
ou: Users
objectclass: organizationalUnit

dn: ou=Groups,dc=dimitrios,dc=local
ou: Groups
objectclass: organizationalUnit

dn: ou=Maps,dc=dimitrios,dc=local
ou: Maps
objectclass: organizationalUnit

Now import the base structure into the LDAP directory using the ldapadd command as shown below:
# ldapadd -x -W -D "cn=Manager,dc=dimitrios,dc=local" -f /root/initial-dit.ldif
Enter LDAP Password:

Enter the password whose hash you generated with slappasswd (dimitrios).

You should see 4 entries added. To verify that the OUs were created, use the following ldapsearch
command:
# ldapsearch -x -W -D "cn=Manager,dc=dimitrios,dc=local" -b "dc=dimitrios,dc=local" "(objectclass=*)"
Enter LDAP Password:

You should see the 4 entries. Note that -x is a simple bind: both commands send the Manager password in
clear text over the connection. On the server itself (loopback or ldapi:///) that is fine, but do not
bind as Manager from other machines until the server has been configured for TLS (ldaps:// or STARTTLS).

Adding the automount maps is done as shown below. The nisMap and nisObject object classes come from the
nis schema, which the default CentOS 6 configuration already loads; if ldapadd rejects them, load it
first with "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif".

# cat <<EOF >/root/initial-autofs.ldif
dn: nisMapName=auto.master,ou=Maps,dc=dimitrios,dc=local
nisMapName: auto.master
objectClass: nisMap

dn: cn=/home,nisMapName=auto.master,ou=Maps,dc=dimitrios,dc=local
cn: /home
objectClass: nisObject
nisMapName: auto.master
nisMapEntry: auto.home

dn: nisMapName=auto.home,ou=Maps,dc=dimitrios,dc=local
nisMapName: auto.home
objectClass: nisMap

dn: cn=/,nisMapName=auto.home,ou=Maps,dc=dimitrios,dc=local
cn: /
objectClass: nisObject
nisMapName: auto.home
nisMapEntry: -fstype=nfs,rw,hard,intr files.dimitrios.local:/export/home/&
EOF
# ldapadd -x -a -f /root/initial-autofs.ldif -H ldap:/// -D "cn=Manager,dc=dimitrios,dc=local" -W

As with the prior ldapadd, you will be prompted for the password and then the records will be added.
The auto.home map uses the wildcard key (cn=/, the LDAP form of *) with & replaced by the requested
directory name, so a lookup of /home/alice mounts files.dimitrios.local:/export/home/alice. The file
server therefore needs an A record in the BIND zone and an NFS export of /export/home.

At this point, pause and test the OpenLDAP server in isolation. You should receive two records from
the following command, one for auto.master and one for auto.home:
# ldapsearch -x -H ldap:/// -b dc=dimitrios,dc=local "(objectclass=nisMap)"

Adding computers to domain

Creating user accounts


We will be creating 2 user accounts for our tests.
