Automated SAMBA +LDAP Code
Brought to you by:
agsweeney1972
File | Date | Author | Commit |
---|---|---|---|
DIST_AMD64 | 2009-05-23 | agsweeney1972 | [r149] |
DIST_TOOLS | 2009-05-10 | agsweeney1972 | [r148] |
DIST_i386 | 2009-04-28 | agsweeney1972 | [r110] DHCP w/DYN-DNS updates added. |
PDFCreator | 2009-06-15 | agsweeney1972 | [r150] |
README | 2009-05-09 | agsweeney1972 | [r146] version update |
setup.sh | 2009-04-30 | agsweeney1972 | [r120] Additions |
Automated Samba + LDAP for FreeBSD 7.1 [Rev 0.96.3-AMD64_ONLY]
--------------------------------------------------------------

This shell script and the included packages from FreeBSD will fully automate the installation and configuration of:

  Samba
  OpenLDAP
  Lighttpd
  PHP
  ISC-DHCP
  Bind9
  Dovecot (IMAP, IMAPs, POP3 & POP3s)
  Postfix (w/TLS)

On first boot after running this script you will have a FULLY FUNCTIONAL Samba server with an OpenLDAP database backend and DHCP server. You will also have a FULLY FUNCTIONAL email server with an OpenLDAP database backend. When you add users to the system for Samba, they are also available as email accounts without any further configuration.

Once installed, you can manage users and groups with the command line tools (our tools and SMBLDAP-TOOLS from IDEALX are both installed with this script), the webGUI, or with the "Microsoft User Manager For Domains" from the Windows 2000 Resource Kit.

Web Based Administration
------------------------

We are currently in the process of developing the web based administration package. However, some of the basic administration tools (Add/Remove/Modify Users) have been included with this release. To access the tools, point your web browser to { https://<your_IP_address>:8443 } and log in with the user name "admin" and the password that you entered during setup.

SSL/TLS INFORMATION
-------------------

In this release we have implemented SSL/TLS via self-signed SSL certificates. This is true for both the LIGHTTPD (WWW) server and the OpenLDAP server. The OpenLDAP server no longer listens on an external non-SSL port (it does still listen on the non-SSL port for the local host). This means that if you wish to connect to the OpenLDAP server (for example using Apache Directory Studio or the like), you must connect to:

  ldaps://<your_ip>:636

The LIGHTTPD (WWW) server listens on both 80 (non-SSL) and 8443 (SSL), but you are not taken to the same site for both. The (non-SSL) server root points to the Samba3-ByExample documents on your server, whereas the (SSL) server takes you to the (yet to be developed) server administration documents. Both of these sites remain password protected with the username "admin" and the password you entered during setup.

You have the option of using your own information in the certificates that we generate during the installation. Without this configuration file, the defaults (shown below) will be used. To use your own information during certificate generation, you need to create a configuration file in your "/root/" directory called "SSLCertPrefs.cfg". This file must contain all of the options that are shown below:

  sslCountry="US"
  sslState="Missouri"
  sslCity="Saint Louis"
  sslCompany="Automated Samba + LDAP Install"
  sslDeptartment="IT"
  sslMyEmail="Adam@AGSweeney.com"

Prerequisites
-------------

A fresh installation of FreeBSD 7.1 (Minimal Installation) with a properly configured network and a working internet connection. If you wish to add anything to the system on top of the prepackaged "Minimal Installation", please do so ONLY after the script has been run.

Disk Layout
-----------

You must have a "/home" directory that will be used for the storage of user data. This should be the largest partition on your disk. A typical disk layout in our lab for a machine with a single 250GB hard disk would look similar to the following:

  /       2048MB
  /home    227GB
  swap     499MB
  /var     307MB
  /tmp     204MB
  /usr    2966MB

Network Settings
----------------

When you install FreeBSD 7.1 on your machine, you must assign a Fully Qualified Domain Name using a three part naming scheme such as "myserver.stl.local" (host.domain.root), and it MUST be in lowercase. It is important that it be lowercase because the script mangles the name into uppercase for certain things.

How To Run This Script
----------------------

Insert the CD-ROM into your CD drive and mount it.

  Example: # mount /cdrom

Change directories to the CD-ROM mount point.

  Example: # cd /cdrom

Launch the launcher script. (This script will choose the right distribution (i386/AMD64) to install.)

  Example: # sh setup.sh

Script Run Time
---------------

On a reasonably fast machine, this process should only take about two minutes to complete. On our test machines it takes an average of 1.5 minutes to run.

Installation
------------

During installation, you will be presented with two dialogs where you must choose OK to continue; once at the start of the script and once at the end of the script. You will also be prompted for a new password (to be used by your SMB, LDAP and Web servers) during installation; it is used to populate a variable that we use throughout the script.

Please Note: Although not required, you need to be aware of the fact that using a password other than your root password will cause your actual root password on the server and the root password stored in the Samba/LDAP database to be out of sync with each other. While harmless, this can be confusing in some situations.

UNIX GROUP MAPPINGS
-------------------

Versions of Samba-3 prior to 3.0.23 automatically create default group mappings for the Domain Admins, Domain Users and Domain Guests Windows groups, but do not map them to UNIX GIDs. This was a cause of administrative confusion and trouble. Commencing with Samba-3.0.23 this anomaly has been fixed, thus all Windows groups must now be manually and explicitly created and mapped to a valid UNIX GID by the Samba administrator.

Note: We have already mapped the UNIX groups during installation.

Here is the list of Group Mappings that we have already created:
----------------------------------------------------------------
  pw add group -g 512 -n DomainAdmins
  pw add group -g 513 -n DomainUsers
  pw add group -g 514 -n DomainGuests
  pw add group -g 515 -n DomainComputers
  pw add group -g 544 -n Administrators
  pw add group -g 545 -n Users
  pw add group -g 546 -n Guests
  pw add group -g 547 -n PowerUsers
  pw add group -g 548 -n AccountOperators
  pw add group -g 549 -n SystemOperators
  pw add group -g 550 -n PrintOperators
  pw add group -g 551 -n BackupOperators
  pw add group -g 552 -n Replicators
----------------------------------------------------------------

Adding Users From The Command Line
----------------------------------

  asldap-useradd -a -m -p '<password>' -G '<First Name>' -S '<Last Name>' <username>

If you will be adding a lot of users or prefer a simple TUI interface for adding users, you may prefer our "asldap-adduser-tui" utility.

Command Line Tools Included With This Release
---------------------------------------------

(These are all located in /usr/local/sbin/)

asldap-adduser-tui
------------------

This dialog based shell script automates the creation of SMB/LDAP users on your system. With this tool, you will be prompted for (4) items of information:

  1) The new user's [FIRST NAME]
  2) The new user's [LAST NAME]
  3) The new [USERNAME] (Note: This cannot contain spaces.)
  4) The new [PASSWORD] for the new user.

asldap-passwd
-------------

This is a modified version of the IDEALX smbldap-passwd utility that accepts both username and password from the command line. This has been provided for future use by our web based administration package and is currently used by our "asldap-adduser-tui" utility.

Command Line Usage:

  asldap-passwd <username> <password>

asldap-useradd
--------------

This is a modified version of the IDEALX smbldap-useradd utility that accepts a password (in addition to all of the original options) when passed the "-p" option.

Command Line Usage:

  asldap-useradd -a -m -p '<password>' <username>

asldap-backup-ftp
-----------------

This utility will export the contents of your LDAP database into an LDIF file for use with the "asldap-restore" utility that is also included with this installation. You must edit the configuration file "/etc/asldap-backup-ftp.cfg" and set your FTP server and user information at a minimum.

The option to make a "Portable LDIF" (default) strips the part of the SIDs that is unique to your server out of the LDIF file that is created. Our "asldap-restore" utility replaces that unique part of the SID with the unique SID from the server that the file is being restored to.

There are no command line options for this utility. All options are set via the configuration file.

asldap-restore
--------------

This utility is for restoring from our "GENERIC" "PORTABLE" LDIF backup created with the "asldap-backup-ftp" utility that we have provided. It is not intended to be used on "non-PORTABLE" LDIF backups at this time. This utility will import your users, assign new SIDs (based on the SID of the server the LDIF is being restored to), create the user home directories if they do not already exist, and set the proper permissions on the home directories.

Command Line Usage:

  asldap-restore <filename>

chwebpass
---------

This simple utility is for changing the "serveradmin" password for your webserver.

update-usermap
--------------

This utility is called by the administration website to update the usermap file when you add or remove users from the system. This allows the user to log in with either their "long" (LDAP "Display Name") or short (LDAP "User Name") name.
This is a desirable behavior in most of my installations (my users can generally remember their "own" name, but sometimes forget their usernames). For users where the "Display Name" and the "Username" are the same, no updates to the usermap file are made. If you do not wish to have this behavior, you can edit the /usr/local/sbin/update-usermap file and comment out everything but the first line, or edit the /usr/local/www_admin/usermanagement.php file and remove both references to the file.
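As an added illustration of the "Portable LDIF" idea behind the asldap-backup-ftp and asldap-restore utilities described above (example code written for this page, not the project's own scripts): the server-specific domain part of every samba*SID attribute is replaced by a placeholder on backup and filled in with the target server's domain SID on restore. The sample LDIF, the @DOMAINSID@ placeholder and the SID values are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's asldap-backup-ftp / asldap-restore code.
# A Samba SID is S-1-5-21-<a>-<b>-<c>-<RID>: the S-1-5-21-<a>-<b>-<c> part is
# the domain SID unique to one server, the trailing RID (512, 513, 1000...)
# is not. Replacing the domain part with a placeholder on backup and putting
# the target server's domain SID back on restore makes one LDIF portable.

# Constructed sample LDIF with a made-up source-server domain SID.
SAMPLE_LDIF='dn: uid=alice,ou=Users,dc=example,dc=local
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=DomainAdmins,ou=Groups,dc=example,dc=local
cn: DomainAdmins
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512'

# make_portable: reads LDIF on stdin; on every samba*SID attribute the domain
# part is replaced with the @DOMAINSID@ placeholder and only the RID is kept.
make_portable() {
    sed -E 's/^(samba[A-Za-z]*SID: )S-1-5-21-[0-9]+-[0-9]+-[0-9]+-([0-9]+)$/\1@DOMAINSID@-\2/'
}

# restore_sids: reads a portable LDIF on stdin and fills in the target
# server's domain SID ($1). On a real Samba host that value comes from
# "net getlocalsid". Refuses anything that does not look like a domain SID.
restore_sids() {
    target="$1"
    case "$target" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*) ;;
        *) echo "restore_sids: not a domain SID: $target" >&2; return 1 ;;
    esac
    sed "s/@DOMAINSID@/$target/"
}

# Wrappers over the sample data so each step can be checked on its own.
portable_ldif() { printf '%s\n' "$SAMPLE_LDIF" | make_portable; }
restored_ldif() { portable_ldif | restore_sids "$1"; }

# Demo: back up, then restore onto a server with a different domain SID.
restored_ldif S-1-5-21-4444444444-5555555555-6666666666
```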
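A second added example (not the project's update-usermap script) shows the mapping rule the update-usermap section describes: from an LDIF of user entries it emits one Samba "username map" line per user, mapping the long "Display Name" to the short uid, and skips users whose two names are identical. The LDIF entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's update-usermap code. Builds Samba
# "username map" lines ("unixname = \"Windows name\"") from LDAP user entries
# so a user can log in with their Display Name as well as their uid.

# Constructed sample LDIF: three users, one of which (bob) has identical names.
USERS_LDIF='dn: uid=alice,ou=Users,dc=example,dc=local
uid: alice
displayName: Alice Smith

dn: uid=bob,ou=Users,dc=example,dc=local
uid: bob
displayName: bob

dn: uid=carol,ou=Users,dc=example,dc=local
uid: carol
displayName: Carol Jones'

# build_usermap: reads LDIF on stdin; entries are separated by blank lines.
# Emits "uid = \"Display Name\"" only when the two names differ.
build_usermap() {
    awk '
        /^uid: /         { uid = substr($0, 6) }
        /^displayName: / { dn  = substr($0, 14) }
        /^$/             { flush() }
        END              { flush() }
        function flush() {
            if (uid != "" && dn != "" && uid != dn)
                printf "%s = \"%s\"\n", uid, dn
            uid = ""; dn = ""
        }'
}

# Wrapper over the sample data so the result can be checked directly.
sample_usermap() { printf '%s\n' "$USERS_LDIF" | build_usermap; }

sample_usermap
```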