Directory Layers in the ClearOS Directory Architecture
Have you ever wondered what is going on when "initializing directory" is shown in the web-based interface? It turns out there's a lot going on! This document provides a more in-depth view of the directory architecture in ClearOS.
There are 4 distinct layers in the ClearOS directory architecture and all are discussed in detail below.
| Layer | Drivers |
|---|---|
| System Mode (Master/Slave) | Simple Mode, Central Management |
| LDAP Server | OpenLDAP |
| Accounts (Users and Groups) | OpenLDAP Directory Server, Samba Directory (Samba 4) |
| Windows LDAP Layer | Windows Networking (Samba) |
If you have a fresh install of ClearOS Professional Edition running in a VM, you can follow along with this document.
System Mode - Master/Slave
Before the directory architecture is initialized, there's an important configuration option that needs to be selected - the mode:
- master
- slave
- standalone
As you can imagine, a directory will be configured slightly differently depending on the mode. On a ClearOS Professional Edition, this option is selected by the user in the first boot install wizard. On a ClearOS Community Edition, this option is automatically set to standalone mode (the only available option in that edition).
| File | Description |
|---|---|
| /var/clearos/mode/mode.conf | A simple state file with master/slave information |
LDAP Server
The foundation of the ClearOS directory architecture is provided by the LDAP layer. There are no users or groups yet; this layer just provides a way to initialize and configure an LDAP server. Here's a sample of the API to give you an idea:
- get_base_dn()
- get_bind_dn()
- import()
- initialize_master()
- initialize_slave()
- initialize_standalone()
On a ClearOS Professional Edition, the basic LDAP system is initialized when the mode (master/slave/standalone) is chosen. On a ClearOS Community Edition, the LDAP system is automatically initialized in standalone mode.
If you have a ClearOS Professional Edition, you can see what's in OpenLDAP at this point by running:

```shell
slapcat -n3
```
You will see the basic structure of LDAP, but not much else. In fact, some of the defaults that you see (e.g. the “Users” container and some default user accounts) should not exist at this point! This will be cleaned up one day, but just be aware that those accounts are not active at this point.
Files
| File | Description |
|---|---|
| /var/clearos/ldap/initialized | A flag indicating the basic LDAP server was initialized |
| /var/clearos/openldap/config.php | The configuration (e.g. bind DN) for the LDAP server |
Accounts - Users and Groups
The next layer in the directory architecture is the accounts system. This is the point where users and groups are initialized.
Files
| File | Description |
|---|---|
| /var/clearos/accounts/initialized | A flag indicating the accounts system was initialized |
| /var/clearos/accounts/config | Basic configuration information about the accounts system |
Windows LDAP Layer
The final layer in the directory architecture is all about Windows. As you can imagine, there are a bunch of LDAP attributes attached to users and groups that are required for interoperating in a Windows environment. Samba to the rescue! This is a delicate part of the directory initialization process – a lot of things need to get done for Samba. To give you an idea, here's a sample of the /var/log/system log file:
```
Apr 24 12:39:37 system samba: initializing master/standalone LDAP
Apr 24 12:39:37 system samba: archiving old state files
Apr 24 12:39:37 system samba: configuring smb.conf
Apr 24 12:39:43 system samba: initializing SIDs
Apr 24 12:39:45 system samba: adding sambaDomainName LDAP attribute
Apr 24 12:39:46 system samba: adding Idmap LDAP attribute
Apr 24 12:39:46 system samba: updating built-in user: cn=Windows Administrator,ou=Users,...
Apr 24 12:39:46 system samba: updating built-in user: cn=Guest Account,ou=Users,...
Apr 24 12:39:46 system samba: adding built-in group domain_admins
Apr 24 12:40:04 system samba: updating members for domain_admins
Apr 24 12:40:05 system samba: adding built-in group domain_users
Apr 24 12:40:06 system samba: adding built-in group domain_guests
Apr 24 12:40:07 system samba: updating members for domain_guests
Apr 24 12:40:08 system samba: adding built-in group domain_computers
Apr 24 12:40:09 system samba: adding built-in group administrators
Apr 24 12:40:10 system samba: adding built-in group users
Apr 24 12:40:11 system samba: updating built-in group guests
Apr 24 12:40:12 system samba: adding built-in group power_users
Apr 24 12:40:13 system samba: adding built-in group account_operators
Apr 24 12:40:14 system samba: adding built-in group server_operators
Apr 24 12:40:16 system samba: adding built-in group print_operators
Apr 24 12:40:17 system samba: adding built-in group backup_operators
Apr 24 12:40:18 system samba: populating domain_users group
Apr 24 12:40:19 system samba: adding samba mappings to group allusers
Apr 24 12:40:20 system samba: storing LDAP credentials
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/netlogon
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/profiles
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/IA64
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/W32ALPHA
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/W32MIPS
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/W32PPC
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/W32X86
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/WIN40
Apr 24 12:40:27 system samba: adding samba directory: /var/samba/drivers/x64
Apr 24 12:40:27 system samba: updating secrets
Apr 24 12:40:27 system samba: starting winbind
Apr 24 12:40:28 system samba: finished directory initialization... whew
```
Files
| File | Description |
|---|---|
| /var/clearos/samba/initialized_openldap | A flag indicating Samba has been initialized in LDAP |
| /var/clearos/samba/initialized | A flag indicating the non-LDAP components of Samba have been initialized |
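The state files listed for the four layers above make it easy to tell how far an initialization got, and to spot a run that was interrupted part-way (a later flag present while an earlier one is missing). The following checker is an added example, not ClearOS code; the optional root-prefix argument is an assumption added so it can be exercised against a scratch directory instead of the live system.

```shell
#!/bin/sh
# Reports which ClearOS directory layer has completed initialization, using
# the state files described in this document. The ROOT prefix (default "/")
# is an assumption for testing on a non-ClearOS host; on a real system omit it.

clearos_dir_layer() {
    root="${1:-/}"
    root="${root%/}"
    # Layer 1: system mode (master/slave/standalone)
    [ -f "$root/var/clearos/mode/mode.conf" ] || { echo "none"; return 0; }
    # Layer 2: basic OpenLDAP server
    [ -f "$root/var/clearos/ldap/initialized" ] || { echo "mode"; return 0; }
    # Layer 3: accounts (users and groups)
    [ -f "$root/var/clearos/accounts/initialized" ] || { echo "ldap"; return 0; }
    # Layer 4: Samba attributes in LDAP, then the non-LDAP Samba components
    [ -f "$root/var/clearos/samba/initialized_openldap" ] || { echo "accounts"; return 0; }
    [ -f "$root/var/clearos/samba/initialized" ] || { echo "samba-ldap"; return 0; }
    echo "complete"
}

# Returns 1 if a later layer's flag exists while an earlier one is missing,
# which points at an interrupted or hand-edited initialization worth inspecting.
clearos_dir_consistent() {
    root="${1:-/}"
    root="${root%/}"
    gap=0
    for f in var/clearos/mode/mode.conf \
             var/clearos/ldap/initialized \
             var/clearos/accounts/initialized \
             var/clearos/samba/initialized_openldap \
             var/clearos/samba/initialized; do
        if [ -f "$root/$f" ]; then
            [ "$gap" -eq 0 ] || return 1
        else
            gap=1
        fi
    done
    return 0
}

# Usage on a live ClearOS system:
#   clearos_dir_layer          # prints the highest fully initialized layer
#   clearos_dir_consistent || echo "state files are out of order"
```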