LDAP and Samba Server Configuration

This tutorial shows how to setup a LDAP server so you can work with LDAP and SAMBA accounts. I assume you have an up-to-date Debian based system running.

Before starting:

• Backup your configuration files first!!!
• There are people using db4.8 instead 4.2, try it at your own risk.
• I don’t work with ldap-utils, but you may want to, that’s why I put it as last software to be installed.
• You can work with phpldapadmin or lam (LDAP Account Manager). I rather work with LAM, but I’m giving you another good choice.
• This tutorial aims Debian 5.0 (Lenny). On Debian 6 (Squeeze), which I like very much, there are several differences.

Step 1: Install the needed packages (You’ll need root privileges):

• aptitude install nss-updatedb libpam-ldap libnss-ldap lam phpldapadmin db4.2-util libdb4.2 libdb4.2-dev samba samba-doc ldap-utils smbldap-tools

Step 2: Answer the questions to get your server properly configured

• LDAP Server (IP address or Server address): ldap://ldap.mydomain.com/
• LDAP Domain Name: cn=mydomain,cn=com
• LDAP Version: 3
• Does your database requires login? Yes or No (it’s up to you. I would tell you to answer no 🙂 )
• Do you want root to be the database admin? no
• For any problems or changes, reconfigure your ldap: dpkg-reconfigure ldap-auth-config

Step 3: Now let’s go to work! LDAP comes first!

• Open your /etc/ldap/slapd.conf. Check your configuration file, it’s to be like that:

# Schema and <a class="zem_slink" title="LDAP" href="http://en.wikipedia.org/wiki/LDAP" rel="wikipedia">objectClass</a> definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include        /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
#I like to log in this level
loglevel        256
modulepath    /usr/lib/ldap
moduleload    back_hdb
sizelimit 500
tool-threads 1
backend        hdb
database        hdb
suffix          "dc=mydomain,dc=com"
rootdn          "cn=admin,dc=mydomain,dc=com"
#This can be get by slappasswd -s mypassword-h {SSHA}
rootpw          {SSHA}9BDgFTNasdC+43tgw+(mdfçlsdko
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index sambaSID eq
index sambaPrimaryGroupSID eq
index objectClass,uid,uidnumber,gidnumber eq
index cn,mail,surname,givenname eq,sub
lastmod         on
checkpoint      512 30
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=mydomain,dc=com" write
by anonymous auth
by self write
by * none

access to dn.base="" by * read

access to *
by dn="cn=admin,dc=mydomain,dc=com" write
by * read

• Ops!!! Don’t forget to put samba.schema on its proper directory.

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
gunzip /etc/ldap/schema/samba.schema.gz

• Now take a look  into /etc/ldap/ldap.conf:

#host ip or dns record. Ex:. ldap.mydomain.com
HOST 10.10.25.8
BASE    dc=mydomain,dc=com
#URI    ldap://10.10.25.8/ ldap://10.10.250.8:666/
SERVER 10.10.25.8
ROOTBINDDN cn=admin,dc=mydomain,dc=com
BINDDN cn=admin,dc=mydomain,dc=com
BINDPW {SSHA}9TbskdjuT+PYIAzSs09f+NgkJV9Rr/
SIZELIMIT    10000
#TIMELIMIT    15
#DEREF        never

• Go to /etc/pam.d/ and edit every file mentioned here:
• common-account:

account required pam_unix.so
account sufficient pam_ldap.so

• common-auth:

auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure

• common-password:

password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_unix.so try_first_pass

• common-session:

session    required    pam_unix.so
session optional pam_mkhomedir.so umask=0077

• Type invoke-rc.d slapd restart

Pages: 1 2 3