LDAP and Samba Server Configuration

This tutorial shows how to set up an LDAP server so you can work with LDAP and Samba accounts. I assume you have an up-to-date Debian-based system running.

Before starting:

  • Back up your configuration files first!!!
  • There are people using db4.8 instead of db4.2; try it at your own risk.
  • I don’t work with ldap-utils, but you may want to; that’s why I put it last in the list of software to be installed.
  • You can work with phpldapadmin or lam (LDAP Account Manager). I’d rather work with LAM, but I’m giving you another good choice.
  • This tutorial targets Debian 5.0 (Lenny). On Debian 6 (Squeeze), which I like very much, there are several differences.

Step 1: Install the needed packages (you’ll need root privileges):

  • aptitude install nss-updatedb libpam-ldap libnss-ldap lam phpldapadmin db4.2-util libdb4.2 libdb4.2-dev samba samba-doc ldap-utils smbldap-tools

Step 2: Answer the questions to get your server properly configured

  • LDAP Server (IP address or server address): ldap://ldap.mydomain.com/
  • LDAP Domain Name (search base): dc=mydomain,dc=com
  • LDAP Version: 3
  • Does your database require a login? Yes or No (it’s up to you. I would tell you to answer no 🙂 )
  • Do you want root to be the database admin? no
  • For any problems or changes, reconfigure LDAP authentication with: dpkg-reconfigure ldap-auth-config

Step 3: Now let’s go to work! LDAP comes first!

  • Open /etc/ldap/slapd.conf and check your configuration file; it should look like this:
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# I like to log at this level
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_hdb
sizelimit       500
tool-threads    1
backend         hdb
database        hdb
suffix          "dc=mydomain,dc=com"
rootdn          "cn=admin,dc=mydomain,dc=com"
# Generate this hash with: slappasswd -h {SSHA} -s mypassword
rootpw          {SSHA}9BDgFTNasdC+43tgw+(mdfçlsdko
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index sambaSID eq
index sambaPrimaryGroupSID eq
index objectClass,uid,uidnumber,gidnumber eq
index cn,mail,surname,givenname eq,sub
lastmod         on
checkpoint      512 30
# Password attributes: admin and the user themselves may write them,
# anonymous clients may only use them to bind (auth), nobody else sees them
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=mydomain,dc=com" write
    by anonymous auth
    by self write
    by * none

# The root DSE stays readable so clients can discover the naming contexts
access to dn.base="" by * read

# Everything else: admin writes, everyone (including anonymous) reads
access to *
    by dn="cn=admin,dc=mydomain,dc=com" write
    by * read
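The access clauses above are evaluated first-match: the first `access to` whose target matches the entry and attribute is the only one consulted, and within it the first matching `by` decides the level. The following is an added example, not part of the original tutorial, that models exactly those rules for the ACL as written (the user DNs uid=alice and uid=bob are constructed for the demonstration):

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd order

# Constructed copy of the three 'access to' clauses from the slapd.conf above.
SLAPD_ACL = """access to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=mydomain,dc=com" write
  by anonymous auth
  by self write
  by * none
access to dn.base="" by * read
access to *
  by dn="cn=admin,dc=mydomain,dc=com" write
  by * read
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order (order matters)."""
    rules = []
    for clause in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        what, *rest = clause.split()  # rest is a flat run of 'by <who> <level>' triples
        rules.append((what, [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]))
    return rules

def what_matches(what, target_dn, attr):
    if what.startswith("attrs="):  # attribute-scoped clause, applies to any entry
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):  # exactly this one entry (here: the root DSE "")
        return target_dn == what[8:].strip('"')
    return what == "*"

def who_matches(who, requester_dn, target_dn):
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who.startswith("dn="):
        return requester_dn == who[3:].strip('"')
    return who == "*"

def granted(rules, requester_dn, target_dn, attr, needed):
    """slapd semantics: first matching 'access to' wins, then its first matching 'by'."""
    for what, bys in rules:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, requester_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False  # no 'by' matched: implicit 'by * none'
    return False  # no clause matched at all
```

Running it against the Samba attributes that samba.schema adds (sambaNTPassword, sambaLMPassword) shows they are not named in the attrs= line, so they fall through to the catch-all `access to *` and become readable by every client; add them to that attrs= list before loading Samba accounts.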
  • Oops!!! Don’t forget to put samba.schema in its proper directory:
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
gunzip /etc/ldap/schema/samba.schema.gz
  • Now take a look at /etc/ldap/ldap.conf:
# Host IP or DNS record, e.g. ldap.mydomain.com
BASE    dc=mydomain,dc=com
#URI    ldap://ldap.mydomain.com/
# pam_ldap/nss_ldap read the password for ROOTBINDDN from /etc/ldap.secret (mode 0600)
ROOTBINDDN cn=admin,dc=mydomain,dc=com
BINDDN cn=admin,dc=mydomain,dc=com
# BINDPW is the clear-text bind password, not the {SSHA} hash used for rootpw in slapd.conf
BINDPW mypassword
SIZELIMIT    10000
#DEREF        never
  • Go to /etc/pam.d/ and edit every file mentioned here:
    • common-account:
account required pam_unix.so
account sufficient pam_ldap.so
    • common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure
    • common-password:
# pam_ldap first so LDAP users change the password stored in the directory;
# pam_unix reuses the same new password (use_authtok) for local accounts
password sufficient pam_ldap.so
password required pam_unix.so nullok use_authtok md5 shadow
    • common-session:
session    required    pam_unix.so
session optional pam_mkhomedir.so umask=0077
  • Type invoke-rc.d slapd restart


3 Responses to LDAP and Samba Server Configuration

  1. Pingback: Getting LDAP to work with Queuemetrics

  2. Kadu says:

    Very good tutorial, complete, covering all the points.
