LDAP and Samba Server Configuration
This tutorial shows how to set up an LDAP server so you can work with LDAP and Samba accounts. I assume you have an up-to-date Debian-based system running.
Before starting:
- Back up your configuration files first!!!
- Some people use db4.8 instead of 4.2; try it at your own risk.
- I don’t work with ldap-utils, but you may want to, which is why I list it last among the packages to install.
- You can work with phpldapadmin or lam (LDAP Account Manager). I’d rather work with LAM, but I’m giving you another good choice.
- This tutorial targets Debian 5.0 (Lenny). On Debian 6 (Squeeze), which I like very much, there are several differences.
Step 1: Install the needed packages (you’ll need root privileges):
- aptitude install nss-updatedb libpam-ldap libnss-ldap lam phpldapadmin db4.2-util libdb4.2 libdb4.2-dev samba samba-doc ldap-utils smbldap-tools
Step 2: Answer the questions to get your server properly configured
- LDAP Server (IP address or server URI): ldap://ldap.mydomain.com/
- LDAP Domain Name (search base DN): dc=mydomain,dc=com
- LDAP Version: 3
- Does your database require login? Yes or no (it’s up to you; I would answer no)
- Do you want root to be the database admin? no
- For any problems or changes, reconfigure your ldap: dpkg-reconfigure ldap-auth-config
Step 3: Now let’s go to work! LDAP comes first!
- Open /etc/ldap/slapd.conf and check that it looks like this:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
#I like to log in this level
loglevel 256
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=mydomain,dc=com"
rootdn "cn=admin,dc=mydomain,dc=com"
# Generate this value with: slappasswd -s mypassword -h {SSHA}
rootpw {SSHA}9BDgFTNasdC+43tgw+(mdfçlsdko
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index sambaSID eq
index sambaPrimaryGroupSID eq
index objectClass,uid,uidnumber,gidnumber eq
index cn,mail,surname,givenname eq,sub
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=mydomain,dc=com" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=mydomain,dc=com" write
by * read
- Oops!!! Don’t forget to put samba.schema in its proper directory:
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
gunzip /etc/ldap/schema/samba.schema.gz
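To see what the three `access to` clauses in the slapd.conf above actually grant, here is an added evaluator (my code, not part of the tutorial or of OpenLDAP) that replays them for a few requesters. It models only the semantics those clauses need: the first `access to` whose target matches wins, inside it the first matching `by` wins, and a request succeeds when the granted level is at least the one requested. The user DNs `uid=alice,...` and `uid=bob,...` are constructed for the example.

```python
# Added example (not part of the tutorial): a minimal evaluator for the
# three "access to" clauses in the slapd.conf above.  It models only what
# those clauses need of OpenLDAP's ACL semantics: the first "access to"
# whose target matches wins, inside it the first matching "by" wins, and
# a request succeeds when the granted level is at least the requested one.

# slapd's privilege ladder; a higher level implies all the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ADMIN_DN = "cn=admin,dc=mydomain,dc=com"

# The tutorial's ACL as data: (target, [(who, level), ...]).
ACL = [
    (("attrs", {"userPassword", "shadowLastChange"}), [
        ("dn=" + ADMIN_DN, "write"),
        ("anonymous", "auth"),
        ("self", "write"),
        ("*", "none"),
    ]),
    (("dn.base", ""), [("*", "read")]),          # the root DSE
    (("*", None), [("dn=" + ADMIN_DN, "write"), ("*", "read")]),
]


def _target_matches(target, entry_dn, attr):
    kind, value = target
    if kind == "attrs":
        return attr in value
    if kind == "dn.base":
        return entry_dn == value
    return True                                   # "access to *"


def _who_matches(who, requester_dn, entry_dn):
    """requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if who.startswith("dn="):
        return requester_dn == who[3:]            # exact DN match
    return False


def granted_level(requester_dn, entry_dn, attr):
    """Level slapd grants requester_dn on attribute attr of entry_dn."""
    for target, by_clauses in ACL:
        if not _target_matches(target, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester_dn, entry_dn):
                return level
        return "none"          # target matched but no "by" did: deny
    return "none"              # nothing matched: slapd's default is deny


def allowed(requester_dn, entry_dn, attr, wanted):
    """True if the requested privilege (e.g. "read") is covered."""
    have = LEVELS.index(granted_level(requester_dn, entry_dn, attr))
    return have >= LEVELS.index(wanted)


if __name__ == "__main__":
    # constructed sample DNs, not from the tutorial
    alice = "uid=alice,ou=people,dc=mydomain,dc=com"
    bob = "uid=bob,ou=people,dc=mydomain,dc=com"
    for who, label in [(None, "anonymous"), (alice, "alice"),
                       (bob, "bob"), (ADMIN_DN, "admin")]:
        for attr in ("userPassword", "cn", "sambaNTPassword"):
            print(f"{label:10} {attr:16} -> {granted_level(who, alice, attr)}")
```

Running it shows the intended result for userPassword (anonymous may only bind, the owner and admin may write, everyone else gets nothing). It also shows that sambaNTPassword and sambaLMPassword, which samba.schema adds, fall under `access to *` and are therefore readable by any bound user; since an NT hash is usable as a credential by itself, those attributes are normally added to the `attrs=` list of the first clause alongside userPassword.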
- Now take a look at /etc/ldap/ldap.conf:
#host: IP address or DNS name, e.g. ldap.mydomain.com
HOST 10.10.25.8
BASE dc=mydomain,dc=com
#URI ldap://10.10.25.8/ ldap://10.10.250.8:666/
SERVER 10.10.25.8
ROOTBINDDN cn=admin,dc=mydomain,dc=com
BINDDN cn=admin,dc=mydomain,dc=com
#BINDPW is the clear-text bind password, not the {SSHA} hash used for rootpw
BINDPW mypassword
SIZELIMIT 10000
#TIMELIMIT 15
#DEREF never
- Go to /etc/pam.d/ and edit every file mentioned here:
- common-account:
account required pam_unix.so
account sufficient pam_ldap.so
- common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure
- common-password:
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_unix.so try_first_pass
- common-session:
session required pam_unix.so
session optional pam_mkhomedir.so umask=0077
- Type invoke-rc.d slapd restart
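The order and control flags in those four common-* files decide which module settles a login and which modules are never consulted. As an added example (my code, not from the tutorial or from Linux-PAM), here is a small interpreter for the `required`, `requisite`, `sufficient` and `optional` flags, loaded with the four stacks exactly as listed above (module options dropped), so you can replay a few user scenarios offline:

```python
# Added example (not part of the tutorial): a small interpreter for the
# PAM control flags used in the common-* files above.  It follows the
# Linux-PAM rules for required / requisite / sufficient / optional so you
# can see which module decides the outcome for a given user, and which
# modules are never consulted.

# The four stacks as listed in the tutorial (module options dropped).
COMMON_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
COMMON_ACCOUNT = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
COMMON_PASSWORD = [("sufficient", "pam_unix.so"), ("required", "pam_unix.so")]
COMMON_SESSION = [("required", "pam_unix.so"), ("optional", "pam_mkhomedir.so")]


def run_stack(stack, results):
    """Walk one stack.

    stack   -- list of (control, module) in file order
    results -- list of bools, one per module: what that module would return
    Returns (final_success, modules_consulted)."""
    status = None                      # None: no module has fixed the result yet
    consulted = []
    for (control, module), ok in zip(stack, results):
        consulted.append(module)
        if control == "required":
            # a failure sticks, but the stack keeps running so the caller
            # cannot tell which module rejected the request
            if not ok:
                status = False
            elif status is None:
                status = True
        elif control == "requisite":
            if not ok:
                return False, consulted   # fail immediately
            if status is None:
                status = True
        elif control == "sufficient":
            # success ends the stack unless an earlier required module failed;
            # failure is simply ignored
            if ok and status is not False:
                return True, consulted
        elif control == "optional":
            if len(stack) == 1:           # only counts when it is the sole module
                status = ok
        else:
            raise ValueError("unknown control flag: " + control)
    return (status is True), consulted


if __name__ == "__main__":
    # constructed scenarios, not from the tutorial
    cases = [
        ("auth: LDAP user, good password", COMMON_AUTH, [True, True]),
        ("auth: local user only", COMMON_AUTH, [False, True]),
        ("auth: bad password everywhere", COMMON_AUTH, [False, False]),
        ("account: unix check fails, ldap ok", COMMON_ACCOUNT, [False, True]),
        ("session: mkhomedir fails", COMMON_SESSION, [True, False]),
        ("password: pam_unix accepts", COMMON_PASSWORD, [True, True]),
    ]
    for label, stack, results in cases:
        ok, seen = run_stack(stack, results)
        print(f"{label:38} -> {'success' if ok else 'failure'} via {seen}")
```

Three things the replay makes visible: in common-auth an LDAP user who binds successfully never reaches pam_unix, while a failed LDAP bind falls through to /etc/shadow; in common-account a failing `required pam_unix.so` is final even though `sufficient pam_ldap.so` runs afterwards and succeeds; and in common-password as written only pam_unix appears, so a password change is attempted against the local files, not the directory.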



Very good tutorial, complete, covering all the points.
Congratulations!
Thank you, Kadu!