apt install samba libnss-ldap nscd
Configure libnss so that users and groups from LDAP are visible to the Unix system.
During installation you will be asked questions about the libnss-ldap setup.
I use LDAP+TLS. Here's my final /etc/libnss-ldap.conf (I have removed all commented-out options):
You also need to set up the secret file as described in the comment on the bind DN below.
# The distinguished name of the search base.
# Another way to specify your LDAP server is to provide an
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
# Search timelimit in seconds (0 for indefinite; default 0)
# Bind/connect timelimit (0 for indefinite; default 30)
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
Then set up your /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
Add users and groups in LDAP and test that you can see them:
#> getent passwd
#> getent group
After that you can start the caching daemon nscd so that LDAP doesn't get overloaded with queries:
#> systemctl start nscd
After that you can set up Samba to work with LDAP (in smb.conf):
# LDAP Settings
passdb backend = ldapsam:ldap://ldap1.example.com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
# or off if TLS/SSL is not configured
ldap ssl = start tls
ldap passwd sync = yes
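The three things that go wrong most often with this setup are a secret file readable by everyone, an nsswitch.conf that no longer lists "files" first (so root cannot log in when the LDAP server is down), and a Samba bind that sends the admin DN password in the clear because "ldap ssl" was left off. The following script, an added example and not part of the original post, checks those three points. It takes the file paths as arguments so it can be run against copies; the function names and the "--system" switch are my own invention.

```shell
#!/bin/sh
# Added example: sanity checks for the nss-ldap + Samba setup described above.
# Paths are passed in as arguments so the checks can run against sample files.

# check_secret_mode FILE: 0 if FILE is non-empty and mode 0600, which is what
# the libnss-ldap.conf comments require for /etc/libnss-ldap.secret.
check_secret_mode() {
    f="$1"
    [ -s "$f" ] || return 1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# check_nsswitch FILE: 0 if both the passwd and group databases list
# "files" before "ldap", so local accounts resolve even when LDAP is down.
check_nsswitch() {
    f="$1"
    for db in passwd group; do
        line=$(grep -E "^${db}:" "$f") || return 1
        case "$line" in
            *files*ldap*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_smb_ldap FILE: 0 if smb.conf uses the ldapsam backend and protects
# the bind with "ldap ssl = start tls" or an ldaps:// URI.
check_smb_ldap() {
    f="$1"
    grep -Eq '^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:' "$f" || return 1
    if grep -Eq '^[[:space:]]*ldap ssl[[:space:]]*=[[:space:]]*start[ _]tls' "$f"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:ldaps://' "$f"
}

# Run against the live system only when asked to ("--system" is my own switch).
if [ "${1-}" = "--system" ]; then
    check_secret_mode /etc/libnss-ldap.secret && echo "secret file: OK" || echo "secret file: empty or not mode 600"
    check_nsswitch /etc/nsswitch.conf && echo "nsswitch.conf: OK" || echo "nsswitch.conf: passwd/group not 'files ldap'"
    check_smb_ldap /etc/samba/smb.conf && echo "smb.conf: OK" || echo "smb.conf: no ldapsam backend or LDAP bind not protected by TLS"
fi
```

Run it as "sh check.sh --system" after the steps above; each line reports one of the three checks, and a failing nsswitch check is the one to fix before rebooting, since it decides whether you can still log in locally without the directory.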
I've used LDAP Account Manager to manage my LDAP directory.