Samba: working with ldap
Posted by valqk on
Install samba and nss-ldap:
Configure the libnss so users/groups from ldap can be visible in unix.
During installations you will be asked question on the libnss-ldap setup.
I use ldap+tls. Here's my final /etc/libnss-ldap.conf (I have removed all commented options):
You also need to setup secret file as described in the admin line.
Then you setup your /etc/nsswitch.conf
Add users/groups in ldap and test if you see them:
After that you can start the caching daemon nscd so ldap don't get overloaded by queries.
After that you can setup your samba to work with ldap:
I've used LDAP Account Manager to manage my ldap.
apt install samba libnss-ldap nscd
Configure the libnss so users/groups from ldap can be visible in unix.
During installations you will be asked question on the libnss-ldap setup.
I use ldap+tls. Here's my final /etc/libnss-ldap.conf (I have removed all commented options):
You also need to setup secret file as described in the admin line.
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://ldap1.example.com/
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
rootbinddn cn=admin,dc=example,dc=com
# Search timelimit in seconds (0 for indefinite; default 0)
timelimit 10
# Bind/connect timelimit (0 for indefinite; default 30)
bind_timelimit 30
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /etc/ssl/certs/ldap1.ca.crt
tls_cacertdir /etc/ssl/certs
Then you setup your /etc/nsswitch.conf
passwd: files ldap
group: files ldap
Add users/groups in ldap and test if you see them:
#> getent passwd
#> getent group
After that you can start the caching daemon nscd so ldap don't get overloaded by queries.
#>systemctl start nscd
After that you can setup your samba to work with ldap:
# LDAP Settings
passdb backend = ldapsam:ldap://ldap1.example.com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
# or off if TLS/SSL is not configured
ldap ssl = start tls
ldap passwd sync = yes
I've used LDAP Account Manager to manage my ldap.
Trackbacks
Trackback specific URI for this entryThis link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.
No Trackbacks
Comments
Display comments as Linear | ThreadedNo comments