Samba: working with ldap

Posted by valqk on Monday, August 13. 2018

Install samba and nss-ldap:

apt install samba libnss-ldap nscd

Configure the libnss so users/groups from ldap can be visible in unix.
During installations you will be asked question on the libnss-ldap setup.
I use ldap+tls. Here's my final /etc/libnss-ldap.conf (I have removed all commented options):
You also need to setup secret file as described in the admin line.

# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to provide an
uri ldap://ldap1.example.com/
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
rootbinddn cn=admin,dc=example,dc=com

# Search timelimit in seconds (0 for indefinite; default 0)
timelimit 10
# Bind/connect timelimit (0 for indefinite; default 30)
bind_timelimit 30

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /etc/ssl/certs/ldap1.ca.crt
tls_cacertdir /etc/ssl/certs

Then you setup your /etc/nsswitch.conf

passwd: files ldap
group: files ldap

Add users/groups in ldap and test if you see them:

#> getent passwd

#> getent group

After that you can start the caching daemon nscd so ldap don't get overloaded by queries.

#>systemctl start nscd

After that you can setup your samba to work with ldap:

# LDAP Settings
passdb backend = ldapsam:ldap://ldap1.example.com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
# or off if TLS/SSL is not configured
ldap ssl = start tls
ldap passwd sync = yes

I've used LDAP Account Manager to manage my ldap.

Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Name

Homepage

In reply to

Comment

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

Standard emoticons like :-) and ;-) are converted to images.

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To leave a comment you must approve it via e-mail, which will be sent to your address after submission.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enter the string from the spam-prevention image above:

Remember Information?