Samba: working with ldap
Posted by valqk on
Install samba and nss-ldap:
apt install samba libnss-ldap nscd
Configure libnss so that users and groups from LDAP are visible to Unix.
During installation you will be asked questions about the libnss-ldap setup.
I use LDAP with TLS. Here's my final /etc/libnss-ldap.conf (I have removed all commented-out options):
You also need to set up the secret file as described in the comment above the rootbinddn line.
# The distinguished name of the search base.
base dc=example,dc=com
# URI of the LDAP server (plain ldap://, TLS is negotiated with start_tls below)
uri ldap://ldap1.example.com/
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
rootbinddn cn=admin,dc=example,dc=com
# Search timelimit in seconds (0 for indefinite; default 0)
timelimit 10
# Bind/connect timelimit (0 for indefinite; default 30)
bind_timelimit 30
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
tls_cacertfile /etc/ssl/certs/ldap1.ca.crt
tls_cacertdir /etc/ssl/certs
Then set up your /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
Add users and groups in LDAP and test whether you can see them:
#> getent passwd
#> getent group
After that you can start the caching daemon nscd so the LDAP server doesn't get overloaded by queries:
#> systemctl start nscd
After that you can set up Samba to work with LDAP. These settings go in the [global] section of smb.conf:
# LDAP Settings
passdb backend = ldapsam:ldap://ldap1.example.com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
# use "off" only if TLS is not configured on the LDAP server
ldap ssl = start tls
ldap passwd sync = yes
I've used LDAP Account Manager to manage my LDAP directory.
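As an added example (not part of the original post), here is a small POSIX shell lint for the two configuration files above. It checks the settings that matter most here: TLS with peer verification in libnss-ldap.conf, no bind password in that world-readable file, a mode 600 secret file, and an smb.conf that uses ldapsam over start tls against the same suffix. It assumes GNU stat and takes the file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: lint libnss-ldap.conf and
# smb.conf for the settings discussed above. Assumes GNU stat (Linux).

# First value of "key value" in a libnss-ldap.conf-style file.
conf_val() {  # conf_val FILE KEY
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Value of "key = value" in smb.conf; keys are case-insensitive and may
# contain spaces, so compare lowercased, whitespace-squeezed keys.
smb_val() {  # smb_val FILE KEY
    awk -v k="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        { key = tolower(substr($0, 1, index($0, "=") - 1))
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# 0 when libnss-ldap.conf enforces TLS with peer verification and keeps
# the bind password out of the (normally world-readable) config file.
lint_nss_ldap() {  # lint_nss_ldap CONF SECRETFILE
    conf=$1; secret=$2; rc=0
    [ "$(conf_val "$conf" ssl)" = start_tls ] || { echo "ssl must be start_tls"; rc=1; }
    [ "$(conf_val "$conf" tls_checkpeer)" = yes ] || { echo "tls_checkpeer must be yes"; rc=1; }
    [ -n "$(conf_val "$conf" tls_cacertfile)$(conf_val "$conf" tls_cacertdir)" ] \
        || { echo "no CA configured for peer verification"; rc=1; }
    [ -z "$(conf_val "$conf" bindpw)" ] || { echo "bindpw in config leaks the password"; rc=1; }
    if [ -n "$(conf_val "$conf" rootbinddn)" ]; then
        [ "$(stat -c %a "$secret" 2>/dev/null)" = 600 ] || { echo "$secret must be mode 600"; rc=1; }
    fi
    return $rc
}

# 0 when smb.conf uses ldapsam over start tls against the same base DN.
lint_smb() {  # lint_smb SMBCONF NSSCONF
    rc=0
    case "$(smb_val "$1" "passdb backend")" in
        ldapsam:*) ;; *) echo "passdb backend is not ldapsam"; rc=1 ;;
    esac
    case "$(smb_val "$1" "ldap ssl")" in
        "start tls"|start_tls) ;; *) echo "ldap ssl must be start tls"; rc=1 ;;
    esac
    [ "$(smb_val "$1" "ldap suffix")" = "$(conf_val "$2" base)" ] \
        || { echo "ldap suffix differs from nss base"; rc=1; }
    return $rc
}
# Usage: lint_nss_ldap /etc/libnss-ldap.conf /etc/libnss-ldap.secret \
#        && lint_smb /etc/samba/smb.conf /etc/libnss-ldap.conf
```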