HOWTO LDAP SAMBA PDC Complete Config Listings

From Gentoo Linux Wiki

Jump to: navigation, search
This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc

Previous page Top Next Page

Contents


[edit] Complete Files

[edit] slapd.conf

File: /etc/openldap/slapd.conf 
#data schemas
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# you may use one of "md5" "smd5" "sha" "ssha" "crypt" or "cleartext" as password hash
# or put something like {SASL}myuser@mydomain.com in the userPassword attribute
# to use another authentication backend through sasl.

# Use crypt to hash the passwords
password-hash {crypt}

# Define SSL and TLS properties (optional)
# These are located where ever we ended up copying our certs to
TLSCertificateFile /certs/openldap/ser-crt.pem
TLSCertificateKeyFile /certs/openldap/ser-key.pem
TLSCACertificateFile /certs/openldap/CA-cert.pem

# you should set the loglevel to 256 initially, this will give you
# some good hints when debugging problems. Read man slapd.conf what the loglevel
# directive will give you
#loglevel 256

# slapd gentoo init script does'nt make pid correctly
# so we define it here too

pidfile /var/run/openldap/slapd.pid

#Access control List information

# users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by anonymous auth
        by self write
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by * read

# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by self write
        by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by self read
        by * none

# samba need to be able to create the samba domain account
access to dn.base="dc=mydomain,dc=org"
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by * none

# samba need to be able to create new users account
access to dn="ou=Users,dc=mydomain,dc=org"
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by * none

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=mydomain,dc=org"
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by * none

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=mydomain,dc=org"
        by dn="cn=samba,ou=DSA,dc=mydomain,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=mydomain,dc=org" write
        by dn="uid=root,ou=People,dc=mydomain,dc=org" write
        by * none

# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
        by self read
        by * none


# for databases you can either use "bdb" or "ldbm". bdb is generally favoured by
# the openldap project as it is faster and more stable, it is somewhat difficult
# to setup when your server is under high load. Hint: create a DB_CONFIG file in
# your data directory (/var/lib/openldap-data/) and read the berkeley db documentation
# at sleepycat.com

database        ldbm
directory       /var/lib/openldap-data/
suffix          "dc=mydomain,dc=org"
rootdn          "cn=root,dc=mydomain,dc=org"
rootpw          secret
#index           objectClass     eq
index           objectClass,uid,uidNumber,gidNumber,memberUid    eq
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
index           cn,sn,uid,displayName    pres,sub,eq
index           memberUid,mail,givenname    eq,subinitial

[edit] system-auth

File: /etc/pam.d/system-auth 
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok nodelay
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_deny.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so

[edit] nsswitch.conf

File: /etc/nsswitch.conf 
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       ldap                    Use LDAP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       winbind                 Use SAMBA winbind
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases

# the following lines obviate the "+" entry in /etc/passwd, /etc/group and
# /etc/shadow.
passwd:      files ldap
group:       files ldap
shadow:      files ldap

# consult files/dns first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:      files dns ldap

# Example - obey only what NIS+ tells us...
#  NIS+ is authoritative for the following maps.
#services:    nisplus [NOTFOUND=return] files
#networks:    nisplus [NOTFOUND=return] files
#protocols:   nisplus [NOTFOUND=return] files
#rpc:         nisplus [NOTFOUND=return] files
#ethers:      nisplus [NOTFOUND=return] files
#netmasks:    nisplus [NOTFOUND=return] files
#publickey:   nisplus
#bootparams:  nisplus [NOTFOUND=return] files

# Example - obey only what LDAP tells us...
#  LDAP is authoritative for the following maps.
#services:    ldap [NOTFOUND=return] files
#networks:    ldap [NOTFOUND=return] files
#protocols:   ldap [NOTFOUND=return] files
#rpc:         ldap [NOTFOUND=return] files
#ethers:      ldap [NOTFOUND=return] files

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
sendmailvars:   files

# Note: there is no support for netgroups on Solaris (yet)
netgroup:    ldap [NOTFOUND=return] files

Previous page Top Next Page

Retrieved from "http://www.gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Complete_Config_Listings"
Personal tools