In conclude, our setup should meet the following requirement:<\/p>\n
\nStoring user DB in LDAP could have a lot of benefit, such as, as a replacement for NIS and propagate the user DB to other SAMBA BDC if you want to do so.<\/p>\n
You should install OpenLDAP and included proper schema, setup necessary ACL, install pam_ldap (optional) and nss_ldap (must). For details, please refer to the following posts as reference:<\/p>\n
Your OpenLDAP should already included the following schema:<\/p>\n
You should include samba schema, \/usr\/doc\/samba-3.5.10\/examples\/LDAP\/samba.schema, into your LDAP.<\/p>\n
As recently, OpenLDAP has changed the configuration backend from file into LDAP. You can’t simply put ‘include \/usr\/doc\/samba-3.5.10\/examples\/LDAP\/samba.schema’ into slapd.conf to make the schema available.<\/p>\n
Following steps help to convert the samba.schema file into LDIF and let you import into the configuration backend.<\/p>\n
\r\ninclude \/usr\/local\/openldap\/etc\/openldap\/schema\/core.schema\r\ninclude \/usr\/local\/openldap\/etc\/openldap\/schema\/cosine.schema\r\ninclude \/usr\/local\/openldap\/etc\/openldap\/schema\/inetorgperson.schema\r\ninclude \/usr\/local\/openldap\/etc\/openldap\/schema\/nis.schema\r\ninclude \/usr\/doc\/samba-3.5.10\/examples\/LDAP\/samba.schema\r\n<\/pre>\n<\/li>\n
\r\n\/usr\/local\/openldap\/sbin\/slaptest -f samba-config.conf -F .\/tmp.d\r\n<\/pre>\n<\/li>\n
\r\ndn: cn=samba,cn=schema,cn=config\r\n...\r\ncn: samba\r\n<\/pre>\nand remove the following in the LDIF file<\/p>\n
\r\nstructuralObjectClass: olcSchemaConfig\r\nentryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\r\ncreatorsName: cn=config\r\ncreateTimestamp: 20080827045234Z\r\nentryCSN: 20080827045234.341425Z#000000#000#000000\r\nmodifiersName: cn=config\r\nmodifyTimestamp: 20080827045234Z\r\n<\/pre>\n<\/li>\n
\r\nldapadd -h 127.0.0.1 -D 'cn=Manager,cn=config' -w xxxx -f '.\/tmp.d\/cn=config\/cn=schema\/cn={4}samba.ldif'\r\n<\/pre>\n<\/li>\n<\/ul>\nSetup Index<\/h2>\n
You may take the following index configuration in cn=config as reference<\/p>\n
\r\nolcDbIndex: objectClass pres,eq\r\nolcDbIndex: uid pres,eq,sub\r\nolcDbIndex: mail pres,eq,sub\r\nolcDbIndex: cn pres,eq,sub\r\nolcDbIndex: sn pres,eq,sub\r\nolcDbIndex: displayName pres,eq,sub\r\nolcDbIndex: uidNumber eq\r\nolcDbIndex: gidNumber eq\r\nolcDbIndex: loginShell eq\r\nolcDbIndex: memberUid eq,pres,sub\r\nolcDbIndex: uniqueMember eq,pres\r\nolcDbIndex: sambaSID eq\r\nolcDbIndex: sambaPrimaryGroupSID eq\r\nolcDbIndex: sambaGroupType eq\r\nolcDbIndex: sambaSIDList eq\r\nolcDbIndex: sambaDomainName eq\r\nolcDbIndex: default sub\r\n<\/pre>\nCreate Samba Manager in LDAP<\/h2>\n\n- You should create a security object in LDAP for Samba to access and update the LDAP\n
\r\ndn: cn=sambaManager,ou=systemObject,dc=example,dc=net\r\nobjectClass: top\r\nobjectClass: simpleSecurityObject\r\nobjectClass: organizationalRole\r\ncn: sambaManager\r\nuserPassword: {SSHA}fdshfjhfjkwefsfdsf\r\n<\/pre>\n<\/li>\n - Setup ACL in LDAP for sambaManager, suggested ACL\n
\r\ndn: olcDatabase={1}bdb, cn=config\r\nchangetype: modify\r\nreplace: olcAccess\r\nolcAccess: to attrs=userpassword by self write\r\n by dn=\"cn=libnssManager,ou=systemObject,dc=....\" read\r\n by dn=\"cn=sambaManager,ou=systemObject,dc=...\" write\r\n by anonymous auth\r\n by * none\r\nolcAccess: to attrs=SambaLMPassword,SambaNTPassword by self write\r\n by dn=\"cn=sambaManager,ou=systemObject,dc=...\" write\r\n by * none\r\nolcAccess: to * by self write \r\n by dn=\"cn=sambaManager,ou=systemObject,dc=...\" write\r\n by dn=\"cn=libnssManager,ou=systemObject,dc=...\" read\r\n by dn=\"cn=pamManager,ou=systemObject,dc=...\" read\r\n by dn=\"cn=squidCacheManger,ou=systemObject,dc=...\" read\r\n by dn=\"cn=readOnlyAccess,ou=systemObject,dc=...\" read\r\n by users read\r\n by anonymous auth\r\n by * none\r\n<\/pre>\n<\/li>\n<\/ul>\nsmbldap-tools<\/h1>\n