[Samba] example: Samba + OpenLDAP on FreeBSD (4.7)
Long-Sheng Kuo
lskuo at fgs.org.tw
Tue Feb 11 06:57:07 GMT 2003
Hello all,
This message gives simple instructions for installing Samba + OpenLDAP on
FreeBSD (4.7). I hope it helps someone.
1. To keep the ports tree up to date, it is better to install cvsupit first
mis3# cd /usr/ports/net/cvsupit
mis3# make install clean
Reference: FreeBSD Unleashed (by Urban and Tiemann), p. 425
2. To use Samba + OpenLDAP with the option "ldap ssl = start_tls" in
smb.conf, install the following three packages in order:
mis3# cd /usr/ports/security/openssl
mis3# make install clean
mis3# cd /usr/ports/net/openldap2
mis3# make install clean
mis3# cd /usr/ports/net/samba
mis3# make install clean
(a) Create a self-signed certificate (Openssl) in order to use the
"start_tls" option
mis3# cd /usr/local/openssl
mis3# mkdir openldapCA; cd openldapCA
mis3# ../misc/CA.sh -newca
Answer the questions as prompted. The important things to keep in mind:
(1) The PEM pass phrase can't be too long (that's from experience,
probably 15/16 chars. Maybe I was wrong about this point.
However, when I first set a very long pass phrase, it didn't work.)
(2) The Common Name must be the fully qualified domain name. For
example: mis3.fgs.org.tw
mis3# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
mis3# ../misc/CA.sh -sign
mis3# cp demoCA/cacert.pem .
mis3# mv newcert.pem servercrt.pem
mis3# mv newreq.pem privatekey.pem
mis3# chmod 600 privatekey.pem
Reference: http://www.openldap.org/faq/data/cache/185.html
(b) Configure OpenLDAP
(1) Open /usr/local/etc/openldap/ldap.conf (OpenLDAP client config.)
with a text editor
HOST mis3.fgs.org.tw
BASE dc=fgs,dc=org,dc=tw
ssl start_tls
tls_checkpeer yes # this setting seems unnecessary
TLS_CACERT /usr/local/openssl/openldapCA/cacert.pem
# Note: The host name and base settings are based on your own.
(2) Copy the Samba schema:
mis3# cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema/samba.schema
(3) Open /usr/local/etc/openldap/slapd.conf (OpenLDAP server
config.) with a text editor
# Add the following include
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# The following is for TLS
TLSCACertificateFile /usr/local/openssl/openldapCA/cacert.pem
TLSCertificateFile /usr/local/openssl/openldapCA/servercrt.pem
TLSCertificateKeyFile /usr/local/openssl/openldapCA/privatekey.pem
# The following is for password hash method
password-hash {CRYPT}
# The following is for database setting. LDBM Database is fine.
suffix "dc=fgs,dc=org,dc=tw"
# must be consistent with the "ldap suffix" option in smb.conf
rootdn "cn=Manager,dc=fgs,dc=org,dc=tw"
# must be consistent with the "ldap admin dn" option in smb.conf
# cn stands for Common Name. This can be changed. For example: cn=Admin
rootpw secret_passwd
# the password is set here. I haven't figured out how to use a hashed password.
# So be sure this file is only accessible by root
# Add some indices
index uid pres,eq
index rid eq
# Leave ACL setting as a second-stage task. :)
(4) To make sure mis3.fgs.org.tw can be reached, it is better to edit /etc/hosts
# Add mis3.fgs.org.tw to this lookup file
192.168.1.2 mis3.fgs.org.tw mis3 mis3.fgs.org.tw.
# IP here is based on your own.
(5) How to start/stop the OpenLDAP server
(1) Manually:
mis3# /usr/local/libexec/slapd start
mis3# /usr/local/libexec/slapd stop
(2) Start at boot
mis3# cp /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh
# then the server will be brought up automatically on the next reboot.
(6) Verify that the server works
mis3# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# You should be able to see the suffix you just defined in
slapd.conf
(c) Configure Samba
It is much easier to use SWAT for configuration. Make sure the
swat service is enabled:
in /etc/inetd.conf, uncomment the last line (which should be the
one for swat).
(1) For options related to OpenLDAP
# better keep "ldap server" consistent with the Common Name in the CA
ldap server = mis3.fgs.org.tw
ldap ssl = start_tls
# must be 389 for start_tls
ldap port = 389
ldap suffix = "dc=fgs,dc=org,dc=tw"
ldap admin dn = "cn=Manager,dc=fgs,dc=org,dc=tw"
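The post stresses that suffix and rootdn in slapd.conf must match "ldap suffix" and "ldap admin dn" in smb.conf, that start_tls needs port 389, and that a cleartext rootpw makes slapd.conf root-only. As an added example (not code from the post, Samba or OpenLDAP), this Python check reads both files and reports the mismatches, using constructed samples modelled on the post; the parsing is simplified and assumes one directive per line.

```python
# Constructed sample configs modelled on this post (not the post's own
# files). Deliberately inconsistent: port 636 together with start_tls.
SLAPD_CONF = """\
password-hash {CRYPT}
suffix "dc=fgs,dc=org,dc=tw"
rootdn "cn=Manager,dc=fgs,dc=org,dc=tw"
rootpw secret_passwd
"""
SMB_CONF = """\
[global]
ldap server = mis3.fgs.org.tw
ldap ssl = start_tls
ldap port = 636
ldap suffix = "dc=fgs,dc=org,dc=tw"
ldap admin dn = "cn=Manager,dc=fgs,dc=org,dc=tw"
"""


def parse(text, sep):
    """Return {key: value} from 'key<sep>value' lines; comments and section
    headers are skipped. sep=None splits on whitespace (slapd.conf),
    sep='=' handles smb.conf. Surrounding double quotes are removed."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        parts = line.split(sep, 1)
        if len(parts) == 2:
            conf[parts[0].strip().lower()] = parts[1].strip().strip('"')
    return conf


def norm_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def check_consistency(slapd_text, smb_text):
    """Return the mismatches that would break the Samba <-> OpenLDAP binding."""
    s, m = parse(slapd_text, None), parse(smb_text, "=")
    problems = []
    if norm_dn(s.get("suffix", "")) != norm_dn(m.get("ldap suffix", "")):
        problems.append("suffix != ldap suffix")
    if norm_dn(s.get("rootdn", "")) != norm_dn(m.get("ldap admin dn", "")):
        problems.append("rootdn != ldap admin dn")
    if m.get("ldap ssl") == "start_tls" and m.get("ldap port") != "389":
        problems.append("ldap ssl = start_tls needs ldap port = 389")
    if not s.get("rootpw", "").startswith("{"):
        problems.append("rootpw is cleartext: slapd.conf must be root-only")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(SLAPD_CONF, SMB_CONF):
        print("WARNING:", problem)
```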
(2) To store the rootdn password (the value of rootpw in slapd.conf)
in Samba's database:
mis3# smbpasswd -w secret_passwd
Note: Here "secret_passwd" is the plain text password, consistent with
the one in slapd.conf. So it is better to clear the command history ASAP. (I don't know
how to do it neatly. What I did was log out and log in again.)
(3) To start/stop Samba at boot
mis3# cp /usr/local/etc/rc.d/samba.sh.sample /usr/local/etc/rc.d/samba.sh
# I forgot whether the system does this for you. Check it yourself.
mis3# /usr/local/etc/rc.d/samba.sh start
mis3# /usr/local/etc/rc.d/samba.sh stop
(4) To add Samba users, make sure the corresponding FreeBSD user
accounts have been created in advance.
mis3# smbpasswd -a <useraccount>
Check whether the account was written into the LDAP database by dumping
the database:
mis3# slapcat -l <logfilename> -f /usr/local/etc/openldap/slapd.conf -b "<suffix>"
e.g.
mis3# slapcat -l dump.ldif -f /usr/local/etc/openldap/slapd.conf -b "dc=fgs,dc=org,dc=tw"
mis3# less dump.ldif
Then you should see the account that was added.
(5) To add machine accounts, make sure there are corresponding FreeBSD
accounts whose names end with $.
This can be done by adding an account without the $ appended. Then
mis3# vipw -d /etc
and append the $ yourself.
mis3# smbpasswd -m -a <machine_account> # no $ appended
mis3# slapcat -l dump.ldif -f /usr/local/etc/openldap/slapd.conf -b "dc=fgs,dc=org,dc=tw"
mis3# less dump.ldif
Then you should see the machine that was added.
------------------------------- the end --------------------------
Once I try Samba as PDC and BDC successfully, I'll summarize it. For now,
that's all I have achieved.
Long-Sheng Feb. 11, 03