Samba4 OpenLDAP-Backend Quick-Howto
====================================

oliver@itc.li - August 2009

This Mini-Howto describes in a very simplified way how to set up Samba 4 (S4)
(pre)Alpha 9 with the OpenLDAP (OL) backend.
Use of OpenLDAP >= 2.4.17 is strongly recommended.

1.) Download and compile OpenLDAP.

    The use of (older) versions shipped with distributions often causes
    trouble, so don't use them.

    Configure example:

    #> ./configure --enable-overlays=yes --with-tls=yes --with-cyrus-sasl=yes
    #> make depend && make && make install

2.) Prepare S4 to use the OL backend:

    Run provision-backend first, then the "final" provision
    (this 2-step process will be merged in the future).

    Simple provision-backend example:

    #> setup/provision-backend --realm=ldap.local.site \
         --domain=LDAP --ldap-admin-pass="linux" \
         --ldap-backend-type=openldap \
         --server-role='domain controller' \
         --ol-slapd="/usr/local/libexec"

    After that, you should get the following output:

    --------
    Your openldap Backend for Samba4 is now configured, and is ready to be started
    Server Role:         domain controller
    Hostname:            ldapmaster
    DNS Domain:          ldap.local.site
    Base DN:             DC=ldap,DC=local,DC=site
    LDAP admin user:     samba-admin
    LDAP admin password: linux

    OpenLDAP-Daemon (slapd) was properly started with the following commandline:
    /usr/local/libexec/slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

    Now run final provision with:
    --ldap-backend=ldapi --ldap-backend-type=openldap --password=linux --username=samba-admin --realm=ldap.local.site --domain=LDAP --server-role='domain controller'
    --------

    Since this (pre)Alpha, you don't have to run slapd manually any more.
    slapd will be started automatically, listening on an ldapi:// socket,
    so the system should be ready for the final provision now.

3.) Final provision:

    Use the parameters displayed above to run the final provision.
    (You can add --adminpass= to the parameters; otherwise a random password
    will be generated for cn=Administrator,cn=users,):

    #> setup/provision --ldap-backend=ldapi \
         --ldap-backend-type=openldap --password=linux \
         --username=samba-admin --realm=ldap.local.site \
         --domain=LDAP --server-role='domain controller' \
         --adminpass=linux

    At the end of the final provision you should get the following output
    (only partial here). Read it carefully:

    --------
    OpenLDAP-Daemon (slapd) with PID: 8594 was terminated properly.

    Now start slapd with the following commandline, then Samba:
    /usr/local/libexec/slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

    Please install the phpLDAPadmin configuration located at
    /usr/local/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php

    Once the above files are installed, your Samba4 server will be ready to use
    Server Role:    domain controller
    Hostname:       ldapmaster
    NetBIOS Domain: LDAP
    DNS Domain:     ldap.local.site
    DOMAIN SID:     S-1-5-21-2459431290-2604616279-469083388
    Admin password: linux
    --------

    slapd in "provision mode" should be terminated automatically after the
    final provision ends.

4.) Run OL and S4:

    After you have completed the other necessary steps (krb- and
    named-specific), first start OL with the command line displayed in the
    output under (3), then S4.

5.) Special setup types:

    a) OpenLDAP Online Configuration (olc):

       Use the provision-backend parameter --ol-olc=yes.
       In that case, the olc will be set up automatically under
       ../private/slapd.d/.
       The olc is accessible via "cn=samba-admin,cn=samba" with the
       Base-DN "cn=config".
       The olc is intended primarily for use in conjunction with MMR.

       Attention: You have to start OL with the command line displayed in
       the output under (3), but you have to set a listening port of slapd
       manually (e.g. -h ldap://ldapmaster.ldap.local.site:9000).

       Attention: You _should_not_ edit the olc sections "config" and "ldif",
       as these are vital to the olc itself.

    b) MultiMaster configuration (MMR):

       At this time (S4 (pre)Alpha9) this is the only possible replication
       setup.
       Use the provision-backend parameter: --ol-mmr-urls= 389!).
       e.g.:
       --ol-mmr-urls="ldap://ldapmaster1.ldap.local.site:9000 \
                      ldap://ldapmaster2.ldap.local.site:9000"

       Attention: You have to start OL with the command line displayed in
       the output under (3), but you have to set a listening port of slapd
       manually (e.g. -h ldap://ldapmaster1.ldap.local.site:9000).
       The ports must be different from 389, as these are occupied by S4.
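The start-up order from step (4) and the port rule from step (5b) are easy to get wrong by hand. The POSIX sh helper below is an added example, not part of this howto or of Samba: it rejects MMR/olc listener URLs that use port 389 or omit a port, builds the ldapi:// URL from the socket path shown in the provision output, and only starts Samba once slapd has actually created that socket. The install prefix /usr/local and the samba binary path /usr/local/samba/sbin/samba are assumptions.

```shell
#!/bin/sh
# Added helper (not from the howto). Paths follow the provision output above;
# override them via the environment if your prefix differs (assumption).
SLAPD_BIN="${SLAPD_BIN:-/usr/local/libexec/slapd}"
SLAPD_CONF="${SLAPD_CONF:-/usr/local/samba/private/ldap/slapd.conf}"
LDAPI_SOCK="${LDAPI_SOCK:-/usr/local/samba/private/ldap/ldapi}"
SAMBA_BIN="${SAMBA_BIN:-/usr/local/samba/sbin/samba}"   # assumed path

# Percent-encode the socket path the way the provision output does
# (/usr/local/... -> ldapi://%2Fusr%2Flocal%2F...).
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's#/#%2F#g')"
}

# Check a space-separated list of --ol-mmr-urls / -h listener URLs:
# every URL needs an explicit port, and that port must not be 389,
# because 389 is occupied by S4. Returns 0 only if all URLs pass.
check_mmr_urls() {
    for url in $1; do
        port=$(printf '%s' "$url" | \
               sed -n 's#^ldaps\{0,1\}://[^:/]*:\([0-9][0-9]*\)/\{0,1\}$#\1#p')
        [ -n "$port" ] || { echo "no explicit port in $url" >&2; return 1; }
        [ "$port" != 389 ] || { echo "port 389 in $url is used by S4" >&2; return 1; }
    done
    return 0
}

# Poll up to $2 seconds for the unix socket $1 to exist; 0 when it appears.
wait_for_socket() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -S "$1" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Step (4): start OL with the provision command line, then S4. Extra listener
# URLs (olc/MMR, step 5b) are passed in $1 and validated first.
start_stack() {
    extra=""
    if [ -n "$1" ]; then check_mmr_urls "$1" || return 1; extra=" $1"; fi
    [ -x "$SLAPD_BIN" ] || { echo "missing $SLAPD_BIN" >&2; return 1; }
    [ -r "$SLAPD_CONF" ] || { echo "missing $SLAPD_CONF" >&2; return 1; }
    "$SLAPD_BIN" -f "$SLAPD_CONF" -h "$(ldapi_url "$LDAPI_SOCK")$extra" || return 1
    wait_for_socket "$LDAPI_SOCK" 15 || { echo "no socket $LDAPI_SOCK" >&2; return 1; }
    "$SAMBA_BIN"
}
```

Run `start_stack` with no argument for the plain ldapi setup, or `start_stack "ldap://ldapmaster1.ldap.local.site:9000"` to add the MMR listener after the port check.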