[Samba] ADS and not working IDMAP on OpenLdap backend

[Ivo.Hanuska at hella.com]

Halo everyone!

I am trying to implement IDMAP backend based on OpenLdap and it refuses to
work. After some diagnostics on both (Samba+Winbind and OpenLdap) sides I
found in my logs following error messages:

Jun  7 14:03:03 proxy slapd[5361]: send_ldap_result: err=21 matched=""
text="objectClass: value #0 invalid per syntax"
Jun  7 14:03:03 proxy slapd[5361]: conn=14 op=3 RESULT tag=103 err=21
text=objectClass: value #0 invalid per syntax
Jun  7 14:03:03 proxy winbindd[5685]: [2006/06/07 14:03:03, 0]
sam/idmap.c:idmap_init(138)
Jun  7 14:03:03 proxy winbindd[5685]:   idmap_init: failed to initialize
remote backend!

Which seems to me, that there might be some bug, or missconfiguration in
somewhere, but I am not able to find it. Of course wbinfo returns nothing
and samba itself is not working...

Could someone throw an eye on following configuration files and see "the
obvious" - reason why it is not working?

Debug information: Samba is running on SuSE linux Enterprise server 9.1 SP
3. Samba itself is version 3.0.20b-3.4-SUSE, OpenLDAP is version 2.2.24.
krb5 libs are Heimdal 0.6.1.rc3, nss_ldap is version 215.

smb.conf:

[global]
   workgroup = HAT
   printing = cups
   printcap name = cups
   printcap cache time = 750
   cups options = raw
   map to guest = Bad User
   username map = /etc/samba/smbusers
   security = ads
   encrypt passwords = yes
   ldap admin dn = cn=administrator,dc=xxx,dc=yyyyyy,dc=com
   ldap suffix = dc=xxx,dc=yyyyyy,dc=com
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldap://localhost/
   allow trusted domains = yes
   domain logons = no
   netbios name = %h
   server string = %h
   preferred master = auto
   acl compatibility = auto
   acl group control = no
   idmap uid = 10000-200000
   idmap gid = 10000-200000
   realm = xxx.yyyyyy.COM
   password server = czshatdc01.xxx.yyyyyy.com
   log level = 3
   winbind use default domain = Yes
   winbind enum users = No
   winbind enum groups = No
   winbind nested groups = Yes

nss_ldap libraries config (/etc/ldap.conf):

host    localhost
base    "dc=xxx,dc=yyyyyy,dc=com"
binddn  "cn=administrator,dc=xxx,dc=yyyyyy,dc=com"
bindpw  "testtest"
pam_password exop
nss_base_passwd "ou=People,dc=xxx,dc=yyyyyy,dc=com?one"
nss_base_shadow "ou=People,dc=xxx,dc=yyyyyy,dc=com?one"
nss_base_group  "ou=Groups,dc=xxx,dc=yyyyyy,dc=com?one"
ssl no

OpenLdap config (/etc/openldap/ldap.conf)

TLS_REQCERT     allow
host    127.0.0.1
base    dc=xxx,dc=yyyyyy,dc=com
binddn cn=administrator,dc=xxx,dc=yyyyyy,dc=com
bindpw testtest

Slapd config (/etc/openldap/slapd.conf)

loglevel 3052
database bdb
suffix "dc=xxx,dc=yyyyyy,dc=com"
rootdn "cn=Administrator,dc=xxx,dc=yyyyyy,dc=com"
rootpw "testtest"
directory /var/lib/ldap
checkpoint 1024 5
cachesize 10000

ldif  file with database structure:

dn: dc=xxx,dc=yyyyyy,dc=com
objectClass: dcObject
objectClass: organization
dc: hat
o: Hella
description: Posix and Samba LDAP Identity Database

dn: cn=administrator,dc=xxx,dc=yyyyyy,dc=com
objectClass: organizationalRole
cn: administrator
description: Directory Manager

dn: ou=Idmap,dc=xxx,dc=yyyyyy,dc=com
objectClass: organizationalUnit
ou: idmap


Thank you for any help, or even a hint.

Ivo Hanuska