Monday 23 September 2013

Step by Step Installation & Configuration of LDAP+SAMBA on CentOS 5


I am describing here the installation and configuration of an LDAP server and its integration with Samba. If you have Windows clients, Samba integration with LDAP is necessary, otherwise NT passwords will not be accepted by the LDAP server. Here we will go step by step to configure the LDAP and Samba servers.

I am using CentOS 5.5 64-bit with kernel 2.6.18-194.el5.


I will use the LDAP domain example.com for the installation procedure.

1. My system IP address is 10.226.2.66 and the hostname is ldapnoida.example.com. If you are not using a name server, add the hostname entry to the /etc/hosts file.

# vim /etc/hosts

10.226.2.66     ldapnoida.example.com ldapnoida


2. I will install all packages from the yum repository, so configure yum before installing the packages on the server. I am not covering yum in this document. Here I will install OpenLDAP on the server.

# yum install *openldap*

This command will install the following LDAP packages on your system.
 
nss_ldap.i386          
nss_ldap.x86_64        
openldap.i386          
openldap.x86_64        
openldap-clients.x86_64
openldap-servers.x86_64

3. Create the LDAP root password using the slappasswd command. I gave the password root123 here and it generated the hashed ({SSHA}) password shown in step 4. I will paste this hashed password into /etc/openldap/slapd.conf.


4. Open file /etc/openldap/slapd.conf and update the following fields on the LDAP server.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw      {SSHA}+VQndTOziGTtICTQXuY8ExicsLjVlVxd
5. Open file /etc/openldap/ldap.conf and update the following fields on the LDAP server.
BASE dc=example,dc=com
URI  ldap://ldapnoida.example.com/
6. Open file /etc/ldap.conf and add the following lines to it.
base dc=example,dc=com
URI ldap://ldapnoida.example.com/
And comment out the line
#host 127.0.0.1
7. Restart the LDAP service on the server.
# /etc/init.d/ldap restart
8. Copy the DB_CONFIG.example file for the slapd BDB/HDB database into the LDAP database directory.
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
9. Restart the LDAP service and enable it at system boot.
# service ldap restart
# chkconfig ldap on
10. Update the migrate_common.ph file for LDAP directory structure creation.
[root@ldapnoida ~]# cd /usr/share/openldap/migration/
[root@ldapnoida migration]# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN ="example.com";
$DEFAULT_BASE ="dc=example,dc=com";
11. LDAP imports directory entries in LDIF format, so we generate a base-structure LDIF file and import it into the LDAP directory.
[root@ldapnoida migration]# ./migrate_base.pl > base.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f base.ldif
It will ask for the LDAP password. Type the LDAP password defined above ("root123") and it will create the basic LDAP directory structure.
12. Create a system user so that we can export system users into the LDAP server.
[root@ldapnoida migration]# useradd jitendrakumar
[root@ldapnoida migration]# passwd jitendrakumar
13. Migrate the system accounts having uid above 500 into the LDAP server.
[root@ldapnoida migration]# grep "x:[5-9][0-9][0-9]" /etc/passwd >passwd
[root@ldapnoida migration]# grep "x:[5-9][0-9][0-9]" /etc/group > group
[root@ldapnoida migration]# ./migrate_passwd.pl passwd > passwd.ldif
[root@ldapnoida migration]# ./migrate_group.pl group > group.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f passwd.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f group.ldif
14. Install the Samba packages on the server.
[root@ldapnoida migration]# yum install *samba*
15. Copy the Samba schema into the LDAP schema directory.
cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
16. Edit the file /etc/openldap/slapd.conf and include the samba.schema location in the LDAP configuration.
[root@ldapnoida migration]# vim /etc/openldap/slapd.conf
include         /etc/openldap/schema/samba.schema
17. Restart the LDAP service on the server.
[root@ldapnoida migration]# service ldap restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
[root@ldapnoida migration]#
18. Download the EPEL RPM package and install it on the server.
[root@ldapnoida migration]# wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
--2013-09-20 14:58:00--  http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Resolving dl.fedoraproject.org...209.132.181.27, 209.132.181.23, 209.132.181.24, ...
Connecting to dl.fedoraproject.org|209.132.181.27|:80...connected.
HTTP request sent, awaiting response... 200 OK
Length: 12232 (12K) [application/x-rpm]
Saving to: `epel-release-5-4.noarch.rpm'
100%[==============================================================================================================>] 12,232      --.-K/s   in 0.02s
2013-09-20 14:58:01 (739 KB/s) - `epel-release-5-4.noarch.rpm' saved [12232/12232]
[root@ldapnoida migration]# rpm -Uvh epel-release-5-4.noarch.rpm
19. Install smbldap-tools and phpLDAPadmin on the server.
[root@ldapnoida migration]# yum -y install smbldap-tools
[root@ldapnoida migration]# yum --enablerepo=epel -y install phpldapadmin
20. Configure phpLDAPadmin on the server to manage the LDAP DIT graphically.
[root@ldapnoida ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow 
Deny from all 
Allow from 127.0.0.1 10.226.0.0/16 # IP address you allow
</Directory>
[root@ldapnoida ~]# /etc/rc.d/init.d/httpd restart
To access phpLDAPadmin use the URL http://(your hostname or IP address)/ldapadmin
21. To access the phpLDAPadmin console, use the following credentials.
User Name: cn=Manager,dc=example,dc=com
Password: root123
The password is the LDAP rootdn password defined above in this document.
22. Take a backup of smb.conf and create a new smb.conf from the LDAP-enabled sample configuration on the LDAP server.
mv /etc/samba/smb.conf  /etc/samba/smb.conf.backup
cp /usr/share/doc/smbldap-tools-0.9.6/smb.conf /etc/samba/smb.conf
23.    Change the /etc/samba/smb.conf configuration file for LDAP.
[root@ldapnoida migration]# vim /etc/samba/smb.conf
    workgroup = example
    netbios name = ldap
    unix password sync = yes
    ldap passwd sync = yes
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
    Dos charset = CP932
    Unix charset = UTF-8
    passdb backend = ldapsam:ldap://10.226.2.66/
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap suffix = dc=example,dc=com
    ldap group suffix = ou=Group
    ldap user suffix = ou=People
    admin users = admin
24. Create the following directories and set their permissions.
[root@ldapnoida ~]# mkdir /home/netlogon
[root@ldapnoida ~]# mkdir /home/profiles
[root@ldapnoida ~]# chmod 777 /home/profiles
25. Restart the Samba service and enable it at boot.
[root@ldapnoida  ~]# service smb restart
[root@ldapnoida  ~]# chkconfig smb on
26. Set the LDAP admin password that Samba uses to bind to the directory (it is stored in secrets.tdb).
[root@ldapnoida ~]# smbpasswd -W
27. Change to the following directory, make the configure.pl script executable and run it.
[root@ldapnoida migration]# cd /usr/share/doc/smbldap-tools-0.9.6/
[root@ldapnoida smbldap-tools-0.9.6]# chmod 755 configure.pl
[root@ldapnoida smbldap-tools-0.9.6]# ./configure.pl
You can check the SID with the "net getlocalsid" command. If it is the same, press Enter.
Enter domain name to append to mail address [ ] > example.com


28. Open file /usr/share/doc/smbldap-tools-0.9.6/smbldap.conf and change the required parameters in this file.
[root@ldapnoida smbldap-tools-0.9.6]# pwd
/usr/share/doc/smbldap-tools-0.9.6
[root@ldapnoida smbldap-tools-0.9.6]# net getlocalsid
[2013/09/20 15:50:03, 0] param/loadparm.c:map_parameter(2794)
Unknown parameter encountered: "min passwd length"
[2013/09/20 15:50:03, 0] param/loadparm.c:lp_do_parameter(3541)
Ignoring unknown parameter "min passwd length"
SID for domain LDAP is: S-1-5-21-3088606343-1201082996-3680957859
[root@ldapnoida smbldap-tools-0.9.6]# vi smbldap.conf
SID="S-1-5-21-3088606343-1201082996-3680957859"
slaveLDAP="ldapnoida.example.com"
masterLDAP="ldapnoida.example.com"
suffix="dc=example,dc=com"
sambaUnixIdPooldn="sambaDomainName=example,${suffix}"
userSmbHome="\\ldap\%U"
userProfile="\\ldap\profiles\%U"
mailDomain="example.com"
29. Open file /usr/share/doc/smbldap-tools-0.9.6/smbldap_bind.conf and set the LDAP bind credentials in this file.
[root@ldapnoida smbldap-tools-0.9.6]# vim smbldap_bind.conf
# $Id: smbldap_bind.conf 35 2011-02-23 09:07:36Z fumiyas $
#
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=example,dc=com"
slavePw="root123"
masterDN="cn=Manager,dc=example,dc=com"
masterPw="root123"
30. Restart the Samba service and populate the LDAP DIT on the server.
[root@ldapnoida smbldap-tools-0.9.6]# service smb restart
[root@ldapnoida smbldap-tools-0.9.6]# smbldap-populate
31. Now I will create the admin account and group for the domain administrator account.
[root@ldapnoida smbldap-tools-0.9.6]# smbldap-groupadd -a admin
[root@ldapnoida smbldap-tools-0.9.6]# smbldap-useradd -am -g admin admin
32. We can reset the password of the admin user with the following command.

[root@ldapnoida smbldap-tools-0.9.6]# smbldap-passwd admin
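As an added example (not code from the original post), this Python script shows the two password forms the steps above put into the directory: the {SSHA} rootpw that slappasswd produces in step 3 and slapd verifies on bind, and the unsalted NT hash (MD4 over UTF-16LE) that smbldap-passwd and the "ldap passwd sync" setting of step 23 keep in sambaNTPassword, which is why Samba rather than slapd's userPassword answers Windows logons. The page's own rootpw string is checked against root123; only the standard algorithms are assumed, and MD4 is implemented inline because hashlib lacks it on many current OpenSSL builds.

```python
import base64, hashlib, hmac, os, struct

def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA} as slappasswd emits it (step 3): base64(sha1(pw + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, password: str) -> bool:
    """How slapd checks a simple bind against rootpw/userPassword: recover the appended salt, recompute."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is unavailable on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, (3, 7, 11, 19), list(range(16))),
              (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """sambaNTPassword as smbpasswd/smbldap-passwd store it: MD4 over UTF-16LE, no salt, upper-case hex.
    Being unsalted, it deserves the same slapd ACL protection as userPassword."""
    return md4(password.encode("utf-16le")).hex().upper()

if __name__ == "__main__":
    pw = "root123"                                   # the password used throughout this page
    stored = ssha_hash(pw)
    print(stored, ssha_verify(stored, pw), ssha_verify(stored, "wrong"))
    # The rootpw from the page's slapd.conf, checked the way slapd would on a bind as cn=Manager:
    print(ssha_verify("{SSHA}+VQndTOziGTtICTQXuY8ExicsLjVlVxd", pw))
    print("sambaNTPassword:", nt_hash(pw))
```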