Monday 23 September 2013

Step by Step Installation & Configuration of LDAP+SAMBA on CentOS 5


This document covers the installation and configuration of an OpenLDAP server and its integration with Samba. If you have Windows clients, Samba integration with LDAP is necessary: Windows authenticates with NT password hashes, and the LDAP server can only store and serve those once the Samba schema and its attributes (sambaNTPassword and friends) are loaded. We will configure the LDAP and Samba server step by step.

I am using CentOS 5.5 (64-bit) with kernel 2.6.18-194.el5.


I will use LDAP domain example.com for installation procedure.

1.       My system IP address is 10.226.2.66 and the hostname is ldapnoida.example.com. If you are not using a name server, add the hostname entry to /etc/hosts.

# vim /etc/hosts

10.226.2.66     ldapnoida.example.com ldapnoida


2.  I will install all packages from the yum repository, so configure yum before installing packages on the server; yum setup is not covered in this document. First install OpenLDAP on the server.

# yum install *openldap*

This command installs the following LDAP packages on your system (yum list output):

Installed Packages
nss_ldap.i386
nss_ldap.x86_64
openldap.i386
openldap.x86_64
openldap-clients.x86_64
openldap-servers.x86_64
Available Packages
nss_ldap.i386
nss_ldap.x86_64

3.  Create the LDAP root password hash with the slappasswd command. Here I used the password root123 (use a strong password on a real server); slappasswd prints a salted SHA hash ({SSHA}...), which I paste into /etc/openldap/slapd.conf in the next step. Only the hash goes into the file, never the cleartext password.


4.       Open /etc/openldap/slapd.conf on the LDAP server and update the following fields. Keep this file readable only by root and the ldap user (the shipped file is root:ldap, mode 0640): it holds the rootpw hash and the access rules. Note that the slapd.conf shipped with CentOS 5 has its sample access rules commented out, and with no access directives slapd's default policy lets anyone, including anonymous binds, read every attribute, userPassword included. Add access rules before you load users into the directory.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}+VQndTOziGTtICTQXuY8ExicsLjVlVxd
5. Open /etc/openldap/ldap.conf (the defaults for the OpenLDAP command-line tools) and update the following fields on the LDAP server.
BASE dc=example,dc=com
URI  ldap://ldapnoida.example.com/
6. Open /etc/ldap.conf (the nss_ldap and pam_ldap configuration) and add the following lines.
base dc=example,dc=com
URI ldap://ldapnoida.example.com/
And comment out the line
#host 127.0.0.1
7.   Restart the LDAP service on the server.
# /etc/init.d/ldap restart
8.     Copy the example Berkeley DB configuration (DB_CONFIG) for the bdb/hdb backend into slapd's database directory; without it slapd runs with the library defaults and warns at startup. The file must be readable by the ldap user that slapd runs as, like the rest of /var/lib/ldap.
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
9.     Restart the LDAP service again and enable it at boot.
# service ldap restart
# chkconfig ldap on
10.    Update migrate_common.ph (the MigrationTools scripts shipped with openldap-servers) so that the generated entries land under your base DN.
[root@ldapnoida ~]# cd /usr/share/openldap/migration/
[root@ldapnoida migration]# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
11.      The migration scripts emit LDIF, so generate the base directory structure (the dc=example,dc=com entry and the ou=People, ou=Group and other containers) as an LDIF file and import it into the directory.
[root@ldapnoida migration]# ./migrate_base.pl > base.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f base.ldif
ldapadd prompts for the LDAP password; enter the rootdn password defined above (root123) and the basic LDAP directory structure is created. If this step fails with "ldap_bind: Invalid credentials (49)", the rootpw hash in slapd.conf does not match the password you typed.
12.     Create a system user so that we can export a local account into the LDAP server.
[root@ldapnoida migration]# useradd jitendrakumar
[root@ldapnoida migration]# passwd jitendrakumar
13. Migrate the local accounts with UIDs of 500 and above into the LDAP server. Note that the grep pattern selects by text rather than by number: it takes UIDs 500-999, skips 1000-4999, and also takes any UID whose first three digits fall in that range, which on CentOS 5 includes nfsnobody (65534). Review the generated passwd and group files before importing them. migrate_passwd.pl also copies the password hashes from /etc/shadow into the userPassword attribute, so the directory's access rules must keep that attribute unreadable.
[root@ldapnoida migration]# grep "x:[5-9][0-9][0-9]" /etc/passwd > passwd
[root@ldapnoida migration]# grep "x:[5-9][0-9][0-9]" /etc/group > group
[root@ldapnoida migration]# ./migrate_passwd.pl passwd > passwd.ldif
[root@ldapnoida migration]# ./migrate_group.pl group > group.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f passwd.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f group.ldif
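Selecting the accounts numerically instead of by text pattern, as an added example that is not part of the original post. The grep used in step 13 matches the first three digits of the UID field, so it takes 500-999, drops 1000-4999 and also picks up nfsnobody (65534), which then ends up in the directory. The select_accounts function below filters a passwd- or group-format file on the numeric value of the third field; the passwd excerpt and the temporary file names are constructed for the example, and on the server you would run it against /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the original post): choose accounts to migrate by
# numeric UID range rather than with grep "x:[5-9][0-9][0-9]".
# The passwd excerpt below is constructed for the demonstration.

# select_accounts FILE MIN MAX : lines of a passwd- or group-format FILE whose
# numeric id (third field) lies in [MIN, MAX]
select_accounts() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0' "$1"
}

tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
jitendrakumar:x:500:500::/home/jitendrakumar:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
bob:x:1200:1200::/home/bob:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

# Usernames chosen by the grep pattern from the post versus the numeric filter.
# The upper bound 60000 keeps nfsnobody (65534) out of the export.
grep_selection()    { grep "x:[5-9][0-9][0-9]" "$tmp/passwd" | cut -d: -f1 | tr '\n' ' '; }
numeric_selection() { select_accounts "$tmp/passwd" 500 60000 | cut -d: -f1 | tr '\n' ' '; }

echo "grep pattern  : $(grep_selection)"
echo "uid 500-60000 : $(numeric_selection)"

# On the real server the files for migrate_passwd.pl / migrate_group.pl
# would be produced with:
#   select_accounts /etc/passwd 500 60000 > passwd
#   select_accounts /etc/group  500 60000 > group
```

The grep line selects jitendrakumar, alice and nfsnobody and misses bob; the numeric filter selects jitendrakumar, alice and bob. Check the output of whichever selection you use before feeding it to the migration scripts.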
14.  Install the Samba packages on the server.
[root@ldapnoida migration]# yum install *samba*
15.   Copy the Samba schema shipped with the samba package into the OpenLDAP schema directory.
cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
16.  Edit /etc/openldap/slapd.conf and include samba.schema after the core, cosine, inetorgperson and nis schema includes that are already there. This schema adds the sambaLMPassword and sambaNTPassword attributes, which hold the LM/NT hashes Windows clients authenticate with; they need the same access rules as userPassword, since a readable NT hash is directly usable for pass-the-hash against the domain.
[root@ldapnoida migration]# vim /etc/openldap/slapd.conf
include         /etc/openldap/schema/samba.schema
17.     Restart the LDAP service on the server.
[root@ldapnoida migration]# service ldap restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
[root@ldapnoida migration]#
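A static check of the slapd.conf edited in steps 4 and 16, added here as an example; it is not part of the original post. It flags the three things that most often turn a Samba+LDAP directory into a hash dump: rootpw stored in cleartext instead of as the slappasswd hash, a world-readable slapd.conf, and no access rule covering userPassword, sambaLMPassword and sambaNTPassword (with no access directives at all, slapd's default policy is read for everyone, anonymous binds included). The two sample configurations are constructed: the weak one is what you get by pasting the password instead of the hash and leaving the shipped ACL block commented out; the hardened one uses the rootpw hash from step 4 plus access rules under which a user may change their own hashes, anyone may bind with them, and nobody may read them (the rootdn bypasses ACLs, so Samba's ldap admin dn keeps working). The function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a slapd.conf before
# starting slapd. File names and the two sample configs are constructed.

# conf_value FILE DIRECTIVE : value of the first matching directive
conf_value() {
    awk -v d="$2" '$1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# acl_protects FILE ATTR : true if some "access to attrs=..." rule names ATTR
acl_protects() {
    grep -Eiq "^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=([^[:space:]]*,)?$2(,|[[:space:]]|$)" "$1"
}

# audit_slapd_conf FILE : one "FAIL: ..." line per finding; returns 1 if any
audit_slapd_conf() {
    f=$1; rc=0
    pw=$(conf_value "$f" rootpw)
    case "$pw" in
        \{SSHA\}*|\{SHA\}*|\{SMD5\}*|\{MD5\}*|\{CRYPT\}*) ;;   # slappasswd output
        "") echo "FAIL: no rootpw directive"; rc=1 ;;
        *)  echo "FAIL: rootpw is stored in cleartext"; rc=1 ;;
    esac
    # "other" permission bits: the file holds rootpw and the ACL layout
    other=$(ls -ld "$f" | cut -c8-10)
    case "$other" in
        *r*) echo "FAIL: $f is world-readable (other=$other)"; rc=1 ;;
    esac
    # every hash attribute must be covered by an attrs= access rule
    for attr in userPassword sambaLMPassword sambaNTPassword; do
        acl_protects "$f" "$attr" || { echo "FAIL: no access rule for $attr"; rc=1; }
    done
    return $rc
}

# Constructed samples: the weak form beside the corrected one.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          root123
EOF
chmod 644 "$tmp/weak.conf"

cat > "$tmp/hardened.conf" <<'EOF'
include         /etc/openldap/schema/samba.schema
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}+VQndTOziGTtICTQXuY8ExicsLjVlVxd
# Hash attributes: owner may change, anyone may bind with, nobody may read.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
EOF
chmod 640 "$tmp/hardened.conf"

# Audit result as a printable value (0 = clean, 1 = findings) and the count.
audit_status()  { if audit_slapd_conf "$1" >/dev/null; then echo 0; else echo 1; fi; }
finding_count() { audit_slapd_conf "$1" | grep -c '^FAIL'; }

audit_slapd_conf "$tmp/weak.conf" || true
audit_slapd_conf "$tmp/hardened.conf" && echo "hardened.conf: no findings"
```

On the server, run audit_slapd_conf /etc/openldap/slapd.conf before each restart of slapd; the weak sample produces five findings, the hardened one none. The access rules are only checked for presence, so still read them: a rule that names the attributes but ends in "by * read" passes this check and protects nothing.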
18.     Download the EPEL release RPM and install it on the server. The download is over plain HTTP, so verify the package signature (rpm -K) against the EPEL GPG key obtained from a trusted source before installing it.
[root@ldapnoida migration]# wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
--2013-09-20 14:58:00--  http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Resolving dl.fedoraproject.org... 209.132.181.27, 209.132.181.23, 209.132.181.24, ...
Connecting to dl.fedoraproject.org|209.132.181.27|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12232 (12K) [application/x-rpm]
Saving to: `epel-release-5-4.noarch.rpm'
100%[==============================================================================================================>] 12,232      --.-K/s   in 0.02s
2013-09-20 14:58:01 (739 KB/s) - `epel-release-5-4.noarch.rpm' saved [12232/12232]
[root@ldapnoida migration]# rpm -Uvh epel-release-5-4.noarch.rpm
19.     Install smbldap-tools and phpLDAPadmin on the server.
[root@ldapnoida migration]# yum -y install smbldap-tools
[root@ldapnoida migration]# yum --enablerepo=epel -y install phpldapadmin
20.     Configure phpLDAPadmin on the server to manage the LDAP DIT graphically. Restrict it to the networks that need it and serve it over HTTPS only: the rootdn credentials used to log in travel over this connection. Apache does not accept comments at the end of a directive line, so the comment goes on its own line.
[root@ldapnoida ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Deny from all
# IP addresses you allow
Allow from 127.0.0.1 10.226.0.0/16
</Directory>
[root@ldapnoida ~]# /etc/rc.d/init.d/httpd restart
To access phpLDAPadmin use the URL http://(your hostname or IP address)/ldapadmin
21. Log in to the phpLDAPadmin console with the following credentials, i.e. the LDAP rootdn and the rootdn password defined above.
User Name: cn=Manager,dc=example,dc=com
Password: root123
22.     Back up the existing smb.conf and create a new one from the LDAP-enabled example shipped with smbldap-tools.
mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
cp /usr/share/doc/smbldap-tools-0.9.6/smb.conf /etc/samba/smb.conf
23.    Edit /etc/samba/smb.conf for LDAP. Two settings in this template deserve a second look. "dos charset = CP932" is the Japanese code page carried over from the example file (Samba's default is CP850); set it to match your clients. "passdb backend" makes smbd bind as the ldap admin dn in cleartext over TCP to the server's own address; since slapd runs on the same host, point it at the loopback address (ldap://127.0.0.1/), or enable TLS with "ldap ssl = start tls" if the directory is remote. "admin users = admin" makes that account root-equivalent on every share.
[root@ldapnoida migration]# vim /etc/samba/smb.conf
        workgroup = example
        netbios name = ldap
        unix password sync = yes
        ldap passwd sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
        dos charset = CP932
        unix charset = UTF-8
        passdb backend = ldapsam:ldap://10.226.2.66/
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap suffix = dc=example,dc=com
        ldap group suffix = ou=Group
        ldap user suffix = ou=People
        admin users = admin
24.    Create the following directories and set their permissions. The profiles directory has to be writable by every domain user, but a plain 777 lets any user delete or rename other users' profile directories; with the sticky bit (1777) only the owner can remove an entry.
[root@ldapnoida ~]# mkdir /home/netlogon
[root@ldapnoida ~]# mkdir /home/profiles
[root@ldapnoida ~]# chmod 1777 /home/profiles
25.      Restart the Samba service and enable it at boot.
[root@ldapnoida ~]# service smb restart
[root@ldapnoida ~]# chkconfig smb on
26.    Store the LDAP admin DN password (the rootdn password, root123 here) in Samba's secrets.tdb so that smbd can bind as the "ldap admin dn". The -W option reads the password interactively instead of taking it on the command line, where it would end up in the shell history.
[root@ldapnoida ~]# smbpasswd -W
27.      Change to the following directory, make configure.pl executable and run it. It asks for every smbldap-tools parameter and writes the live configuration files, smbldap.conf and smbldap_bind.conf, under /etc/smbldap-tools/.
[root@ldapnoida migration]# cd /usr/share/doc/smbldap-tools-0.9.6/
[root@ldapnoida smbldap-tools-0.9.6]# chmod 755 configure.pl
[root@ldapnoida smbldap-tools-0.9.6]# ./configure.pl
You can check the SID with the "net getlocalsid" command. If it is the same, press Enter.
Enter domain name to append to mail address [ ] > example.com


28.     Open smbldap.conf and change the parameters below. This post edits the copy under /usr/share/doc/smbldap-tools-0.9.6/; the copy the tools read is the one configure.pl wrote under /etc/smbldap-tools/, so make sure the values there match. net getlocalsid reports the SID under the NetBIOS name (LDAP) set in smb.conf; the "Unknown parameter" messages are harmless, "min passwd length" no longer exists in Samba 3 and only comes from the template smb.conf copied in step 22. The sambaUnixIdPooldn entry must name the Samba domain entry, i.e. sambaDomainName=${sambaDomain}, where sambaDomain is the domain parameter set earlier in the same file (the workgroup, example).
[root@ldapnoida smbldap-tools-0.9.6]# pwd
/usr/share/doc/smbldap-tools-0.9.6
[root@ldapnoida smbldap-tools-0.9.6]# net getlocalsid
[2013/09/20 15:50:03, 0] param/loadparm.c:map_parameter(2794)
Unknown parameter encountered: "min passwd length"
[2013/09/20 15:50:03, 0] param/loadparm.c:lp_do_parameter(3541)
Ignoring unknown parameter "min passwd length"
SID for domain LDAP is: S-1-5-21-3088606343-1201082996-3680957859
[root@ldapnoida smbldap-tools-0.9.6]# vi smbldap.conf
SID="S-1-5-21-3088606343-1201082996-3680957859"
slaveLDAP="ldapnoida.example.com"
masterLDAP="ldapnoida.example.com"
suffix="dc=example,dc=com"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
userSmbHome="\\ldap\%U"
userProfile="\\ldap\profiles\%U"
mailDomain="example.com"
29.     Open smbldap_bind.conf (same caveat: the live copy is under /etc/smbldap-tools/) and set the bind credentials. This file holds the rootdn password in cleartext, so it must be readable by root only (mode 0600).
[root@ldapnoida smbldap-tools-0.9.6]# vim smbldap_bind.conf
# $Id: smbldap_bind.conf 35 2011-02-23 09:07:36Z fumiyas $
#
############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for write access and a slave ldap server for read access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=example,dc=com"
slavePw="root123"
masterDN="cn=Manager,dc=example,dc=com"
masterPw="root123"
30.     Restart the Samba service and populate the LDAP DIT on the server. smbldap-populate creates the sambaDomainName entry, the built-in groups (Domain Admins, Domain Users, Domain Guests, Domain Computers and so on) and the ou=Idmap container.
[root@ldapnoida smbldap-tools-0.9.6]# service smb restart
[root@ldapnoida smbldap-tools-0.9.6]# smbldap-populate
31.     Now create the admin group and the domain administrative account.
[root@ldapnoida smbldap-tools-0.9.6]# smbldap-groupadd -a admin
[root@ldapnoida smbldap-tools-0.9.6]# smbldap-useradd -am -g admin admin
32.      The admin user's password can be set or reset with the following command.

[root@ldapnoida smbldap-tools-0.9.6]# smbldap-passwd admin
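A check to run once the directory is populated and users have Samba hashes, added here as an example and not part of the original post: from any client, search with an anonymous bind (ldapsearch -x, no -D) and pipe the LDIF through the exposed_hashes function below. Anything it prints is a password hash the server hands to unauthenticated readers, which for sambaNTPassword means a usable pass-the-hash credential. The two LDIF samples are constructed with placeholder hash values so the function can be exercised offline; the ldapsearch command in the comment assumes the hostname and suffix used in this document.

```shell
#!/bin/sh
# Added example (not from the original post): list password-hash attributes
# visible in LDIF output, e.g. from an anonymous ldapsearch. The LDIF samples
# are constructed; the hash values are placeholders.

# exposed_hashes < LDIF : prints "DN ATTRIBUTE" for each exposed hash attribute
exposed_hashes() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        /^(userPassword|sambaLMPassword|sambaNTPassword):/ {
            sub(/:.*/, "")          # keep the attribute name only, never the value
            print dn " " $0
        }'
}

# count_exposed < LDIF : number of exposed hash attributes
count_exposed() { exposed_hashes | wc -l | tr -d ' '; }

# What an anonymous reader sees with no access rules (constructed sample).
leaky_ldif='dn: uid=jitendrakumar,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: jitendrakumar
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210'

# The same entry once the hash attributes are restricted (constructed sample).
hidden_ldif='dn: uid=jitendrakumar,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: jitendrakumar
sambaSID: S-1-5-21-3088606343-1201082996-3680957859-2000'

printf '%s\n' "$leaky_ldif" | exposed_hashes
echo "exposed in leaky sample : $(printf '%s\n' "$leaky_ldif" | count_exposed)"
echo "exposed in hidden sample: $(printf '%s\n' "$hidden_ldif" | count_exposed)"

# Against the live server, from a client that is not bound as any user:
#   ldapsearch -x -LLL -H ldap://ldapnoida.example.com -b dc=example,dc=com \
#       '(objectClass=sambaSamAccount)' | exposed_hashes
# prints nothing when the access rules are right.
```

Run the same search bound as an ordinary user (-D uid=...,ou=People,dc=example,dc=com -W) as well: a rule that grants "by users read" on the hash attributes lets every domain member dump every other member's NT hash.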

18 comments:

  1. This is spoon feeding documentation for Linux Admins. Enjoy!!!
  2. How to enable LDAP logging on the server... Please let us know
  3. Bravo, master, bravo... this way we will forget to use our brains altogether!! :p
  4. Open file /etc/phpldapadmin/config.php and comment out these lines.

    $servers->newServer('ldap_pla');
    $servers->setValue('server','name','Jitendra LDAP Server');
    $servers->setValue('server','host','127.0.0.1');
    $servers->setValue('server','port',389);

    And then you can log in to the phpldapadmin portal.
  5. You can enable LDAP logging on the server by adding the following entry to /etc/syslog.conf and restarting the syslog service.

    vi /etc/syslog.conf

    # Ldap Server Logs

    local4.* /var/log/ldap.log
  6. How can we add a Windows client to the Samba domain?

    1. I am getting an "unknown object class" error while running smbldap-populate, when adding some of the groups.
  7. Can min password age be set for an individual user?
  8. This is working ONLY for Windows XP clients. Kindly inform how to use it for Windows 7 clients. Does any additional package need to be installed?
  9. Hello Jitendra, I am unable to connect to phpldapadmin using the password and users I created. Can you please help?
  10. Getting an issue while running the following command. I configured DNS and LDAP
    but am still facing this issue, please help me out.

    [root@samba samba]# smbldap-populate
    Populating LDAP directory for domain datametica.com (S-1-5-21-2203322374-4166617578-3146684263)
    (using builtin directory structure)

    entry dc=datametica,dc=com already exist.
    entry ou=People,dc=datametica,dc=com already exist.
    entry ou=Group,dc=datametica,dc=com already exist.
    adding new entry: ou=,dc=datametica,dc=com
    failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 500, line 22.
    entry ou=Idmap,dc=datametica,dc=com already exist.
    entry uid=root,ou=People,dc=datametica,dc=com already exist.
    adding new entry: uid=nobody,ou=People,dc=datametica,dc=com
    failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 87.
    adding new entry: cn=Domain Admins,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 99.
    adding new entry: cn=Domain Users,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 110.
    adding new entry: cn=Domain Guests,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 121.
    adding new entry: cn=Domain Computers,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 132.
    adding new entry: cn=Administrators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 177.
    adding new entry: cn=Account Operators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 199.
    adding new entry: cn=Print Operators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 210.
    adding new entry: cn=Backup Operators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 221.
    adding new entry: cn=Replicators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 232.
    adding new entry: sambaDomainName=datametica.com,dc=datametica,dc=com
    failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 500, line 240.

  11. What if we have both, I mean Windows 8 and Ubuntu? Then what should I do?
  12. When I am running the command "ldapadd -x -W -D cn=Manager,dc=domain,dc=com -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)"

    the error is "ldap_bind: Invalid credentials (49)".

    Why am I getting this error?

    My configuration file has olcRootPW: hash password,
    with one space between the : and the hash password.
  13. Have you ever considered about adding a little bit more than just your articles? I mean, what you say is fundamental and everything. Nevertheless just imagine if you added some great graphics or videos to give your posts more, "pop"! Your content is excellent but with pics and videos, this website could certainly be one of the best in its niche. Terrific blog!
  14. I know this is off topic but I'm looking into starting my own blog and was curious what all is needed to get setup? I'm assuming having a blog like yours would cost a pretty penny? I'm not very internet smart so I'm not 100% sure. Any recommendations or advice would be greatly appreciated. Many thanks