Samba-LDAP on Debian: Difference between revisions
From DWIKI
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
==Software to install== | |||
===samba-common=== | |||
===samba-doc=== | |||
===slapd=== | |||
apt-get install slapd | |||
choose admin password | |||
dpkg-reconfigure slapd | |||
Go with the defaults | |||
===libpam-ldap=== | |||
apt-get install libpam-ldap | |||
Go with defaults, except for dc values. | |||
For Root login account use cn=admin instead of cn=manager. | |||
===libnss-ldap=== | |||
apt-get install libnss-ldap | |||
Go with defaults, except for dc values. | |||
For Root login account use cn=admin instead of cn=manager. Fix the base dc= line in /etc/libnss_ldap.conf. | |||
Update /etc/nsswitch.conf | |||
passwd: compat ldap | |||
group: compat ldap | |||
===smbldap-tools=== | |||
apt-get install smbldap-tools | |||
Run '''net getlocalsid''' and save the output. | |||
Read /usr/share/doc/smbldap-tools/README.Debian. | |||
In '''/etc/smbldap-tools/smbldap.conf''' configure: | |||
*SID | |||
*sambaDomain | |||
*suffix | |||
*sambaUnixIdPooldn | |||
*userSmbHome | |||
*userProfile | |||
*userHomeDrive | |||
*mailDomain | |||
/etc/pam.d/common-account | |||
account sufficient pam_ldap.so debug | |||
account required pam_unix.so debug | |||
/etc/pam.d/common-auth | |||
auth [success=1 default=ignore] pam_unix.so try_first_pass debug | |||
auth required pam_ldap.so use_first_pass debug | |||
auth required pam_permit.so | |||
/etc/pam.d/common-password | |||
password required pam_unix.so nullok obscure min=4 max=8 md5 | |||
password sufficient pam_ldap.so try_first_pass debug | |||
==BUGS== | |||
*libpam-ldap | |||
**debconf should be able to provide/suggest already used dc values like slapd debconf does | |||
**Root login account should be cn=admin? | |||
*libnss-ldap | |||
**debconf should be able to provide/suggest already used dc values like slapd debconf does | |||
**in fact it should use same config as libpam-ldap or at least look at it | |||
**debconf sets base dc=padl,dc=com | |||
*smbldap-tools | |||
**README.Debian mentions 3. Optionally add indexes to optimize SAMBA access. This is not optional, leaving it out causes smbldap-populate to fail miserably. | |||
**README.Debian tells to run '''net getlocalsid''' after changing samba config. This is wrong, since at that point the command will fail untill evertything is configured and working. This should be a job for debconf anyway. | |||
==Links== | |||
*[http://www.idealx.com/ smbldap-tools] | *[http://www.idealx.com/ smbldap-tools] | ||
*http://people.debian.org/~torsten/ldapnss.html | |||
*http://geco.phys.columbia.edu/~jrollins/howtos/ldap.html | |||
Revision as of 22:53, 1 January 2007
Software to install
samba-common
samba-doc
slapd
apt-get install slapd
choose admin password
dpkg-reconfigure slapd
Go with the defaults
libpam-ldap
apt-get install libpam-ldap
Go with defaults, except for dc values. For Root login account use cn=admin instead of cn=manager.
libnss-ldap
apt-get install libnss-ldap
Go with defaults, except for dc values. For Root login account use cn=admin instead of cn=manager. Fix the base dc= line in /etc/libnss_ldap.conf.
Update /etc/nsswitch.conf
passwd: compat ldap group: compat ldap
smbldap-tools
apt-get install smbldap-tools
Run net getlocalsid and save the output. Read /usr/share/doc/smbldap-tools/README.Debian. In /etc/smbldap-tools/smbldap.conf configure:
- SID
- sambaDomain
- suffix
- sambaUnixIdPooldn
- userSmbHome
- userProfile
- userHomeDrive
- mailDomain
/etc/pam.d/common-account
account sufficient pam_ldap.so debug account required pam_unix.so debug
/etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so try_first_pass debug auth required pam_ldap.so use_first_pass debug auth required pam_permit.so
/etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=8 md5 password sufficient pam_ldap.so try_first_pass debug
BUGS
- libpam-ldap
- debconf should be able to provide/suggest already used dc values like slapd debconf does
- Root login account should be cn=admin?
- libnss-ldap
- debconf should be able to provide/suggest already used dc values like slapd debconf does
- in fact it should use same config as libpam-ldap or at least look at it
- debconf sets base dc=padl,dc=com
- smbldap-tools
- README.Debian mentions 3. Optionally add indexes to optimize SAMBA access. This is not optional, leaving it out causes smbldap-populate to fail miserably.
- README.Debian tells to run net getlocalsid after changing samba config. This is wrong, since at that point the command will fail untill evertything is configured and working. This should be a job for debconf anyway.
