Samba4/LDAP Backend/OpenLDAP

From SambaWiki

Jump to: navigation, search

Contents

Setting up Samba4 against an OpenLDAP installation

Required reading

Before you decide on using OpenLDAP as the backend for Samba4, you should take a look at the limitations of this approach described in Samba4/LDAP Backend. Note that you cannot point Samba4 to your existing OpenLDAP server and expect things to work. The instructions on this page are for configuring a 'captive' OpenLDAP server that is for use by Samba4 only.

Getting OpenLDAP

This guide presumes you are running OpenLDAP git master from after 22 April 2010 (or a release after that date)

Installing Dependencies

You will need the Cyrus SASL library and development headers installed

Getting OpenLDAP

You need the 'deref' and 'rdnval' overlay. This may be in your packaged version, but if not you must rebuild.

To get OpenLDAP from GIT run:

git clone git://git.openldap.org/openldap.git

Building the OpenLDAP core

To build it run:

(
 CFLAGS="-fno-omit-frame-pointer" `dirname $0`/configure --with-cyrus-sasl --disable-bdb --disable-hdb --enable-overlays=mod --enable-modules || exit 1
 make clean all AC_CFLAGS=-g || exit 1
)

To install it run:

su 
( 
 make install STRIP= || exit 1
)

Building and installing the extra overlays

To build it (after installing the OpenLDAP core above) run:

(
 ( cd contrib/slapd-modules/samba4 && make clean all AC_CFLAGS=-g) || exit 1
)

To install it run:

su 
( 
 ( cd contrib/slapd-modules/samba4 && make install STRIP=) || exit 1
)

Getting Samba4

Check out Samba4 from Samba.org's anonymous rsync server.

Note: These instructions are kept in line with movements in the GIT tree - use of an alpha tarball may not work with these instructions

rsync -a ftp.samba.org::ftp/pub/unpacked/samba_4_0_test/ SAMBA_4_0

Build Samba4

Build samba4, with --enable-developer to get appropriate warnings and debug symbols:

(
 cd SAMBA_4_0/source
 ./autogen.sh
 ./configure --enable-developer
 make
 make install
)


Setup OpenLDAP

Provision Samba4:

We set --use-ntvfs to simplify things at the moment, while the focus is on LDAP semantics not filesystem semantics, as it allows a non-root provision.

(

 samba-tool domain provision --realm=LDAP.SAMBA.EXAMPLE.COM --domain=LDAP \
  --server-role='domain controller' --ldap-backend-type=openldap --slapd-path=/usr/local/libexec/slapd --use-ntvfs
)

The ACL in this example slapd.conf sets restricted access to all entries. You can change this to allow direct access for administrative purposes, but for now this is a secure example, and avoids unintended writes to the database (ie, not via Samba).

Note if you have the error "LDAP error 8 LDAP_STRONG_AUTH_REQUIRED" it's because you didn't have cyrus sasl, install the libraries and the headers, recompile openldap and retry.

Start Samba4

Start Samba4 on host linux1

samba -i -M single -d3
Personal tools