Setting up Samba4 against an OpenLDAP installation
Before you decide on using OpenLDAP as the backend for Samba4, you should take a look at the limitations of this approach described in Samba4/LDAP Backend. Note that you cannot point Samba4 to your existing OpenLDAP server and expect things to work. The instructions on this page are for configuring a 'captive' OpenLDAP server that is for use by Samba4 only.
This guide presumes you are running OpenLDAP git master from after 22 April 2010 (or a release after that date).
You will need the Cyrus SASL library and development headers installed.
You need the 'deref' and 'rdnval' overlays. These may be in your packaged version, but if not you must rebuild.
To get OpenLDAP from GIT run:
git clone git://git.openldap.org/openldap.git
Building the OpenLDAP core
To build it run:
( CFLAGS="-fno-omit-frame-pointer" `dirname $0`/configure --with-cyrus-sasl --disable-bdb --disable-hdb --enable-overlays=mod --enable-modules || exit 1
  make clean all AC_CFLAGS=-g || exit 1 )
To install it run:
su
( make install STRIP= || exit 1 )
Building and installing the extra overlays
To build it (after installing the OpenLDAP core above) run:
( ( cd contrib/slapd-modules/samba4 && make clean all AC_CFLAGS=-g) || exit 1 )
To install it run:
su
( ( cd contrib/slapd-modules/samba4 && make install STRIP=) || exit 1 )
Check out Samba4 from Samba.org's anonymous rsync server.
Note: These instructions are kept in line with movements in the GIT tree; an alpha tarball may not work with these instructions.
rsync -a ftp.samba.org::ftp/pub/unpacked/samba_4_0_test/ SAMBA_4_0
Build samba4, with --enable-developer to get appropriate warnings and debug symbols:
( cd SAMBA_4_0/source
  ./autogen.sh
  ./configure --enable-developer
  make
  make install )
We set --use-ntvfs to simplify things at the moment, while the focus is on LDAP semantics rather than filesystem semantics, as it allows a non-root provision.
( samba-tool domain provision --realm=LDAP.SAMBA.EXAMPLE.COM --domain=LDAP \
    --server-role='domain controller' --ldap-backend-type=openldap --slapd-path=/usr/local/libexec/slapd --use-ntvfs )
The ACL in this example slapd.conf sets restricted access to all entries. You can change this to allow direct access for administrative purposes, but for now this is a secure example, and it avoids unintended writes to the database (i.e., not via Samba).
Note: if you get the error "LDAP error 8 LDAP_STRONG_AUTH_REQUIRED", it is because OpenLDAP was built without Cyrus SASL. Install the SASL libraries and headers, recompile OpenLDAP, and retry.
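The following pre-flight script is an added example, not part of the Samba wiki page or the Samba/OpenLDAP projects: it checks the two build prerequisites named above (Cyrus SASL headers and the deref/rdnval overlay modules) before you provision, so the LDAP error 8 case is caught early. The default paths are assumptions and can be overridden through the environment variables.

```shell
#!/bin/sh
# Added pre-flight check (not from the Samba wiki page). Default paths are
# assumptions; override them via SASL_INCLUDE_DIR and SLAPD_MODULE_DIR.
SASL_INCLUDE_DIR="${SASL_INCLUDE_DIR:-/usr/include}"
# Assumed module dir of the captive slapd for a /usr/local prefix, matching
# the --slapd-path=/usr/local/libexec/slapd used in the provision step.
SLAPD_MODULE_DIR="${SLAPD_MODULE_DIR:-/usr/local/libexec/openldap}"

# check_sasl_headers DIR: succeeds if sasl/sasl.h is present under DIR.
# Without it slapd is built without SASL and binds later fail with
# "LDAP error 8 LDAP_STRONG_AUTH_REQUIRED".
check_sasl_headers() {
    [ -f "$1/sasl/sasl.h" ]
}

# check_overlays DIR: succeeds only if both deref and rdnval exist as
# loadable modules in DIR (libtool installs .la and/or .so files).
check_overlays() {
    dir="$1"
    for ov in deref rdnval; do
        found=0
        for f in "$dir/$ov.la" "$dir/$ov.so" "$dir/$ov".so.*; do
            [ -e "$f" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# preflight: runs both checks, reports what is missing, returns 1 on failure.
preflight() {
    rc=0
    if check_sasl_headers "$SASL_INCLUDE_DIR"; then
        echo "ok: Cyrus SASL headers under $SASL_INCLUDE_DIR"
    else
        echo "MISSING: $SASL_INCLUDE_DIR/sasl/sasl.h (install SASL dev headers, rebuild OpenLDAP)"
        rc=1
    fi
    if check_overlays "$SLAPD_MODULE_DIR"; then
        echo "ok: deref and rdnval overlays under $SLAPD_MODULE_DIR"
    else
        echo "MISSING: deref/rdnval module in $SLAPD_MODULE_DIR (build contrib/slapd-modules/samba4)"
        rc=1
    fi
    return $rc
}

# Run the checks when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```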
Start Samba4 on host linux1
samba -i -M single -d3