Ldapsam Editposix

From SambaWiki

(First submitted by idra@samba.org)

== Samba and the Editposix/Trusted Ldapsam extension ==

WARNING: THIS INFORMATION IS BASED ON AN UNRELEASED
DEVELOPMENT BRANCH; THINGS MAY CHANGE BEFORE RELEASE.

The ldapsam:trusted option is a performance optimization for
servers that use LDAP as their user and group account storage:
with it enabled, smbd trusts the directory to already hold the
POSIX attributes (uidNumber, gidNumber and friends) and no longer
goes through the system's NSS getpw*/getgr* calls to look them up.

This optimization _requires_ that the POSIX accounts of all users
and groups are stored in your LDAP tree.

The ldapsam:editposix extension is based on this optimization.

It was created to make it easier to configure Samba for use with
an LDAP server, by giving smbd the means to add POSIX accounts and
groups to the LDAP server itself, without the need for external
scripts (the "add user script" family of hooks).

To further help admins we introduced the <b>net sam provision</b>
command, which creates the basic accounts and groups needed to
make smbd run.

A running winbind daemon is required to use ldapsam:editposix,
EVEN ON A SAMBA PDC.

Using the ldap idmap backend is strongly advised too.

== Basic LDAP configuration ==

We will not get into the specifics of LDAP configuration.
To use editposix you only need a very basic tree: the base suffix,
an administrative entry, and one container each for users, groups,
idmap entries and machine accounts.

Here is an example base LDIF to load on your server to create
that structure. The cn=admin entry is the identity Samba will bind
as (the ldap admin dn configured below), so the server's ACLs must
grant it write access to the whole subtree. Its userPassword value
here is only a placeholder: set a real password (stored hashed,
for example as produced by slappasswd on OpenLDAP) before loading
the file, and use the same password later with smbpasswd -w:

 dn: dc=samba,dc=org
 objectClass: top
 objectClass: dcObject
 objectClass: organization
 o: samba.org
 dc: samba

 dn: cn=admin,dc=samba,dc=org
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 cn: admin
 description: LDAP administrator
 userPassword: secret

 dn: ou=users,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: users

 dn: ou=groups,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: groups

 dn: ou=idmap,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: idmap

 dn: ou=computers,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: computers

Download it _here_. (this is a place holder,
is it possible to upload files on mediawiki ?)

== Configuring smb.conf ==

You need to properly configure smb.conf before running any daemon
or command.

Here are the minimum options to set in smb.conf:

 encrypt passwords = true
 passdb backend = ldapsam

 ldapsam:trusted=yes
 ldapsam:editposix=yes

 ldap admin dn = cn=admin,dc=samba,dc=org
 ldap delete dn = yes
 ldap group suffix = ou=groups
 ldap idmap suffix = ou=idmap
 ldap machine suffix = ou=computers
 ldap user suffix = ou=users
 ldap suffix = dc=samba,dc=org

 idmap backend = ldap:"ldap://localhost"

 idmap uid = 5000-50000
 idmap gid = 5000-50000

A few points about these options. The sub-suffixes (ldap user
suffix and friends) are relative to ldap suffix, so they must match
the containers created by the base LDIF above (ou=users,dc=samba,dc=org
and so on). ldap delete dn = yes makes Samba remove the whole LDAP
entry when an account is deleted, rather than stripping only the
Samba attributes; that is what you want when the POSIX account
lives only in the directory, but it also means a deleted Samba
account disappears from the system as a whole. Samba authenticates
to the directory with a simple bind as ldap admin dn, so the
password stored with smbpasswd -w crosses the wire on every
connection; ldap://localhost is acceptable because it stays on the
loopback interface, but if the directory is on another host protect
the connection (for example with ldap ssl = start tls). Finally, the
idmap uid and idmap gid ranges are where winbindd allocates POSIX
ids from, so they must not overlap the ids of local system accounts.

== A quick setup ==

Do not run any daemon until told to; use a fresh install or wipe
out any previously created tdb files before starting.

To quickly set up and test this feature follow these steps as root:

Configure and run your LDAP server; you may use the above base LDIF
as a starting point. Make sure the defined LDAP admin works
correctly, i.e. that a simple bind as its DN with the password you
set succeeds and that it is allowed to write below the suffix.

Configure smb.conf as shown above.

Add the LDAP admin password to the Samba secrets database
(secrets.tdb), which is where smbd and winbindd read it from:
 # smbpasswd -w secret

Start winbindd only:
 # /etc/init.d/winbindd start

Provision the tree; this creates the basic users and groups that
smbd needs, with their POSIX attributes, directly in LDAP:
 # net sam provision

Set a password for the newly created Administrator user; this also
enables the account:
 # smbpasswd Administrator
 New SMB password:
 Retype new SMB password:

Now also start nmbd and smbd:
 # /etc/init.d/nmbd start
 # /etc/init.d/smbd start
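The page says to configure smb.conf before running any daemon and to make sure the tree and the admin entry are in place first, but gives no way to verify that. The script below is an added example, written for this page and not part of the Samba wiki or of Samba itself: a pre-flight check that parses smb.conf, verifies the editposix options listed in the smb.conf section, derives the container DNs those options imply (sub-suffix joined to ldap suffix) and confirms each one is present in the base LDIF, so it can be run before the winbindd step of the quick setup. Assumptions: the option names and values are those of the page's smb.conf, the `[global]` header it tolerates is the usual one even though the page's snippet omits it, the LDIF check looks only at `dn:` lines, and the sample files written by write_samples are constructed from the page's snippets (the password in them is the page's placeholder). It does not bind to LDAP, so the "admin works correctly" step still has to be done with your directory's client tools.

```shell
#!/bin/sh
# Added example, not Samba's own tooling: pre-flight check for the
# ldapsam:editposix setup. Parses smb.conf, verifies the required
# options, derives the DNs they point to and confirms each exists in
# the base LDIF, before winbindd or smbd is started. The sample files
# written by write_samples are constructed from the page's snippets.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smbconf_get FILE KEY: print KEY's value from the [global] section of FILE.
# Case-insensitive, tolerant of spaces around '=', and of a file with no
# [global] header at all (as in the page's snippet).
smbconf_get() {
    awk -v key="$(lower "$2")" '
        /^[ \t]*[;#]/ { next }                             # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
        sec != "" && sec != "[global]" { next }            # skip share sections
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# check_editposix_conf FILE: 0 when every option the editposix setup needs is
# present with a usable value; otherwise print each problem and return 1.
check_editposix_conf() {
    rc=0
    case "$(lower "$(smbconf_get "$1" 'passdb backend')")" in
        ldapsam*) ;;
        *) echo "passdb backend must be ldapsam"; rc=1 ;;
    esac
    for k in 'ldapsam:trusted' 'ldapsam:editposix'; do   # Samba booleans
        case "$(lower "$(smbconf_get "$1" "$k")")" in
            yes|true|1) ;;
            *) echo "not enabled: $k"; rc=1 ;;
        esac
    done
    for k in 'ldap admin dn' 'ldap suffix' 'ldap user suffix' 'ldap group suffix' \
             'ldap machine suffix' 'ldap idmap suffix' 'idmap backend' \
             'idmap uid' 'idmap gid'; do
        [ -n "$(smbconf_get "$1" "$k")" ] || { echo "missing: $k"; rc=1; }
    done
    return $rc
}

# expected_dns FILE: the DNs smb.conf implies must exist in the tree: the
# admin DN, the base suffix, and each sub-suffix joined to the base suffix.
expected_dns() {
    base=$(smbconf_get "$1" 'ldap suffix')
    smbconf_get "$1" 'ldap admin dn'
    echo "$base"
    for k in 'ldap user suffix' 'ldap group suffix' 'ldap machine suffix' 'ldap idmap suffix'; do
        echo "$(smbconf_get "$1" "$k"),$base"
    done
}

# check_ldif_tree CONF LDIF: 0 when every DN from expected_dns has an entry
# in LDIF (whole-line, case-insensitive match on the "dn:" line).
check_ldif_tree() {
    rc=0
    expected_dns "$1" | while read -r dn; do
        grep -qixF -- "dn: $dn" "$2" || { echo "not in LDIF: $dn"; exit 1; }
    done || rc=1
    return $rc
}

# preflight CONF LDIF: both checks; 0 only when the tree matches smb.conf.
preflight() { check_editposix_conf "$1" && check_ldif_tree "$1" "$2"; }

# write_samples DIR: constructed smb.conf and base LDIF matching the page.
# Only the dn: lines matter to check_ldif_tree, so LDIF attributes are omitted.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   encrypt passwords = true
   passdb backend = ldapsam
   ldapsam:trusted=yes
   ldapsam:editposix=yes
   ldap admin dn = cn=admin,dc=samba,dc=org
   ldap delete dn = yes
   ldap group suffix = ou=groups
   ldap idmap suffix = ou=idmap
   ldap machine suffix = ou=computers
   ldap user suffix = ou=users
   ldap suffix = dc=samba,dc=org
   idmap backend = ldap:"ldap://localhost"
   idmap uid = 5000-50000
   idmap gid = 5000-50000
EOF
    printf 'dn: %s\n\n' 'dc=samba,dc=org' 'cn=admin,dc=samba,dc=org' \
        'ou=users,dc=samba,dc=org' 'ou=groups,dc=samba,dc=org' \
        'ou=idmap,dc=samba,dc=org' 'ou=computers,dc=samba,dc=org' > "$1/base.ldif"
}

# Stand-alone demo: "sh preflight.sh demo" checks the constructed samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    preflight "$d/smb.conf" "$d/base.ldif" && echo "preflight ok"
    rm -rf "$d"
fi
```

On a real host run `preflight /etc/samba/smb.conf base.ldif` before `smbpasswd -w`; a non-zero exit prints the option that is missing or the container the LDIF does not create, which is exactly the mismatch that otherwise surfaces later as a failed `net sam provision`.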

----
[[Category:Category Configuration]]
[[Category:Category Documentation]]

Revision as of 23:30, 4 March 2006
