CentOS 5.x Samba Domain Controller With LDAP Backend

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by galexander (Contact Author) (Forums) on Fri, 2009-11-06 17:18. :: CentOS | Samba

CentOS 5.x Samba Domain Controller With LDAP Backend

This will show you how to set up a Samba Domain Controller with a local LDAP backend, using CentOS 5.x (tested on 5.3, still successfully running on 5.4).  Includes a web-interface for managing LDAP users/groups/etc.

 

Disable selinux:

It will only cause problems, I'm not going to mess with SELinux in this guide other than disabling it.

echo 0 >/selinux/enforce

Within /etc/sysconfig/selinux, set: 
SELINUX=disabled

 

Install some tools

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum update
yum install openldap-servers nss_ldap samba httpd openssl mod_ssl mysql mysql-server php php-xml php-ldap php-mysql php-pdo php-cli php-common smbldap-tools

Installing smbldap-tools this way should install all the dependent perl modules, however the version available on yum has some bugs, so we'll upgrade to the latest version afterwards, keeping the dependencies, but overwriting the smbldap-tools package:

rpm -Uvh http://download.gna.org/smbldap-tools/packages/smbldap-tools-0.9.5-1.noarch.rpm

 

Set up the hostname

For our purposes in this guide, we are calling the server's hostname "dc1" and the domain "DOMAINNAME". Note: If you want to use your fqdn for your Samba domain, wherever you see ,dc=DOMAINNAME below, replace it with ,dc=example,dc=com, assuming your fqdn is example.com. Also note that "root" will be the samba administrator username, if you don't like that, change it as well. Related lines are: cn=root and cn: root

Within /etc/hosts, add or replace your line (following the file's format, assuming 192.168.0.5 is your server's network-accessible IP): 

192.168.0.5 dc1.DOMAINNAME dc1

Set your hostname on the command line:

hostname dc1.DOMAINNAME

 

Generate a master password and set up ldap

slappasswd

Note the output of slappasswd, you will insert it into slapd.conf in a minute.

mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.dist

Insert the following text into /etc/openldap/slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=DOMAINNAME"
rootdn "cn=root,dc=DOMAINNAME"
rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD
password-hash {SSHA}
directory /var/lib/ldap

index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
index default sub

Note the rootpw line in the above text, that's where you paste your output from slappasswd.

cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG

Insert the following text into /etc/openldap/init.ldif:

dn: dc=DOMAINNAME
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: DOMAINNAME
dn: cn=root,dc=DOMAINNAME
objectclass: organizationalRole
cn: root

slapadd -l /etc/openldap/init.ldif
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*
slapcat

slapcat should produce something very similar to the following output:

dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME
structuralObjectClass: organization
entryUUID: 717d1b1e-ce90-102d-88c3-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000000#00#000000
dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: 71858556-ce90-102d-88c4-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000001#00#000000

service ldap start
chkconfig ldap on
ldapsearch -x -b "dc=DOMAINNAME"

The output from ldapsearch should be very similar to the following:

# extended LDIF
#
# LDAPv3
# base <dc=domainname> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# DOMAINNAME
dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME
# root, DOMAINNAME
dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
</dc=domainname>

This page is released into the public domain.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
slapadd -l throw errors
Submitted by binaryrogue (registered user) on Fri, 2009-11-13 08:05.

[root@centos openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=example,dc=com" and "cn=admin,dc=example,dc=com"
slapadd: could not parse entry (line=9)

 

I'm stuck here. Please advise.

reply | view as pdf view as pdf
Re: slapadd -l throw errors
Submitted by Anonymous (not registered) on Sun, 2009-11-15 16:52.

I have a same problem.

 I have exactly same init.ldif file as in tutorial.

 any help?

Thanks! H.

reply | view as pdf view as pdf
Re: slapadd -l throw errors
Submitted by galexander (registered user) on Fri, 2009-11-13 18:06.
What does your /etc/openldap/init.ldif look like?
reply | view as pdf view as pdf
Re: Re: slapadd -l throw errors
Submitted by Anonymous (not registered) on Mon, 2009-11-16 13:41.

I get the error:

[root@linuxdc openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=kaldom.local" and "cn=root,dc=kaldom.local"
slapadd: could not parse entry (line=9)

I have also tried with your example, and gets the answer.

My ldif file is as follows:

dn: dc=kaldom.local
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: kaldom.local
dn: cn=root,dc=kaldom.local
objectclass: organizationalRole
cn: root

Some help here would be very appreciated.

reply | view as pdf view as pdf
Very informative how-to
Submitted by tsakf (not registered) on Sat, 2009-11-07 21:02.

I liked the article very much, so it's already added to my library.
 

reply | view as pdf view as pdf
Re: Very informative how-to
Submitted by pierre73 (not registered) on Wed, 2009-11-18 11:18.

You should pay attention to line spacing among LDAP entries in init.ldif.

The following init.ldif file worked for me:

dn: dc=EXAMPLE,dc=COM
objectclass: dcObject
objectclass: organization
o: EXAMPLE
dc: EXAMPLE

dn: cn=root,dc=EXAMPLE,dc=COM
objectclass: organizationalRole
cn: root

Cheers,

reply | view as pdf view as pdf
Sponsored Links: Unified Communications: Thoughts, Strategies and Predictions
Join the discussion.
www.seamlessenterprise.com

IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com

Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com

Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com

Red Hat Virtual Experience - a free virtual event. Dec. 9th