Ever since I did the LDAP tutorial I've been wanting to do a follow-up showing full integration with Samba. In this tutorial I'll once again show you how to set up LDAP, but this time we're aiming to create a primary domain controller (PDC) with Samba so that our login information is centralized. Once you've got a PDC set up you just join any subsequent server to the domain and then share files and whatnot by authenticating against the Samba LDAP directory, rather than each server having to maintain its own set of users/credentials.

Coming up with the information for this tutorial actually took me a while. This is mainly because there aren't a lot of clear-cut examples for setting up Samba with LDAP; I found some while looking, but most were dated or too messy. Now that I've got the steps down I think I can help people make a lot more sense of how to set it up.

LDAP Install

The first thing we want to do is install slapd, which provides the LDAP server, and ldap-utils, which is a set of tools for testing and connecting to LDAP.

sudo apt-get install slapd ldap-utils

Here put in the password you want for your LDAP administrator account.

LDAP administrator password

Re-enter it again.

Confirm administrator password

Unfortunately, since the slapd install doesn't ask you for the domain, we have to rerun the setup manually to set it. We can do this with the following command.

sudo dpkg-reconfigure slapd

At the first screen select No because we want to change the configuration.

Change the LDAP configuration

Next enter the name of your domain (this can be whatever you want, it's not a real domain that you have to own or anything).

Domain name

Type in your organization name.

Organization name

Enter the password you want for your administrator account.

Administrator password

Re-enter the password.

Confirm password

Here we'll just select HDB for the database as that's what Debian recommends.

LDAP database type

When asked if we want to purge the database we'll say No.

Purge database

Select Yes here because we need to move the old database that Debian set up during the install.

Move the old database

And here we can say No because LDAPv2 is obsolete.

Disable LDAPv2

Now that we've got LDAP running on a basic level, we'll go ahead and set up our web interface for managing it. In my previous LDAP tutorial I used phpLDAPAdmin as the tool for administration. However, since then I've found that there's another web-based tool in the Debian repositories that's much friendlier and operates a lot faster on the Raspberry Pi's limited hardware. It's called LDAP Account Manager (LAM). I'd recommend this tool for any LDAP server you set up, even if you aren't using Samba. I found that with the current version of phpLDAPAdmin in Debian there's a bug where you can't add Samba Group Mappings. There's a hack to work around it (or you can install the latest version), but I really want to stay within the scope of the Debian repositories. So let's get PHP, Nginx, and LDAP Account Manager installed.

sudo apt-get install php5-fpm php5 php5-ldap php-apc php5-gd php-fpdf ldap-account-manager nginx

First we're going to disable the default Nginx virtual host configuration.

sudo unlink /etc/nginx/sites-enabled/default

Next start a new file at /etc/nginx/sites-available/ldap-account-manager and put the following in it.

server {
        # LAM's web root as installed by the Debian package
        root /usr/share/ldap-account-manager;
        index index.php index.html index.htm;

        # Hand every .php request to PHP-FPM over its Unix socket
        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

And after we've done that we just need to enable our new virtual host configuration and restart Nginx.

sudo ln -s /etc/nginx/sites-available/ldap-account-manager /etc/nginx/sites-enabled/ldap-account-manager
sudo service nginx restart

Now point your browser to the server's IP and you should be presented with the login screen for LAM.

LAM login screen

Before we can do anything we need to go to LAM Configuration and then to Edit Server Profiles. Enter lam as the password and then you should wind up at the following page.

LAM server profile

Here we need to change the Tree Suffix to dc=ducky-pond,dc=lan. Then in the List of Valid Users erase what's there and put in cn=admin,dc=ducky-pond,dc=lan. This is the user whose password we set during the LDAP installation, and it will be used when we log in to the LAM interface.

Now on the Account Types page we need to change the LDAP Suffix for Users, Hosts, Groups, and Samba domains. These are the OUs where LAM will look for these objects; later they will be created/populated by Samba. Their respective values should be as follows.

  • Users: ou=Users,dc=ducky-pond,dc=lan
  • Groups: ou=Groups,dc=ducky-pond,dc=lan
  • Hosts: ou=Computers,dc=ducky-pond,dc=lan
  • Samba domains: dc=ducky-pond,dc=lan

After that's done go ahead and hit Save. At this point you can go back to the login page and you should be able to log in to LAM using the LDAP admin password. The screen should look like the following, but at this point we don't need to do anything with it.

LAM user management
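Before moving on it's worth confirming from the command line that slapd really serves the suffix LAM was just pointed at, and that the admin DN binds. The shell functions below are an added example, not part of the original tutorial: they assume ldap-utils is installed and slapd listens on localhost, the domain_to_base_dn helper mirrors how the slapd install derives dc= components from the domain name, and ou_ldif only prints LDIF (the OUs themselves are created by the Samba tooling in part two).

```shell
#!/bin/sh
# Added example, not from the original tutorial. Sanity checks for the slapd
# instance LAM was configured against (assumes ldap-utils and a local slapd).

LDAP_URI="${LDAP_URI:-ldap://localhost}"   # assumption: slapd on this host
BASE_DN="dc=ducky-pond,dc=lan"             # tree suffix used in the tutorial
ADMIN_DN="cn=admin,${BASE_DN}"             # the LAM "valid user"

# Derive a base DN from a domain name the way the slapd install does:
# every dot-separated label becomes one dc= component.
domain_to_base_dn() { # domain_to_base_dn ducky-pond.lan -> dc=ducky-pond,dc=lan
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Emit LDIF for organizationalUnit containers under a base DN. Written to
# stdout so it can be reviewed (or diffed against the directory) before
# anything is piped into ldapadd.
ou_ldif() { # ou_ldif <base_dn> <ou>...
    base="$1"; shift
    for ou in "$@"; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$base" "$ou"
    done
}

# Live check 1: does slapd publish the expected suffix? Anonymous base-scope
# search of the root DSE, so it works before any ACLs or accounts exist.
check_suffix() { # check_suffix <base_dn>
    ldapsearch -x -H "$LDAP_URI" -LLL -b '' -s base namingContexts 2>/dev/null \
        | grep -qx "namingContexts: $1"
}

# Live check 2: does the admin DN bind with the password chosen at install
# time? ldapwhoami prompts for it (-W) and prints the bound identity.
check_admin_bind() {
    ldapwhoami -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
}

# Live check 3: which of the OUs LAM expects are not present yet? Prints each
# missing one, so empty output means the tree matches the LAM profile.
missing_ous() { # missing_ous <base_dn> <ou>...
    base="$1"; shift
    for ou in "$@"; do
        ldapsearch -x -H "$LDAP_URI" -LLL -b "ou=$ou,$base" -s base dn 2>/dev/null \
            | grep -q '^dn: ' || echo "$ou"
    done
}
```

Source the file and run `check_suffix "$BASE_DN" && check_admin_bind` on the server; `missing_ous "$BASE_DN" Users Groups Computers` will list all three until part two populates the directory, which is the expected state at this point.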

LDAP Authentication Setup

For the PDC to actually authenticate against the domain we need to install LDAP authentication, since we can't join it to the domain it serves. This is vital if you want to host file shares on the PDC or have domain users log in to the PDC.

The process of setting up a client for LDAP authentication used to be more manual; thankfully it's a lot easier to do now. We'll need to run the command below to install the two packages that get things going.

sudo apt-get install libpam-ldapd libnss-ldapd

At the first screen we need to enter the LDAP server address (the port is optional). Since I'm doing this on the LDAP server itself I'm using the localhost address.

LDAP server address

Tell it the base DN where it needs to search for users and groups.

DN for users and groups

Here we need to tell the system what we should use LDAP for; it's safe to go ahead and select everything for now.

NSS groups

This concludes the first part of the setup. In part two we'll update the LDAP schema for Samba and then proceed to installing and configuring Samba.
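Once the two packages are in, it's worth checking that the debconf step actually wired the ldap source into the NSS databases and that an account from the directory is visible to the system. The functions below are an added example, not from the original tutorial; missing_ldap_databases takes the nsswitch file path as a parameter so it can be tried on a copy, sample_nsswitch is a constructed half-configured file for that purpose, and ldap_user_visible assumes getent and a user that exists only in LDAP.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that libnss-ldapd /
# libpam-ldapd left the system actually consulting the directory.

# Pure check: list the NSS databases among passwd/group/shadow whose line in
# the given nsswitch.conf does not include the "ldap" source. Prints nothing
# when all three are wired up, so the output doubles as a fail list.
missing_ldap_databases() { # missing_ldap_databases <path-to-nsswitch.conf>
    for db in passwd group shadow; do
        grep -E "^${db}:([[:space:]]|.*[[:space:]])?ldap([[:space:]]|$)" "$1" \
            >/dev/null || echo "$db"
    done
}

# Live check: an account that resolves through getent but has no line in
# /etc/passwd is coming from the directory (via nslcd), not a local file.
ldap_user_visible() { # ldap_user_visible <username>
    getent passwd "$1" >/dev/null && ! grep -q "^$1:" /etc/passwd
}

# Live check: nslcd is the daemon libnss-ldapd talks to; if it is not running
# the ldap source returns nothing and lookups only see the local files.
nslcd_running() {
    pgrep -x nslcd >/dev/null
}

# Constructed sample of a half-configured nsswitch.conf for offline
# demonstration: shadow still consults only compat.
sample_nsswitch() {
    printf 'passwd:         compat ldap\n'
    printf 'group:          compat ldap\n'
    printf 'shadow:         compat\n'
    printf 'hosts:          files dns\n'
}
```

On the PDC, `missing_ldap_databases /etc/nsswitch.conf` should print nothing after the install; a database it does print is one where the debconf "NSS groups" selection was missed. ldap_user_visible is only meaningful after part two, when Samba has put users into the directory.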

