Wong, G. MR EECS wrote:> I'm trying to set up an Idmap Backend LDAP server for winbind. I
don't
> need a full blown SAMBA PDC; just a server to provide the SID to UID/GID
> mappings. We're using a Windows Active Directory server to
authenticate
> against but we want the above mappings to be the same across multiple
> samba machines. Can we just stand up a simple ldap server and just add
> the mappings
> and that's it or do we have to have a full blown Samba PDC for this
> purpose? If just the mappings are built, what are the specifics? What
> entries do we have to add? All the documentation I've read talks about
> an idmap backend in the context of building a PDC.
I just set this up on Debian Stable - here's what I did from my notes -
adjust for how your OS installs openldap, etc (my ADS domain is
MYDOMAIN.LOCAL & samba was already correctly working as an ADS member
with a local winbindd_ipmap.tdb):
Install "slapd" & "ldap-utils" packages from
backports.org (OpenLDAP 2.1)
Configuring slapd (debconf "wizard")
DNS domain name: mydomain.local
name of org: company (?)
Admin password: ****
Allow LDAPv2: No
Copy samba.schema.gz to /etc/ldap/schema & gunzip.
Edit /etc/ldap/slapd.conf to include samba.schema
Edit /etc/samba/smb.conf
smbpasswd -w **** - enter LDAP admin password
made Idmap OU with Java LDAP Browser while testing - don't know if samba
can make this automatically?
I think you might have to delete winbindd_idmap.tdb?
I then set it up to use SSL after it was working. Ignore the last three
lines of slapd.conf & use "ldap ssl = off" and "idmap backend
=
ldap:ldap://ipaddress" in smb.conf to not use SSL.
This is probably very Debian specific, but hope it helps,
Josh
From /etc/samba/smb.conf:
[global]
workgroup = MYDOMAIN
netbios name = MAIL1
security = ADS
realm = MYDOMAIN.LOCAL
encrypt passwords = true
password server = DC1.MYDOMAIN.LOCAL
hosts allow = 192.168.0. 127.
log file = /var/log/samba/log.%m
log level = 0
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#testing ldap idmap backend
ldap admin dn = cn=admin,dc=mydomain,dc=local
ldap ssl = on
ldap suffix = dc=mydomain,dc=local
idmap backend = ldap:ldaps://127.0.0.1
ldap idmap suffix = ou=Idmap
File /etc/ldap/slapd.conf:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=mydomain,dc=local"
# Where the database file are physically stored for database #1
#directory "/var/lib/ldap"
directory "/mnt/shared/ldap"
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attribute=userPassword
by dn="cn=admin,dc=mydomain,dc=local" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=mydomain,dc=local" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=mydomain,dc=local" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
TLSCACertificateFile /etc/ssl/certs/openldap.pem
TLSCertificateFile /etc/ssl/certs/openldap.pem
TLSCertificateKeyFile /etc/ssl/certs/openldap.pem