
#1 2015-04-20 14:48:42

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

openldap setup

I'm having problems authenticating as root to openldap, but I would like to make sure my configs are correct first.


Which side would all but the first subdomain go on?

e.g.

suffix     "dc=yo,dc=americas.mydomain.pvt"

vs

suffix     "dc=yo.americas.mydomain,dc=pvt"

i.e. does the ... oh crap, do I have to have a dc= for each part???? Is that what's going on?

e.g.

suffix     "dc=yo, dc=americas, dc=mydomain,dc=pvt"

EDIT

HMMM, a search yielded this https://technet.microsoft.com/en-us/lib … 77992.aspx   it looks like a dc is needed for each "component"  ok.  I'll be back here to see what this fixes.  I forgot to mention, when I do the ldap search for objectclass * I get a no such object, I don't know if this means something is misconfigured yet or not.  I'm kind of stuck here...

$ ldapsearch -x '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=yo,dc=hostname.internal.pvt> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

ok, I think what I have above is correct now for the domain components, I have rewritten my configs, but I still see no such object, and can't do an ldapadd, I get invalid credentials.  so I reset my creds with slappasswd, and also I keep restarting samba and reconfiguring it but I'm not getting anywhere. here's what I have on samba so far

[global]
security = user

  ;   password server = <NT-Server-Name>
  ;  encrypt passwords = yes
  ;  smb passwd file = /etc/samba/smbpasswd
 
    #passdb backend = tdbsam
    #LDAP Settings
    passdb backend = ldapsam:ldap://localhost:389
    ldap suffix = dc=yo,dc=americas,dc=mydomain,dc=pvt
    ldap admin dn = myusername,dc=yo,dc=americas,dc=mydomain,dc=pvt
    ldap passwd sync = yes

I need to ask: does anyone know where I can find the schema for samba?

EDIT

ok I found this schema https://github.com/jelmer/samba/blob/ma … mba.schema
when I run the bash script I built that rebuilds the configs and restarts the daemons, I get an error on ldap start


# reload-ldap-configs

were beginning our operations...
stopping service...
indexing directory now...
553526f9 /etc/openldap/schema/samba.schema: line 553 objectclass: AttributeType not found: "displayName"
slapindex: bad configuration file!
restarting slapd daemon
Job for slapd.service failed. See "systemctl status slapd.service" and "journalctl -xe" for details.
553526f9 /etc/openldap/schema/samba.schema: line 553 objectclass: AttributeType not found: "displayName"
slaptest: bad configuration directory!

EDIT ooh, lookie what I found

./usr/share/doc/samba/examples/LDAP/samba.schema

but this YIELDS SAME ERROR, Attribute not found, displayName.. what is this?

OK, I had to include the following schema (maybe don't need nis.schema) to correct this error

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/samba.schema

EDIT
Eureka, I don't know why I post questions to boards... lol.   I should just write wikis instead...

$ ldapadd -x -h localhost -D "cn=root,dc=yo,dc=americas,dc=mydomain,dc=pvt" -w mypw -f ldaptest
..adding new entry "cn=Test Entry,dc=yo, dc=americas, dc=mydomain, dc=pvt"
ldap_add: No such object (32)

Can't explain why this is all I have been consistently seeing

Will run a search now, ready?
# extended LDIF
#
# LDAPv3
# base <dc=yo,dc=americas,dc=mydomain,dc=pvt> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

ok, so next problem, what's going on above?

Last edited by wolfdogg (2015-04-20 17:38:29)


Node.js, PHP Software Architect and Engineer (Full-Stack/DevOps)
GitHub  | LinkedIn

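The "AttributeType not found: displayName" error in the post above comes from include order: slapd reads schema files in the order they are listed, so a schema that references an attribute defined in a later file fails. Here is a small checker for a slapd.conf include list, written as an added example for this thread (it is not the poster's reload script and not part of OpenLDAP or Samba). It encodes the dependencies I know from the standard schema files: cosine builds on core, inetorgperson and nis build on cosine, and samba.schema uses displayName from inetorgperson.schema and gidNumber from nis.schema. The path of the config file is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every schema a slapd.conf
# includes is listed after the schemas it depends on.

# Print the basename of each included schema, one per line, in file order.
included_schemas() {
    awk '$1 == "include" { n = split($2, p, "/"); print p[n] }' "$1"
}

# 1-based position of a schema in the include list, or 0 if it is absent.
schema_pos() {
    included_schemas "$1" |
        awk -v want="$2" '$0 == want { print NR; found = 1; exit }
                          END { if (!found) print 0 }'
}

# Fail if the consumer schema is included but the provider is missing or later.
require_before() {
    conf=$1
    provider=$2
    consumer=$3
    p=$(schema_pos "$conf" "$provider")
    c=$(schema_pos "$conf" "$consumer")
    if [ "$c" -eq 0 ]; then
        return 0                      # consumer not used: nothing to check
    fi
    if [ "$p" -eq 0 ] || [ "$p" -gt "$c" ]; then
        echo "$consumer needs $provider included before it" >&2
        return 1
    fi
    return 0
}

# Dependencies between the schema files shipped with OpenLDAP and Samba.
check_schema_order() {
    ok=0
    require_before "$1" core.schema cosine.schema || ok=1
    require_before "$1" cosine.schema inetorgperson.schema || ok=1
    require_before "$1" cosine.schema nis.schema || ok=1
    require_before "$1" inetorgperson.schema samba.schema || ok=1   # displayName
    require_before "$1" nis.schema samba.schema || ok=1             # gidNumber
    return $ok
}

# Usage: sh check-schema-order.sh /etc/openldap/slapd.conf
if [ -n "${1:-}" ]; then
    check_schema_order "$1" && echo "include order looks fine"
fi
```

Run it before slaptest/slapindex in a reload script; a non-zero exit tells you which include to move up, which is quicker than reading the line number slapd reports inside samba.schema.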

#2 2015-04-20 17:16:25

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 124

Re: openldap setup

Did you create the root object dc=yo,dc=americas,dc=mydomain,dc=pvt of your database first?

Should look like

dn: dc=yo,dc=americas,dc=mydomain,dc=pvt
objectClass: dcObject
objectClass: organization
dc: yo
o: yo.americas.mydomain.pvt

Everything else will be a child (or further down) of this one.

Last edited by ghen (2015-04-20 17:27:15)


#3 2015-04-20 17:20:15

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: openldap setup

Hi,

thanks for your reply,

notice, I added one more edit to the end of that post (see the last code caption)

no I didn't, thanks. Where do I create that? I did see in some research this that you're talking about, that a root needs to be defined...  so in the main config?  no wonder I can't see any objects?

here is my config

# vim /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database    bdb
# suffix doesnt have to be
suffix  "dc=yo,dc=americas,dc=mydomain,dc=pvt"
rootdn  "cn=root,dc=yo,dc=americas,dc=mydomain,dc=pvt"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap/openldap-data

# Indices to maintain
index   objectClass eq
index   uid         pres,eq
index   mail        pres,sub,eq
index   cn          pres,sub,eq
index   sn          pres,sub,eq
index   dc          eq

rootpw    {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Last edited by wolfdogg (2015-04-20 17:38:48)




#4 2015-04-20 17:29:39

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 124

Re: openldap setup

With the same ldapadd command as above but with the root object as input.
(this can be on stdin, end with an empty line followed by Ctrl+D)

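To tie the two answers together (each dotted label becomes its own dc= component, and the entry for the suffix must exist before any child can be added), here is a small helper script. It is an added example for this thread, not the poster's script and not part of OpenLDAP; the domain name and the cn=root bind DN are only the ones used in the thread, and the ldapadd invocation is given as a comment so the functions can run without a directory server.

```shell
#!/bin/sh
# Added example (not from the thread): build a base DN from a dotted domain
# and emit the LDIF for the root (suffix) entry, checking it before use.

# "yo.americas.mydomain.pvt" -> "dc=yo,dc=americas,dc=mydomain,dc=pvt"
fqdn_to_basedn() {
    printf '%s\n' "$1" | tr '.' '\n' | sed 's/^/dc=/' | paste -sd, -
}

# LDIF for the suffix entry, in the same shape as the entry from reply #2:
# a dcObject (which needs the dc attribute) that is also an organization
# (which needs the o attribute).
root_entry_ldif() {
    fqdn=$1
    basedn=$(fqdn_to_basedn "$fqdn")
    first=${fqdn%%.*}                 # leftmost label is the entry's own dc
    printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\ndc: %s\no: %s\n' \
        "$basedn" "$first" "$fqdn"
}

# Sanity check on an LDIF read from stdin: the dc attribute must equal the
# value of the leftmost RDN, or slapd rejects the add as a naming violation.
validate_root_entry() {
    awk '
        /^dn: /  { sub(/^dn: dc=/, ""); sub(/,.*/, ""); rdn = $0 }
        /^dc: /  { dc = $2 }
        END      { exit (rdn != "" && rdn == dc) ? 0 : 1 }
    '
}

# Usage (adds the root entry by piping the LDIF into ldapadd, as in reply #4):
#   root_entry_ldif yo.americas.mydomain.pvt | validate_root_entry &&
#   root_entry_ldif yo.americas.mydomain.pvt |
#       ldapadd -x -h localhost -D "cn=root,$(fqdn_to_basedn yo.americas.mydomain.pvt)" -W
if [ -n "${1:-}" ]; then
    root_entry_ldif "$1"
fi
```

Using -W instead of -w mypw keeps the rootdn password out of the shell history and process list; the same search from the thread (ldapsearch -x '(objectclass=*)') then returns the suffix entry instead of "No such object".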

#5 2015-04-20 17:38:07

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: openldap setup

wow, that was it.  thanks a bunch!  I finally see something on my search result now

# extended LDIF
#
# LDAPv3
# base <dc=yo,dc=americas,dc=mydomain,dc=pvt> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# yo.americas.mydomain.pvt
dn: dc=yo,dc=americas,dc=mydomain,dc=pvt
objectClass: dcObject
objectClass: organization
dc: yo
o: yo.americas.mydomain.pvt

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Last edited by wolfdogg (2015-04-20 18:17:19)




#6 2015-04-20 17:42:36

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: openldap setup

I want samba to sync automatically next, I don't want to have to physically add any users, I think this is all I need.  I want to get samba correctly configured now so the existing users will have samba access using the ldap backend as opposed to the passwd backend.  I think the main thing I need for this is just to tell samba to use the backend, like I have above in my config.  but I'm not sure yet.  it appears I will be needing this last setting as well for that??

ldap passwd sync = yes

I'm just not getting the password prompt, rather a connection error when I use ldap:// as my back end

edit

this is quite a complicated feat. going on 3rd day working on this.   prob 16 hours now..

ok, I'm having package hell.  I SIMPLY want to install smbldap-tools from the AUR.  this has some complicating dependencies.  I have all of them installed except for

$ makepkg
==> Making package: smbldap-tools 0.9.10-1 (Mon Apr 20 11:07:00 PDT 2015)
==> Checking runtime dependencies...
==> Missing dependencies:
  -> perl-unicode-maputf8
==> Checking buildtime dependencies...
==> ERROR: Could not resolve all dependencies.

where can I find that?  I do see https://aur.archlinux.org/packages/perl-unicode-map8/, and I do see https://aur.archlinux.org/packages/perl-unicode-string/.  when I try to install the former (because I think this might be what is needed to satisfy the perl-unicode-maputf8 dependency, is it?), I get a package problem, because when I download the TARBALL, I'M ONLY GETTING A MAKEPKG FILE (see the tarball link here, look at its contents https://aur.archlinux.org/packages/pe/p … ap8.tar.gz ).  I can't believe it comes down to a broken dependency to stop me from getting my samba configured.

If somebody can point me to a comprehensive way to do this without the smbtools that would be great too...

EDIT
ok, I found this file, https://aur.archlinux.org/packages/perl … e-maputf8/ and it too only has a MAKEPKG, no binary src installation files though

EDIT
it looks like the answers might be here https://wiki.samba.org/index.php/Samba_%26_LDAP as to how to get samba properly configured, it's stating that it's best to duplicate the user creds into the ldap config, not just in the passwd file, so it does appear I have to migrate all users over into this database.  however, correct me if I'm wrong, it looks like that if configured correctly, at least if this is done before users are added to samba, adding users to samba will automatically pipe these users and their gids into the ldap database, correct?

I'll await some answers here for help before I can go any further.  I'm just way stuck at this point.  thanks in advance.  PLEASE NOTE, if you're helping me, then you're helping the WIKI, because I will be adding this stuff to the WIKI

Last edited by wolfdogg (2015-04-20 20:37:09)





Powered by FluxBB