[OpenIndiana-discuss] Could not setup LDAP for SAMBA

IVO GELOV (CRM) ivo at crm.walltopia.com
Mon Mar 5 17:41:03 UTC 2012


I have installed the latest OpenIndiana 151a, SAMBA 3.5.5 and OpenLDAP 2.4.13
SAMBA works in workgroup setup, LDAP server also works - I can bind with the root DN and I have 5-6 profiles inside (posixAccount).
Unfortunately SAMBA does not trust the uidNumber from LDAP and tries Get_PwNam without success.
"getent passwd ldap_user" does not show anything, and "tcpdump" reveals there is not even an attempt at an LDAP connection.
I am totally confused about what could be wrong.

/etc/openldap/slapd.conf:
=================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"

rootpw my-secret
password-hash {CLEARTEXT}

directory /var/openldap
monitoring off

authz-regexp uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
authz-regexp uid=([^,]*),cn=[^,]*,cn=auth cn=$1,DC=domain,DC=com
authz-policy to

access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
access to attrs=sambaLMPassword,sambaNTPassword by dn="uid=samba_admin,dc=domain,dc=com" read by * none
access to dn.base="" by * read



/etc/openldap/init.ldif:
===============
dn: dc=domain,dc=com
dc: domain
o: Office
objectclass: dcObject
objectclass: organization
objectclass: top

dn: cn=admin,dc=domain,dc=com
cn: admin
objectclass: organizationalRole

dn: ou=groups,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

dn: ou=machines,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: machines

dn: ou=users,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

dn: sambaDomainName=domain,dc=domain,dc=com
objectclass: sambaDomain
objectclass: top
sambaalgorithmicridbase: 10000
sambadomainname: domain
sambasid: S-1-5-21-1

dn: uid=samba_admin,dc=domain,dc=com
objectclass: account
objectclass: simpleSecurityObject
objectclass: top
uid: samba_admin
userpassword: {SSHA}V4aSjZpxJs0jroIXrKAZKYRdDf7+M9H/


/etc/nsswitch.conf:
==============
passwd: files ldap
group: files ldap
hosts: files dns mdns
ipnodes: files dns mdns

networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files

auth_attr: files
prof_attr: files
project: files

tnrhtp: files
tnrhdb: files



I have added to /etc/pam.conf:
========================
login auth sufficient pam_ldap.so.1
other auth sufficient pam_ldap.so.1
other account sufficient pam_ldap.so.1


I have set up the USER profile with nwamcfg:
=================================
activation-mode manual
enabled true
nameservices files,dns,ldap
nameservices-config-file "/etc/nsswitch.conf"
dns-nameservice-configsrc manual
dns-nameservice-domain "domain.com"
dns-nameservice-servers "192.168.2.1"
dns-nameservice-search "domain.com"
ldap-nameservice-configsrc manual
ldap-nameservice-servers "127.0.0.1"
default-domain "domain.com"


/var/ldap/ldap_client_cred:
======================
NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
NS_LDAP_BINDPASSWD= my-secret


/var/ldap/ldap_client_file:
====================
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com


This is my first touch with non-Linux OS and it is unfamiliar enough to me ...
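An added example, not from the post and not part of OpenIndiana, Samba or OpenLDAP, that parses the ldapclient-style files and the slapd.conf fragments quoted above and flags the settings a defender would tighten before this setup leaves a test box: the client proxy bind using the directory rootdn, `password-hash {CLEARTEXT}`, a plaintext `rootpw`, and `NS_LDAP_AUTH= simple` against a non-loopback server. The file contents are constructed copies of what the post shows.

```python
import re

# Constructed copies of the files quoted above (OpenIndiana ldapclient
# "KEY= value" format; keys such as NS_LDAP_SERVICE_SEARCH_DESC repeat).
CLIENT_FILE = """\
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com
"""
CLIENT_CRED = "NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com\nNS_LDAP_BINDPASSWD= my-secret\n"
SLAPD_CONF = 'rootdn "cn=admin,dc=domain,dc=com"\nrootpw my-secret\npassword-hash {CLEARTEXT}\n'

def parse_ldap_client(text):
    """Parse 'KEY= value' lines into {key: [values]}, keeping repeated keys."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)=\s*(.*?)\s*$", line)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out

def slapd_directive(text, name):
    """Return the (unquoted) value of the first slapd.conf directive `name`."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name:
            return parts[1].strip().strip('"')
    return None

def audit(client_file, client_cred, slapd_conf):
    """Return findings a defender would want fixed before exposing this setup."""
    cf, cred = parse_ldap_client(client_file), parse_ldap_client(client_cred)
    findings = []
    servers = cf.get("NS_LDAP_SERVERS", [""])[0].split(",")
    # 'simple' sends the proxy password unencrypted; acceptable only on loopback.
    if cf.get("NS_LDAP_AUTH", [""])[0] == "simple" and not all(s.strip().startswith("127.") for s in servers):
        findings.append("NS_LDAP_AUTH=simple to a remote server; use tls:simple")
    if cred.get("NS_LDAP_BINDDN", [""])[0] == slapd_directive(slapd_conf, "rootdn"):
        findings.append("client proxy DN is the rootdn; use a read-only proxy account")
    if slapd_directive(slapd_conf, "password-hash") == "{CLEARTEXT}":
        findings.append("password-hash {CLEARTEXT}: userPassword stored unhashed")
    rootpw = slapd_directive(slapd_conf, "rootpw") or ""
    if rootpw and not rootpw.startswith("{"):
        findings.append("rootpw is plaintext; store a slappasswd hash instead")
    return findings
```

With the loopback server from the post the check reports three findings; pointing NS_LDAP_SERVERS at a remote host adds the tls:simple one.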
