Unix auth via LDAP & now need to add Samba!

Hi all,

I'm quite new to LDAP/OpenLDAP and just starting with Samba :)

I've recently set up OpenLDAP 2.0.21, pam_ldap & nss_ldap and authenticate Unix logins via LDAP. I only have the root account in both passwd (shadow) and in LDAP. All other test 'user' accounts are in LDAP only.

I created a test base dn "o=local" and used Padl's base, passwd & group migration scripts to build up the ldbm. I only keep the user accounts in LDAP under ou=People. All system accounts remain in the passwd file. All groups are in both the group file and LDAP under ou=Group.

Unix passwords in LDAP are 'crypt'ed and the cn=manager,o=local password uses SSHA.

I have the Mandrake (8.2) Samba 2.2.3a RPM installed (it's not clear from the changelog if it was built with LDAP support!) and want to start using Samba.

Right from the start I want Samba to authenticate via LDAP against the existing People & Group ou's but am not sure how to integrate this.

I've read the info on samba.idealx.org and see, like Padl, that they also provide some migration scripts (smbldap-tools) and a sample "Initial Entries" LDIF that will setup various gids amongst other things.

The output from both Padl's and Idealx's migration scripts doesn't seem straightforward to combine. Also, I'm not sure whether it's worth adding an additional (Samba only) ou=Computers, as proposed by Idealx. Wouldn't it be simpler to just stick with only ou=People & ou=Group?

I could proceed by:

a) manually adding Samba related objectClasses, etc. to the few test uids under ou=People and adding the necessary Samba groups to ou=Group, or
b) deleting my ldbm and starting again using only Idealx's migration scripts, or
c) another way suggested by you gurus ;-)

For a) above I'm not sure what to add manually so I'd need help or pointers to a good resource.

Also, is there a good resource to help with setting up correct ACLs in slapd.conf for a Unix/Samba account authentication based OpenLDAP?

Once all is set up correctly, I will test the "Directory administrator" program ( http://diradmin.open-it.org/index.php ) and hopefully use it to create new user template(s) to ease the process of adding combined Unix/Samba accounts into LDAP in the future.

FYI, I'm not familiar with shell scripting (just bought a book which has a shell scripting chapter :) ).

Sorry if I've posed too many questions. I'm most interested in feedback about combining integrated Unix/Samba account authentication into OpenLDAP.

Scrumpy :)

P.S. It would be nice if Webmin could administer pam_ldap'ed Unix & Samba accounts. Guess I'd better drop them a suggestion ;-)

