BUG's Living Diary


SAMBA Server With LDAP Password Backend Manual


Author: Cwlin
Date: 2005-11-24
Reference: Samba 3 – HOW TO – Password Backends (ldapsam)
http://www.samba.org/samba/docs/man/Samba3-HOWTO/

Environment:
– RedHat Linux Fedora Core 4
– openldap-2.2.29-1.FC4
– samba-3.0.14a-2

Configuration file locations:
OpenLDAP Server : /etc/openldap/slapd.conf
SAMBA Server : /etc/samba/smb.conf

Files used:
SAMBA 3 LDAP Schema: /usr/share/doc/samba-3.0.14a/LDAP/samba.schema

I. Setting up the OpenLDAP environment
Include the schema SAMBA needs in OpenLDAP so that OpenLDAP can store the information SAMBA requires.

1. Copy the LDAP schema SAMBA uses into OpenLDAP's schema directory:
cp /usr/share/doc/samba-3.0.14a/LDAP/samba.schema /etc/openldap/schema/

2. Include samba.schema in the OpenLDAP configuration file; the relevant fragment looks like this:

## /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

3. Have OpenLDAP maintain indexes on the following Samba attributes by adding these lines to slapd.conf:

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

Then run the following command so that the directory is re-indexed according to the new rules:

slapindex -f slapd.conf

4. Restart OpenLDAP:
service ldap restart

5. Populate the LDAP directory

Load the LDIF below to create the initial directory entries. The base DN dc=quenya,dc=org must be changed to the base DN configured in your OpenLDAP configuration file, and each userPassword value must be generated with the slappasswd command.

# initldap.ldif
# Organization for Samba Base
dn: dc=quenya,dc=org
objectclass: dcObject
objectclass: organization
dc: quenya
o: Quenya Org Network
description: The Samba-3 Network LDAP Example

# Organizational Role for Directory Management
dn: cn=Manager,dc=quenya,dc=org
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up container for Users OU
dn: ou=People,dc=quenya,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

# Setting up admin handle for People OU
dn: cn=admin,ou=People,dc=quenya,dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz

# Setting up container for groups
dn: ou=Groups,dc=quenya,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Groups

# Setting up admin handle for Groups OU
dn: cn=admin,ou=Groups,dc=quenya,dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz

# Setting up container for computers
dn: ou=Computers,dc=quenya,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Computers

# Setting up admin handle for Computers OU
dn: cn=admin,ou=Computers,dc=quenya,dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz

Once the file is saved, import the LDIF into OpenLDAP with:
slapadd -v -l initldap.ldif

II. Configuring the SAMBA LDAP backend
1. Add the following settings to the SAMBA configuration file and adjust the parameters as described in the comments so that SAMBA can access LDAP:

# LDAP related parameters:
# Define the DN used when binding to the LDAP servers.
# The password for this DN is not stored in smb.conf.
# Set it using 'smbpasswd -w secret' to store the
# passphrase in the secrets.tdb file.
# If the "ldap admin dn" value changes, it must be reset.
ldap admin dn = "cn=Manager,dc=quenya,dc=org"

# SSL directory connections can be configured by:
# ('off', 'start tls', or 'on' (default))
ldap ssl = start tls

# syntax : passdb backend = ldapsam:ldap://server-name[:port]
passdb backend = ldapsam:ldap://frodo.quenya.org

# smbpasswd -x deletes the entire dn-entry
ldap delete dn = no

# The machine and user suffix are added to the base suffix,
# written WITHOUT quotes. NULL suffixes by default.
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers

# Trust UNIX account information in LDAP
# (see the smb.conf man page for details)
# Specify the base DN to use when searching the directory
ldap suffix = dc=quenya, dc=org

2. Use the smbpasswd -w command to store the password of the ldap admin dn in Samba's secrets.tdb, so that Samba can bind to LDAP for all later access.

3. Add the following ACL to the OpenLDAP configuration file to restrict access to the SambaLMPassword and SambaNTPassword attributes. The dn must be changed to match the ldap admin dn in the SAMBA configuration file.

## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
by * none
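The link between the smb.conf ldap admin dn and the slapd ACL above is easy to get wrong: the smb.conf fragment on this page binds as cn=Manager,dc=quenya,dc=org while the ACL grants write to cn=Samba Admin,ou=People,dc=quenya,dc=org, which is exactly the mismatch the instruction to change the dn warns about. As an added example (not code from this post, Samba or OpenLDAP), the Python below parses both fragments, evaluates the ACL the way slapd resolves a rule (first matching "by" clause wins; no match means no access), and checks that the DN Samba binds with is the one granted write on the hash attributes. The smb.conf and ACL strings are constructed to mirror the page; the dn= clause is treated as an exact DN match, and uid=bob is a made-up ordinary user.

```python
import re
from typing import List, Optional, Tuple

# Constructed smb.conf fragment mirroring the settings shown on this page.
SMB_CONF = """\
# LDAP related parameters (fragment)
ldap admin dn = "cn=Manager,dc=quenya,dc=org"
ldap ssl = start tls
passdb backend = ldapsam:ldap://frodo.quenya.org
ldap suffix = dc=quenya, dc=org
"""

# The ACL as it appears on the page.
SLAPD_ACL_PAGE = """\
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
    by * none
"""

# The same rule with the 'by dn' changed to smb.conf's 'ldap admin dn'.
SLAPD_ACL_FIXED = SLAPD_ACL_PAGE.replace(
    "cn=Samba Admin,ou=People,dc=quenya,dc=org", "cn=Manager,dc=quenya,dc=org")

# slapd privilege levels, lowest to highest; a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: drop surrounding quotes, trim
    whitespace around RDN separators, lower-case."""
    dn = dn.strip().strip('"')
    return ",".join(p.strip() for p in dn.split(",")).lower()


def smb_conf_value(text: str, key: str) -> Optional[str]:
    """Return the value of a smb.conf parameter, ignoring comment lines.
    Parameter names are case-insensitive in smb.conf."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip().lower() == key.lower():
            return v.strip()
    return None


def parse_acl(text: str) -> Tuple[set, List[Tuple[str, str]]]:
    """Parse one 'access to attrs=... by <who> <level> ...' rule.
    <who> is either '*' or dn="..." (treated here as an exact-match DN)."""
    m = re.search(r"access\s+to\s+attrs=([\w,]+)", text)
    if m is None:
        raise ValueError("no 'access to attrs=' clause found")
    attrs = {a.lower() for a in m.group(1).split(",")}
    clauses = re.findall(
        r'\bby\s+(\*|dn="[^"]*")\s+(none|auth|compare|search|read|write)\b', text)
    return attrs, clauses


def access_for(acl, bind_dn: Optional[str], attr: str) -> Optional[str]:
    """Privilege the bound identity gets on `attr` under this rule.
    None means the rule does not cover the attribute. slapd takes the first
    matching 'by' clause; bind_dn=None models an anonymous bind."""
    attrs, clauses = acl
    if attr.lower() not in attrs:
        return None
    for who, level in clauses:
        if who == "*":
            return level
        if bind_dn and normalize_dn(who[len("dn="):]) == normalize_dn(bind_dn):
            return level
    return "none"  # no 'by' clause matched: slapd denies


def allows(level: Optional[str], needed: str) -> bool:
    return level is not None and LEVELS.index(level) >= LEVELS.index(needed)


def admin_dn_covered(smb_conf: str, acl) -> bool:
    """True when smb.conf's 'ldap admin dn' gets write on sambaNTPassword,
    which Samba needs in order to store and update password hashes."""
    admin = smb_conf_value(smb_conf, "ldap admin dn")
    return admin is not None and allows(access_for(acl, admin, "sambaNTPassword"), "write")


if __name__ == "__main__":
    for label, rule in (("page", SLAPD_ACL_PAGE), ("fixed", SLAPD_ACL_FIXED)):
        acl = parse_acl(rule)
        print(label, "samba admin dn has write:", admin_dn_covered(SMB_CONF, acl))
        print(label, "anonymous on sambaNTPassword:", access_for(acl, None, "sambaNTPassword"))
        print(label, "uid=bob on sambaNTPassword:",
              access_for(acl, "uid=bob,ou=People,dc=quenya,dc=org", "sambaNTPassword"))
```

With the page's ACL as written, the Manager DN that Samba binds with falls through to "by * none" and gets no access to the hash attributes, so smbpasswd and password changes would fail; with the dn corrected, only that DN can read or write the LM/NT hashes and every other bind, anonymous included, is denied.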

4. When the system uses pam_ldap for user authentication, the following setting can be enabled so that system user passwords are kept in sync with Samba user passwords:

ldap passwd sync = on

Filed under: Bug's research notes