Raspberry Pi Infrastructure Series
Samba PDC using LDAP (PART 1)
Ever since I did the LDAP tutorial I've been wanting to do a follow-up showing full integration with Samba. In this tutorial I'll once again show you how to set up LDAP, but this time we're aiming to create a primary domain controller (PDC) with Samba so that our login information is centralized. Once you've got a PDC set up you just join any subsequent server to the domain and then share files and what not by authenticating against the Samba LDAP directory, rather than each server having to maintain its own set of users/credentials.
Coming up with the information for this tutorial actually took me a while. This is mainly because there aren't a lot of clear-cut examples for setting up Samba with LDAP; I found some while looking, but most were dated or too messy. Now that I've got the steps down I think I can help people make a lot more sense of how to set it up.
The first thing we want to do is install slapd, which provides the LDAP server, and ldap-utils, which is a set of tools for testing and connecting to LDAP.
sudo apt-get install slapd ldap-utils
Here put in the password you want for your LDAP administrator account.
Re-enter it again.
Unfortunately, since the slapd package doesn't ask you for the domain during installation, we have to re-run its configuration manually to set it. We can do this with the following command.
sudo dpkg-reconfigure slapd
At the first screen select no because we want to change the configuration.
Next enter the name of your domain (this can be whatever you want, it's not a real domain that you have to own or anything).
Type in your organization name.
Enter the password you want for your administrator account.
Re-enter the password.
Here we'll just select HDB for the database as that's what Debian recommends.
When asked if we want to purge the database we'll say no.
Select yes here because we need to move the old database that Debian set up during the install.
And here we can say no because LDAPv2 is obsolete.
Now that we've got LDAP running on a basic level, we'll go ahead and set up our web interface for managing it. In my previous LDAP tutorial I used phpLDAPadmin as the tool for administration. However, since then I've found that there's another web-based tool in the Debian repositories that's much friendlier and operates a lot faster on the Raspberry Pi's limited hardware. It's called LDAP Account Manager (LAM). I'd recommend this tool for any LDAP server you set up, even if you aren't using Samba. I found that with the current version of phpLDAPadmin in Debian there's a bug where you can't add Samba Group Mappings. There's a hack to work around it (or you can install the latest version), but I really want to stay within the scope of the Debian repositories. So let's get PHP, Nginx, and LDAP Account Manager installed.
sudo apt-get install php5-fpm php5 php5-ldap php-apc php5-gd php-fpdf ldap-account-manager nginx
Now we just need to make a modification to /etc/nginx/sites-available/default so that Nginx knows where to serve up the PHP from.
sudo nano /etc/nginx/sites-available/default
Let's comment out or remove the main server block and replace it with the following.
And after we've done that restart Nginx.
sudo service nginx restart
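The server block itself is not reproduced above, so here is an added example (my own provisioning snippet, not the tutorial author's config) that writes a minimal Nginx server block for LAM and checks that the directives we rely on made it into the file. It assumes the Debian package installs LAM under /usr/share/ldap-account-manager and that php5-fpm listens on the unix socket /var/run/php5-fpm.sock (see /etc/php5/fpm/pool.d/www.conf); both paths are assumptions to verify on your own box. The deny rule matters: LAM's config/ directory holds the server profile (with its password hash) and sess/ holds sessions, neither of which should ever be served to a browser.

```shell
#!/bin/sh
# Added example, not the tutorial's own config.
# Assumptions: LAM lives in /usr/share/ldap-account-manager and php5-fpm
# listens on unix:/var/run/php5-fpm.sock. If your php5-fpm pool listens on
# TCP instead, change the fastcgi_pass line to "fastcgi_pass 127.0.0.1:9000;".

# write_lam_site FILE -> writes the server block to FILE
write_lam_site() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name _;

    root /usr/share/ldap-account-manager;
    index index.html index.php;

    # LAM keeps its server profiles (config/) and PHP sessions (sess/)
    # under the web root; refuse to serve them.
    location ~ ^/(config|sess)/ {
        deny all;
    }

    location ~ \.php$ {
        # Only hand real files to PHP-FPM, so a request like
        # /foo.png/x.php cannot be executed via cgi.fix_pathinfo.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}
EOF
}

# lam_site_ok FILE -> 0 if FILE carries the three directives we depend on
lam_site_ok() {
    grep -q 'fastcgi_pass unix:/var/run/php5-fpm.sock;' "$1" &&
    grep -q 'root /usr/share/ldap-account-manager;' "$1" &&
    grep -q 'deny all;' "$1"
}

# Usage on the Pi (as root):
#   sh lam-site.sh /etc/nginx/sites-available/default
#   nginx -t && service nginx restart
if [ -n "${1:-}" ]; then
    write_lam_site "$1" && lam_site_ok "$1" && echo "wrote $1; now run: nginx -t && service nginx restart"
fi
```

Run `nginx -t` before restarting so a typo in the block does not take the site down, and after the restart request /config/ in a browser to confirm Nginx answers 403 rather than listing or serving LAM's profile files.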
Now point your browser to the server's IP and you should be presented with the login screen for LAM.
Before we can do anything we need to go to LAM Configuration and then to Edit Server Profiles. Enter lam as the password and then you should wind up at the following page.
Here we need to change the Tree Suffix to dc=ducky-pond,dc=lan. Then, in the List of Valid Users, erase what's there and put in cn=admin,dc=ducky-pond,dc=lan. This is the user we set the password for during the LDAP installation, and it will be used when we log in to the LAM interface.
Now on the Account Types page we need to change the LDAP Suffix for Users, Hosts, Groups, and Samba domains. These are the OUs where LAM will look for these objects, and later they will be created/populated by Samba. Their respective values should be as follows.
After that's done go ahead and hit Save. At this point you can go back to the login page and should be able to log in to LAM using the LDAP admin password. The screen should look like the following, but at this point we don't need to do anything with it.
LDAP Authentication Setup
For the PDC itself to authenticate against the domain we need to set up LDAP authentication on it, since a server can't join the domain it serves. This is vital if you want to host file shares on the PDC or have domain users log in to the PDC.
The process of setting up a client for LDAP authentication used to be more manual; thankfully it's now a lot easier. We'll need to run the command below to install the two packages that get things going.
sudo apt-get install libpam-ldapd libnss-ldapd
At the first screen we need to enter the LDAP server address (port is optional). Since I'm doing this on the LDAP server I'm using the localhost address.
Tell it the base DN where it needs to search for users and groups.
Here we need to tell the system what we should use LDAP for; it's safe to go ahead and select everything for now.
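Before moving on to part two it is worth confirming that both halves of this part actually work: that slapd answers on the base DN created by dpkg-reconfigure and accepts an admin bind, and that libnss-ldapd's debconf step really wrote `ldap` into /etc/nsswitch.conf and the URI/base into /etc/nslcd.conf. The script below is an added example, not something from the tutorial; it assumes the tutorial's base DN dc=ducky-pond,dc=lan and the localhost LDAP URI, and the constructed sample files it ships with stand in for the real /etc/nsswitch.conf and /etc/nslcd.conf so the parsers can be exercised offline. Run it with --live on the PDC to perform the real checks.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Checks the LDAP client wiring
# done by libnss-ldapd/libpam-ldapd and, in --live mode, the slapd server.

# nss_has_ldap FILE DB -> 0 if the "DB:" line in nsswitch.conf lists ldap
nss_has_ldap() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# nss_all_ldap FILE -> 0 only if passwd, group and shadow all consult ldap
nss_all_ldap() {
    for db in passwd group shadow; do
        nss_has_ldap "$1" "$db" || return 1
    done
}

# nslcd_setting FILE KEY -> prints the value of KEY (uri, base, ...) in nslcd.conf
nslcd_setting() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# write_samples DIR -> constructed copies of the two files as debconf leaves them
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample of /etc/nsswitch.conf after selecting everything
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
    cat > "$1/nslcd.conf" <<'EOF'
# constructed sample of /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=ducky-pond,dc=lan
EOF
}

# Real checks, run on the PDC: base entry reachable, admin DN binds,
# NSS consults LDAP. getent shows no LDAP users yet in part 1; the OUs
# and accounts are populated by Samba in part 2.
live_checks() {
    base=$(nslcd_setting /etc/nslcd.conf base)
    uri=$(nslcd_setting /etc/nslcd.conf uri)
    ldapsearch -x -H "$uri" -b "$base" -s base dn
    ldapwhoami -x -H "$uri" -D "cn=admin,$base" -W
    nss_all_ldap /etc/nsswitch.conf && echo "nsswitch: passwd/group/shadow consult ldap"
    getent passwd | awk -F: '$3 >= 1000 { print $1 }'
}

# Offline demonstration on the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    nss_all_ldap "$dir/nsswitch.conf" && echo "nsswitch: passwd/group/shadow consult ldap"
    echo "nslcd base: $(nslcd_setting "$dir/nslcd.conf" base)"
    echo "nslcd uri:  $(nslcd_setting "$dir/nslcd.conf" uri)"
    rm -rf "$dir"
}

if [ "${1:-}" = "--live" ]; then live_checks; else demo; fi
```

If `ldapwhoami` returns `dn:cn=admin,dc=ducky-pond,dc=lan` the password you set during dpkg-reconfigure is the one LAM will bind with; if the nsswitch check fails, re-run `dpkg-reconfigure libnss-ldapd` rather than editing the file by hand.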
This concludes the first part of the setup. In part two we'll update the LDAP schema for Samba and then proceed to installing and configuring Samba.
DerekJ Hi All,
I just got this working from a clean install, but I think that there are a couple of steps you need to do before starting this.
1) run the updates
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get install ssh
3)Get ssh to run at boot time
sudo update-rc.d ssh defaults
4)Set up a static IP address. There are lots of how-tos on this site
5)Install Putty on your Windows PC (google for putty) and connect to the RPi's command line.
This will save a lot of pain typing on the command line as you can cut (ctrl-c) from this page and right-click to paste into the putty terminal.
Hope this helps.
DerekJ OK I got it.
I was trying to log in, not press the link at the top-right of the page.
DerekJ Hi All
I've got as far as seeing the LAM login screen but can't log in. I'm using "lam" as the password but get a
"Wrong password/user name combination. Please try again."
I've made sure that /var/run/php5-fpm.sock exists
Any Idea what I'm doing wrong?
Shady Tanios Just noticed that for 12.04.1 LTS you need to replace fastcgi_pass unix:/var/run/php5-fpm.sock; with fastcgi_pass 127.0.0.1:9000;, to be able to connect to the .fpm as the .sock file is no longer there.
@PS_Aitch I've done the early parts of part 2 now, and my phpLDAPAdmin is now showing the samba options as valid.
I am pretty sure my "valid user" exists, as I am logged in using it using the php admin tool. I can't find any options within it to change some of the things I can see in ldap-account-manager.
I had to roll back the samba config change in part 2 though, because with the samba.conf file you provided (I believe suitably modified) I lost all sign of the Pi by http (I had already configured samba to provide shares to windows, but without central authentication) so I think I should probably look through the config files to see if I can work out what's going on.
I must say, your guides are well written and easy to follow, certainly compared to what else is out there.
Ben Hanna At this point, LDAP shouldn't know anything about Samba. If you're getting a bind error then that sounds more like it can't find the admin user. You need to make sure that Valid Users contains the path of the admin user in your LDAP server. By default this is cn=admin,dc=your-domain,dc=com.
@PS_Aitch I've found your LDAP guide very useful, and although I struggled with the admin pages for phpLDAPAdmin I got it to work - I'm very interested in part 2 of this, where you get Samba to work but I can't figure out why my version of LDAP Account Manager won't connect properly. I'm using Apache, and I get complaints about valid bind user when I try to submit the changes as per the LAM section above.
Looking at my data within /etc/ldap/slapd.d I don't see anything that mentions samba.