Ever since I did the LDAP tutorial I've been wanting to do a follow up for showing full integration with Samba. In this tutorial I'll once again show you how to set up LDAP but this time we're aiming create a primary domain controller with Samba so that our login information is centralized. Once you've got a PDC setup you just join any subsequent server to the domain and then share files and what not by authenticating against the Samba LDAP directory rather than each server having to maintain its own set of users/credentials.
Coming up with the information for this tutorial actually took me a while to do. This is mainly because there aren't a lot of clear cut examples for setting up Samba with LDAP, I found some while looking but most were dated or were too messy. Now that I've got the steps down I think I can help people make a lot more sense of how to set it up.
LDAP Install
The first thing we want to do is actually install slapd which provides the LDAP serving and ldap-utils which is a set of tools for testing and connecting to LDAP.
sudo apt-get install slapd ldap-utils
Here put in the password you want for your LDAP administrator account.
Re-enter it again.
Unfortunately since slapd doesn't ask you for the domain we have to manually run the setup to set it. We can do this with the following command.
sudo dpkg-reconfigure slapd
At the first screen select no because we want to change the configuration.
Next enter the name of your domain (this can be whatever you want, it's not a real domain that you have to own or anything).
Type in your organization name.
Enter the password you want for your administrator account.
Re-enter the password.
Here we'll just select HDB for the database as that's what Debian recommends.
When asked if we want to purge the database we'll say no.
Select yes here because we need to move the old database that Debian setup during the install.
And here we can say no because LDAPv2 is obsolete.
Now that we've got LDAP running on a basic level, we'll go ahead and setup our web interface for managing it. In my previous LDAP tutorial I used phpLDAPAdmin as the tool for administration. However, since then I've found that there's another web-based tool in the Debian repositories that's much friendlier and operates a lot faster on the Raspberry Pi's limited hardware. It's called LDAP Account Manager. I'd recommend this tool for any LDAP server you setup even if you aren't using Samba. I found that with current version of phpldapadmin in Debian there's a bug where you can't add Samba Group Mappings. There's a hack to work around it (or you can install the latest version) but I really want to stay within the scope of the Debian repositories. So let's get PHP, Nginx, and LDAP Account Manager installed.
sudo apt-get install php5-fpm php5 php5-ldap php-apc php5-gd php-fpdf ldap-account-manager nginx
Now we just need to make a modification to /etc/nginx/conf/sites-available/default so that Nginx knows where to serve up the PHP from.
sudo nano /etc/nginx/sites-available/default
Let's comment out or remove the main server block and replace it with the following.
server {
root /usr/share/ldap-account-manager;
index index.php index.html;
server_name localhost;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
And after we've done that restart Nginx.
sudo service nginx restart
Now point your browser to the server's IP and you should be presented with the login screen for LAM.
Before we can do anything we need to go to LAM Configuration and then to Edit Server Profiles. Enter lam as the password and then you should wind up at the following page.
Here we need to change the Tree Suffix to dc=ducky-pond,dc=lan. And then in the List of Valid Users we want to erase what's there and put in cn=admin,dc=ducky-pond,dc=lan. This is the user that we set the password for during the LDAP installation and it will be used when we login into the LAM interface.
Now on the Account Types page we need to change LDAP Suffix for Users, Hosts, Groups, and Samba domains. These are the OUs where LAM will look for these objects, and later these will created/populated by Samba. Their respective values should be as follows.
- Users: ou=Users,dc=ducky-pond,dc=lan
- Groups: ou=Groups,dc=ducky-pond,dc=lan
- Hosts: ou=Computers,dc=ducky-pond,dc=lan
- Samba domains: dc=ducky-pond,dc=lan
After that's done go ahead and hit Save. At this point you can go back to the login page and we should be able to login to LAM using the LDAP admin password. The screen should look like the following but at this point we don't need to do anything with it.
LDAP Authentication Setup
For the PDC to actually authenticate against the domain we need to install LDAP authentication since we can't join it to the domain it serves. This is vital if you want to host file shares on the PDC or have domain users login to the PDC.
The process of setting up a client for LDAP authentication used to be more manual, thankfully it's lot easier to do. We'll need to run the command below to install two packages which will get things going.
sudo apt-get install libpam-ldapd libnss-ldapd
At the first screen we need to enter the LDAP server address (port is optional). Since I'm doing this on the LDAP server I'm using the localhost address.
Tell it the base DN where it needs to search for users and groups.
Here we need to tell the system what we should use LDAP for, it's safe to go ahead and select everything for now.
This concludes the first part of the setup. In part two we'll update the LDAP schema for Samba and then proceed to installing and configuring Samba.