Skip to content

LDAP + Samba + phpldapadmin on Centos 6

2012 January 20
Posted by shirker2006

Nice article about it - http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=1

OpenLDAP

[1] Install OpenLDAP

[root@dir ~]#

yum -y install openldap-servers openldap-clients

[root@dir ~]#

vi /etc/sysconfig/ldap
# line 16: uncomment and change

SLAPD_LDAPI=

yes

[root@dir ~]#

vi /etc/openldap/slapd.conf
# create new
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

[root@dir ~]#

rm -rf /etc/openldap/slapd.d/*

[root@dir ~]#

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

config file testing succeeded

[root@dir ~]#

vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 4: change

olcAccess:

{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

[root@dir ~]#

vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
# create new
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

[root@dir ~]#

chown -R ldap. /etc/openldap/slapd.d

[root@dir ~]#

chmod -R 700 /etc/openldap/slapd.d

[root@dir ~]#

/etc/rc.d/init.d/slapd start

Starting slapd: [ OK ]
[root@dir ~]#

chkconfig slapd on
[2] Initial Configuration
[root@dir ~]#

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=core,cn=schema,cn=config”

[root@dir ~]#

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=cosine,cn=schema,cn=config”

[root@dir ~]#

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=nis,cn=schema,cn=config”

[root@dir ~]#

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=inetorgperson,cn=schema,cn=config”

[root@dir ~]#

slappasswd
# generate password

New password:

# input any one

Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dir ~]#

vi backend.ldif
# create new
# replace the section “dc=***,dc=***” to your own suffix
# replace the section “olcRootPW: ***” to your own password generated by slappasswd above
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=server,dc=world
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=world
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=world" write by * read

[root@dir ~]#

ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=module,cn=config”

adding new entry “olcDatabase=hdb,cn=config”

[root@dir ~]#

vi frontend.ldif
# create new
# replace the section “dc=***,dc=***” to your own suffix
# replace the section “userPassword: ***” to your own password generated by slappasswd above
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server

dn: cn=admin,dc=server,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=server,dc=world
objectClass: organizationalUnit
ou: groups

[root@dir ~]#

ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif

Enter LDAP Password:

# password you set
adding new entry "dc=server,dc=world"

adding new entry "cn=admin,dc=server,dc=world"

adding new entry "ou=people,dc=server,dc=world"

adding new entry "ou=groups,dc=server,dc=world"
[3] Add Existing local Users to LDAP Directory

[root@dir ~]#

vi ldapuser.sh
# extract local users who have 500-999 digit UID
# replace “SUFFIX=***” to your own suffix
# this is an example
#!/bin/bash

SUFFIX='dc=server,dc=world'
LDIF='ldapuser.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
   UID1=`echo $line | cut -d: -f1`
   NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
   if [ ! "$NAME" ]
   then
      NAME=$UID1
   else
      NAME=`echo $NAME | sed -e "s/%/ /g"`
   fi
   SN=`echo $NAME | awk '{print $2}'`
   if [ ! "$SN" ]
   then
      SN=$NAME
   fi
   GIVEN=`echo $NAME | awk '{print $1}'`
   UID2=`echo $line | cut -d: -f3`
   GID=`echo $line | cut -d: -f4`
   PASS=`grep $UID1: /etc/shadow | cut -d: -f2`
   SHELL=`echo $line | cut -d: -f7`
   HOME=`echo $line | cut -d: -f6`
   EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
   FLAG=`grep $UID1: /etc/shadow | cut -d: -f9`
   if [ ! "$FLAG" ]
   then
      FLAG="0"
   fi
   WARN=`passwd -S $UID1 | awk '{print $6}'`
   MIN=`passwd -S $UID1 | awk '{print $4}'`
   MAX=`passwd -S $UID1 | awk '{print $5}'`
   LAST=`grep $UID1: /etc/shadow | cut -d: -f3`

   echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
   echo "objectClass: inetOrgPerson" >> $LDIF
   echo "objectClass: posixAccount" >> $LDIF
   echo "objectClass: shadowAccount" >> $LDIF
   echo "uid: $UID1" >> $LDIF
   echo "sn: $SN" >> $LDIF
   echo "givenName: $GIVEN" >> $LDIF
   echo "cn: $NAME" >> $LDIF
   echo "displayName: $NAME" >> $LDIF
   echo "uidNumber: $UID2" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   echo "userPassword: {crypt}$PASS" >> $LDIF
   echo "gecos: $NAME" >> $LDIF
   echo "loginShell: $SHELL" >> $LDIF
   echo "homeDirectory: $HOME" >> $LDIF
   echo "shadowExpire: $EXPIRE" >> $LDIF
   echo "shadowFlag: $FLAG" >> $LDIF
   echo "shadowWarning: $WARN" >> $LDIF
   echo "shadowMin: $MIN" >> $LDIF
   echo "shadowMax: $MAX" >> $LDIF
   echo "shadowLastChange: $LAST" >> $LDIF
   echo >> $LDIF
done

[root@dir ~]#

sh ldapuser.sh

[root@dir ~]#

ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapuser.ldif

Enter LDAP Password:

# LDAP admin password
adding new entry "uid=cent,ou=people,dc=server,dc=world"

adding new entry "uid=fedora,ou=people,dc=server,dc=world"

adding new entry "uid=ubuntu,ou=people,dc=server,dc=world"

adding new entry "uid=debian,ou=people,dc=server,dc=world"

adding new entry "uid=fermi,ou=people,dc=server,dc=world"
[4] Add existing local groups to LDAP directory.

[root@dir ~]#

vi ldapgroup.sh
# extract local groups who have 500-999 digit UID
# replace “SUFFIX=***” to your own suffix
# this is an example
#!/bin/bash

SUFFIX='dc=server,dc=world'
LDIF='ldapgroup.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
   CN=`echo $line | cut -d: -f1`
   GID=`echo $line | cut -d: -f3`
   echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
   echo "objectClass: posixGroup" >> $LDIF
   echo "cn: $CN" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
   for user in ${users} ; do
      echo "memberUid: ${user}" >> $LDIF
   done
   echo >> $LDIF
done

[root@dir ~]#

sh ldapgroup.sh

[root@dir ~]#

ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapgroup.ldif

Enter LDAP Password:

# LDAP admin password
adding new entry "cn=cent,ou=groups,dc=server,dc=world"

adding new entry "cn=fedora,ou=groups,dc=server,dc=world"

adding new entry "cn=ubuntu,ou=groups,dc=server,dc=world"

adding new entry "cn=debian,ou=groups,dc=server,dc=world"

adding new entry "cn=fermi,ou=groups,dc=server,dc=world"
[5] If you’d like to delete User or Group in LDAP, Do as below.
[root@dir ~]#

ldapdelete -x -W -D ‘cn=admin,dc=server,dc=world’ “uid=cent,ou=people,dc=server,dc=world”

Enter LDAP Password:
[root@dir ~]#

ldapdelete -x -W -D ‘cn=admin,dc=server,dc=world’ “cn=cent,ou=groups,dc=server,dc=world”

Enter LDAP Password:

Installing and configuring Samba

yum -y install samba smbldap-tools
vim /etc/samba/smb.conf

dont forget to change domain name:

[global]
workgroup = SIMPLEX
netbios name = SIMPLEX
passdb backend = ldapsam:ldap://simplex.local
username map = /etc/samba/smbusers
security = user

passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

#add user script = /usr/sbin/useradd -m %u
#delete user script = /usr/sbin/userdel -r %u
#add group script = /usr/sbin/groupadd %g
#delete group script = /usr/sbin/groupdel %g
#add user to group script = /usr/sbin/usermod -G %g %u
#add machine script = \
# /usr/sbin/useradd -s /bin/false -d /dev/null \
# -g machines %u

# The following specifies the default logon script
# Per user logon scripts can be specified in the
# user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
ldap suffix = dc=simplex,dc=local
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=People
ldap admin dn = cn=admin
ldap ssl = no
ldap passwd sync = yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# Other resource shares

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /etc/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no

Run smbldap-tools configuration:

chmod +x /usr/share/doc/smbldap-tools-0.9.6/configure.pl
/usr/share/doc/smbldap-tools-0.9.6/configure.pl
[root@asterisk21 ~]# cat /etc/smbldap-tools/smbldap.conf | grep -v "#"

SID="S-1-5-21-1149901229-438850559-190516975"

sambaDomain="SIMPLEX"

slaveLDAP="192.168.18.21"

slavePort="389"

masterLDAP="192.168.18.21"

masterPort="389"

ldapTLS="0"

verify=""

cafile=""

clientcert=""

clientkey=""

suffix="dc=simplex,dc=local"

usersdn="ou=People,${suffix}"

computersdn="ou=People,${suffix}"

groupsdn="ou=Group,${suffix}"

idmapdn="ou=People,${suffix}"

sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

scope="sub"

hash_encrypt="SSHA"

crypt_salt_format=""

userLoginShell="/bin/bash"

userHome="/home/%U"

userHomeDirectoryMode="700"

userGecos="System User"

defaultUserGid="513"

defaultComputerGid="515"

skeletonDir="/etc/skel"

defaultMaxPasswordAge="70"

userSmbHome="\\%L\%U"

userProfile="\\%L\Profiles\%U"

userHomeDrive="/home"

userScript="scripts\logon.bat"

mailDomain="simplex-bpo.com"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

conf file should be look like that:

[root@asterisk21 ~]# cat /etc/smbldap-tools/smbldap.conf | grep -v "#"

SID="S-1-5-21-1149901229-438850559-190516975"

sambaDomain="SIMPLEX"

slaveLDAP="192.168.18.21"

slavePort="389"

masterLDAP="192.168.18.21"

masterPort="389"

ldapTLS="0"

verify=""

cafile=""

clientcert=""

clientkey=""

suffix="dc=simplex,dc=local"

usersdn="ou=People,${suffix}"

computersdn="ou=People,${suffix}"

groupsdn="ou=Group,${suffix}"

idmapdn="ou=People,${suffix}"

sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

scope="sub"

hash_encrypt="SSHA"

crypt_salt_format=""

userLoginShell="/bin/bash"

userHome="/home/%U"

userHomeDirectoryMode="700"

userGecos="System User"

defaultUserGid="513"

defaultComputerGid="515"

skeletonDir="/etc/skel"

defaultMaxPasswordAge="70"

userSmbHome="\\%L\%U"

userProfile="\\%L\Profiles\%U"

userHomeDrive="/home"

userScript="scripts\logon.bat"

mailDomain="simplex-bpo.com"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

and smbldap_bind.conf:

[root@asterisk21 ~]# cat /etc/smbldap-tools/smbldap_bind.conf

############################
# Credential Configuration #
############################
# Note: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=simplex,dc=local"
slavePw="passwd"
masterDN="cn=admin,dc=simplex,dc=local"
masterPw="passwd"

Adding samba scheme to LDAP

make a new file:

[root@asterisk21 ~]# cat schema_convert.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
mkdir /tmp/ldif_output
slaptest -f schema_convert.conf -F /tmp/ldif_output

now edit two files in /tmp/ldif_output/cn=config/cn=schema/

  •  cn={13}samba.ldif
  • cn={8}misc.ldif

edit header of files:

[root@asterisk21 ~]# cat /tmp/ldif_output/cn=config/cn=schema/cn={13}samba.ldif
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
[root@asterisk21 ~]# cat /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif
dn: cn=misc,cn=schema,cn=config
objectClass: olcSchemaConfig
cn:misc

erase from bottom something like that:

structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z

then export them to LDAP:

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldif_output/cn=config/cn=schema/cn={13}samba.ldif

Now youll be able to run:

smbldap-populate

If it was OK, then your smbldap-tools were set properly. Now you can add new samba-LDAP users
I have a simple script to do it easy:

[root@asterisk21 ~]# cat ldapuser-add.sh
#!/bin/bash
# smbldap-useradd -a -m -A 1 -B 1 -N John -S Smith -T john.smith@724care.net (username)
# USAGE: ldapuser-add.sh
smbldap-useradd -a -m -A 1 -B 1 -N $2 -S $3 -T $4 $1
smbldap-passwd $1

phpldapadmin

  790  cd /usr/src/
  791  wget http://downloads.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fphpldapadmin%2Ffiles%2Fphpldapadmin-php5%2F1.2.2%2F&ts=1326997487&use_mirror=voxel
  792  ls
  793  tar -xzvf phpldapadmin-1.2.2.tgz
  794  cp -R phpldapadmin-1.2.2 /var/www/html/
  795  mv /var/www/html/phpldapadmin-1.2.2/config/config.php.example  /var/www/html/phpldapadmin-1.2.2/config/config.php
  796  cd /var/www/html/
  797  ls
  798  mv phpldapadmin-1.2.2 phpldapadmin

now go to http://SERVER_IP/phpldapadmin
and login as “cn=admin,dc=example,dc=com”

2 Responses
  1. February 14, 2012

    smbldap-populate
    Can’t locate Crypt/SmbHash.pm in @INC (@INC contains: /usr/sbin/ /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 .) at /usr/sbin//smbldap_tools.pm line 27, line 522.
    BEGIN failed–compilation aborted at /usr/sbin//smbldap_tools.pm line 27, line 522.
    Compilation failed in require at /usr/sbin/smbldap-populate line 31, line 522.
    BEGIN failed–compilation aborted at /usr/sbin/smbldap-populate line 31, line 522.

  2. shirker2006 permalink
    February 25, 2012

    How did you install smbldap-tools?

Comments are closed.