3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two
configuration files. The first (smbldap.conf) allows you to
set global parameters that are readable by everybody, and the second
(smbldap_bind.conf) defines two administrative accounts used to
bind to a slave and a master LDAP server: this file must thus be
readable only by root.
A script named configure.pl can help you set their contents
up. It is located in the tarball you
downloaded, or in the documentation directory if you got the RPM
archive (see /usr/share/doc/smbldap-tools/). Just invoke it:
/usr/share/doc/smbldap-tools/configure.pl
It will ask for the default values defined in your
smb.conf file, and will update the two configuration files used
by the scripts. Note that you can stop the script at any moment with
the Ctrl-C keys.
Before using this script:
- the two configuration files must be present in the
/etc/smbldap-tools/ directory
- check that Samba is configured and running, as the script will try to
get your workgroup's domain security identifier (SID).
In those files, parameters are defined like this:
key="value"
Full example configuration files can be found in section 9.1.
3.1 The smbldap.conf file
This file is used to define parameters that can be read by
everybody. A full example file is available in section 9.1.1.
Let's have a look at all available parameters.
- UID_START : minimum uid for user accounts
Example: UID_START="1000"
Remark: nss_ldap needs to be configured correctly to find the first
available value.
- GID_START : minimum gid for group accounts
Example: GID_START="1000"
Remark: nss_ldap needs to be configured correctly to find the
first available value.
- SID : domain security identifier
Example: SID="S-1-5-21-3703471949-3718591838-2324585696"
Remark: you can get the SID for your domain using the net getlocalsid
command. Samba must be up and running for this to work (it can take several
minutes for a Samba server to correctly negotiate its status with other network servers).
- slaveLDAP : slave LDAP server
Example: slaveLDAP="127.0.0.1"
Remark: must be a resolvable DNS name or its IP address
- slavePort : port to contact the slave server
Example: slavePort="389"
- masterLDAP : master LDAP server
Example: masterLDAP="127.0.0.1"
- masterPort : port to contact the master server
Example: masterPort="389"
- ldapTLS : should we use a TLS connection to contact the
LDAP servers?
Example: ldapTLS="1"
Remark: the LDAP servers must be configured to accept TLS
connections. See section 6 for more
details. If you are using TLS support, select port 389 to connect to
the master and slave directories.
- verify : how to verify the server's certificate (none,
optional or require). See the start_tls section of "man Net::LDAP" for
more details
Example: verify="require"
- cafile : the PEM-format file containing certificates
for the CA that slapd will trust
Example: cafile="/etc/smbldap-tools/ca.pem"
- clientcert : the file that contains the client certificate
Example: clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.com.pem"
- clientkey : the file that contains the private key that
matches the certificate stored in the clientcert file
Example: clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.com.key"
- suffix : The distinguished name of the search base
Example: suffix="dc=idealx,dc=com"
- usersdn : branch in which user accounts can be found or
must be added
Example: usersdn="ou=Users"
Remark: this branch is relative to the suffix value
- computersdn : branch in which computer accounts can be
found or must be added
Example: computersdn="ou=Computers"
Remark: this branch is relative to the suffix value
- groupsdn : branch in which group accounts can be found
or must be added
Example: groupsdn="ou=Groups"
Remark: this branch is relative to the suffix value
- scope : the search scope.
Example: scope="sub"
- hash_encrypt : hash to be used when generating a
user password.
Example: hash_encrypt="SSHA"
Remark: This is used for the unix password stored in userPassword attribute.
- userLoginShell : default shell given to users.
Example: userLoginShell="/bin/bash"
Remark: This is stored in loginShell attribute.
- userHomePrefix : default directory where users' home
directories are located.
Example: userHomePrefix="/home/"
Remark: This is stored in homeDirectory attribute.
- userGecos : gecos used for users
Example: userGecos="System User"
- defaultUserGid : default primary group set for user accounts
Example: defaultUserGid="513"
Remark: this is stored in gidNumber attribute.
- defaultComputerGid : default primary group set for
computer accounts
Example: defaultComputerGid="550"
Remark: this is stored in gidNumber attribute.
- skeletonDir : skeleton directory used for user accounts
Example: skeletonDir="/etc/skel"
Remark: this option is used only if you ask for home directory creation
when adding a new user.
- defaultMaxPasswordAge : default validity period of a
password (in days)
Example: defaultMaxPasswordAge="55"
- userSmbHome : samba share used to store the user's home directory
Example: userSmbHome="\\PDC-SMB3\homes"
Remark: this is stored in sambaHomePath attribute.
- userProfile : samba share used to store the user's profile
Example: userProfile="\\PDC-SMB3\profiles"
Remark: this is stored in sambaProfilePath attribute.
- userHomeDrive : letter used on windows system to map
the home directory
Example: userHomeDrive="K:"
- with_smbpasswd : should we use the smbpasswd command
to set the user's password (instead of the mkntpwd utility)?
Example: with_smbpasswd="0"
Remark: must be a boolean value (0 or 1).
- smbpasswd : path to the smbpasswd binary
Example: smbpasswd="/usr/bin/smbpasswd"
- mk_ntpasswd : path to the mkntpwd binary
Example: mk_ntpasswd="/usr/local/sbin/mkntpwd"
Remark: the rpm package of the smbldap-tools will install this utility. If
you are using the tarball archive, you have to install it yourself (sources are also in the smbldap-tools archive).
3.2 The smbldap_bind.conf file
This file is only used by root to modify the content of the directory.
It contains distinguished names and credentials to connect to
both the master and slave directories. A full example file is available
in section 9.1.2.
Let's have a look at all available parameters.
- slaveDN : distinguished name used to bind to the slave server
Example 1: slaveDN="cn=Manager,dc=idealx,dc=com"
Example 2: slaveDN=""
Remark: this can be the manager account of the
directory or any LDAP account that has sufficient permissions to read the
full directory (the slave directory is only used for reading). Anonymous
connections use the second example form.
- slavePw : the credentials to bind to the slave server
Example 1: slavePw="secret"
Example 2: slavePw=""
Remark: the password must be stored here in clear form. This file must
then be readable only by root! All anonymous connections use the second
form provided in our example.
- masterDN : the distinguished name used to bind to the master server
Example: masterDN="cn=Manager,dc=idealx,dc=com"
Remark: this can be the manager account of the
directory or any LDAP account that has enough permissions to modify the content of
the directory. Anonymous access does not make any sense here.
- masterPw : the credentials to bind to the master server
Example: masterPw="secret"
Remark: the password must be in clear text. Be sure to protect this file
against unauthorized readers!
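Since smbldap_bind.conf holds clear-text credentials and several smbldap.conf values (SID, with_smbpasswd, ldapTLS/verify) are easy to get wrong, here is an added example (not part of the smbldap-tools package) that parses the key="value" format of sections 3.1 and 3.2 and flags those mistakes. The file contents and the mode bits are constructed, the parser assumes every value is double-quoted as the examples above show, and treating verify="require" as the expected setting with ldapTLS="1" is this editor's recommendation rather than a requirement of the tools.

```python
import re
from typing import Dict, List

# Constructed sample files in the key="value" format of smbldap-tools (not the files of section 9.1).
SAMPLE_SMBLDAP_CONF = '''
# global parameters, readable by everybody
SID="S-1-5-21-3703471949-3718591838-2324585696"
ldapTLS="1"
verify="none"
with_smbpasswd="2"
'''
SAMPLE_BIND_CONF = '''
slaveDN=""
slavePw=""
masterDN="cn=Manager,dc=idealx,dc=com"
masterPw="secret"
'''

KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')

def parse_conf(text: str) -> Dict[str, str]:
    """Parse key="value" lines; blank lines and # comments are ignored."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {line!r}")
        conf[m.group(1)] = m.group(2)
    return conf

def check_configs(conf: Dict[str, str], bind: Dict[str, str], bind_mode: int) -> List[str]:
    """Return problems to fix before using the scripts; bind_mode is st_mode & 0o777."""
    findings = []
    # smbldap_bind.conf holds clear-text passwords: group and others must have no access.
    if bind_mode & 0o077:
        findings.append(f"smbldap_bind.conf mode {bind_mode:04o} is readable by non-root users")
    if not bind.get("masterDN"):
        findings.append("masterDN is empty: anonymous access cannot modify the directory")
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", conf.get("SID", "")):
        findings.append("SID is not a domain SID of the form S-1-5-21-X-Y-Z")
    if conf.get("with_smbpasswd") not in ("0", "1"):
        findings.append("with_smbpasswd must be a boolean value (0 or 1)")
    # TLS without certificate verification does not protect against a spoofed directory.
    if conf.get("ldapTLS") == "1" and conf.get("verify") != "require":
        findings.append('ldapTLS="1" but verify is not "require"')
    return findings
```

Run check_configs(parse_conf(open("/etc/smbldap-tools/smbldap.conf").read()), parse_conf(open("/etc/smbldap-tools/smbldap_bind.conf").read()), os.stat("/etc/smbldap-tools/smbldap_bind.conf").st_mode & 0o777) as root to check a real installation.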