Hello :)
Hopefully I'm not completely wrong on this ML, as it's not only LDAP related, but also Samba related.
I work at a Chair of a German university.
The University uses a central LDAP system for all students, employees, scientists, scientific guests, etc., providing a unique UID for all these people, plus much more information.
My idea was: set up a local OpenLDAP proxy, so that people of our Chair get access to resources (e.g. via Samba) using their unique UID and password, but without setting up an AD.
Many systems here are owned by the Chair or University, but lots of students are using their own laptops, so using an AD (and adding them) is not very handy for them ... so, something like a stand-alone Samba server with authentication against LDAP.
Is there a chance to get this running? Is there no way to add the schema on a proxy?
What I did so far:
- I can establish a connection to the central LDAP system using /etc/pam_ldap.conf:
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
pam_password crypt
ssl start_tls
ssl on
- I configured /etc/libnss-ldap.conf, and 'getent passwd' shows all local users plus the members:
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
- I also configured /etc/ldap/slapd.conf for proxy usage (I think I did ...), but I learned 2 days ago that I can't add any schemata on a proxy ...
# Schema includes
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
#
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/openldap.schema
#
#
# Module
modulepath /usr/lib/ldap
moduleload back_ldap.la
moduleload back_hdb.la
moduleload back_mdb
moduleload rwm
moduleload pcache.la
moduleload memberof.la
#
# Main settings
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
conn_max_pending 1000
sockbuf_max_incoming 4194303
logfile /var/log/ldap/logfile.log
#loglevel stats conns filter
loglevel any
sizelimit unlimited
limits * size.pr=0 size.prtotal=none
tool-threads 1
#
readonly on
access to *
by * read
#
# Database defs (proxy to AD)
database ldap
chase-referrals no
rootdn ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
suffix "dc=DOMAIN,dc=de"
uri ldap://localhost/
uri ldap://ldap.DOMAIN.de/
uri ldaps://ldap.DOMAIN.de/
acl-bind bindmethod=simple binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" starttls=yes
idassert-bind bindmethod=simple binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" starttls=yes
#cancel abandon
overlay pcache
#proxycache hdb 100000 3 1000 100
proxycache mdb 100000 3 1000 100
pcachePersist TRUE
proxyAttrset 0 mail uid gecos
proxyTemplate (sn=) 0 3600
proxyTemplate (&(sn=)(givenName=)) 0 3600
#cachesize 20
index objectClass eq
index cn,sn,uid,mail pres,eq,sub
pcacheAttrset 0 1.1
pcacheTemplate (&(|(objectClass=))) 0 3600
pcacheTemplate (objectClass=*) 0 3600
pcacheAttrset 1 displayname
pcacheTemplate (objectClass=*) 1 3600
pcacheAttrset 2 memberOf
pcacheTemplate (objectClass=*) 2 3600
conn-ttl 3600
#
directory /var/lib/ldap
Testing the config works:
root@ldap:~# /usr/sbin/slapd -Tt -f /etc/ldap/slapd.conf
config file testing succeeded
62398f56 mdb_opinfo_get: err Permission denied(13)
root@ldap:~#
(I have no idea which permission is denied)
slapd can be started via:
/usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf
ldapsearch works fine using '-h localhost' or '-H ldap://ldap.DOMAIN.de', so I think the basic config is not bad at all ...
Thanks in advance!
Cheers, Torsten
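Added example, not part of the original mail or of any OpenLDAP/Samba project code: a small audit script that parses the two configuration files quoted above (pam_ldap.conf and the proxy section of slapd.conf, with the post's placeholders DOMAIN, CHAIRCODE and PASSWORD left in place) and reports the settings a defender would want to look at before exposing such a proxy: the conflicting `ssl start_tls` / `ssl on` pair, clear-text bind credentials in both files, missing CA pinning, `loglevel any`, the `by * read` ACL combined with `idassert-bind`, and attribute set 0 being declared under both the legacy `proxyAttrset` and the `pcacheAttrset` spelling. The sample texts are embedded inline (constructed from the post; the `by * read` line is indented because slapd.conf treats an indented line as a continuation of the previous directive); nothing is read from disk, and the file names in the output are labels only.

```python
"""Audit pam_ldap.conf / slapd.conf (back-ldap + pcache) for weak settings.

Added example; the sample configs are the ones quoted in the post, with its
placeholders (DOMAIN, CHAIRCODE, PASSWORD) kept as-is. No files are read.
"""

# Constructed sample: the post's /etc/pam_ldap.conf
PAM_LDAP_CONF = """\
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
pam_password crypt
ssl start_tls
ssl on
"""

# Constructed sample: the security-relevant lines of the post's slapd.conf.
# "by * read" is indented: slapd.conf continues the previous directive on
# indented lines, which is how the post's "access to * / by * read" is read.
SLAPD_CONF = """\
loglevel any
readonly on
access to *
  by * read
database ldap
uri ldap://localhost/
uri ldaps://ldap.DOMAIN.de/
acl-bind bindmethod=simple binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" starttls=yes
idassert-bind bindmethod=simple binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" starttls=yes
overlay pcache
proxycache mdb 100000 3 1000 100
proxyAttrset 0 mail uid gecos
pcacheAttrset 0 1.1
pcacheAttrset 1 displayname
"""


def parse_conf(text):
    """Return (directive, argument) pairs for a slapd.conf-style file.

    Blank lines and '#' comments are skipped, directive names are lower-cased
    (slapd matches them case-insensitively) and an indented line is appended
    to the previous directive, as slapd.conf does for 'access ... by ...'.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:  # continuation line
            key, arg = entries.pop()
            entries.append((key, (arg + " " + raw.strip()).strip()))
            continue
        key, _, arg = raw.strip().partition(" ")
        entries.append((key.lower(), arg.strip()))
    return entries


def audit_pam_ldap(entries):
    """Findings for the client side (pam_ldap / nss_ldap style files)."""
    findings = []
    keys = [k for k, _ in entries]
    ssl_modes = [v for k, v in entries if k == "ssl"]
    if len(set(ssl_modes)) > 1:
        findings.append("conflicting 'ssl' directives %s: only the last one is used" % ssl_modes)
    if "bindpw" in keys:
        findings.append("bindpw keeps the service credential in clear text: file must be root-only (mode 0600)")
    if not {"tls_cacertfile", "tls_cacertdir"} & set(keys):
        findings.append("no tls_cacertfile/tls_cacertdir: the server certificate is not pinned to a known CA")
    if dict(entries).get("tls_checkpeer") != "yes":
        findings.append("tls_checkpeer is not 'yes': certificate verification depends on library defaults")
    return findings


def audit_slapd(entries):
    """Findings for the back-ldap proxy with the pcache overlay."""
    findings = []
    attrsets = {}  # attrset index -> directive spellings that declared it
    has_idassert = any(k == "idassert-bind" for k, _ in entries)
    for k, v in entries:
        if k == "loglevel" and "any" in v.split():
            findings.append("loglevel any: every bind DN and search filter is logged; prefer 'stats'")
        elif k in ("acl-bind", "idassert-bind") and "credentials=" in v:
            findings.append("%s: clear-text credentials= in slapd.conf; restrict the file to the slapd user" % k)
        elif k == "access" and "by * read" in v and has_idassert:
            findings.append("access 'by * read' with idassert-bind: anonymous clients can search the whole "
                            "proxied tree; use 'by users read' or tighten idassert-authzFrom")
        elif k in ("proxyattrset", "pcacheattrset"):
            attrsets.setdefault(v.split()[0], []).append(k)
    for idx, names in attrsets.items():
        if len(names) > 1:
            findings.append("attrset %s is defined twice (%s): proxyAttrset is the legacy spelling of "
                            "pcacheAttrset" % (idx, " and ".join(names)))
    if ("readonly", "on") not in entries:
        findings.append("readonly is not on: write operations would be forwarded upstream")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("pam_ldap.conf", PAM_LDAP_CONF, audit_pam_ldap),
                              ("slapd.conf", SLAPD_CONF, audit_slapd)):
        print("== %s ==" % name)
        for finding in audit(parse_conf(text)):
            print(" -", finding)
```

Running it prints four findings for the pam_ldap.conf sample and five for the slapd.conf sample; the `readonly on` line is the one setting that passes, which is why it produces no output. Pointing the two `audit_*` functions at a real file is a matter of replacing the embedded strings with `open(path).read()`.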