OpenLDAP proxy for samba-usage - openldap-technical

22 Mar 2022


      Hello :)
Hopefully I'm not completly wrong on this ml, as its not only ldap 
related, but also samba related.
I work at a Chair of a german university.
University uses a central LDAP-system for all students, employees, 
scientists, scientific guests, etc., providing an unique UID for all 
these peoples, plus many more information.
My idea was: setting-up a local OpenLDAP-proxy, so that people of our 
Chair get access to ressources (eg. via samba) using their unique UID 
and password, but without setting-up an AD.
Many system here are owned by the Chair or University, but lots of 
students are using their own laptop, so using a AD (and adding them) is 
not very handy for them ... so, something like a stand-alone 
samba-server with authentification versus ldap.
Is there a chance to get this running? There is no chance to add the 
schema on a proxy?
What I did so far:
- I can establish a connection to the central LDAP-system using 
/etc/pam_ldap.conf
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
pam_password crypt
ssl start_tls
ssl on
- I configured /etc/libnss-ldap.conf, and a 'getent passwd' shows all 
local users plus the members
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
- I also configured /etc/ldap/slapd.conf for proxy usage (I think I did 
...), but I learned 2 days ago I can't add any schemata on a proxy ...
# Schema includes
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
#
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/openldap.schema
#
#
# Module
modulepath      /usr/lib/ldap
moduleload      back_ldap.la
moduleload      back_hdb.la
moduleload      back_mdb
moduleload      rwm
moduleload      pcache.la
moduleload      memberof.la
#
# Main settings
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
conn_max_pending 1000
sockbuf_max_incoming 4194303
logfile /var/log/ldap/logfile.log
#loglevel stats conns filter
loglevel any
sizelimit unlimited
limits * size.pr=0 size.prtotal=none
tool-threads 1
#
readonly on
access to *
by * read
#
# Database defs (proxy to AD)
database ldap
chase-referrals no
rootdn ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
suffix "dc=DOMAIN,dc=de"
uri ldap://localhost/
uri ldap://ldap.DOMAIN.de/
uri ldaps://ldap.DOMAIN.de/
acl-bind bindmethod=simple 
binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" 
starttls=yes
idassert-bind bindmethod=simple 
binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" 
starttls=yes
#cancel abandon
overlay pcache
#proxycache    hdb 100000 3 1000 100
proxycache    mdb 100000 3 1000 100
pcachePersist TRUE
proxyAttrset  0 mail uid gecos
proxyTemplate (sn=) 0 3600
proxyTemplate (&(sn=)(givenName=)) 0 3600
#cachesize 20
index       objectClass eq
index       cn,sn,uid,mail  pres,eq,sub
pcacheAttrset   0 1.1
pcacheTemplate  (&(|(objectClass=))) 0 3600
pcacheTemplate (objectClass=*) 0 3600
pcacheAttrset   1 displayname
pcacheTemplate (objectClass=*) 1 3600
pcacheAttrset   2 memberOf
pcacheTemplate (objectClass=*) 2 3600
conn-ttl 3600
#
directory /var/lib/ldap
Testing the config works:
root@ldap:~# /usr/sbin/slapd -Tt -f /etc/ldap/slapd.conf
config file testing succeeded
62398f56 mdb_opinfo_get: err Permission denied(13)
root@ldap:~#
(I have no idea which Permission is denied)
slapd can be started via
/usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf
ldapsearch works fine using '-h localhost' or '-H 
ldap://ldap.DOMAIN.de', so I think the basic config is not bad at all ...
Thanks in advance!
Cheers,
Torsten