path: root/howto-ol-backend-s4.txt
Samba4  OpenLDAP-Backend Quick-Howto
====================================

oliver@itc.li  -  August 2009


This mini-howto describes, in a very simplified way,
how to set up Samba 4 (S4) (pre)Alpha 9 with the
OpenLDAP (OL) backend.
Use of OpenLDAP >= 2.4.17 is strongly recommended.


1.) Download and compile OpenLDAP. 

The (older) versions shipped with distributions often
cause trouble, so don't use them. Configure example:

#> ./configure --enable-overlays=yes --with-tls=yes --with-cyrus-sasl=yes
#> make depend && make && make install

Note: the openssl and cyrus-sasl libraries have to be installed
before compilation.



2.) Prepare S4 to use OL-Backend:

Run the provision-backend Python script first, then the "final"
provision (this two-step process will be merged in the future).

Simple provision-backend Example:

#> setup/provision-backend --realm=ldap.local.site \
  --domain=LDAP --ldap-admin-pass="linux" \
  --ldap-backend-type=openldap \
  --server-role='domain controller' \
  --ol-slapd="/usr/local/libexec/slapd"

After that, you should get output similar to this:

--------
Your openldap Backend for Samba4 is now configured, and is ready to be started
Server Role:         domain controller
Hostname:            ldapmaster
DNS Domain:          ldap.local.site
Base DN:             DC=ldap,DC=local,DC=site
LDAP admin user:     samba-admin
LDAP admin password: linux
LDAP Debug-Output:
(1, 'connection to remote LDAP server dropped?')
Ok. - No other slapd-Instance listening on: ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi. Starting al provision.
Started slapd for final provisioning with PID: 21728

Now run final provision with: --ldap-backend=ldapi --ldap-backend-type=openldap --password=linux --username=sa=ldap.local.site --domain=LDAP --server-role='domain controller'

--------

Since this (pre)Alpha you don't have to run slapd manually
any more: slapd is started automatically when
provision-backend is done, listening on the
ldapi:// socket. The system should now be ready
for the final provision:


3.) Final provision:

Use the parameters displayed above to run the final provision
(you can add --adminpass=<yourpass> to the parameters;
otherwise a random password is generated for
cn=Administrator,cn=users,<Your Base-DN>):

#> setup/provision --ldap-backend=ldapi \
   --ldap-backend-type=openldap --password=linux \
   --username=samba-admin --realm=ldap.local.site \
   --domain=LDAP --server-role='domain controller' \
   --adminpass=linux

At the end of the final provision you should get
the following output (only partially shown here). Read it carefully:

--------
...
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
LDAP Debug-Output:[Message({'dn': Dn(''), 'objectClass': MessageElement(['top','OpenLDAProotDSE'])})]
slapd-PID-File found. PID is :21728

File from provision-backend with stored PID found. PID is :21728

slapd-Process used for provisioning with PID: 21728
 will now be shut down.
slapd-Process used for final provision was properly shut down.
Use later the following commandline to start slapd, then Samba:
/usr/local/libexec/slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

This slapd-Commandline is also stored under: /usr/local/samba/private/ldap/slapd_command_file.txt
Please install the phpLDAPadmin configuration located at /usr/local/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
Once the above files are installed, your Samba4 server will be ready to use
Server Role:    domain controller
Hostname:       ldapmaster
NetBIOS Domain: LDAP
DNS Domain:     ldap.local.site
DOMAIN SID:     S-1-5-21-429312062-2328781357-2130201529
Admin password: linux

--------

The slapd running in "provision mode" will be shut down automatically
after the final provision ends.


4.) Run OL and S4:

After you have completed the other necessary steps (Kerberos- and
named-specific), first start OL with the command line displayed
in the output under (3) (remember: the slapd command line is also
stored in the file ../slapd_command_file.txt), then start S4.
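A start-up script for step (4), added here as an example; it is not part of the howto or of Samba. It reads the slapd command line that the final provision stored, refuses anything that is not the provisioned ldapi:// listener, waits until the ldapi socket exists and only then starts S4. It assumes the default (non-olc) setup under the howto's /usr/local/samba prefix; the location of the samba binary is an assumption.

```shell
#!/bin/sh
# Added example, not from the howto: start OL (slapd) from the command
# line stored by the final provision, wait for the ldapi socket, then
# start S4. Paths follow the howto's /usr/local/samba prefix.
SAMBA_PRIVATE=/usr/local/samba/private
CMD_FILE=$SAMBA_PRIVATE/ldap/slapd_command_file.txt
LDAPI_SOCKET=$SAMBA_PRIVATE/ldap/ldapi
SAMBA_BIN=/usr/local/samba/sbin/samba   # assumed location of the S4 binary

# Print the first non-blank line of the command file, but only if it is
# the provisioned slapd line (listening on ldapi://); anything else is
# refused so a stray edit cannot start slapd on an unintended listener.
slapd_command_from_file() {
    cmd=$(sed -n '/[^[:space:]]/{p;q;}' "$1")
    [ -n "$cmd" ] || { echo "no command line in $1" >&2; return 1; }
    case "$cmd" in
        *"slapd "*" -h ldapi://"*) printf '%s\n' "$cmd" ;;
        *) echo "unexpected slapd command line: $cmd" >&2; return 1 ;;
    esac
}

# Poll until the unix socket at $1 exists, giving up after $2 seconds.
wait_for_socket() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -S "$1" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "socket $1 did not appear within $2 s" >&2
    return 1
}

# Step (4) in order: OL first, S4 only once the backend socket is there.
start_ol_then_s4() {
    cmd=$(slapd_command_from_file "$CMD_FILE") || return 1
    $cmd || return 1          # word-split on purpose; slapd detaches itself
    wait_for_socket "$LDAPI_SOCKET" 30 || return 1
    exec "$SAMBA_BIN"
}
```

Call start_ol_then_s4 from the script's end (or from an init script) once the Kerberos and named steps are done.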



5.) Special Setup-Types:

a) OpenLDAP Online Configuration (olc):
Use the provision-backend parameter

 --ol-olc=yes

In that case, the olc will be set up automatically
under ../private/slapd.d/.
The olc is accessible as "cn=samba-admin,cn=samba" with the base DN "cn=config".
The olc is intended primarily for use in conjunction with MMR.

Attention: you have to start OL with the command line
displayed in the output under (3), but you have to set the
listening port of slapd manually:

(e.g. -h ldap://ldapmaster.ldap.local.site:9000)

Attention: you _should_not_ edit the olc sections
"config" and "ldif", as these are vital to the olc itself.


b) MultiMaster configuration (MMR):
At this time (S4 (pre)Alpha 9) this is the only possible replication setup.
Use the provision-backend parameter:

 --ol-mmr-urls="<whitespace-separated list of LDAP URLs, each with a port other than 389>"

e.g.:
--ol-mmr-urls="ldap://ldapmaster1.ldap.local.site:9000 \
   ldap://ldapmaster2.ldap.local.site:9000"

Attention: you have to start OL with the command line
displayed in the output under (3), but you have to set the
listening port of slapd manually
(e.g. -h ldap://ldapmaster1.ldap.local.site:9000).

The ports must be different from 389, as that port is occupied by S4.
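Added example, not part of the howto: a shell check for the listener URLs used in (5a) and (5b). It enforces the rule stated above, that every URL given to --ol-mmr-urls (or to slapd's manual -h option) is an ldap:// URL with an explicit numeric port other than 389, since S4 occupies 389. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the howto: validate the slapd listener URLs
# for the olc (5a) and MMR (5b) setups before running provision-backend
# or starting slapd by hand. Only plain ldap://host:port URLs are accepted,
# matching the form the howto uses.

# Check one URL of the form ldap://host:port. Returns 0 if acceptable,
# otherwise 1 with the reason on stderr.
check_ldap_url() {
    url=$1
    case "$url" in
        ldap://*:*) ;;                 # scheme plus an explicit port
        *) echo "rejected: $url (need ldap://host:port)" >&2; return 1 ;;
    esac
    port=${url##*:}
    host=${url#ldap://}
    host=${host%:*}
    [ -n "$host" ] || { echo "rejected: $url (empty host)" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "rejected: $url (port not numeric)" >&2; return 1 ;;
    esac
    if [ "$port" -eq 389 ]; then
        echo "rejected: $url (port 389 is occupied by S4)" >&2
        return 1
    fi
    return 0
}

# Check a whole --ol-mmr-urls value: a whitespace separated list of URLs,
# every one of which must pass check_ldap_url.
check_mmr_urls() {
    for u in $1; do
        check_ldap_url "$u" || return 1
    done
    return 0
}

# Usage with the howto's own example list:
# check_mmr_urls "ldap://ldapmaster1.ldap.local.site:9000 ldap://ldapmaster2.ldap.local.site:9000" && echo ok
```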