1. Install LDAP (/usr/ports/net/openldap23-server)
2. Reinstall SAMBA (if LDAP support was not compiled in the first time)
3. Copy the SAMBA schema (samba.schema)
cp /usr/local/share/examples/samba/LDAP/samba.schema \
/usr/local/etc/openldap/schema
4. Configure slapd.conf
...
include /usr/local/etc/openldap/schema/core.schema
# Schemas required by SAMBA
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
...
# Only cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw may write the SambaLMPassword
# and SambaNTPassword attributes; nobody else gets read or write access to them
access to attrs=SambaLMPassword,SambaNTPassword
by dn="cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw" write
by * none
# The entry's owner may write, anonymous binds may read, nobody else gets anything
access to *
by self write
by anonymous read
by * none
...
# Use the bulky bdb backend as the storage database
database bdb
# The domain DN is normally used as the suffix
suffix "dc=Math,dc=NCTU,dc=edu,dc=tw"
# Whatever name you want for the boss, just put it in the cn XD
rootdn "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The root password; covered below
rootpw {SSHA}blahblah
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
# The lines below build index files, to speed up searches when the DB gets large
# (I can't tell what pres, sub and eq do either)
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
##index uidNumber eq
##index gidNumber eq
##index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
5. Use slappasswd to set the password
kingmax@Samba [/usr/ports/net/openldap23-server] [0:33] slappasswd
New password:
Re-enter new password:
{SSHA}YuorCb2Aecvbb+uztuCQVxoCgoD6rCma
kingmax@Samba [/usr/ports/net/openldap23-server] [0:38]
The string it prints is the hashed password.
6. Copy the {SSHA} line into rootpw
7. Write an LDIF file to populate the LDAP database; the LDIF format is documented on the OpenLDAP website
---------------- file start : initldap.dif --------------------
# Organization for Samba Base
dn: dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: dcObject
objectclass: organization
dc: Math
o: NCTU_AM_CC
description: NCTU AM CC SAMBA Account over LDAP

# Organizational Role for Directory Management
dn: cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up container for Users OU
dn: ou=People,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: People

# Setting up admin handle for People OU
dn: cn=admin,ou=People,dc=Math,dc=NCTU,dc=edu,dc=tw
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}blahblah

# Setting up container for groups
dn: ou=Groups,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: Groups

# Setting up admin handle for Groups OU
dn: cn=admin,ou=Groups,dc=Math,dc=NCTU,dc=edu,dc=tw
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}blah

# Setting up container for computers
dn: ou=Computers,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: Computers

# Setting up admin handle for Computers OU
dn: cn=admin,ou=Computers,dc=Math,dc=NCTU,dc=edu,dc=tw
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}blah
----------------- file end : initldap.dif ---------------------
8. Build the index database
slapindex -f /usr/local/etc/openldap/slapd.conf
9. Import the LDIF into LDAP to create the entries
slapadd -v -l /usr/local/etc/openldap/initldap.dif
10. Start LDAP
/usr/local/etc/rc.d/slapd start
11. Edit the SAMBA configuration file (smb.conf)
ldap admin dn = "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"
ldap ssl = off
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=Math,dc=NCTU,dc=edu,dc=tw
ldap passwd sync = yes
passdb backend = ldapsam:ldap://192.168.1.26
12. Restart SAMBA
/usr/local/etc/rc.d/samba restart
13. Set the administrator password SAMBA uses when binding to LDAP
smbpasswd -W
14. Convert the existing SAMBA password file, smbpasswd -> ldapsam
pdbedit -v -i smbpasswd:/usr/local/etc/samba/smbpasswd -e ldapsam:ldap://samba.math.nctu.edu.tw
15. Test it
a. smbclient -L 192.168.1.26 -U account (tests whether SAMBA can be used)
b. smbpasswd -as account (tests account creation)
c. smbpasswd account (tests changing a password)
d. smbpasswd -x account (tests whether deleting an account also removes the DN)
Reference: SAMBA-OFFICIAL-HOWTO Chapter 11
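Added example (not part of the original post): a small Python model of slapd's first-match ACL evaluation, applied to the access rules from the slapd.conf in step 4, so you can check what each kind of bind is allowed to see before the directory goes live. The user DNs uid=alice and uid=bob are constructed; the rootdn bypass follows slapd's documented behaviour that the rootdn is not subject to access controls.

```python
import re

# Constructed copy of the two access directives from the slapd.conf in step 4.
SLAPD_ACL = """
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw" write
    by * none
access to *
    by self write
    by anonymous read
    by * none
"""
ROOTDN = "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"  # rootdn from the same file


def parse_acl(text):
    """Return [(attrs or None for '*', [(who, level), ...]), ...] in file order."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            what = line[len("access to "):]
            # attribute names are case-insensitive in LDAP, so normalise them
            attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
            rules.append((attrs, []))
        elif line.startswith("by "):
            m = re.fullmatch(r'by (?:dn="([^"]+)"|(self|anonymous|\*)) (\w+)', line)
            rules[-1][1].append((m.group(1) or m.group(2), m.group(3)))
    return rules


def _who_matches(who, requester, target_dn):
    """requester=None means an anonymous bind; 'self' means requester == target entry."""
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who == "anonymous":
        return requester is None
    return requester is not None and requester.lower() == who.lower()  # exact dn=


def access(rules, requester, target_dn, attr):
    """slapd semantics: the first 'access to' clause whose target matches is the
    only one consulted; within it the first matching 'by' clause decides, and no
    match means 'none'. The rootdn bypasses ACLs, so it is checked first."""
    if requester is not None and requester.lower() == ROOTDN.lower():
        return "write"
    for attrs, clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"
```

Run against these rules, the model shows that userPassword (for example on the cn=admin entries created in step 7) is readable by anonymous binds, because it is not listed in the attrs= rule; restricting it the same way as the two Samba hash attributes is the usual fix.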