1. Install LDAP (/usr/ports/net/openldap23-server)
2. Reinstall SAMBA (if LDAP support was not compiled in the first time)
3. Copy the SAMBA schema (samba.schema)
cp /usr/local/share/examples/samba/LDAP/samba.schema \
/usr/local/etc/openldap/schema
4. Configure slapd.conf

...

include         /usr/local/etc/openldap/schema/core.schema
# schema files SAMBA requires
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema

...

# Only cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw may write the SambaLMPassword and SambaNTPassword values;
# nobody else gets read or write access to them
access to attrs=SambaLMPassword,SambaNTPassword
     by dn="cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw" write
     by * none

# An entry may be written by itself and read by anonymous; nobody else gets read or write access
access to *
    by self write
    by anonymous read
    by * none

...

# Use the (bulky) bdb backend as the storage database
database        bdb
# The domain DN is normally used as the suffix
suffix          "dc=Math,dc=NCTU,dc=edu,dc=tw"
# Whatever name you want for the boss goes in the cn here XD
rootdn          "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The root password; covered later
rootpw          {SSHA}blahblah
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq

# The lines below build index files, so that searches stay fast when the DB is large
# I don't understand what pres, sub and eq do either
index cn                      pres,sub,eq
index sn                      pres,sub,eq
## required to support pdb_getsampwnam
index uid                     pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName             pres,sub,eq

## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
##index uidNumber               eq
##index gidNumber               eq
##index memberUid               eq

index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub
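The two "access to" clauses above are evaluated first-match, which decides who can see the password hashes. The following model is an added example (not part of the original post) that reproduces slapd's evaluation order for exactly those two clauses; the user DN `uid=alice,ou=People,...` is a constructed one. Two things the model makes visible: the rootdn (here the same cn=Manager) bypasses ACLs entirely, so the first clause only matters for non-root binds; and because the second clause grants `by anonymous read` on every other attribute, an unauthenticated bind can read userPassword hashes under this configuration (the stock slapd.conf instead gives userPassword `by anonymous auth`).

```python
# Added example, not from the original post: a model of how slapd evaluates the
# two "access to" clauses in the slapd.conf above. slapd takes the first clause
# whose target matches the request, then the first "by" line in that clause that
# matches the requester; if no "by" line matches, access is denied. The rootdn is
# exempt from ACLs, so the model applies to binds as ordinary entries only.

MANAGER_DN = "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"

# Each clause: the attribute set it targets (None means "access to *") and its
# ordered "by" list as (who, argument, level).
ACL = [
    {"attrs": {"sambalmpassword", "sambantpassword"},
     "by": [("dn", MANAGER_DN, "write"), ("*", None, "none")]},
    {"attrs": None,
     "by": [("self", None, "write"), ("anonymous", None, "read"), ("*", None, "none")]},
]

# Access levels in increasing order; a grant of one level includes the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def _matches(who, arg, bind_dn, target_dn):
    """Does one "by" line match the requester? bind_dn is None for anonymous."""
    if who == "dn":
        return bind_dn is not None and bind_dn.lower() == arg.lower()
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who == "anonymous":
        return bind_dn is None
    if who == "*":
        return True
    raise ValueError("unsupported 'by' form: %s" % who)


def access_level(bind_dn, target_dn, attr):
    """Level slapd grants bind_dn on attribute attr of the entry target_dn."""
    attr = attr.lower()
    for clause in ACL:
        if clause["attrs"] is not None and attr not in clause["attrs"]:
            continue
        for who, arg, level in clause["by"]:
            if _matches(who, arg, bind_dn, target_dn):
                return level
        return "none"   # clause matched but no "by" line did: implicit deny
    return "none"       # no clause matched at all: implicit deny


def allowed(bind_dn, target_dn, attr, op):
    """True if the granted level covers the operation op ("read", "write", ...)."""
    return LEVELS.index(access_level(bind_dn, target_dn, attr)) >= LEVELS.index(op)


if __name__ == "__main__":
    user = "uid=alice,ou=People,dc=Math,dc=NCTU,dc=edu,dc=tw"   # constructed DN
    for label, dn in (("manager", MANAGER_DN), ("alice herself", user), ("anonymous", None)):
        print("%-14s sambaNTPassword=%-5s userPassword=%s" % (
            label, access_level(dn, user, "sambaNTPassword"),
            access_level(dn, user, "userPassword")))
```

Note also the ordering effect in the second clause: a user bound as someone else falls through `self` and `anonymous` to `by * none`, so an authenticated user sees less than an anonymous one; this does not affect Samba because it binds as the rootdn.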

5. Generate the hashed password with slappasswd
kingmax@Samba [/usr/ports/net/openldap23-server] [0:33] slappasswd
New password:
Re-enter new password:
{SSHA}YuorCb2Aecvbb+uztuCQVxoCgoD6rCma
kingmax@Samba [/usr/ports/net/openldap23-server] [0:38]
The string it prints is the hashed password.
6. Copy the {SSHA} line into rootpw
7. Write an LDIF file to populate the LDAP database; the LDIF format is documented on the OpenLDAP website
---------------- file start : initldap.dif --------------------
# Organization for Samba Base
dn: dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: dcObject
objectclass: organization
dc: Math
o: NCTU_AM_CC
description: NCTU AM CC SAMBA Account over LDAP

# Organizational Role for Directory Management
dn: cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up container for Users OU
dn: ou=People,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: People

# Setting up admin handle for People OU
dn: cn=admin,ou=People,dc=Math,dc=NCTU,dc=edu,dc=tw
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}blahblah

# Setting up container for groups
dn: ou=Groups,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: Groups

# Setting up admin handle for Groups OU
dn: cn=admin,ou=Groups,dc=Math,dc=NCTU,dc=edu,dc=tw
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}blah

# Setting up container for computers
dn: ou=Computers,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: Computers

# Setting up admin handle for Computers OU
dn: cn=admin,ou=Computers,dc=Math,dc=NCTU,dc=edu,dc=tw
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}blah
----------------- file end : initldap.dif ---------------------
8. Build the index database
slapindex -f /usr/local/etc/openldap/slapd.conf
9. Import the LDIF into LDAP to create the entries
slapadd -v -l /usr/local/etc/openldap/initldap.dif
10. Start LDAP
/usr/local/etc/rc.d/slapd start
11. Edit the SAMBA configuration file (smb.conf)
    ldap admin dn = "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"
    ldap ssl = off
    ldap delete dn = no
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap suffix = dc=Math,dc=NCTU,dc=edu,dc=tw
    ldap passwd sync = yes

    passdb backend = ldapsam:ldap://192.168.1.26
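The `ldap user/group/machine suffix` values are relative to `ldap suffix`, so each must name a container that the LDIF from step 7 actually creates, and with `ldap ssl = off` against a non-local server the admin bind and every password update cross the network unencrypted. The checker below is an added example, not from the original post or from Samba; it parses a constructed smb.conf fragment (the settings above) and a cut-down constructed copy of the step 7 LDIF (same container DNs, admin entries and hashes omitted) and reports mismatches between them. Its LDIF reader is deliberately minimal and also rejects an entry with no dn, which is what a stray blank line inside an entry produces.

```python
import re

# Added example, not from the original post. Both inputs are constructed:
# the smb.conf fragment repeats the settings from step 11, the LDIF is the
# container part of the step 7 file.
SMB_CONF = """\
[global]
    ldap admin dn = "cn=Manager,dc=Math,dc=NCTU,dc=edu,dc=tw"
    ldap ssl = off
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap suffix = dc=Math,dc=NCTU,dc=edu,dc=tw
    passdb backend = ldapsam:ldap://192.168.1.26
"""

LDIF = """\
dn: ou=People,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: People

dn: ou=Groups,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: Groups

dn: ou=Computers,dc=Math,dc=NCTU,dc=edu,dc=tw
objectclass: top
objectclass: organizationalUnit
ou: Computers
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, '#' starts a comment,
    a leading space continues the previous value ('::' base64 values are not
    handled). DNs are lower-cased as a crude normalisation. An entry without
    a dn raises ValueError (slapadd rejects such a file as well)."""
    entries, current, last = {}, None, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last is not None:
            current[last][-1] += line[1:]
            continue
        if line.strip() == "":
            if current is not None:
                if "dn" not in current:
                    raise ValueError("LDIF entry without a dn: %r" % current)
                entries[current["dn"][0].lower()] = current
            current, last = None, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        current = current if current is not None else {}
        current.setdefault(attr, []).append(value)
        last = attr
    return entries


def parse_smb_settings(text):
    """'key = value' lines of an smb.conf section into a dict, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def check_config(smb_conf, ldif):
    """Return a list of findings; an empty list means the two files agree."""
    s, entries, findings = parse_smb_settings(smb_conf), parse_ldif(ldif), []
    base = s.get("ldap suffix", "")
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        dn = "%s,%s" % (s[key], base) if s.get(key) else base
        entry = entries.get(dn.lower())
        classes = [c.lower() for c in entry.get("objectclass", [])] if entry else []
        if entry is None:
            findings.append("%s: container %s is not created by the LDIF" % (key, dn))
        elif "organizationalunit" not in classes:
            findings.append("%s: %s is not an organizationalUnit" % (key, dn))
    m = re.match(r"ldapsam:(ldaps?)://([^/:]+)", s.get("passdb backend", ""))
    if m and m.group(1) == "ldap" and s.get("ldap ssl") == "off" \
            and m.group(2) not in ("localhost", "127.0.0.1", "::1"):
        findings.append("ldap ssl = off with remote server %s: the admin bind and "
                        "every password update cross the network in cleartext" % m.group(2))
    return findings


if __name__ == "__main__":
    for finding in check_config(SMB_CONF, LDIF):
        print("finding:", finding)
```

Run as-is it reports only the cleartext finding; changing the line to `ldap ssl = start tls` (or pointing the backend at `ldaps://`) clears it, and renaming or dropping one of the OU entries produces a missing-container finding for the matching suffix.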
12. Restart SAMBA
/usr/local/etc/rc.d/samba restart
13. Set the administrator password SAMBA uses when connecting to LDAP
smbpasswd -W
14. Convert the existing SAMBA password file, smbpasswd -> ldapsam
pdbedit -v -i smbpasswd:/usr/local/etc/samba/smbpasswd -e ldapsam:ldap://samba.math.nctu.edu.tw
15. Test it
  a. smbclient -L 192.168.1.26 -U account  (check that SAMBA can be used)
  b. smbpasswd -as account  (test creating an account)
  c. smbpasswd account      (test changing the password)
  d. smbpasswd -x account   (test that deleting the account also removes its DN)

Reference : SAMBA-OFFICIAL-HOWTO Chapter 11
