Using OpenLDAP to authenticate with FreeBSD and Samba
This tutorial shows how to configure OpenLDAP, FreeBSD and Samba so that both FreeBSD and Windows systems see a single, unified set of users. It assumes that the machine running OpenLDAP also runs Samba. They could be separate hosts, although I am not sure how that affects performance.
The grunt work is done by smbldap-tools - this port installs several Perl utilities which allow creation and maintenance of the LDAP schema.
Installing the requisite software
You will need to install the following ports:
- net/openldap24-server
- security/pam_ldap
- net/nss_ldap
- net/samba3
- net/smbldap-tools
Setting up OpenLDAP
Modify the OpenLDAP configuration file /usr/local/etc/openldap/slapd.conf so it looks like this:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/samba.schema
loglevel none
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# ACLs to allow users to change their own passwords
access to attrs=userPassword
by self write
by * auth
access to attrs=sambaLMPassword
by self write
by * auth
access to attrs=sambaNTPassword
by self write
by * auth
access to attrs=sambaPwdLastSet
by self write
by * auth
access to *
by * read
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=dons,dc=net,dc=au"
# The rootdn must lie under the suffix above, otherwise slapd ignores rootpw
rootdn "cn=Manager,dc=dons,dc=net,dc=au"
rootpw XXXXX
password-hash {SSHA}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# +SSLv2 is a 2007-era setting; current OpenSSL builds should leave SSLv2/SSLv3 out
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /usr/local/etc/openldap/slapd.crt
TLSCertificateKeyFile /usr/local/etc/openldap/slapd.key
Replace the XXXXX with the output of slappasswd. This should be a very strong password; I suggest using part of the output of dd if=/dev/random count=1 | b64encode.
Make sure the data directory (/var/db/openldap-data) exists, is owned by ldap:ldap and has permissions 0700.
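The two checks above (a strong rootpw and a correctly locked-down data directory) are easy to get wrong by hand, so here is a small POSIX sh helper, added here as an example and not part of the original page. It assumes slappasswd from the openldap port is on the PATH; the directory path, owner and group are passed in, so the page's /var/db/openldap-data and ldap:ldap are just the expected arguments. It reads /dev/urandom, which on FreeBSD is the same device as /dev/random.

```shell
#!/bin/sh
# Added example (not from the original page): generate a rootpw hash and verify
# the OpenLDAP data directory before slapd is started for the first time.
# Assumptions: slappasswd is installed (net/openldap24-server); the directory,
# owner and group are supplied by the caller, e.g. /var/db/openldap-data ldap ldap.
set -u

# 32 bytes of kernel randomness as 64 hex characters. od(1) is POSIX, so this
# works on FreeBSD and Linux alike (the page uses b64encode, which is FreeBSD-only).
gen_secret() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Hash a clear-text secret in the {SSHA} form used for the rootpw directive.
# Returns 1 (and prints nothing) if slappasswd is not available.
hash_secret() {
    command -v slappasswd >/dev/null 2>&1 || return 1
    slappasswd -h '{SSHA}' -s "$1"
}

# Verify the database directory: it must exist, be owned by owner:group and
# have mode 0700 exactly (find -perm 0700 matches only that mode on both GNU
# and BSD find). Prints the reason and returns 1 on the first failed check.
check_datadir() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -user "$owner" -group "$group")" ] \
        || { echo "wrong owner: $dir must be $owner:$group"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -perm 0700)" ] \
        || { echo "wrong mode: $dir must be 0700"; return 1; }
    echo "ok: $dir"
}

# Typical use on the LDAP server (run as root):
#   secret=$(gen_secret); echo "rootpw $(hash_secret "$secret")"
#   check_datadir /var/db/openldap-data ldap ldap
```

Paste the printed rootpw line into slapd.conf in place of the XXXXX placeholder and keep the clear-text secret somewhere safe; the config file itself only ever holds the salted SSHA hash.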
Next you need to create the certificate and key so that TLS will work.
This page should help you do that.
Edit /etc/rc.conf and put the following in:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
Now move the slapd startup script from /usr/local/etc/rc.d/slapd to /etc/rc.d, then modify /etc/rc.d/SERVERS to add 'slapd' to its REQUIRE line. This makes slapd start early in the boot process, before the services that will depend on it for user lookups.
-- Main.darius - 02 Apr 2007
