作者 主題: [config] enable LDAP + SSSD + SambaPDC on CentOS 6.5  (閱讀 5825 次)


Ref:
http://linuxgyd.blogspot.tw/2014/07/set-up-openldap-server-on-centos-65.html
http://jackiechen.org/2014/08/15/setup-ldap-authentication-in-centos-openldapsssd/
http://www.server-world.info/en/note?os=CentOS_6&p=samba&f=4
http://www.linuxtopia.org/online_books/rhel6/rhel_6_deployment/rhel_6_deployment_ch-Authentication_Configuration.html

Keypoint: TLS

Steps:

#
# basic config
#

# Server side. The slapd.d tree edited below is the live cn=config database,
# so its files are only safe to edit by hand while slapd is not running
# (it is not started until the end of this step).
yum install openldap-clients openldap-servers
cd /etc/openldap/slapd.d/cn\=config
# Replace every 'my-domain' with the real base DN (olcSuffix / olcRootDN).
# NOTE(review): olcRootPW should hold a slappasswd hash, never cleartext.
# If the {2}bdb entry carries no olcAccess rules, slapd's default policy is
# read access for everyone, which exposes userPassword hashes to anonymous
# binds — confirm with the anonymous ldapsearch at the end of this step.
vi 'olcDatabase={1}monitor.ldif' 'olcDatabase={2}bdb.ldif' # change all 'my-domain' entries
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# migrationtools is fetched over plain FTP from a mirror; check the package
# signature (rpm -K) before installing it.
wget ftp://fr2.rpmfind.net/linux/centos/6.6/os/x86_64/Packages/migrationtools-47-7.el6.noarch.rpm
rpm -ivh migrationtools-47-7.el6.noarch.rpm
cd /usr/share/migrationtools/
vi migrate_common.ph # change the base DN to match the slapd config above
# Destructive: removes every file in /var/lib/ldap except DB_CONFIG, then
# imports the LOCAL /etc/passwd and /etc/group (and, when run as root, the
# /etc/shadow hashes, root's included) into the directory. Review which
# accounts end up in LDAP before going further.
\rm /var/lib/ldap/[!D]* ; ./migrate_all_offline.sh # repeat until all errors are fixed
# The database files must belong to the account slapd drops privileges to.
chown -R ldap.ldap /var/lib/ldap/
chkconfig slapd on
service slapd start
# Anonymous simple bind (-x without -D). If this returns userPassword values
# the access rules noted above are missing.
ldapsearch -x -b "dc=xxxxxxxxxxx,dc=xxxxx"  # to test

#
# enable TLS
#

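# Self-signed server certificate for slapd. `req -x509` certifies for only
# 30 days by default, so the validity is given explicitly (365 here; pick the
# rotation period you can live with). -nodes leaves the key unencrypted so
# slapd can start unattended, which makes file permissions the only
# protection on ldap-pri.pem. Answer the CN prompt with the hostname clients
# will put in their ldaps:// URI, otherwise they can never verify the cert.
openssl req -newkey rsa:2048 -x509 -days 365 -nodes \
    -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem
# slapd reads the key as the ldap user; nobody else needs to.
chown ldap:ldap /etc/openldap/certs/ldap-p*
chmod 600 /etc/openldap/certs/ldap-pri.pem
chmod 644 /etc/openldap/certs/ldap-pub.pem
cd /etc/openldap/slapd.d/cn\=config
# Add the olcTLSCertificateFile / olcTLSCertificateKeyFile attributes
# (slapd stopped).
# NOTE(review): these are attributes of the global cn=config entry (the
# cn=config.ldif one directory up); confirm slapd accepts them in
# olcDatabase={0}config.ldif, and move them if it does not.
vi olcDatabase\=\{0\}config.ldif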
# TLS material for slapd. Both paths must be readable by the ldap user; the
# key file should be mode 0600.
# NOTE(review): these are global (cn=config entry) attributes; confirm they
# are accepted in the olcDatabase={0}config.ldif file being edited rather
# than in ../cn=config.ldif.
olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem
# Turn on the ldaps:// listener (TCP 636) next to ldap:// and ldapi://.
vi /etc/sysconfig/ldap
# /etc/sysconfig/ldap — listener switches read by the slapd init script.
# LDAP: plain TCP 389 (StartTLS possible). LDAPI: local Unix socket, used
# below for the `-Y EXTERNAL` root administration. LDAPS: TLS on TCP 636.
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
# Reload with the TLS settings; check the listener with
# `openssl s_client -connect <ldap-server>:636` before moving to the client.
service slapd restart

#
# client config
#

# Client side. The server's self-signed certificate doubles as the CA
# certificate, so it is copied into the client's trust directory.
yum install -y openldap-clients sssd
# xxxx.xxxx.xxxx is the LDAP server. For TLS_CACERTDIR lookups the directory
# needs hash links for each certificate (cacertdir_rehash on CentOS 6) —
# confirm after copying.
scp xxxx.xxxx.xxxx:/etc/openldap/certs/ldap-pub.pem /etc/openldap/cacerts/
vi /etc/openldap/ldap.conf
# /etc/openldap/ldap.conf — defaults for every libldap client on this host
# (ldapsearch, and Samba's ldapsam on the server).
TLS_CACERTDIR /etc/openldap/cacerts
# NOTE(review): 'ssl start_tls' looks like a nss_ldap/pam_ldap keyword, not
# an OpenLDAP ldap.conf option — confirm it has any effect here. The
# ldaps:// URI below already gives an encrypted session.
ssl start_tls
# 'allow' accepts a missing or unverifiable server certificate: the session
# is encrypted but the server is never authenticated, so the CA directory
# above is effectively unused and bind passwords go to whoever answers on
# that name. Switch to 'demand' once the certificate CN matches the URI
# hostname and the CA directory is set up.
TLS_REQCERT allow
BASE dc=xxxxxxxx,dc=xxxx
# URI is the current setting; HOST is the deprecated one and is ignored when
# URI is present — both presumably name the same server.
URI ldaps://xxxx.xxxx.xxxx/
HOST ip.ip.ip.ip
# sssd refuses to start unless this file is owned by root and mode 0600
# (it may contain bind credentials).
vi  /etc/sssd/sssd.conf
# /etc/sssd/sssd.conf — root:root, mode 0600, or sssd will not start.
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
# Local system accounts that must never be looked up through LDAP.
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
# 'never' skips server certificate verification: the ldaps:// session below
# is encrypted, but any host answering on that name receives the users'
# passwords. Prefer 'demand' together with the ldap_tls_cacertdir below.
ldap_tls_reqcert = never
auth_provider = ldap
# rfc2307bis groups list members by DN (uniqueMember). The migrationtools
# import presumably produced rfc2307-style posixGroup/memberUid entries —
# verify one group entry, or use ldap_schema = rfc2307.
ldap_schema = rfc2307bis
# krb5_* settings are unused while auth_provider/chpass_provider are ldap
# (krb5_kdcip is the deprecated spelling of krb5_server).
krb5_realm = XXXXX.XXX
ldap_search_base = dc=xxxxxx,dc=xxx
ldap_group_member = uniquemember
id_provider = ldap
# ldaps:// URIs are already TLS; this switch matters for ldap:// URIs.
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldaps://xxxx.xxxx.xxxx
ldap_chpass_uri = ldaps://xxxx.xxxx.xxxx/
krb5_kdcip = xxxx.xxxx.xxxx
# Keeps a hash of the last password so users can log in while the server
# is unreachable.
cache_credentials = True
# Only consulted when ldap_tls_reqcert is not 'never'.
ldap_tls_cacertdir = /etc/openldap/cacerts
# seconds
entry_cache_timeout = 600
# seconds to wait for the server before treating it as down
ldap_network_timeout = 3
krb5_server = xxxx.xxxx.xxxx
# --enableldap / --enableldapauth set up nss_ldap/pam_ldap next to sssd;
# with sssd serving nss and pam they are redundant — presumably kept for the
# ldap.conf handling authconfig does. --enablemkhomedir creates home
# directories on first login.
authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldaps://xxxx.xxxx.xxxx --ldapbasedn=dc=xxxxxx,dc=xxx --enablelocauthorize --enableldaptls --update
# Authenticated test bind as the directory manager over ldaps (-W prompts
# for the password). With TLS_REQCERT allow in ldap.conf this password is
# sent to an unverified server.
ldapsearch -x -D "cn=Manager,dc=xxxxxxxxx,dc=xxxxx" -W -H ldaps://xxxx.xxxx.xxxx

#
# smbldap-tools & SAMBA config
# (on server side)
#

# Back on the server. Both packages come from third-party repositories over
# plain HTTP/FTP; verify the signatures (rpm -K, with the repository's GPG
# key imported) before installing.
wget http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.10-1.el6.noarch.rpm
wget ftp://rpmfind.net/linux/dag/redhat/el6/en/x86_64/dag/RPMS/perl-Crypt-SmbHash-0.12-1.2.el6.rf.noarch.rpm
yum localinstall perl-Crypt-SmbHash-0.12-1.2.el6.rf.noarch.rpm
yum localinstall smbldap-tools-0.9.10-1.el6.noarch.rpm
# Throw-away slapd.conf-style include list, used only to convert
# samba.schema into cn=config LDIF. samba.schema is not part of
# openldap-servers; it must already be in /etc/openldap/schema (the copy is
# not shown on this page).
vi schema_convert.conf
# schema_convert.conf — fed to slapcat only, never to slapd.
# Order matters: samba.schema is the 13th include, which is why slapcat
# below addresses it as cn={12}samba (0-based). Its prerequisites (core,
# cosine, inetorgperson, nis) must stay ahead of it.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
# Scratch cn=config tree built from schema_convert.conf.
mkdir ldif_output
# -n0 selects the config database; -s picks the samba schema entry (13th
# include → {12}). The output is edited below before it is loaded.
slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn\=samba.ldif
vi ./cn\=samba.ldif
# Edited slapcat output: the dn and cn drop the '{12}' ordering prefix so
# slapd assigns the schema its own slot when it is added.
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
....
# Delete the operational attributes at the bottom; slapd generates them
# itself and ldapadd rejects them as input:
structuralObjectClass: olcSchemaConfig
entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z


# Load the converted schema over the local socket as the Unix root user
# (SASL EXTERNAL); this relies on the default cn=config access rule that
# maps uid 0 to manage rights — confirm it is still present.
ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
# Indexes for the attributes ldapsam searches by (contents below).
vi samba_indexes.ldif
# Equality indexes on the Samba attributes looked up by ldapsam. 'add' is
# rejected if any of these olcDbIndex values already exist on the entry;
# use 'replace' with the full list in that case.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
# 'default' only sets the index types used by later olcDbIndex values that
# name none; it does not index anything by itself.
olcDbIndex: default sub
# Apply the index change through the local root socket. If the new indexes
# do not get populated, run slapindex as the ldap user with slapd stopped.
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
service slapd restart

cd /etc/samba/
# Keep the distro default for reference.
mv smb.conf smb.conf.bakup
# Start from the PDC example shipped with smbldap-tools and adapt it.
cp /usr/share/doc/smbldap-tools-0.9.10/smb.conf.example smb.conf
# Run testparm after editing to catch unknown or malformed parameters.
vi smb.conf
# /etc/samba/smb.conf — classic (NT4-style) PDC with accounts in LDAP.
[global]
        workgroup = XXXXXXXXXX
        netbios name = XXX

        # minutes of inactivity before an idle client connection is dropped
        deadtime = 10

        log level = 1
        # one log file per client machine (%m)
        log file = /var/log/samba/log.%m
        # KB
        max log size = 5000
        debug pid = yes
        debug uid = yes
        # 0: file logging only, nothing to syslog
        syslog = 0
        utmp = yes

        # Per-user authentication, domain logon service, and an os level high
        # enough to win the domain master browser election.
        security = user
        domain logons = yes
        os level = 64
        # Empty values disable the server-side roaming profile / home drive /
        # logon script defaults; the per-user sambaProfilePath and
        # sambaHomePath attributes written by smbldap-tools presumably take
        # over (see userProfile / userSmbHome in smbldap.conf) — confirm.
        logon path =
        logon home =
        logon drive =
        logon script =

        # Accounts come from LDAP over plain ldap:// upgraded with StartTLS.
        # Server certificate checking follows TLS_REQCERT in
        # /etc/openldap/ldap.conf on this host.
        passdb backend = ldapsam:"ldap://xxxx.xxx.xxxx/"
        ldap ssl = start tls
        # The password for this DN is stored in secrets.tdb by `smbpasswd -W`.
        ldap admin dn = cn=Manager,dc=xxxxxxxx,dc=xxxxx
        ldap delete dn = no

        ## Sync UNIX password with Samba password
        ## Method 1: Samba updates userPassword in LDAP itself, using the
        ## admin dn above.
        ldap password sync = yes
        ## Method 2: an external program does it instead.
        ;ldap password sync = no
        ;unix password sync = yes
        ;passwd program = /usr/sbin/smbldap-passwd -u '%u'
        ## NOTE(review): the chat string below ends with an unbalanced
        ## double quote; fix it before enabling Method 2.
        ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

        # Where users, groups, machines and idmap entries live; must match
        # the *dn settings in smbldap.conf.
        ldap suffix = dc=xxxxxxx,dc=xxxx
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap

        # Samba delegates account management to the smbldap-tools wrappers
        # (run as root, bind settings from /etc/smbldap-tools). '-t 1' is
        # presumably a one-second wait before returning — see smbldap-useradd(8).
        add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

        # CP932 is the Japanese (Shift-JIS) DOS code page, likely inherited
        # from the server-world.info reference — confirm it matches the
        # clients in use.
        Dos charset = CP932
        Unix charset = UTF-8

        # Users who get root-equivalent access on every share. NOTE(review):
        # 'domain' is read as a literal user name here; if the intent was the
        # "Domain Admins" group the syntax is @"Domain Admins" — confirm.
        admin users = root administrator domain

# Logon scripts for domain members.
[NETLOGON]
        path = /var/lib/samba/netlogon
        browseable = no
        share modes = no

# Roaming profile storage.
[PROFILES]
        path = /var/lib/samba/profiles
        browseable = no
        writeable = yes
        # 0611 leaves execute bits for group/other on profile files; 0600 is
        # the usual choice — confirm intent.
        create mask = 0611
        directory mask = 0700
        profile acls = yes
        csc policy = disable
        map system = yes
        map hidden = yes
# Share directories referenced by [NETLOGON] and [PROFILES].
mkdir /var/lib/samba/netlogon
mkdir /var/lib/samba/profiles
service smb restart
service nmb restart
chkconfig smb on
chkconfig nmb on
# Prompts for the 'ldap admin dn' password and stores it in secrets.tdb
# (Samba's root-only private directory); it never appears on the command line.
smbpasswd -W
# Interactive generator for /etc/smbldap-tools/smbldap.conf and
# smbldap_bind.conf. The latter holds the bind DN password in cleartext —
# keep both files root-only (0600). It presumably reads the domain SID from
# the running smbd (net getlocalsid), hence the restart above.
perl /usr/share/doc/smbldap-tools-0.9.10/smbldap-config.pl
cd /etc/smbldap-tools/
vi smbldap.conf
# /etc/smbldap-tools/smbldap.conf — written by smbldap-config.pl; the bind
# DN and password live in smbldap_bind.conf next to it (keep both 0600).
# Domain SID; must equal what `net getlocalsid` reports for this PDC.
SID="S-1-5-21-627543661-3216288505-2393536575"
sambaDomain="XXXXXXXXX"
# Master and slave are the same host here. Port 389 with ldapTLS=1 means
# StartTLS, matching 'ldap ssl = start tls' in smb.conf.
slaveLDAP="xxxx.xxxx.xxxx"
slavePort="389"
masterLDAP="xxxx.xxxx.xxxx"
masterPort="389"
ldapTLS="1"
# 'none' skips server certificate verification, so TLS here only encrypts;
# 'require' together with cafile below also authenticates the server.
verify="none"
# On the server host this is the server's own self-signed certificate; the
# scp earlier copied it to the client only, so confirm the file exists at
# this path here as well.
cafile="/etc/openldap/cacerts/ldap-pub.pem"
# Client certificate/key for TLS client auth — these point at slapd's own
# key pair. Only needed if slapd demands client certificates; otherwise the
# references are harmless but the key must stay readable only by root/ldap.
clientcert="/etc/openldap/certs/ldap-pub.pem"
clientkey="/etc/openldap/certs/ldap-pri.pem"
# Tree layout; must match the 'ldap * suffix' settings in smb.conf.
suffix="dc=xxxxxxx,dc=xxxxxx"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=XXXXXXXXX,${suffix}"
scope="sub"
# userPassword is stored as a salted SHA hash.
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
# 513 = Domain Users, 515 = Domain Computers (well-known RIDs).
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# days
defaultMaxPasswordAge="45"
# UNC paths handed to Windows clients; %U is the user name.
userSmbHome="\\xxxxx\%U"
userProfile="\\xxxxxx\profiles\%U"
userHomeDrive="H:"
userScript=""
mailDomain="xxxxxxxx.xxxxx"
# 0: compute the NT/LM hashes with Crypt::SmbHash (installed above) instead
# of calling the smbpasswd binary.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# 0: hash userPassword internally instead of calling slappasswd.
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# Creates the base tree (People/Group/Computers/Idmap containers, the
# well-known domain groups and the sambaDomainName entry) and prompts for
# the password of the domain 'root' account (uid 0).
smbldap-populate
# Add Samba attributes to the existing root group and user.
smbldap-groupmod -a root
smbldap-usermod -a root
# Test user: a POSIX group first, then the user (-a Samba attributes,
# -m create the home directory) and its password.
smbldap-groupadd -a domu1
smbldap-useradd -am -g domu1 domu1
smbldap-passwd domu1
# Check the result from LDAP, from NSS (through sssd) and over SMB.
ldapsearch -x -b "uid=domu1,ou=People,dc=xxxxxxxx,dc=xxxx" -H ldaps://xxxxxxx.xxxxx.xxxxx
id domu1
smbclient -L xxxx.xxxx.xxxx -U domu1
# Pre-create a machine (workstation) account so that PC can join the domain.
smbldap-useradd -W user-pc