Gentoo Forums (Networking & Security)
For who runs LDAP + SAMBA on 1 box, live happy without SSL!
enlightend (n00b, Joined: 18 Jan 2007, Posts: 29)
Posted: Tue Feb 06, 2007 3:30 am    Post subject: For who runs LDAP + SAMBA on 1 box, live happy without SSL!

And with that title I mean happy and even more secure than with SSL :p

Man, I spent 2 days trying to get the SSL certificates to play nicely between slapd and samba, but I kept getting errors with TLS and the certificates themselves (self-signed and demoCA-signed ones alike).

Then I started thinking. Why the hell do I even bother getting it to run?
slapd can run on ldapi://blabla.sock!

So, I went ahead and edited /etc/conf.d/slapd to read:

Code:
OPTS="-h 'ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

This way LDAP doesn't attach to the network at all, only to a Unix domain socket. Beat that, SSL!

Next I edited slapd.conf, smb.conf, /etc/ldap.conf and openldap/ldap.conf to use the ldapi:// URI instead of ldap:// or ldaps://.

But then, even though I searched and searched the net, I couldn't find any information on how to use ldapi in smbldap.conf.

As some of you may know, smbldap.conf has server parameters in the format:

Code:

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
#slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"


So I was getting kinda pissed because it seemed like smbldap-tools had some design flaws in terms of grave feature limitations and could only connect to an LDAP server over the network.

Then it hit me. Maybe I can just slap the ldapi URI in the masterLDAP parameter. It's worth a shot, a save-all-or-lose-all kinda deal.

So, I edited the above config part to:
Code:

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
#slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort=""


And BAM, all smbldap-tools programs work using the URI.

My LDAP server is running purely on a Unix domain socket with no bindings to network adapters, and my entire Samba+LDAP setup got faster in the process.

Now I'm wondering: can't people who run LDAP and Samba on 2 separate Unix machines do the same thing by using an ldapi:// URI to the .sock file on a mapped NFS drive? Or don't socket files allow that kinda stuff?

But anyway, for everyone running LDAP+Samba on the same machine, don't even bother trying to get SSL to work. It's unneeded; you can make LDAP even more secure by simply not binding it to the network and letting Samba and all LDAP client apps on the server connect to the domain socket, including smbldap-tools!!
enlightend (n00b, Joined: 18 Jan 2007, Posts: 29)
Posted: Tue Feb 06, 2007 6:02 pm

Apparently smbldap-tools requires the second LDAP server to be filled in; if you have only one, use the same for both Slave and Master.
It isn't a problem filling in just 1, because the smbldap-tools client apps just mention that there is no slave entry and use the master entry, but if you don't like it telling you that all the time, use the following:

Code:

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort=""

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort=""


So it'll use the domain socket on your server for both entries.

Btw, be sure to set the master port to something empty: if you put # in front of masterPort and slavePort, it'll automatically default the parameter to the LDAP default.
bludger (Guru, Joined: 09 Apr 2003, Posts: 389)
Posted: Thu Feb 15, 2007 4:06 pm
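The two posts above boil down to a small set of rules: the socket path inside an ldapi:// URI must be percent-encoded, and the matching *Port key must be present but empty rather than commented out. This added example (mine, not code from the forum posts or from smbldap-tools) builds and decodes such URIs and lints the four server keys from the thread; the smbldap.conf excerpts it checks are constructed from the posts.

```python
from urllib.parse import quote, unquote

def ldapi_uri(socket_path):
    # Percent-encode the whole path (slashes become %2f) so it survives URI parsing.
    return "ldapi://" + quote(socket_path, safe="").replace("%2F", "%2f") + "/"

def socket_path_from_uri(uri):
    # Inverse of ldapi_uri(); None for anything that is not an ldapi:// URI.
    if not uri.startswith("ldapi://"):
        return None
    return unquote(uri[len("ldapi://"):].split("/", 1)[0])

def parse_smbldap_conf(text):
    # Minimal key="value" parser; commented-out keys are simply absent.
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def lint_ldap_servers(text):
    # Returns a list of findings; an empty list means the ldapi setup is consistent.
    cfg, findings = parse_smbldap_conf(text), []
    for role in ("master", "slave"):
        host, port = cfg.get(role + "LDAP"), cfg.get(role + "Port")
        if host is None:
            findings.append(f"{role}LDAP not set; the file's own default is 127.0.0.1 over TCP")
        elif socket_path_from_uri(host) is None:
            findings.append(f"{role}LDAP={host}:{port or '389'} uses TCP, so slapd must "
                            "still listen on the network (loopback-only bind or TLS)")
        elif port is None:
            findings.append(f"{role}Port is commented out and defaults to 389; "
                            f"set {role}Port=\"\" when {role}LDAP is an ldapi:// URI")
        elif port != "":
            findings.append(f"{role}Port=\"{port}\" is set although {role}LDAP is ldapi://; set it to \"\"")
    return findings

# Constructed samples (not from a real system): the thread's "before" state, TCP to
# localhost with the slave commented out, and its final ldapi-only state.
BEFORE = '''#slaveLDAP="127.0.0.1"
#slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
'''
AFTER = '''slaveLDAP="ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/"
slavePort=""
masterLDAP="ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/"
masterPort=""
'''
```

Running lint_ldap_servers() on BEFORE reports the TCP master and the missing slave; on AFTER it reports nothing, and a half-converted file (ldapi:// URI with the port line still commented out) gets the "defaults to 389" finding from the second post.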

Can a windows user change his own password with this setup? The only guide that I have found so far to do this is using smbk5pwd as at http://gentoo-wiki.com/Talk:HOWTO_LDAP_SAMBA_PDC_Basic_Setup. Does this work with your setup?