Openldap 2.2.X and samba 3.0.X Howto
This page will guide you through the process of building, configuring and installing openldap with GSSAPI (Kerberos authentication) and also samba 3.0.X with ldapsam support (ldapsam lets you keep all the information you would usually find in the smbpasswd file inside the openldap directory database). If this tutorial was useful to you, drop me a thanks e-mail. If you have questions about openldap or samba you should join the lists and ask there.
The official openldap web site can be located at www.openldap.org.
Software Requirements: In order to provide kerberos (GSSAPI) support you need to first build the following software.
- Berkeley db 4.2+: Since we will be working on openldap versions 2.2.X we need to have version 4.2.X of the Berkeley database software.
- Heimdal 0.6+: The reason you must use Heimdal instead of MIT Kerberos in your openldap server is that the former is thread safe while the latter is not (including krb5-1.3.1). If you do not care about a multi-threaded ldap server you may go ahead and use the MIT Kerberos libraries, but you then need to make sure that you configure openldap with the flag: --without-threads
- Cyrus SASL 2.1+: You need Cyrus SASL to do GSSAPI authentication against your Kerberos server, which is what lets your users modify the ldap database. Say you want to allow your users to modify their own common information (address, phone, picture, default shell, etc.) in the ldap database. The user authenticates with his Kerberos id and password; openldap then uses SASL with the GSSAPI mechanism to verify the user's credentials against the Kerberos server and finally allows or denies the changes according to the access controls in slapd.conf.
- SSL Certificates: These are needed to provide TLS (transport layer security) for your Openldap server.
- Encap: This is a package management system that allows you to have multiple versions of the same software installed on a system. It basically works through the use of symbolic links. You may read more and find out how it works on their website.
After all the software above has been configured correctly you may proceed to the Openldap Howto.
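Two slapd.conf directives turn the self-service flow described under Cyrus SASL into something slapd can enforce: a mapping from the GSSAPI identity to the user's own entry, and access controls that say which attributes that entry may change. The fragment below is an added example, not part of the original howto or of the OpenLDAP distribution; it assumes the Kerberos realm EXAMPLE.COM, the suffix dc=example,dc=com, and a dedicated bind DN cn=samba,dc=example,dc=com for the samba server.

```conf
# Added example slapd.conf fragment (assumed realm EXAMPLE.COM,
# assumed suffix dc=example,dc=com, assumed samba bind DN cn=samba,dc=example,dc=com)

# After a successful GSSAPI bind slapd sees the identity
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# Map it onto the user's real entry by looking up the uid attribute
# under the suffix. The realm component is assumed lowercase here;
# check what your slapd actually produces (see the note after the block).
sasl-regexp
    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??sub?(uid=$1)

# Refuse anonymous and plaintext SASL mechanisms, so only GSSAPI (and
# similarly protected mechanisms) can be used to bind.
sasl-secprops noanonymous,noplain

# ACLs are evaluated top to bottom, first match wins, so the specific
# attribute rules come before the catch-all.

# The "personal" attributes: the owner may change them, any authenticated
# user may read them, nobody else sees them.
access to attrs=postalAddress,telephoneNumber,jpegPhoto,loginShell,gecos
    by self write
    by users read
    by * none

# Password material, including the samba hashes kept by ldapsam, is only
# written by the samba server's own DN; "auth" lets binds compare against
# it without ever reading it back.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by anonymous auth
    by * none

# Everything else is read-only for authenticated users.
access to *
    by users read
    by * none
```

Before relying on the sasl-regexp, bind once with ldapwhoami -Y GSSAPI: it prints the DN slapd derived for the Kerberos ticket, so you can see the exact realm spelling to match and confirm that the mapping resolves to the expected entry rather than to the raw cn=auth form.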
The official samba website is located at www.samba.org. We only use samba as a PDC and have no Windows servers in our networks (yeah!!!!!!!! 8). If you are looking for a howto about integrating samba with native windows domain controllers this is not the right place to look.
Since we will store all samba information in ldap, the prerequisite is Openldap.
MIT Kerberos Server Howto
If you want to run MIT Kerberos for your authentication server you can find my install notes here. They will guide you through the process of creating one Master and one Slave server. If you decide to run an MIT Kerberos server you cannot run Openldap on the same machine, since openldap needs Heimdal. The howto uses the krb5-1.3.2 release.