Extend eDirectory schema with posixAccount schema
In this section we will extend the schema with the fields necessary for creating
POSIX-compliant user accounts, e.g. user ID (UID), primary group (GID), shell,
home folder etc.
- Open iManager and log in as the admin user.
- Under eDirectory Maintenance click on "Import Convert Export Wizard".
- Ensure "Import data from file on disk" is selected
- Select "Run in verbose mode"
- Click Next
- Choose "Schema File" in the File Type list
- Click Browse and select the file /usr/lib/nds-schema/rfc2307-usergroup.sch
- Deselect "Exit on error"
- Select "Run in verbose mode"
- Deselect "Add records without change type"
- Click Next
- Enter the IP address of your eDirectory server
- Change the port to 636
- Select the file /etc/opt/novell/SSCert.der in the "DER file" field
- Select "Authenticated Login" and enter your admin details
- Deselect "Use BLURP"
- Select "Allow Forward References"
- Click Next
You should then see a screen such as the one shown in the screenshot (not reproduced here)
- Click Finish
After a few seconds you should get a confirmation screen (screenshot not reproduced here)
eDirectory is now capable of handling POSIX account data.
Extend eDirectory schema with samba schema
We now need to add sambaSamAccount to the schema to create the attributes that
Samba needs, such as SID, hashed password etc. The procedure is almost identical
to the above.
- Under eDirectory Maintenance click on "Import Convert Export Wizard".
- Ensure "Import data from file on disk" is selected
- Select "Run in verbose mode"
- Click Next
- Choose "LDIF File" in the File Type list
- Click Browse and select the file /usr/share/doc/packages/samba/examples/LDAP/samba-nds.schema
- Deselect "Exit on error"
- Select "Run in verbose mode"
- Deselect "Add records without change type"
- Click Next
- Enter the IP address of your eDirectory server
- Change the port to 636
- Select the file /etc/opt/novell/SSCert.der in the "DER file" field
- Select "Authenticated Login" and enter your admin details
- Deselect "Use BLURP"
- Select "Allow Forward References"
- (See previous screenshot)
- Click Next
- Click Finish
eDirectory is now capable of handling Samba account data.
Create OUs, groups etc.
- Create an OU in your tree called Users
- Within this OU create a group called eDirectoryUsers (or whatever you like)
- Under the Schema section click "Object Extensions"
- Select the group you created above and click OK
- Click Add, select posixGroup and click OK
- In the window that pops up enter a group number that's not in use on the
Linux server, then click OK, and OK again
You should now see posixGroup listed as an extension
Create users and add required extensions
- Create a user in the OU you created earlier. (Tip: don't use spaces in the username)
- Set a password, but you don't need to enter a simple password
- Click OK to save the user
- Click on "Object Extensions"
- Choose the user you have just created
- Add the posixAccount extension
- Enter /home/username in the homeDirectory field
- Enter the group number you used above in gidNumber
- Enter a unique user ID number in the uidNumber field
- Click OK, and OK again
You should now see posixAccount listed as an extension
We will create the home folder later.
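The two steps above ask for a group number and a user ID number that are "not in use on the Linux server". The script below is an added example, not part of the original article, showing how to pick such numbers before typing them into iManager: it scans passwd/group style files for the third (numeric id) field and reports the lowest free id in a range. The file contents, the 1000..60000 range and the function names (id_in_use, next_free_id) are constructed for this example; on the server you would point the functions at /etc/passwd and /etc/group, or at the output of getent passwd / getent group once LDAP is wired into NSS so that ids already held by directory accounts are counted as well.

```shell
#!/bin/sh
# Added example: choose uidNumber/gidNumber values that are not already used
# on the Linux server. Sample passwd and group files are constructed inline
# so this runs offline; use /etc/passwd and /etc/group (or "getent" output)
# on a real server.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_GROUP=$SAMPLE_DIR/group

# Constructed stand-in for /etc/passwd (local accounts only).
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
localadmin:x:1000:100:Local admin:/home/localadmin:/bin/bash
EOF

# Constructed stand-in for /etc/group (local groups only).
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
users:x:100:
video:x:33:
localstaff:x:1000:
localadmins:x:1001:
EOF

# id_in_use FILE ID: succeed if ID appears in the numeric id (third) field.
id_in_use() {
    awk -F: -v id="$2" '$3 == id { found = 1 } END { exit !found }' "$1"
}

# next_free_id FILE MIN MAX: print the lowest id in MIN..MAX that is absent
# from FILE. Prints nothing and fails if the whole range is taken.
next_free_id() {
    awk -F: -v min="$2" -v max="$3" '
        $3 ~ /^[0-9]+$/ { used[$3] = 1 }
        END {
            for (i = min; i <= max; i++)
                if (!(i in used)) { print i; exit 0 }
            exit 1
        }' "$1"
}

# Typical use: pick the numbers for the group and user created in iManager.
GID_NEW=$(next_free_id "$SAMPLE_GROUP" 1000 60000)   # 1002 with the sample data
UID_NEW=$(next_free_id "$SAMPLE_PASSWD" 1000 60000)  # 1001 with the sample data
echo "gidNumber for the new group: $GID_NEW"
echo "uidNumber for the new user:  $UID_NEW"

# Or verify a number you already had in mind before entering it.
if id_in_use "$SAMPLE_GROUP" 1000; then
    echo "gid 1000 is already taken locally; choose another"
fi
```

Reusing a gid or uid that a local account already holds would let the directory user read and write that account's files, so run the check against the same name sources the server will actually consult (NSS, i.e. getent) rather than the local files alone.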
Configure Linux services for LDAP authentication
- Open YaST2, choose Network Services and click on LDAP Client
- Select "Use LDAP"
- Enter the OU you created earlier in the "LDAP Base DN" field
- Enter the IP address of your eDirectory server in the "Address" field
- Select "LDAP TLS/SSL"
- Click Advanced Configuration
- Ensure "File Server" and "Enable LDAP Users to Log In" are selected
- Enter your admin user in "Administrator DN" (Tip: always use commas, not
full stops (periods), to separate the components of LDAP DNs)
- Click Next
- Click Finish
- As root edit the file /etc/ldap.conf
- Check the host and base statements match your eDirectory server
- Uncomment the rootbinddn section and change the username to your
administrator (remember commas)
- Save the file and quit
- Create a file called /etc/ldap.secret and put your admin password in it
(plain text, yes really!)
- Change the permissions of the file so that only root can read it: chmod 600
/etc/ldap.secret (If you don't like having the admin password stored in a file
then you could create another user and assign the relevant rights to the parts
of the tree we're using...)
SLES should now authenticate to eDirectory...
Test Linux authentication
We now need to create the home directory for the user we created above. Copy
the skeleton home directory for the user using cp -r /etc/skel /home/markrobinson
and then change its ownership using chown -R markrobinson:eDirectoryUsers
/home/markrobinson
If you don't get any error messages (chown has to resolve both the user and the
group through LDAP) then the LDAP setup is working fine.
Try logging in as the new user at a console prompt, or via ssh (you might need
to restart sshd or reboot the server to make sure everything picks up the new
authentication scheme).
Check that the user can create files/folders in their home directory.
Now for the good bit...
Configure samba, including LDAP authentication
Edit the file /etc/samba/smb.conf and change/add the following lines in the
[global] section (adjust the values to match your server :-)
    ldap admin dn = cn=admin,o=sbs
    ldap suffix = ou=users,o=sbs
    passdb backend = ldapsam:ldaps://192.168.0.100:636 smbpasswd
    encrypt passwords = yes
    security = user
Make sure that there is a [homes] section such as
    [homes]
    comment = Home Directories
    valid users = %S
    browseable = No
    read only = No
    guest ok = No
Save and quit, and then restart samba (rcsmb restart)
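The LDAP client settings above (/etc/ldap.conf, /etc/ldap.secret) and the smb.conf settings just shown are the places where this setup is most easily weakened: a rootbinddn written with periods instead of commas, a world-readable ldap.secret, or a passdb backend pointing at plain ldap:// instead of ldaps://. The script below is an added example, not code from the original article, that checks those points. The sample config files are constructed inline so it runs offline, and the helper names (conf_value, smb_value, dn_uses_commas, secret_mode_ok, passdb_uses_tls, run_checks) are this example's own; on the server pass /etc/ldap.conf, /etc/ldap.secret and /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Added example: post-configuration sanity checks for the LDAP client and
# Samba settings. Sample files are constructed inline so the script runs
# offline; point the functions at the real files on a server.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed /etc/ldap.conf with a rootbinddn using commas, as advised.
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
host 192.168.0.100
base ou=users,o=sbs
ssl on
rootbinddn cn=admin,o=sbs
EOF

# Constructed /etc/ldap.secret holding a placeholder, not a real password.
printf 'replace-with-real-password\n' > "$SAMPLE_DIR/ldap.secret"
chmod 600 "$SAMPLE_DIR/ldap.secret"

# Constructed smb.conf with the settings shown in the article.
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   ldap admin dn = cn=admin,o=sbs
   ldap suffix = ou=users,o=sbs
   passdb backend = ldapsam:ldaps://192.168.0.100:636 smbpasswd
   encrypt passwords = yes
   security = user
[homes]
   comment = Home Directories
   valid users = %S
   browseable = No
   read only = No
   guest ok = No
EOF

# conf_value FILE KEY: value of a "key value" line in ldap.conf style files.
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# smb_value FILE SECTION KEY: value of "key = value" inside [SECTION] of smb.conf.
smb_value() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*[[]/ { s = $0; sub(/^[ \t]*[[]/, "", s); sub(/[]].*$/, "", s)
                       insec = (s == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }' "$1"
}

# dn_uses_commas DN: fail when an RDN boundary is written with a period
# (cn=admin.o=sbs) instead of a comma (cn=admin,o=sbs). A period inside a
# value such as cn=john.smith,o=sbs is left alone.
dn_uses_commas() {
    ! printf '%s\n' "$1" | grep -Eq '\.[A-Za-z]+='
}

# secret_mode_ok FILE: true only for mode 0600 (owner read/write, nothing for
# group or other), i.e. the chmod 600 the article asks for.
secret_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# passdb_uses_tls FILE: true when the passdb backend talks ldaps://, so the
# admin bind and password hashes do not cross the network in the clear.
passdb_uses_tls() {
    case "$(smb_value "$1" global "passdb backend")" in
        ldapsam:ldaps://*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_checks DIR: run every check against DIR/ldap.conf, DIR/ldap.secret and
# DIR/smb.conf; print each failure and return non-zero if any check failed.
run_checks() {
    dir=$1; rc=0
    dn_uses_commas "$(conf_value "$dir/ldap.conf" rootbinddn)" \
        || { echo "rootbinddn uses periods, not commas"; rc=1; }
    secret_mode_ok "$dir/ldap.secret" \
        || { echo "ldap.secret is not mode 600"; rc=1; }
    passdb_uses_tls "$dir/smb.conf" \
        || { echo "passdb backend is not ldapsam:ldaps://"; rc=1; }
    [ "$(smb_value "$dir/smb.conf" global "encrypt passwords")" = yes ] \
        || { echo "encrypt passwords is not yes"; rc=1; }
    return $rc
}

run_checks "$SAMPLE_DIR" && echo "all checks passed"
```

On a real server also confirm that /etc/ldap.secret is owned by root (ls -ld shows the owner in the third column); the sample file here is owned by whoever runs the script, so the example only checks the mode bits. The same admin password also ends up in Samba's secrets.tdb once smbpasswd -w has been run, so that file deserves the same root-only permissions.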
Add samba users
First we need to give Samba the admin password. This is accomplished with
smbpasswd -w somethingverysecret, where somethingverysecret is the password
for the ldap admin dn account you set in smb.conf. (Tip: if you put a space at
the start of the command line then the command won't be saved in your shell
history; in bash this relies on HISTCONTROL including ignorespace.)
You should see a line that says "Setting stored password for 'cn=admin,o=sbs'
in secrets.tdb". That gives Samba access via LDAP, so we should now be able to
add user accounts.
Try smbpasswd -a markrobinson and enter the password twice when prompted.
You should see a line that says "Added user markrobinson". If you get error
messages complaining about ldapsam_search_one_group you can safely ignore
them!
The user is now able to log in via Samba
Test samba connectivity
You can use a Windows machine here if you like, but it's easier to test things
on Linux first. The command smbclient allows you to test Samba without leaving
the command line!
Try smbclient //192.168.0.100/markrobinson -U markrobinson and enter your
password when prompted. You should get a prompt like smb: \>
Try typing ls and you should see the contents of the user's home directory.
You can type mkdir mynewfolder and a new folder should be created. Type exit
to leave the smb client, then change to /home/markrobinson and check that ls
shows the new folder with the appropriate owner:
    drwxr-xr-x 2 markrobinson eDirectoryUsers 48 Feb 16 16:56 mynewfolder
Put the kettle on
Remember the kettle? Well, now is the time if you haven't had a coffee
already. You should now be able to create more users and modify them for
Samba/Linux authentication. You could add shared areas for a group by creating
a new group in the users OU, creating folders on the Linux filesystem and
changing the group ownership to the new group. Create a share for this folder
in smb.conf and add users to the group and off you go...