Gentoo Wiki


This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc

Previous page Top Next Page


Configure LDAP

first thing first is to ensure the proper ownership of some key directories

# chown -R ldap:ldap /var/lib/openldap-*


You can edit the /etc/openldap/slapd.conf file that ships with openldap or we can just create a new one either way we want it to resemble something similar to the following

The include statements include various schema's into our LDAP tree

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

The slapd gentoo init script doesn't make the pidfile or argsfile correctly so we specify them here.

pidfile  /var/run/openldap/
argsfile /var/run/openldap/slapd.args
Note: 06/08/06 net-nds/openldap-2.2.28-r3 has the two previous lines present in /etc/openldap/slapd.conf by default. evilshenaniganz

You should set loglevel to 256 initially, this will give you some good hints when debugging problems. Read man slapd.conf for more information on what the loglevel directive will give you

loglevel 256

for database you can either use "bdb" or "ldbm". bdb is generally favoured by the openldap project as it is faster and more stable, it is somewhat difficult to setup when your server is under high load. Hint: create a DB_CONFIG file in your data directory (/var/lib/openldap-data/) and read the berkeley db documentation at suffix is the suffix for the root of our LDAP tree. The field names here must be all caps, or Windows will turn up its nose when asked to join your domain, with an error stating "User account not found." It will be very frustrating. directory designates the data directory for our LDAP database. rootdn is the hardcoded super-user of the database. rootpw is the hardcoded root password.
To generate a 'secret' you can use

# slappasswd -h {MD5}
New password: <example>
Re-enter new password: <example>

{MD5} indicates the scheme we will be using to encrypt the password. For more information about using different schemes: slappasswd () The index directives define optional indexes that are used to help speed up searches aginst common LDAP data.

database        ldbm
suffix          "dc=example,dc=net"
rootdn          "cn=Manager,dc=example,dc=net"
rootpw          {MD5}s+JROT6YmCR/KFfL3N9o4w==
directory       /var/lib/openldap-data/
index    sambaSID    eq
index    sambaPrimaryGroupSID    eq
index    sambaDomainName    eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname   eq,subinitial
Note: 5/05/2007 Alternative Using bdb (faster DB for large record)
database        bdb
suffix          "dc=example,dc=net"
checkpoint      32      30 # <kbyte> <min>
rootdn          "cn=Manager,dc=example,dc=net"
rootpw          {MD5}s+JROT6YmCR/KFfL3N9o4w==
directory       /var/lib/openldap-data/
index    sambaSID    eq
index    sambaPrimaryGroupSID    eq
index    sambaDomainName    eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname   eq,subinitial

Note: 14/03/2007 Additionally, i had to remove (or maybe move after "suffix") a entry called "checkpoint" out of my configuration, which was in by default.
Note: 28/04/2007 if you use ldbm change directory to /var/lib/openldap-ldbm LDAP-howto . Don't forget to run chown ldap:ldap /var/lib/openldap-ldbm


You should also have a file called /etc/openldap/ldap.conf. This file tells the client programs from the openldap package (ldapsearch, ldapadd, ...) which server it should connect to. Don't confuse this one with /etc/ldap.conf which is for the pam_ldap and nss_ldap packages from

to configure conectivity for the OpenLDAP tools we only need to define the HOST and BASE settings to match our slapd settings

BASE    dc=example,dc=net


we need to make sure the OPTS= line in /etc/conf.d/slapd looks similar to the following. If it dosen't we may have issues starting it through the gentoo scripts. also it wont start a ssl port with out it.

OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

Finalizing openldap

We should allways do a sanity check on /etc/openldap/slapd.conf every time we change it. We can accomplish this with slaptest

# slaptest 
Note: 11/01/2007 If you're using bdb use slaptest -u to check the sanity of /etc/openldap/slapd.conf then start manually the deamon with /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 255 to generate the initial db and check if something wrong. Then stop it with ctrl+C and change the permission on /var/lib/openldap-data as shown in the note number 3.


Note: 14/03/2007 Maybe your openldap executable is not in /usr/sbin/slapd, like said in the first node, but in /usr/lib/openldap/slapd.
Note: 11/09/06 If you're using bdb the rights for the database in /var/lib/openldap-data/ may have been created as root. If so you need to chown ldap:ldap /var/lib/openldap-data/* before starting slapd dcrawford

Next we can attempt to start slapd. Also dont forget to add slapd to the default runlevel.

# /etc/init.d/slapd start
# rc-update add slapd default
Note: 09/12/06 check ldap is the owner of files in /var/lib/openldap-data if failed started

hopefully slapd started [ok], if it didn't ([!!]) skip down to the troubleshooting section, otherwise continue with the testing section to make sure everything's running correctly.

Configure PAM


Note: 5/05/2007 Please skip this section as pam will know where to go when reading /etc/nsswitch.conf - FIXME: is this correct? I need to add those lines. Else it won't work here.

PAM, short for Plugable Authentication Module(s) is a system that allows us to define the modules used for system authentication. redefining pam.d/system-auth along with nsswitch.conf will allow us to authenticate against our LDAP directory.

You should also have a file called /etc/pam.d/system-auth. We need to edit the file to resemble something like this:

File: /etc/pam.d/system-auth

auth       required
auth       sufficient likeauth nullok
auth       sufficient use_first_pass
auth       required

account    required
account    sufficient

password   required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 type=
password   sufficient nullok md5 shadow use_authtok
password   sufficient use_authtok
password   required

session    required
session    required
session    optional


You probably want to make a few changes to su authentication. By default, su checks that the user is in group wheel, and then authenticates them as the root user through the normal system-auth methods. There are two changes that you may want to make.

You probably want to have the wheel group information in LDAP instead of in /etc/group. Unfortunately, and seem to stop after checking /etc/group if the group wheel is present in the file and the user is not in the group. You can safely remove the wheel group and and then add it to LDAP with the following commands:

# groupdel wheel
# smbldap-groupadd -g 10 -o wheel
# smbldap-groupmod -m <userlist, comma separated> wheel
Note: 01/05/08 By removing wheel from /etc/group, you might not be able to su if your LDAP server is down. This makes remote administration difficult, since a secure setup only allows root to login from the console.
Note: 16/09/2008 I created 'wheel' group in LDAP, added appropriate users to that group, then appended line in /etc/pam.d/su
auth       sufficient

Local 'wheel' group still exists and users added to LDAP 'wheel' are able to su. --Stootch 12:40, 16 September 2008 (UTC)

[NOTE: You probably should perform an smbldap-populate (information provided on the next page for completing this) before you remove/add the wheel group.]

You may not want to allow su'ing with the LDAP root password, but force the /etc/passwd password instead. If that is the case, you should copy the auth section from /etc/pam.d/system-auth to /etc/pam.d/su and remove the line. This will override the new default, LDAP-centric authentication behavior. Here is a sample auth section.

File: /etc/pam.d/su

auth     sufficient
auth     required
auth     required
auth     sufficient
auth     required

Configure NSS_LDAP


You should also have a file called /etc/nsswitch.conf.we need to modify the lines pretaining to passwd:, group, and shadow to resemble the following.

passwd:      files ldap
group:       files ldap
shadow:      files ldap
Note: 5/05/2007 Alternative Configuration
passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap
#sudoers:     files ldap

For LDAP sudoer please check on OpenLDAP


Next we want to configure /etc/ldap.conf this file sets directives pertaining to the ldap we specified in nsswitch.conf above.

again we use host and base to refer to our ldap server address and context of our ldap tree respectively.

base dc=example,dc=net

some ldap attribute which is different from the default ldap.conf

pam_filter objectclass=posixAccount
pam_login_attribute uid

the nss_base_* specify the context in ldap to look for the suffix config item where refering to. make sure to have two nss_base_passwd sections to cover users and computers so you don't get a nasty "user name could not be found error" when joining computers to the domain.

nss_base_passwd ou=Computers,dc=example,dc=net?sub
nss_base_passwd ou=Users,dc=example,dc=net?sub
nss_base_shadow ou=Users,dc=example,dc=net?sub
nss_base_group  ou=Groups,dc=example,dc=net?one

Here we use debug to specify the output message complexity, during testing this value should be 256 to help track down problems. the logdir directive tells us where we store the logs that the debug directive produces.

debug 256
logdir /var/log/nss_ldap
Note: There is a problem with the debug 256 option. When portage emerges packages like openssh or glibc, the sandbox environment crashes the whole operation with ACCESS VIOLATION, commenting the debug 256 out from the file helped me solve this problem, I hope this will help others as well. m0t3jl

The ssl directive is used to identify whether or not we're using an encrypted conversation. pam_password ... tbe ...

ssl no
pam_password md5
Note: You can also use the following. This will let the ldap server do the encrypting and storing of the password. This plays well with the smbk5pwd overlay. Po0ky
pam_password exop

Dont forget to create the folder(s) refrenced in the logdir directive. we can accomplish this with the following command.

# mkdir -p /var/log/nss_ldap

To avoid greater timeout delays on boot time, set bind_policy to soft. This ensures no waiting for a timeout if the slapd is not yet started and a service needs to switch user.

bind_policy = soft
Note: Don't forget to alt both the rootbinddn to reflect your settings, also Password is stored in /etc/ldap.secret (mode 600) . Otherwise it will keep saying can't connect !! mmuser

Configure Samba

Next we're going to try to tackle the big item, Samba. Configuring Samba can become quite a complex task on its own right. As such where going to keep our samba config to the minimum nesscary for us to get a PDC running, with a LDAP backend.

The following is mostly cut and pasted out of the HOWTO Implement Samba as your PDC and modified for our needs.The following is /etc/samba/smb.conf

The first section we will configure is the [global] services section, followed by [netlogon], [profiles], [homes] and other services sections. You'll need to change some values to meet your criteria.

The [global] service section =

netbios name sets the NetBIOS name by which a Samba server is known. This is what you'll see in network neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients. This is also the DOMAIN you will work from if you are using one server string controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

 netbios name = COMPUTER_NAME
 workgroup = YOUR_DOMAIN
 server string = LDAP PDC [on Gentoo :: Samba server %v]

hosts allow is a comma, space, or tab delimited set of hosts which are permitted to access a service. security affects how clients respond to Samba and is one of the most important settings in the smb.conf file. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client. It is for performance fine tuning. If you find more/better options, I'd love to know of them. interfaces allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. bind interfaces allows the Samba admin to limit what interfaces on a machine will serve SMB requests.

hosts allow =
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes

To make your Samba server the PDC, the following 4 parameters are required. Setting your OS level to 65 ensures your server WILL BE the PDC in a network where there are other DC. local master allows nmbd to try and become a local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections. domain master enables WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. preferred master controls if nmbd is a preferred master browser for its workgroup.

local master = yes
os level = 65
domain master = yes
preferred master = yes

null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existance of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.

null passwords = no
hide unreadable = yes
hide dot files = yes

domain logons dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. logon drive specifies the local path to which the home directory will be connected and is only used by NT Workstations. logon home specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. Please note that variables %L and %U must be used. They defined the server name and username (respectively). You may specify any drive letter as long as it does not conflict with other drives on your Win2k client.

For logon script, I personally use a static file name. Using %U will require a batch file for each user as %U == the username establishing the connection.

domain logons = yes
;logon script = login.bat OR %U.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U

IMPORTANT NOTE: This may sound pretty obvious, but will save you a ton of headaches and Windows-cursing. You really want to have your logon drive as Z:, just in case.

Why, you ask? Take a look at the following example: you have a computer with three HDD partitions (C:, D:, and E:), as well as a DVD reader (F:) and a CD-RW (G:). And, yes, your logon drive at H:. Common sense would suggest that, should you connect any removable media to this computer (say, a USB drive, an external DVD burner, etc.), it would get allocated as I:, right?

The first mistake here is that you assumed that Microsoft would use any common sense. Let me explain what happened to me in such a case. Apparently, the recently-inserted media tries to get H: and the only result is that it becomes unaccessible. Another example would be a computer that doesn't have such a heavily partitioned HDD, but is filled with removable media bays, just as any VAIO or HP you can find out there. --Demiurgo 00:49, 23 June 2006 (UTC)

wins support controls if the nmbd process in Samba will act as a WINS server. name resolve order is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. dns proxy specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no

time server determines if nmbd advertises itself as a time server to Windows clients. log file option allows you to override the name of the Samba log file (also known as the debug file). max log size specifies the max size the log file should grow to.

time server = yes
log file = /var/log/samba/log.%m
max log size = 50

The following are parameters to assist you in adding/deleting users/machines from a client. Note: That using these peramaters that refrence the smbldap-tools means that you must install it when presented later in this HowTo

add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"


passdb backend = ldapsam:ldap://
ldap delete dn = Yes
ldap ssl = no
winbind nested groups = no
Note: You must add the line for winbind or samba will not start. This is a known bug in samba. Chucks

The following settings refer to the positions of various LDAP objects in our directory. ldap suffix is the same one we entered in slapd.conf and is the root of our LDAP tree. ldap admin dn is the distunguished name of your rootdn previously named in slapd.conf. ldap xxxx suffix is the suffix of each of the containers you see, where xxxx = group, user, machine, idmap.

ldap suffix = dc=example,dc=net
ldap admin dn = cn=Manager,dc=example,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap

The [SHARE_NAME] services section

This section defines your shares. If you include a parameter within any one of these sections that is defined in the global section it will override the parameter in the global section. I'm not going to get into detail about each and every parameter here. The samba link provided above is a great resource for defining parameters. Use it!

netlogon is the service section of where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and permissions are 755 (chmod -R 0755).

 path = /var/lib/samba/netlogon
 guest ok = Yes
 browseable = no
 write list = root

profiles is the service section for user roaming profiles. Make sure the directory proper is owned and group owned by root. Make sure its permission is 755 (chmod -R 1757). Inside this directory is where you user profiles are located.

 path = /var/lib/samba/profiles
 writable = yes
 browseable = no
 create mode = 0644
 directory mode = 0755
 guest ok = yes

homes defines the users home directory. Nothing special needs to be done to this directive or directory.

 path = /home/%U
 browseable = no
 valid users = %S
 read only = no
 create mask = 0664
 directory mask = 0775

public is only an example of one of my shares. You can define as many as you want. You can name them whatever you want. It does not have to be named [public].

 comment = Public Stuff
 path = /public
 public = yes
 read only = yes
 browseable = yes
 write list = @users

Finishing up Samba

Now that we have configured smb.conf with the rootdn, we need to store the password for it. we can accomplish this with the following command.
Note: your secret password will have to be typed at the command line
# smbpasswd -w secret

Before we will be able to start samba we need to do a quick sanity check.

You should also use testparm to run a sanity check against smb.conf. You can do this by executing the following command.

# testparm

Make sure to add samba to the default runlevel

# rc-update add samba default

now that its time to start up samba

# /etc/init.d/samba start

now with fingers crossed we should have had a successfull start

Configure smbldap-tools

Next you will need to edit the two smbldap-tools config files /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf the editing of these files is straightforward and mostly needs to reflect settings you have specifed previously. With the execption of the lines noted below edit the config files to suit your needs.


the directives ldapTLS, verify, and hash_encypt have to be set as follows. any of the other directives should be changed to match settings we have previously set in other files. if you dont know what a directive does, it should be safe to skip it.

# Other configuration should be altered too!!!

Note: Whilst configuring smbldap-tools, do not use the %L for the PDC name when configuring the Paths to use. This will break roaming profile logins


this file need only to be updated with the rootdn that you have previously specified as well as the secret password of the rootdn in plain text.

after editing the above files feel free to move onto the next section.

Using Smbk5pwd overlay

I'm still working on this subject, you can take a peak by checking out the Talk:HOWTO_LDAP_SAMBA_PDC_Basic_Setup - Po0ky

Previous page Top Next Page

Common errors and fixes

I have "I have no name!@<hostname>" as my prompt.

This happens when pam can't access the ldap server. Caused because it can't read the /etc/ldap.conf file. Make it world readable (don't put any passwords in the file!! The password goes into /etc/ldap.secret)
chmod +r /etc/ldap.conf

With OpenLDAP 2.3 / nss_ldap-239+ a readable /etc/ldap.conf may not be enough. Use nscd (Name Service Cache Daemon)

/etc/init.d/nscd start
rc-update add nscd default
I am unable to use su
Even when I have the user in the wheel group (ldap) I'm unable to use su. Only when I add the user to the wheel group (/etc/group) I'm able to su.

A complete solution to this problem is now presented in the Configure PAM section above. Make sure that the wheel group does not exist in /etc/group.

Last modified: Tue, 16 Sep 2008 02:40:00 +0000 Hits: 32,709