
Open-E external LDAP HOWTO

1. Connecting two Open-e systems to each other:


- use the same software version on both systems,
- use the same workgroup on both systems,
- the source system should be configured with Internal LDAP, while the destination system uses
External LDAP to connect to the source system. All advanced settings should be left at default values.
2. Open-E system as client + LDAP server without Samba (here called SRVA):
- build the basic LDAP structure on SRVA:
dn: dc=server,dc=nas
dn: cn=admin,dc=server,dc=nas
dn: ou=People,dc=server,dc=nas
dn: ou=Computers,dc=server,dc=nas
dn: ou=Groups,dc=server,dc=nas
dn: cn=users,ou=Groups,dc=server,dc=nas
- and:
dn: sambaDomainName=workgroup_name,dc=server,dc=nas
- for example, if SRVA contains the entry:
sambaDomainName=WORKGROUP,dc=server,dc=nas
set the workgroup name on the Open-E system also to WORKGROUP,
- there must be compatibility in sambaSID between the sambaDomainName entry and the entries for
users and groups. If you need to rewrite sambaSID values for your users and groups, see sections 4.
and 5. below.
3. Open-E system as client + External LDAP server with Samba (here called SRVB):
SRVA configuration:
- make sure the following line is present in the Samba config file (smb.conf):
domain logons = yes
- create the basic LDAP structure (as detailed in point 2 above) without a sambaDomainName entry
(this entry will be automatically generated by Samba),
- use the same workgroup name on both the server and the client.
4. How to check SambaSIDs and why are they important?
First of all, you need to check the existing sambaSID for your sambaDomainName entry. Under Linux,
you can do this using ldapsearch:
ldapsearch -x -h 192.168.243.4 -b dc=server,dc=nas -D cn=admin,dc=server,dc=nas -w secret
where:
192.168.243.4 - ldap server
dc=server,dc=nas - basedn
cn=admin,dc=server,dc=nas - rootdn
secret - password
Below you can find example output from the ldapsearch command. This record was generated in
LDAP for a server using Samba with domain logons set to no (therefore, it is based on the netBIOS name
of the connecting server). In this example the netBIOS name is DSS:
# DSS, server.nas
dn: sambaDomainName=DSS,dc=server,dc=nas
sambaDomainName: DSS
sambaSID: S-1-5-21-2896602268-470177729-4123194723
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
In contrast, this is a record generated for a server using Samba with domain logons set to yes (therefore,
it is based on the workgroup name). In this case the workgroup name is WORKGROUP (this record
will be automatically added after connecting the storage server to the LDAP server):
# WORKGROUP, server.nas
dn: sambaDomainName=WORKGROUP,dc=server,dc=nas
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-677905249-1957579923-4221919332
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
As you can see the sambaSIDs for these two entries are different. This situation may occur when you
connect Samba servers with different domain logons values to the same LDAP server. Since users can
have only one sambaSID, the result of this would be that only one of these two servers would have
Samba access (because the LDAP users' sambaSIDs can only be compatible with one
sambaDomainName sambaSID).
The solution is to use the same sambaSID for both sambaDomainName entries. Following the
previous example, we can rewrite the sambaSID value from our old record "dn:
sambaDomainName=DSS,dc=server,dc=nas" to record "dn:
sambaDomainName=WORKGROUP,dc=server,dc=nas".
How to do this in Linux?
Create a file called "modify" with the following content (the changetype line and the closing "-" make
it a standard LDIF modify record):
dn: sambaDomainName=WORKGROUP,dc=server,dc=nas
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-2896602268-470177729-4123194723
-
where:
a) WORKGROUP is the workgroup name that you indicated in your DSS,
b) S-1-5-21-2896602268-470177729-4123194723 - correct sambaSID value (you
can get this from the record "dn: sambaDomainName=DSS,dc=server,dc=nas")
next type:
ldapmodify -h 127.0.0.1 -D cn=admin,dc=server,dc=nas -w secret -r -x -f modify
where:
127.0.0.1 - IP of LDAP server
cn=admin,dc=server,dc=nas - rootdn (you can get this from
/etc/ldap/slapd.conf)
secret - password
modify - your file
After these modifications you must restart Samba (please restart your
DSS or click again APPLY in the Authentication Method box, which will
cause Samba to be restarted).
5. Setting up user sambaSIDs
When creating users for the external LDAP, you need to pay special attention to their sambaSIDs.
Correct Samba entries for a user look like the following example:
uidNumber: 1001
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3002
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001
As you can see, there is a 4-digit number appended to the regular sambaSID (which is taken from the
WORKGROUP example above). This is generated in the following manner:
sambaSID: uidNumber * 2 + 1000
sambaPrimaryGroupSID: gidNumber * 2 + 1001
These entries must always match and conform to the schema above, otherwise the user will not be
able to connect via SMB.
Please also note the user password must always be encrypted using CRYPT. A proper entry looks like
this:
userPassword: {CRYPT}emaDInIPfsR7A
6. An example LDAP dump
This is an example LDAP dump with 2 users and a single group.
dn: dc=server,dc=nas
objectClass: top
objectClass: dcObject
objectClass: organization
o: server
dc: server

dn: cn=admin,dc=server,dc=nas
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

dn: ou=employees,dc=server,dc=nas
objectClass: top
objectClass: organizationalUnit
ou: employees

dn: cn=James Bond,ou=employees,dc=server,dc=nas
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
givenName: James
sn: Bond
cn: James Bond
uid: jbond
mail: james.bond@company.com
uidNumber: 1000
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3000
sambaPwdLastSet: 1228941481
userPassword: {CRYPT}JOUIYm05Cb2+
sambaLMPassword: E52CAC67419A9A224A3B108232A6CB6D
sambaNTPassword: 884657EAEE851007AD06BDD830B7586C
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001
homeDirectory: /home/users/SambaGroup/nd
sambaAcctFlags: [U]

dn: cn=Jason Bourne,ou=employees,dc=server,dc=nas
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
givenName: Jason
sn: Bourne
cn: Jason Bourne
uid: jbourne
mail: jason.bourne@company.com
uidNumber: 1001
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3002
sambaPwdLastSet: 1228941481
userPassword: {CRYPT}emaDInIPfsR7A
sambaLMPassword: E52CAC67419A9A224A3B108232A6CB6D
sambaNTPassword: 884657EAEE851007AD06BDD830B7586C
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001
homeDirectory: /home/users/SambaGroup/urne
sambaAcctFlags: [U]

dn: ou=groups,dc=server,dc=nas
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=SambaGroup,ou=groups,dc=server,dc=nas
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: top
cn: SambaGroup
displayName: SambaGroup
gidNumber: 1000
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3001
sambaGroupType: 2

dn: sambaDomainName=3511,dc=server,dc=nas
sambaDomainName: 3511
sambaSID: S-1-5-21-2896602268-470177729-4123194723
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
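The checks that sections 4 and 5 describe by hand, applied to a dump like the one above. This is an added example, not part of the Open-E HOWTO: a small Python script that reads an LDIF dump constructed here from the HOWTO's own values (the two sambaDomainName SIDs from section 4, a user that follows the section 5 rules and a constructed "jbroken" user that does not), and reports what would stop a user from connecting via SMB: two sambaDomainName entries that disagree on sambaSID, a user whose RID is not uidNumber * 2 + 1000, a primary group SID that does not match gidNumber, and a userPassword that is not a {CRYPT} hash. It goes slightly beyond the text by also checking sambaGroupMapping entries against the gidNumber * 2 + 1001 rule.

```python
import re

RID_BASE = 1000  # sambaAlgorithmicRidBase in the HOWTO's sambaDomainName entries

# Constructed sample dump (not the HOWTO's own): the domain SIDs are the two
# values shown in section 4, "jbond" follows section 5, "jbroken" does not.
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=server,dc=nas
objectClass: sambaDomain
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-2896602268-470177729-4123194723

dn: sambaDomainName=DSS,dc=server,dc=nas
objectClass: sambaDomain
sambaDomainName: DSS
sambaSID: S-1-5-21-677905249-1957579923-4221919332

dn: uid=jbond,ou=employees,dc=server,dc=nas
objectClass: sambaSamAccount
uidNumber: 1000
gidNumber: 1000
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3000
sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001
userPassword: {CRYPT}emaDInIPfsR7A

dn: uid=jbroken,ou=employees,dc=server,dc=nas
objectClass: sambaSamAccount
uidNumber: 1002
gidNumber: 1000
sambaSID: S-1-5-21-2896602268-470177729-4123194723-1002
sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001
userPassword: {SSHA}not-a-crypt-hash

dn: cn=SambaGroup,ou=groups,dc=server,dc=nas
objectClass: sambaGroupMapping
gidNumber: 1000
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3001
"""


def user_rid(uid_number):
    """RID appended to a user's sambaSID (section 5 rule)."""
    return uid_number * 2 + RID_BASE


def group_rid(gid_number):
    """RID appended to a group's sambaSID / sambaPrimaryGroupSID (section 5 rule)."""
    return gid_number * 2 + RID_BASE + 1


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} dicts.
    Folded lines (leading space) are joined; '#' comments are skipped."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
            last = attr.strip()
    return entries


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return m.group(1), int(m.group(2))


def check_dump(text):
    """Return one finding per inconsistency; an empty list means the dump is usable."""
    entries = parse_ldif(text)
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0]
               for e in entries if "sambaDomain" in e.get("objectClass", [])}
    findings = []
    if len(set(domains.values())) > 1:  # the section 4 situation: two domains, two SIDs
        findings.append("sambaDomainName entries disagree on sambaSID: "
                        + ", ".join(f"{n}={s}" for n, s in sorted(domains.items())))
    for e in entries:
        classes, dn = e.get("objectClass", []), e["dn"][0]
        if "sambaSamAccount" in classes:
            dom, rid = split_sid(e["sambaSID"][0])
            want = user_rid(int(e["uidNumber"][0]))
            if dom not in domains.values():
                findings.append(f"{dn}: sambaSID {dom} matches no sambaDomainName entry")
            if rid != want:
                findings.append(f"{dn}: sambaSID RID is {rid}, expected {want}")
            gdom, grid = split_sid(e["sambaPrimaryGroupSID"][0])
            if gdom != dom or grid != group_rid(int(e["gidNumber"][0])):
                findings.append(f"{dn}: sambaPrimaryGroupSID does not match gidNumber")
            if not e.get("userPassword", [""])[0].startswith("{CRYPT}"):
                findings.append(f"{dn}: userPassword is not a {{CRYPT}} hash")
        elif "sambaGroupMapping" in classes:
            dom, rid = split_sid(e["sambaSID"][0])
            if dom not in domains.values() or rid != group_rid(int(e["gidNumber"][0])):
                findings.append(f"{dn}: group sambaSID does not match gidNumber")
    return findings
```

Run `check_dump(open("dump.ldif").read())` on the output of the ldapsearch command from section 4 (a plain `ldapsearch -x -LLL` dump is accepted; base64 `::` values are not decoded); on the constructed sample it reports the DSS/WORKGROUP SID mismatch and the two problems with "jbroken", and nothing for "jbond" or SambaGroup.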
VERSION HISTORY
Version number   Date         Author        Notes
1.00             19/10/2009   Szymon Duda   Initial version
