Hello, I spent almost 3 weeks banging my head making OpenLDAP + TLS + Samba work. Thought I might share my experience; it could help someone out there. I started having no knowledge about LDAP, followed the 'OpenLDAP Server' (https://help.ubuntu.com/lts/serverguide/openldap-server.html) and 'Samba and LDAP' (https://help.ubuntu.com/lts/serverguide/samba-ldap.html) server guide pages, and failed many, many times. I am going to list modification/enhancement points I believe it would be better/nice to have on those two guides.

1. OpenLDAP Server (https://help.ubuntu.com/lts/serverguide/openldap-server.html) Guide

1-1. I think it would be nice to have a brief description of the LDAP URL schemes somewhere before the installation section, since confusing them could end up wasting days like me :( Something like:

There are three URL schemes used for LDAP: 'ldap://', 'ldapi://' and 'ldaps://'.
- 'ldap://' instructs to use a TCP/IP connection and is most commonly used. Port 389 will be used, unless you specify it in the URL in 'ldap://hostname:port/' form.
- 'ldapi://' is to use a UNIX domain socket, typically used in 'ldapi:///' form to indicate connecting to the default server. This can be used only when you run clients on the same machine slapd is running on. If you want to use it with TLS, some restrictions apply (see the last note on 1-4).
- 'ldaps://' was used to establish a TLS connection using port 636. The new way of TLS-enabled LDAP is to use the standard 'ldap://' scheme and port 389. Use of 'ldaps://' is discouraged.

1-2. I followed sections 'Installation', 'Post-install Inspection', 'Modifying/Populating your Database', 'Logging', 'TLS' and 'LDAP Authentication' only. But anywhere it refers to 'hdb' in a command or output, it should be replaced with 'mdb', since mdb is the default database slapd uses in the current version.

1-3. In the 'TLS' section, following the instructions in that order ends up having an error at the 'ldapmodify' command, since at that time slapd does not have read permission on the private key file. The correct order would be:

Tighten up (or loosen down?) ownership and permissions:

  sudo adduser openldap ssl-cert
  sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
  sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
  sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

Restart OpenLDAP:

  sudo systemctl restart slapd.service

Create the file certinfo.ldif with the following contents [[ (adjust accordingly, our example assumes we created certs using https://www.cacert.org) I think we created cacert.pem in the instructions right above. This note may not be precise? ]]:

  dn: cn=config
  add: olcTLSCACertificateFile
  olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
  -
  add: olcTLSCertificateFile
  olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
  -
  add: olcTLSCertificateKeyFile
  olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database [[ modified '/etc/ssl/certinfo.ldif' to 'certinfo.ldif' ]]:

  sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

1-4. Again in the 'TLS' section, the guide illustrates how to configure slapd, but there are no instructions on how LDAP client programs communicate with slapd over TLS. It may not be necessary, but it can be an easy way to confirm slapd was configured to use TLS correctly.

Edit a line in /etc/ldap/ldap.conf (GnuTLS needs it?):

  TLS_CACERT /etc/ssl/certs/cacert.pem

Confirm the 'ldapsearch' command runs without error with the '-ZZ' option.
  $ ldapsearch -x -LLL -ZZ -H ldap://ldap01.example.com -b dc=example,dc=com 'uid=john' cn gidNumber
  dn: uid=john,ou=People,dc=example,dc=com
  cn: John Doe
  gidNumber: 5000

As long as you use 'ldapsearch' on the same machine slapd is running on, you could run it with '-H ldapi:///' or without the '-H' option, but the machine has to identify itself with the same name as the 'cn' field in the LDAP certificate ('ldap01.example.com'). You may have to either configure your machine so that the 'hostname' command returns 'ldap01.example.com', or keep the "127.0.1.1 ldap01.example.com ldap01" line in your /etc/hosts, to achieve it.

1-5. 'LDAP Authentication' section. Correct me if I'm wrong, but I believe following those instructions only allows non-encrypted connections between client and server. To make them use TLS, another few steps would be needed.

To enable TLS on libnss_ldap:
- Make sure the client machine has the CA certificate that signed the LDAP certificate. In case you followed the 'TLS' section above, it is /etc/ssl/certs/cacert.pem. If you don't have it, copy it from the server machine and place it as /etc/ssl/certs/cacert.pem, owned by root:root, permission 0644.
- Make modifications in /etc/ldap.conf. First of all, the hostname in the 'uri' line will be matched against the 'cn (common name)' field in the LDAP certificate. It must be the same. In the case of this example, it shall be:

    uri ldap://ldap01.example.com/

  In case of authentication on the machine running slapd itself, you could use 'uri ldapi:///', but your machine has to identify itself with the same name as the LDAP certificate cn field. See the last note on 1-4. Then add a line:

    ssl start_tls

  You don't need to have a 'tls_cacertfile' line. The system will find the CA certificate by itself as long as you put it in the standard certificate folder (/etc/ssl/certs/).

Not to be confused: /etc/ldap.conf is a file consulted by libnss_ldap routines (man 5 nss_ldap), whereas /etc/ldap/ldap.conf is part of OpenLDAP and consulted by some utility client programs like 'ldapsearch' (man 5 ldap.conf).

2. Samba and LDAP (https://help.ubuntu.com/lts/serverguide/samba-ldap.html) Guide

2-1. Following the 'Samba indices' instructions ends up with an error at the 'ldapmodify' command, as Samuel described above. This is because the latest version of the slapd package is shipped with some indices already. In my case those were the same as in Samuel's description:

  $ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex
  dn: olcDatabase={1}mdb,cn=config
  olcDbIndex: objectClass eq
  olcDbIndex: cn,uid eq
  olcDbIndex: uidNumber,gidNumber eq
  olcDbIndex: member,memberUid eq

I believe we have to merge these indices with those Samba needs. Thus the samba_indices.ldif file contents should be something like:

  dn: olcDatabase={1}mdb,cn=config
  changetype: modify
  replace: olcDbIndex
  olcDbIndex: objectClass eq
  olcDbIndex: cn eq
  olcDbIndex: uid eq,pres,sub
  olcDbIndex: uidNumber,gidNumber eq
  olcDbIndex: member eq
  olcDbIndex: memberUid eq,pres,sub
  olcDbIndex: loginShell eq
  olcDbIndex: uniqueMember eq,pres
  olcDbIndex: sambaSID eq
  olcDbIndex: sambaPrimaryGroupSID eq
  olcDbIndex: sambaGroupType eq
  olcDbIndex: sambaSIDList eq
  olcDbIndex: sambaDomainName eq
  olcDbIndex: default sub

Update the indices with the same command:

  sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

But to examine them, the command would be ('mdb' instead of 'hdb'):

  sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex

2-2. 'Adding Samba LDAP objects'. I think it would be nice to have an 'smbldap-config' example in this section, since it is a bit tricky. By the way, smbldap-config.pl is now smbldap-config (/usr/sbin/smbldap-config). Here, my keystrokes are bracketed by '[[...]]', and '#...' is my comment.
  $ sudo smbldap-config
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
         smbldap-tools script configuration
         -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  Before starting, check
   . if your samba controller is up and running.
   . if the domain SID is defined (you can get it with the 'net getlocalsid')
   . you can leave the configuration using the Ctrl-c key combination
   . empty value can be set with the "." character
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Looking for configuration files...

  Samba Configuration File Path [/etc/samba/smb.conf] > [[]]

  The default directory in which the smbldap configuration files are stored is shown.
  If you need to change this, enter the full directory path, then press enter to continue.
  Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] > [[]]
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  Let's start configuring the smbldap-tools scripts ...

  . workgroup name: name of the domain Samba acts as a PDC for
    workgroup name [WORKGROUP] > [[]]      # Configure any Samba parameters to fit yours.
  . netbios name: netbios name of the samba controller
    netbios name [] > [[]]
  . logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
    logon drive [] > [[]]
  . logon home: home directory location (for Win95/98 or NT Workstation).
    (use %U as username) Ex:'\\\%U'
    logon home (press the "." character if you don't want homeDirectory) [\\\%U] > [[.]]
  . logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
    logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] > [[.]]
  . home directory prefix (use %U as username) [/home/%U] > [[]]
  . default users' homeDirectory mode [700] > [[]]
  . default user netlogon script (use %U as username) [] > [[]]
    default password validation time (time in days) [45] > [[]]
  . ldap suffix [] > [[dc=example,dc=com]]
  . ldap group suffix [] > [[ou=Groups]]
  . ldap user suffix [] > [[ou=People]]
  . ldap machine suffix [] > [[ou=Computers]]
  . Idmap suffix [ou=Idmap] > [[]]
  . sambaUnixIdPooldn: object where you want to store the next uidNumber and
    gidNumber available for new users and groups
    sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=WORKGROUP] > [[]]
  . ldap master server: IP address or DNS name of the master (writable) ldap server
    ldap master server [127.0.0.1] > [[ldap01.example.com]]      # If you don't use TLS, you may just press enter.
  . ldap master port [389] > [[]]
  . ldap master bind dn [] > [[cn=admin,dc=example,dc=com]]
  . ldap master bind password [] > [[]]
  . ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
    ldap slave server [127.0.0.1] > [[ldap01.example.com]]      # If you don't have a slave server, make it the same as the master.
  . ldap slave port [389] > [[]]
  . ldap slave bind dn [] > [[cn=admin,dc=example,dc=com]]
  . ldap slave bind password [] > [[]]
  . ldap tls support (1/0) [0] > [[1]]      # If you don't use TLS, enter '0'. You won't be asked the next 4 questions.
  . How to verify the server's certificate (none, optional or require) [require] > [[]]
  . CA certificate file [/etc/smbldap-tools/ca.pem] > [[/etc/ssl/certs/cacert.pem]]
  . certificate to use to connect to the ldap server [/etc/smbldap-tools/smbldap-tools.pem] > [[.]]      # We don't use client authentication, just zap it.
  . key certificate to use to connect to the ldap server [/etc/smbldap-tools/smbldap-tools.key] > [[.]]      # Ditto.
  . SID for domain WORKGROUP: SID of the domain (can be obtained with 'net getlocalsid ')
    SID for domain WORKGROUP [S-1-5-21-1368871063-451239926-1424446152] > [[]]      # Your number may vary. Just press enter, or you could zap it.
  . unix password encryption: encryption used for unix passwords
    unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > [[]]
  . default user gidNumber [513] > [[]]
  . default computer gidNumber [515] > [[]]
  . default login shell [/bin/bash] > [[]]
  . default skeleton directory [/etc/skel] > [[]]
  . default domain name to append to mail address [] > [[]]
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  backup old configuration files:
    /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
    /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
  writing new configuration file:
    /etc/smbldap-tools/smbldap.conf done.
    /etc/smbldap-tools/smbldap_bind.conf done.
  $

2-3. In 'Samba Configuration', restarting Samba right after we make the modification to /etc/samba/smb.conf will fail, since Samba needs the LDAP rootDN password to restart, which we provide in the next instruction. The correct order would be:

Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):

  sudo smbpasswd -w password

[[ or 'sudo smbpasswd -W' and enter the password from the keyboard ]]

Restart samba to enable the new settings:

  sudo systemctl restart smbd.service nmbd.service

2-4. Again in 'Samba Configuration', when you use TLS, the 'hostname' in the line 'passdb backend = ldapsam:ldap://hostname/' in the /etc/samba/smb.conf file has to be the same name you used in the 'cn' of the LDAP certificate. If you are running smbd on the same machine slapd is running on, you could use 'ldapi:///', but the same restrictions apply. See the last note on 1-4.

2-5. Final note on 'Samba Configuration'. If you don't use TLS, the 'ldap ssl' line in /etc/samba/smb.conf should be 'ldap ssl = no'.

My personal opinion. Since this procedure could fail in so many ways, I would strongly suggest you configure Samba without TLS first ('ldap tls support = 0' in smbldap-config, 'ldap ssl = no' in smb.conf), then enable it afterwards ('ldap ssl = start tls' in smb.conf, 'ldapTLS="1", verify="require", cafile="/etc/ssl/certs/cacert.pem"' in /etc/smbldap-tools/smbldap.conf). It is MUCH easier.

This report has been confirmed on the following versions of packages.
  uname: 4.4.0-53-generic #74-Ubuntu SMP Fri Dec 2 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  Package: slapd           Version: 2.4.42+dfsg-2ubuntu3.1
  Package: ldap-utils      Version: 2.4.42+dfsg-2ubuntu3.1
  Package: gnutls-bin      Version: 3.4.10-4ubuntu1.1
  Package: ssl-cert        Version: 1.0.37
  Package: samba           Version: 2:4.3.11+dfsg-0ubuntu0.16.04.1
  Package: smbldap-tools   Version: 0.9.9-1ubuntu1.16.04.2

I am no expert on any of this software. Correct me wherever you feel necessary! Hope this helps someone like me use those packages without much hassle. Ciao!
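The index merge described in 2-1, as an added example that is not part of this post or of the Ubuntu guides: a small Python script that takes the olcDbIndex values the stock slapd already has and the ones Samba needs, unions the index types per attribute (splitting comma-joined attribute lists such as 'cn,uid eq', which is what makes a naive 'add:' fail), and emits the 'replace: olcDbIndex' LDIF for ldapmodify. The two input lists are constructed from the values quoted in 2-1; the function names and the TYPE_ORDER list are this example's own choices, and the script generalises to any existing/required index sets.

```python
from collections import OrderedDict

# Constructed sample: the olcDbIndex values the stock slapd package already had (see 2-1).
EXISTING = [
    "objectClass eq",
    "cn,uid eq",
    "uidNumber,gidNumber eq",
    "member,memberUid eq",
]

# Constructed sample: the index lines the Samba guide wants added.
SAMBA_NEEDED = [
    "uid eq,pres,sub", "memberUid eq,pres,sub", "loginShell eq",
    "uniqueMember eq,pres", "sambaSID eq", "sambaPrimaryGroupSID eq",
    "sambaGroupType eq", "sambaSIDList eq", "sambaDomainName eq", "default sub",
]

# Output order for index types (matches the post's file); unknown types go last, alphabetically.
TYPE_ORDER = ["eq", "pres", "sub", "approx"]


def parse_index(line):
    """'cn,uid eq' -> [('cn', {'eq'}), ('uid', {'eq'})]; a bare attribute gets an empty type set."""
    parts = line.split(None, 1)
    types = {t.strip() for t in parts[1].split(",") if t.strip()} if len(parts) > 1 else set()
    return [(attr.strip(), set(types)) for attr in parts[0].split(",") if attr.strip()]


def merge_indices(existing, needed):
    """Union the index types per attribute; attributes keep first-seen order."""
    merged = OrderedDict()
    for line in list(existing) + list(needed):
        for attr, types in parse_index(line):
            merged.setdefault(attr, set()).update(types)
    return merged


def format_types(types):
    """'eq,pres,sub' style rendering in TYPE_ORDER."""
    return ",".join(sorted(types, key=lambda t: (TYPE_ORDER.index(t) if t in TYPE_ORDER else len(TYPE_ORDER), t)))


def to_ldif(merged, dn="olcDatabase={1}mdb,cn=config"):
    """Build the modify entry that replaces the whole olcDbIndex attribute, one attribute per line."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: olcDbIndex"]
    for attr, types in merged.items():
        lines.append(f"olcDbIndex: {attr} {format_types(types)}".rstrip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Writes samba_indices.ldif content to stdout; feed it to ldapmodify as in 2-1.
    print(to_ldif(merge_indices(EXISTING, SAMBA_NEEDED)), end="")
```

Because 'replace:' overwrites every olcDbIndex value, run the ldapsearch from 2-1 first and paste its current values into EXISTING so nothing already indexed is dropped.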