This blog posting is a part of a series of blog postings:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
In this part I’m setting up LDAP schemas for samba, autofs and kerberos. This is needed before the actual configuration for these can be done. Unfortunately I could not find ldif files for OpenLDAP for these, so the schema files need to be converted to ldif files. The tutorial at help.ubuntu.com instructs you to use the slaptest tool for this.
First get the tools and packages that contain the schemas that need to be converted. autofs.schema is in the autofs-ldap package, samba.schema is in the samba sources and kerberos.schema comes with the krb5-kdc-ldap package.
```
sudo apt-get install dpkg-dev autofs-ldap krb5-kdc-ldap
apt-get source samba
cp ./samba-3.4.3/examples/LDAP/samba.schema .
cp /etc/ldap/schema/autofs.schema .
cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz .
gunzip kerberos.schema.gz
```
schema_convert.conf is a temporary file used to convert the schemas to ldif format:
```
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include samba.schema
include autofs.schema
include kerberos.schema
```
The actual conversion is done by running slaptest. It places the resulting files under the ldif_result directory. The files need to be cleaned up a bit before they can be imported: the operational attributes slaptest writes into each entry have to be removed, and the positional cn={N} RDN has to be replaced with the DN the schema will have under cn=schema,cn=config. This is not exactly the nicest looking piece I’ve written, but it seems to do the trick.
```
mkdir ldif_result
slaptest -f schema_convert.conf -F ldif_result

# Drop the operational attributes and rewrite the positional RDN. The {.} in
# the sed patterns matches the single-digit index slaptest assigns (e.g. {3}),
# which is all that is needed for the six schemas in schema_convert.conf.
cat ldif_result/cn=config/cn=schema/cn=*samba.ldif \
  | egrep -v 'structuralObjectClass|entryUUID|creatorsName' \
  | egrep -v 'createTimestamp|entryCSN|modifiersName|modifyTimestamp' \
  | sed 's/dn: cn={.}samba/dn: cn=samba,cn=schema,cn=config/g' \
  | sed 's/{.}samba/samba/' > samba.ldif

cat ldif_result/cn=config/cn=schema/cn=*autofs.ldif \
  | egrep -v 'structuralObjectClass|entryUUID|creatorsName' \
  | egrep -v 'createTimestamp|entryCSN|modifiersName|modifyTimestamp' \
  | sed 's/dn: cn={.}autofs/dn: cn=autofs,cn=schema,cn=config/g' \
  | sed 's/{.}autofs/autofs/' > autofs.ldif

cat ldif_result/cn=config/cn=schema/cn=*kerberos.ldif \
  | egrep -v 'structuralObjectClass|entryUUID|creatorsName' \
  | egrep -v 'createTimestamp|entryCSN|modifiersName|modifyTimestamp' \
  | sed 's/dn: cn={.}kerberos/dn: cn=kerberos,cn=schema,cn=config/g' \
  | sed 's/{.}kerberos/kerberos/' > kerberos.ldif

sudo cp samba.ldif autofs.ldif kerberos.ldif /etc/ldap/schema/
```
The ldif files are now placed under /etc/ldap/schema/ and can be added using ldapadd:
```
# -Y EXTERNAL over the ldapi:/// socket authenticates with the local uid,
# so running as root is what gives write access to cn=config here.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.ldif
```
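As an added example (not the post's own script, and not part of OpenLDAP), the same clean-up step written in Python, so that the two things the egrep/sed pipeline relies on can be checked rather than assumed: continuation lines are joined back onto their attribute before anything is filtered, and the positional RDN is matched with any number of digits, so a schema that lands at index {10} or higher is handled too. The `SAMPLE` entry is a constructed, abridged stand-in for one of the slaptest output files, and `check_clean` reports anything that would still make ldapadd reject or misplace the entry.

```python
import re
import sys

# Operational attributes that slaptest writes into the generated cn=config
# schema entries. ldapadd refuses an entry that carries them, so they must go.
OPERATIONAL_ATTRS = {
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
}

# Constructed, abridged stand-in for ldif_result/cn=config/cn=schema/cn={3}samba.ldif.
# The olcAttributeTypes value is folded over two lines the way slaptest folds
# long values (a continuation line starts with one space).
SAMPLE = """\
dn: cn={3}samba
objectClass: olcSchemaConfig
cn: {3}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Pass
 word' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20091101000000Z
entryCSN: 20091101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20091101000000Z
"""


def unfold_ldif(text):
    """Join LDIF continuation lines onto the attribute they belong to, so a
    filter that drops a whole attribute never leaves a dangling fragment."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def clean_schema_ldif(text, name):
    """Rewrite one slaptest-generated schema entry so ldapadd accepts it:
    strip operational attributes and replace the positional cn={N}name RDN
    (any number of digits) with cn=name,cn=schema,cn=config."""
    dn_re = re.compile(r"^dn: cn=\{\d+\}" + re.escape(name) + r"$")
    cn_re = re.compile(r"^cn: \{\d+\}" + re.escape(name) + r"$")
    out = []
    for line in unfold_ldif(text):
        attr = line.split(":", 1)[0]
        if attr in OPERATIONAL_ATTRS:
            continue
        line = dn_re.sub(f"dn: cn={name},cn=schema,cn=config", line)
        line = cn_re.sub(f"cn: {name}", line)
        out.append(line)
    return "\n".join(out) + "\n"


def check_clean(text, name):
    """Return the problems that would make ldapadd reject or misplace the
    entry; an empty list means the LDIF is ready to load."""
    problems = []
    lines = unfold_ldif(text)
    expected_dn = f"dn: cn={name},cn=schema,cn=config"
    if not lines or lines[0] != expected_dn:
        problems.append(f"first line is not '{expected_dn}'")
    for line in lines:
        attr = line.split(":", 1)[0]
        if attr in OPERATIONAL_ATTRS:
            problems.append(f"operational attribute still present: {attr}")
        if re.match(r"^cn: \{\d+\}", line):
            problems.append(f"positional cn still present: {line}")
    return problems


if __name__ == "__main__":
    # Usage: python3 clean_schema.py <slaptest output file> <schema name> > name.ldif
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            cleaned = clean_schema_ldif(fh.read(), sys.argv[2])
        for problem in check_clean(cleaned, sys.argv[2]):
            sys.exit(f"refusing to emit LDIF: {problem}")
        sys.stdout.write(cleaned)
    else:
        sys.stdout.write(clean_schema_ldif(SAMPLE, "samba"))
```

The output is left unfolded (one long line per attribute); ldapadd accepts that, and it keeps the script from having to re-wrap values. Passing the wrong schema name, or feeding it a file whose dn is not at the expected index, makes `check_clean` fail rather than silently writing an entry that would end up somewhere other than cn=schema,cn=config.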
Next it’s time to finally get to kerberos, I hope...
Veli-Matti Lintu
Thanks for the thorough howto! I used many of the instructions detailed here to set up Kerberos for an existing Samba domain controller. I ran into one really nasty issue with ldap though, that’s described here:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/427842
Although the bug is closed, this error can occur if you migrate data where the bug is found…
Anyway, thanks for the thorough guide, will definitely follow more of these…
Regards,
Michael
Thanks, great job. Very useful. I’m working on getting Kerio MailServer/Connect to talk to an OpenLDAP server; this script helped me convert the .schema provided by Kerio. Great job.