Matt Richards wrote:

I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them when they expire.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP).  :)

Slapindex complains "bad configuration file". Slapd gives the more detailed:
line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.


Louis van Belle wrote:

[..snip..]

Hmm, well, looking at the config file the first thing that I notice is this ...

# The base of your directory in database #1
suffix          "dc=rahim-dale,dc=org"
rootdn                "cn=admin,dc=toronto,dc=ontario,dc=ca"


Your root DN isn't in the base of your LDAP tree; this should probably be something like ...

suffix          "dc=rahim-dale,dc=org"
rootdn                "cn=admin,dc=rahim-dale,dc=org"

Try it and let us know what happens :).

HTH

Matt.
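
The rule slapd is enforcing in the error above (rootpw is only accepted when the rootdn sits at or under the database suffix) can be checked before restarting the server. The script below is an added example, not code from the thread or from OpenLDAP: it reads the suffix, rootdn and rootpw directives from a slapd.conf-style file, normalises the DNs (case and whitespace around commas ignored) and applies the same comparison. It assumes a single database with one of each directive; the function names (norm_dn, conf_get, dn_under, check_slapd_conf, make_sample_conf) are this example's own, and the two sample files it writes are constructed to mirror the failing and the fixed lines from this thread, with `rootpw secret` as a placeholder for the {SSHA} hash slappasswd would produce.

```shell
#!/bin/sh
# Added example, not from the thread or OpenLDAP: reproduce slapd's
# "rootpw can only be set when rootdn is under suffix" rule offline.
# Assumes a slapd.conf-style file with one database and one suffix/rootdn/rootpw
# directive each; values may be double-quoted.

# Normalise a DN for comparison: trim, strip quotes, no spaces around commas, lowercase.
norm_dn() {
    printf '%s\n' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//' \
              -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        | tr 'A-Z' 'a-z'
}

# Print the value of the first uncommented "directive value" / "directive=value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=\{0,1\}[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# Succeed when DN $1 equals DN $2 or lies beneath it in the tree.
dn_under() {
    child=$(norm_dn "$1")
    parent=$(norm_dn "$2")
    case "$child" in
        "$parent"|*",$parent") return 0 ;;
    esac
    return 1
}

# The slapd startup rule: a rootpw is only accepted if rootdn is under suffix.
check_slapd_conf() {
    suffix=$(conf_get "$1" suffix)
    rootdn=$(conf_get "$1" rootdn)
    rootpw=$(conf_get "$1" rootpw)
    [ -n "$suffix" ] || { echo "$1: no suffix directive found"; return 2; }
    if [ -n "$rootpw" ] && ! dn_under "$rootdn" "$suffix"; then
        echo "$1: rootpw is set but rootdn '$rootdn' is not under suffix '$suffix'"
        return 1
    fi
    echo "$1: rootdn '$rootdn' is under suffix '$suffix'"
    return 0
}

# Write a constructed minimal slapd.conf fragment (placeholder rootpw, not a real hash).
make_sample_conf() {
    cat > "$1" <<EOF
database        bdb
# The base of your directory in database #1
suffix          "$2"
rootdn          "$3"
rootpw          secret
EOF
}

# Demo on two constructed files: the thread's failing lines, then the fix.
DEMO=$(mktemp -d)
make_sample_conf "$DEMO/bad.conf"  'dc=rahim-dale,dc=org' 'cn=admin,dc=toronto,dc=ontario,dc=ca'
make_sample_conf "$DEMO/good.conf" 'dc=rahim-dale,dc=org' 'cn=admin,dc=rahim-dale,dc=org'
check_slapd_conf "$DEMO/bad.conf" || true   # prints the mismatch, exit status 1
check_slapd_conf "$DEMO/good.conf"
rm -rf "$DEMO"
```

The comparison here is an approximation of slapd's own DN normalisation (case folding and whitespace only), so a DN written with escaped characters is not handled. Keep in mind what the rootdn is: an identity that is not an entry in the tree and bypasses all access controls for that database, so whoever can read rootpw from slapd.conf owns the directory; the file should be readable by root only and the rootpw should be a slappasswd hash rather than a cleartext value.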
You got it in one!  I've got slapd running.

Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, <GEN1> line 3." for each ou=<groupname> it tries to add.

Any ideas?
The smbldap-populate script requires authentication to the LDAP server; there is probably a problem with the login you have set in smbldap.conf ... if you have set any at all!

I would recommend looking through the smbldap-tools howto at
http://samba.idealx.org/smbldap-tools.en.html
and see if there is anything you have missed out, but the first thing I would try is this ...

...
3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameters that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

/usr/share/doc/smbldap-tools/configure.pl
...

Note: the smbldap-tools dir might not be located in your /usr/share/doc/ directory.

If this doesn't work you could attach your smbldap config file (with the password taken out, of course) so we can have a little look.

Matt.
I can't see anything wrong with my setup but even when I tweak the
settings a little, I get the same result. Here are: smbldap.conf,
smbldap_bind.conf (with passwords removed) and the smb.conf I'm using
for ldap (renamed right now because I'm keeping my old setup available
until I get this working).

One issue is my password does have an apostrophe and a period in it. It
shouldn't be an issue because the bind file has them in quotes. I've
also tried them escaped ("\") but that didn't change anything.
Ok, I have looked over everything and the only thing I can see at this moment is this ...

In your smbldap_bind.conf file you aren't using a bind DN of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the LDAP server, but the line in the config I gave you before was rootdn "cn=admin,dc=rahim-dale,dc=org" ... When you first set up LDAP no accounts exist in the LDAP database; the rootdn account is like a virtual account that will always have full access, and because of this (and I'm guessing your LDAP tree is blank) you will only be able to use the rootdn to bind at this time.

There are a few lines you can try to attempt to bind to the LDAP server ...

ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""

The first is the bind DN in your smbldap_bind.conf and the second is using the rootdn from the other email.

As your LDAP tree is blank you won't get much output, but one should fail with a bind error and the other should say something like no such object.

HTH; let me know if they work and I will see if I can see anything else that may be wrong.

Matt.
It's the one without the "family". The howto I've been following used
"internal" in some places, so I've been trying to follow that model,
replacing "internal" with "family". I went back and put the "family" in
the slapd.conf and now it worked with the "family". However, it still
failed to populate. In fact, the "adding new entry" lines still left out
family.

Next I removed family and tried again (stopping slapd and samba, running
slapindex then restarting the services each time). Still getting the
same problem.
Ok, now I think you have a root of dc=family,dc=rahim-dale,dc=org in your
ldap tree and all the scripts to create the entries in ldap are trying to
create entries under dc=rahim-dale,dc=org .. e.g
ou=Users,dc=rahim-dale,dc=org.

you have 2 options, ...

1. You can remove everything in the LDAP database (including the root
object) and make sure all the config files are pointing to the same place.

for this step it should be only ...

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=rahim-dale,dc=org"

in smbldap.conf

and cn=admin,dc=rahim-dale,dc=org for the slapd.conf rootdn line and
smbldap_bind.conf files

and then run the scripts again and everything should go nicely.

As I don't know how to remove everything in the LDAP tree and don't have an
OpenLDAP server lying around to try anything out on, I am also sending this
email to the OpenLDAP mailing lists. If anybody could help that would be
great. (ldapdelete, I guess?)


2. Change everything to have an LDAP base of dc=family,dc=rahim-dale,dc=org
and re-run the scripts; they should skip over everything that already
exists and just add the objects that don't exist.

Oh, also ...
if you re-run
ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
do you see a base and/or any other objects ?

attaching the output would be useful.

Also, LDAP can be quite complicated at first; if you're just starting to
use it I would recommend using a nice pretty front end so you can see what
is going on.
A good front end is ...
http://phpldapadmin.sf.net/ , however, this also requires a web server and
php being setup.

HTH

Matt.
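
Option 1 above comes down to making slapd.conf, smbldap.conf, smbldap_bind.conf and smb.conf all name the same base and, while the tree is still empty, the same bind identity as slapd's rootdn (the point made two messages up: with no entries in the directory, the rootdn is the only thing that can bind). The script below is an added example, not code from the thread or from smbldap-tools: it pulls suffix and rootdn from slapd.conf, suffix from smbldap.conf, masterDN and slaveDN from smbldap_bind.conf and ldap suffix / ldap admin dn from smb.conf, compares them after normalising, and also checks that smbldap_bind.conf carries no group/other permission bits, since (as the quoted howto says) that file holds the bind passwords. The function names (norm_dn, conf_get, check_consistency, check_bind_perms, write_samples) are this example's own, and the four files it writes are constructed fragments with placeholder passwords, not the poster's attachments; the first run reproduces the thread's mismatch (tools binding as cn=admin,dc=family,... while slapd's rootdn is cn=admin,dc=rahim-dale,...).

```shell
#!/bin/sh
# Added example, not from the thread or smbldap-tools: check that slapd.conf,
# smbldap.conf, smbldap_bind.conf and smb.conf all agree on the LDAP base and
# on the bind identity, and that smbldap_bind.conf is not group/world readable.
# Assumes one directive per line in "key value", "key=value" or "key = value" form.

# Normalise a DN for comparison: trim, strip quotes, no spaces around commas, lowercase.
norm_dn() {
    printf '%s\n' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//' \
              -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        | tr 'A-Z' 'a-z'
}

# Print the value of the first uncommented line for directive $2 in file $1.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=\{0,1\}[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# $1 slapd.conf  $2 smbldap.conf  $3 smbldap_bind.conf  $4 smb.conf
# Every suffix must equal slapd's suffix; while the tree is empty every bind DN
# must be slapd's rootdn, the only identity that can bind at that point.
check_consistency() {
    rc=0
    base=$(norm_dn "$(conf_get "$1" suffix)")
    rootdn=$(norm_dn "$(conf_get "$1" rootdn)")
    for item in "smbldap.conf suffix|$(conf_get "$2" suffix)" \
                "smb.conf ldap suffix|$(conf_get "$4" 'ldap suffix')"; do
        val=$(norm_dn "${item#*|}")
        [ "$val" = "$base" ] || { echo "suffix mismatch: ${item%%|*} is '$val', slapd.conf suffix is '$base'"; rc=1; }
    done
    for item in "smbldap_bind.conf masterDN|$(conf_get "$3" masterDN)" \
                "smbldap_bind.conf slaveDN|$(conf_get "$3" slaveDN)" \
                "smb.conf ldap admin dn|$(conf_get "$4" 'ldap admin dn')"; do
        val=$(norm_dn "${item#*|}")
        [ "$val" = "$rootdn" ] || { echo "bind DN mismatch: ${item%%|*} is '$val', but slapd.conf rootdn is '$rootdn'"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "all four files agree on base '$base' and bind DN '$rootdn'"
    return $rc
}

# smbldap_bind.conf holds the bind passwords: refuse any group/other permission bits.
check_bind_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -???------) echo "$1: mode $mode ok"; return 0 ;;
    esac
    echo "$1: mode $mode lets group/other read the bind password; use chmod 600"
    return 1
}

# Constructed fragments of the four files (placeholder passwords, not real ones).
# $1 dir  $2 suffix  $3 slapd rootdn  $4 DN the tools and Samba bind with
write_samples() {
    cat > "$1/slapd.conf" <<EOF
suffix          "$2"
rootdn          "$3"
rootpw          secret
EOF
    cat > "$1/smbldap.conf" <<EOF
# LDAP Suffix
suffix="$2"
usersdn="ou=Users,\${suffix}"
EOF
    cat > "$1/smbldap_bind.conf" <<EOF
slaveDN="$4"
slavePw="secret"
masterDN="$4"
masterPw="secret"
EOF
    cat > "$1/smb.conf" <<EOF
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = $2
   ldap admin dn = $4
EOF
}

# Demo: first the thread's situation (tools bind under dc=family while slapd's
# rootdn is directly under dc=rahim-dale), then the corrected set of files.
DEMO=$(mktemp -d)
write_samples "$DEMO" 'dc=rahim-dale,dc=org' 'cn=admin,dc=rahim-dale,dc=org' 'cn=admin,dc=family,dc=rahim-dale,dc=org'
check_consistency "$DEMO/slapd.conf" "$DEMO/smbldap.conf" "$DEMO/smbldap_bind.conf" "$DEMO/smb.conf" || true
write_samples "$DEMO" 'dc=rahim-dale,dc=org' 'cn=admin,dc=rahim-dale,dc=org' 'cn=admin,dc=rahim-dale,dc=org'
check_consistency "$DEMO/slapd.conf" "$DEMO/smbldap.conf" "$DEMO/smbldap_bind.conf" "$DEMO/smb.conf"
chmod 600 "$DEMO/smbldap_bind.conf"
check_bind_perms "$DEMO/smbldap_bind.conf"
rm -rf "$DEMO"
```

The password Samba itself uses for ldap admin dn is the one stored in secrets.tdb with smbpasswd -w (the "set the samba ldap admin password" step), and on an empty tree it has to be the rootpw for the same reason the smbldap_bind.conf passwords do. Once smbldap-populate has created the base entry and ou containers, you can switch all of these to a dedicated admin entry with its own password and stop handing the rootpw to every tool.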

Actually, your two suggestions were what I'd already tried (except for removing everything in the ldap database in 1 - how do you do that?). I guess my language was a little confusing. I even changed the smb.conf.

Here's the output you requested:

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: #

# search result
search: 2
result: 32 No such object

# numResponses: 1

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba