Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next

LDAP Configuration Notes

When configuring a master and a slave LDAP server, it is advisable to use the master LDAP server for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers; however, many administrators will want to do so in order to provide redundant services. Of course, one or more BDCs may use any slave LDAP server. Then again, it is entirely possible to use a single LDAP server for the entire network.

When configuring a master LDAP server that will have slave LDAP servers, do not forget to configure this in the /etc/openldap/slapd.conf file. It must be noted that the DN of a server certificate must use the CN attribute to name the server, and the CN must carry the servers' fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC2830.

It does not really fit within the scope of this document, but a working LDAP installation is basic to LDAP-enabled Samba operation. When using an OpenLDAP server with Transport Layer Security (TLS), the machine name in /etc/ssl/certs/slapd.pem must be the same as in /etc/openldap/sldap.conf. The Red Hat Linux startup script creates the slapd.pem file with hostname “localhost.localdomain.” It is impossible to access this LDAP server from a slave LDAP server (i.e., a Samba BDC) unless the certificate is re-created with a correct hostname.

Do not install a Samba PDC so that is uses an LDAP slave server. Joining client machines to the domain will fail in this configuration because the change to the machine account in the LDAP tree must take place on the master LDAP server. This is not replicated rapidly enough to the slave server that the PDC queries. It therefore gives an error message on the client machine about not being able to set up account credentials. The machine account is created on the LDAP server, but the password fields will be empty. Unfortunately, some sites are unable to avoid such configurations, and these sites should review the ldap replication sleep parameter, intended to slow down Samba sufficiently for the replication to catch up. This is a kludge, and one that the administrator must manually duplicate in any scripts (such as the add machine script) that they use.

Possible PDC/BDC plus LDAP configurations include:

  • PDC+BDC -> One Central LDAP Server.

  • PDC -> LDAP master server, BDC -> LDAP slave server.

  • PDC -> LDAP master, with secondary slave LDAP server.

    BDC -> LDAP master, with secondary slave LDAP server.

  • PDC -> LDAP master, with secondary slave LDAP server.

    BDC -> LDAP slave server, with secondary master LDAP server.

In order to have a fallback configuration (secondary) LDAP server, you would specify the secondary LDAP server in the smb.conf file as shown in the Multiple LDAP Servers in smb.conf example.

Example5.2.Multiple LDAP Servers in smb.conf

passdb backend = ldapsam:"ldap:// ldap://"
Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire