
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 341
  • Last Modified:

Linux LDAP server, need basic tutorial

I need to set up a LDAP server on Linux. Whenever I post a question about LDAP on any forum I typically get a one-liner that I don't understand. My follow-up posts generally go unanswered, which leads me to believe the respondent never actually used LDAP.

SO! I need some basic guidance on setting up LDAP from someone who's actually done it, please! My immediate objective is to configure an LDAP address book for the roundCube webmail client, but I'm hopeful this exercise will be applicable generally.

I am running Slackware64 14.1, kernel 3.10.17 on one host and have another running Slackware 13.37.0, kernel

The Slackware 14.1 host has Samba4, but my understanding is that Samba4 has LDAP, but that it might not be suited for normal LDAP use. If I can't use the 14.1 host I can use the 13.37.0 host, which doesn't have Samba4.

I basically understand what LDAP is for, but am pretty clueless about getting it setup. Most web postings I've found feel like I've been dropped into the "middle of the book" assuming lots of prior knowledge.

What do I need to do to get started?
2 Solutions
Kamran Arshad (IT Associate) commented:

Follow the below steps and let us know where you get stuck:
jmarkfoley (Author) commented:
Kamran Arshad: thanks for your response. The first place I'm stuck is at the beginning. Can I use OpenLDAP, or Samba4's own LDAP on my Samba4 server, or not? Things I've read say that Samba4 supplies its own LDAP and not to use "external" LDAP servers: "Samba has its own LDAP and Kerberos implementation, using external LDAP and Kerberos server is not recommended."

I don't know if this means Samba's LDAP will work for this exercise, or that I shouldn't actually use it. From this link, I get the feeling that I shouldn't.

So, your advice? Do you know if I can use Samba4's LDAP? If not, perhaps I should use the host with Samba 3.

btw - I can do some LDAP authentication tests on the Samba4 host:
$ host -t SRV _ldap._tcp.HPRS.LOCAL.
_ldap._tcp.HPRS.LOCAL has SRV record 0 100 389 mail.hprs.local.

$ host -t SRV _kerberos._udp.HPRS.LOCAL.
_kerberos._udp.HPRS.LOCAL has SRV record 0 100 88 mail.hprs.local.


jmarkfoley (Author) commented:
Hmmm, it appears that I'm back to my usual "follow-up posts" syndrome. Perhaps it was a mistake mentioning roundCube. I'm looking for someone experienced with LDAP on Linux to help me.

Let's fall-back to basics and try again ...

I have a Samba4 Linux server we'll call, and a Samba3 Linux server we'll call. How would I go about just plain authenticating from s3 to s4 using LDAP, given that LDAP things work normally?

To make a crude example, the LDAP is a cabinet or a tree. Somewhat analogous to a Database server with a database that includes a certain set of information from the get go.
There is the basic set dealing with user authentication/user information.
Once you install LDAP (whichever flavor you want: openLDAP, samba4/LDAP, or you have the MS AD), the configuration part of the LDAP server is done.
What you are looking for is to add additional structure (branches/limbs or shelves) to facilitate and deal with your requirements.
Different applications have different structures that they need to work.
At this stage when you have the different sets of data (elements) that the new application needs, the schema of your LDAP directory needs to be adjusted to deal with the application's requirements.
Since I've followed some of your prior posts, you need to adjust the records in your LDAP implementation (SAMBA4/LDAP AD DC) to include the MS Exchange schema structure.
What you are after is adding the additional tables to the database (LDAP Schema) that will contain the additional information.

The information dealing with schema modification, when searched for, will likely discuss/reference openLDAP since it's been around longer than the one you use (samba4/LDAP); it does not mean that you have to use openLDAP to implement the structural changes to your LDAP schema.

Back to the link/and your question about. You can use the link, skipping over the openldap reference but adjusting your samba4/ldap configurations to match.
I.e. the suggestion is to load slapd ldap-utils, php-ldap.  The LDAP-utils and php5-ldap are fairly standard, though their package names on slackware might be different.
My suggestion is, if you see commands that use ldapsearch, etc., all you need to do is confirm that you have these commands on your system.
which or apropos or straight run ldapsearch --help  to make sure it is available on your system.

You already have the LDAP server (samba4/LDAP) set up and operational.
The example/reference to the roundtree ( is a script to modify your LDAP schema to include the hierarchy/structure that roundree address book needs.

Your tree structure is
               . (root)
            local  (if you were inclined)
            hprs  (additional structure, test, meaning you would have records for requests with the base of dc=HPRS,dc=local and dc=test,dc=local) in this type of handling, the REALM in winbind or the use of test\username versus HPRS\username will differentiate the source of the data ........ not sure you would be able to use (winbind in this type of scenario i.e. you have two different organizations under the same roof, served by your samba4/LDAP samba can support different shares based on different realms/user authentication, not sure whether ....... getting or have I gotten way off track)

such that you need to adjust scripts before using them to make sure that you do not create structures such as localhost in the example when you do not need it.
Your references should always have "dc=HPRS,DC=local" as the base of any schema changes you make. Along the same lines, your rootdn is likely "cn=admin,dc=HPRS,DC=local", user admin on HPRS.local.

What are the results of your current setup if you run
ldapsearch -xLLL -H ldap://localhost:389 -D "cn=admin,dc=HPRS,dc=local" -w <yourpassword> -b "dc=HPRS,dc=local"
this should (if I am not mistaken in the instructions) display the current elements that exist in your setup all the organizational units/groups that you may have created as well as users.

besides adding structures, you also need to define the elements/objects within that includes in your case email address. Have to find/look at the exchange LDIF to ............

I hope this helps make it clearer (versus cloudier)
I think the answer is yes, you can configure S3 to use the LDAP on S4

i.e. you would configure likely slapd.conf with the information about the LDAP server on s4 and how to connect to it. ......
You could make s3 with openldap a replica of the Samba4/LDAP AD DC.
i.e. if firewalled, s4 will need to allow 389 and/or 636 (secure) in
The main purpose of user authentication is there, the issue is only with setting up the access.
As the schema is modified those app/resource will need to have the base of their LDAP access adjusted to reflect the correct structure of data.
jmarkfoley (Author) commented:
Sorry, did my threatened SBS2008ectomy over the weekend and still cleaning up the blood. Will get to this asap as I think I'm going to need it to suppress user howling.
Good luck.
jmarkfoley (Author) commented:
Sorry for the delay, at the tail end of SBS -> Samba4 conversion. Will try to get back to this in the next few days.
jmarkfoley (Author) commented:
Sorry for the looooong delay. Now getting back into this as a priority. This is possibly the last mystery I have to solve on my Samba AD/DC

Arnold: Ran your suggested command:

ldapsearch -xLLL -H ldap://localhost:389 -D "cn=admin,dc=HPRS,dc=local" -w <yourpassword> -b "dc=HPRS,dc=local"

I substituted what I believe is my cn (cn=Administrator) and that user's password. Got the following:

ldap_bind: Invalid credentials (49)
        additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

Administrator is configured as the AD/DC administrator:
$ samba-tool group listmembers "Domain Admins"
ldb_wrap open of secrets.ldb

$ samba-tool group listmembers "Administrators"
ldb_wrap open of secrets.ldb
Enterprise Admins
Domain Admins


This has kind of been my story with LDAP. Can't get past square-one.

Suggestions on how to move forward?
If you just run as root?
ldapsearch -xLLL -H ldap://localhost:389  -b "dc=HPRS,dc=local"

What happens?

ldapsearch -xLLL -H ldap://localhost:389 -W -b "dc=HPRS,dc=local"

The samba 4/LDAP integration scheme might .......
jmarkfoley (Author) commented:
That command didn't work; it gives:

$ ldapsearch -xLLL -H ldap://localhost:389  -b "dc=HPRS,dc=local"
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication

but this did:

ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"

Apparently Administrator "lives" in CN=Users
jmarkfoley (Author) commented:
Got some additional help from the SambaList. The following variation on your (Arnold's) suggested command worked:
ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"


Apparently the "CN=Users" bit is needed.

I can run this from the AD/DC or from other LAN computers not joined to the DC. I guess this confirms that LDAP is working.
Yes, missed that. ...
-W - prompt for password (more secure) as password not displayed as part of the process list.....
-w password - password provided
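Added example, not from anyone in this thread: a small sh wrapper around the ldapsearch call that worked above. It derives the base DN from the realm, builds the bind DN in the CN=Users container (which is where Administrator turned out to live), and reads the password from a mode-0600 file with ldapsearch's -y option so it never appears in the process list as -w would. It assumes the OpenLDAP client tools are installed, that the account really is in CN=Users, and that a realm such as HPRS.local maps to dc=HPRS,dc=local.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenLDAP client tools
# (ldapsearch with -y) and an account in the default CN=Users container.

# "HPRS.local" -> "dc=HPRS,dc=local": one dc= component per DNS label.
realm_to_base_dn() {
    printf '%s\n' "$1" | tr '.' '\n' | sed 's/^/dc=/' | paste -s -d ',' -
}

# Full bind DN for an account in the default Users container, e.g.
# "CN=Administrator,CN=Users,dc=HPRS,dc=local".
users_bind_dn() {
    printf 'CN=%s,CN=Users,%s\n' "$1" "$(realm_to_base_dn "$2")"
}

# ad_ldapsearch USER REALM PASSWORD_FILE [HOST] [FILTER]
# The password file must be mode 0600 (or 0400) and must NOT end in a
# newline: -y uses the file's complete contents as the password, so
# create it with:  printf '%s' "$PASSWORD" > "$file"; chmod 600 "$file"
ad_ldapsearch() {
    user=$1 realm=$2 pwfile=$3 host=${4:-localhost}
    filter="${5:-(objectClass=*)}"
    base=$(realm_to_base_dn "$realm")
    # Refuse a password file that other users on the host can read.
    mode=$(stat -c %a "$pwfile" 2>/dev/null || stat -f %Lp "$pwfile")
    case $mode in
        600|400) ;;
        *) echo "refusing: $pwfile must be mode 0600, is $mode" >&2; return 2 ;;
    esac
    # Simple bind (-x) as the full DN; -LLL prints plain LDIF.
    ldapsearch -xLLL -H "ldap://$host:389" \
        -D "$(users_bind_dn "$user" "$realm")" -y "$pwfile" \
        -b "$base" "$filter"
}

# Interactive use:  . ./ad_ldapsearch.sh
#                   ad_ldapsearch Administrator HPRS.local ~/.adpw mail.hprs.local
```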
jmarkfoley (Author) commented:
Arnold's command confirmed that my LDAP is working OK. My comment has the correct syntax of the command.
Question has a verified solution.