OpenLDAP Everywhere Revisited

Samba 3 offers new capabilities for a unified directory for all clients. Get mail, file sharing and more all working together with the latest software.
Create LDAP User Login Entries

A user login entry is identified by its login name, held in the uid attribute. Login users live under ou=people, giving a dn of this form:

dn: uid=gomerp,ou=people,dc=foo,dc=com

The full entry, shown in Listing 4, carries the attributes needed to control account access and also the attributes needed by the Samba configuration discussed below.

OpenLDAP ships with migration utilities that can extract the user account information; see /usr/share/openldap/migration. To convert an existing /etc/passwd file to LDIF, start with the configuration file shared by the migration scripts. Edit it to set your DNS domain and default base and to enable the extended schema:

# Default DNS domain

# Default base
$DEFAULT_BASE = "dc=foo,dc=com";

# turn this on to support more general object classes
# such as person.

Extract the user account information from /etc/passwd:

/usr/share/openldap/migration/ \
/etc/passwd > people.ldif

Review the resulting LDIF file. Remove the entries for system accounts such as root and for local users that do not need to appear in LDAP. Note that when the script is run as root it copies each user's password hash from /etc/shadow into the userPassword attribute, so treat people.ldif with the same care as /etc/shadow and delete it once the entries have been loaded.

Add the user entries to LDAP and test with an ldapsearch command, as discussed above. The ldapadd command performs a simple bind as the directory manager, which sends the manager password in the clear unless the connection is protected, so run it on the server itself, or add -ZZ to require StartTLS (or point -H at an ldaps:// URI):

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f people.ldif

Because the login users belong to ou=people, you can now look up their e-mail addresses from within your e-mail client.

Create Group Entries

Make a group entry for each group that is to be shared between Linux computers; each user also needs an entry for their user private group. A group entry is identified by cn and lives under ou=Groups, for example:

dn: cn=gomerp,ou=Groups,dc=foo,dc=com

A user private group would look like this:

dn: cn=gomerp,ou=Groups,dc=foo,dc=com
objectclass: posixGroup
objectclass: top
cn: gomerp
userPassword: {crypt}x
gidNumber: 5223

A shared group would look like:

dn: cn=web_dev,ou=Groups,dc=foo,dc=com
objectclass: posixGroup
objectclass: top
cn: web_dev
gidNumber: 5019
memberUid: gomerp
memberUid: goober
memberUid: barneyf

Extract the group information from /etc/group:

/usr/share/openldap/migration/ \
/etc/group > group.ldif

Review the resulting LDIF file. Remove entries for system groups such as root and for the private groups of local users that were not added to LDAP.

Add the group entries to LDAP and test with an ldapsearch command:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f group.ldif
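As an added example (not one of the OpenLDAP migration scripts and not code from the article), the following Python applies the same review to constructed passwd and group lines: it drops system accounts and groups below a chosen uid/gid threshold, keeps each migrated user's private group and the shared groups they belong to, and base64-encodes any value LDIF cannot carry verbatim. The mail domain foo.com and the threshold of 500 are assumptions; the sample lines are constructed, and unlike the migration scripts this code does not copy password hashes from /etc/shadow.

```python
"""Turn /etc/passwd and /etc/group lines into LDIF for ou=people and ou=Groups.

Added example, not the OpenLDAP migration scripts: it applies the article's
review step (drop system accounts and groups nobody migrated belongs to) and
base64-encodes values that LDIF cannot carry verbatim.
"""
import base64

BASE_DN = "dc=foo,dc=com"   # base DN used throughout the article
MAIL_DOMAIN = "foo.com"     # assumption: the article does not state its mail domain
MIN_UID = 500               # assumption: first non-system uid/gid on the source host

# Constructed sample input, not a real password or group file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
gomerp:x:5223:5223:Gomer Pyle:/home/gomerp:/bin/bash
goober:x:5224:5224:Goober Pyle:/home/goober:/bin/bash
barneyf:x:5225:5225:Barney Fife:/home/barneyf:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,gomerp
gomerp:x:5223:
goober:x:5224:
barneyf:x:5225:
web_dev:x:5019:gomerp,goober,barneyf
"""


def ldif_attr(name, value):
    """One 'name: value' line; uses '::' base64 when value is not an RFC 2849 SAFE-STRING."""
    if value.isascii() and value[:1] not in (" ", ":", "<") and not set(value) & {"\0", "\n", "\r"}:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"


def entry(dn, attrs):
    """Render one entry from (name, value) pairs; repeat a name for multi-valued attributes."""
    return "\n".join([ldif_attr("dn", dn)] + [ldif_attr(n, v) for n, v in attrs]) + "\n"


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, gecos, home, shell = line.split(":")
            users.append(dict(name=name, uid=int(uid), gid=int(gid),
                              gecos=gecos, home=home, shell=shell))
    return users


def parse_group(text):
    groups = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups.append(dict(name=name, gid=int(gid),
                               members=[m for m in members.split(",") if m]))
    return groups


def migrate(passwd_text, group_text, min_uid=MIN_UID):
    """Return LDIF for the accounts and groups worth sharing; system entries stay local."""
    users = [u for u in parse_passwd(passwd_text) if u["uid"] >= min_uid]
    kept = {u["name"]: u for u in users}
    out = []
    for u in users:
        cn = u["gecos"].split(",")[0] or u["name"]    # full name from GECOS, other fields ignored
        out.append(entry(f"uid={u['name']},ou=people,{BASE_DN}", [
            ("uid", u["name"]), ("cn", cn), ("sn", cn.split()[-1]),
            ("mail", f"{u['name']}@{MAIL_DOMAIN}"),
            ("objectClass", "person"), ("objectClass", "organizationalPerson"),
            ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"), ("objectClass", "top"),
            ("uidNumber", str(u["uid"])), ("gidNumber", str(u["gid"])),
            ("homeDirectory", u["home"]), ("loginShell", u["shell"]),
        ]))
    for g in parse_group(group_text):
        owner = kept.get(g["name"])
        private = owner is not None and owner["gid"] == g["gid"]   # user private group
        members = [m for m in g["members"] if m in kept]
        if g["gid"] < min_uid or not (private or members):
            continue    # system group, or a group no migrated user belongs to
        out.append(entry(f"cn={g['name']},ou=Groups,{BASE_DN}",
                         [("objectClass", "posixGroup"), ("objectClass", "top"),
                          ("cn", g["name"]), ("gidNumber", str(g["gid"]))]
                         + [("memberUid", m) for m in members]))
    return "\n".join(out)


if __name__ == "__main__":
    print(migrate(SAMPLE_PASSWD, SAMPLE_GROUP))
```

Run it and pipe the output into ldapadd as in the commands above. The threshold does the work of the manual review: root, daemon and wheel never leave the host, and a group is only exported when at least one migrated user owns or belongs to it.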

Configure Automount to Share Home Directories and NFS Shares

With unified login, each user has a single home directory that is shared by way of the Network File System (NFS). We host the home directories on our file server and export /home; the file server and OpenLDAP do not need to run on the same machine. NFS itself is outside the scope of this article, but here is the line from /etc/exports that exports the home directories. Name only your own hosts or subnet as clients rather than every host, and keep the default root_squash option so that root on a client is not root on the server:

/home *

Linux LDAP clients mount the user's home directory at login using automount and NFS. Storing automount maps in LDAP replaces the NIS (Network Information Service) automount maps. We replace the auto.master, auto.home and auto.misc maps, starting with a new organizational unit for auto.master:

dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

An auto.master entry is identified by its cn, the mount point. Its automountInformation attribute tells automount to read the map from LDAP:

dn: cn=/h,ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=foo,dc=com
cn: /h

While we're at it, let's create an auto.master entry for other NFS shared directories:

dn: cn=/share,ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com
cn: /share

Create the automount entries in LDIF format, save as auto.master.ldif and add the entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f auto.master.ldif

Next, we create a new organizational unit for auto.home:

dn: ou=auto.home,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

A home directory entry is identified by cn, the user's login name. Each entry must also carry an automountInformation attribute holding the mount options and the server:/path of that user's home directory; the automount object class requires it:

dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
cn: gomerp

Create auto.home entries for each user in ldif format, save as auto.home.ldif and add the entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W \
-f auto.home.ldif

When automounted from a Linux LDAP client, your home directory is mounted on /h/gomerp. Other NFS shares may be entered in LDAP and automounted as needed; the ou=auto.misc organizational unit holds those maps.

We've already created an auto.master entry for /share, as shown above. Now we create the ou=auto.misc entry:

dn: ou=auto.misc,dc=foo,dc=com
ou: auto.misc
objectClass: top
objectClass: automountMap

Create entries for the NFS shares under ou=auto.misc. Each is identified by cn and must also carry an automountInformation attribute with the mount options and the server:/path of the share:

dn: cn=redhat,ou=auto.misc,dc=foo,dc=com
objectClass: automount
cn: redhat

dn: cn=engineering,ou=auto.misc,dc=foo,dc=com
objectClass: automount
cn: engineering

Save the entries as auto.misc.ldif and add the entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f auto.misc.ldif

When automounted from a Linux LDAP client, your shared directory is mounted on /share/engineering.
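Before running ldapadd it is worth checking the reviewed LDIF mechanically. This added Python lint (not from the article) parses an LDIF file, including folded lines and base64 (::) values, and flags the mistakes the review steps above are meant to catch: system accounts that slipped through, userPassword values stored without a {scheme} prefix, memberUid values with no matching account in the file, automount entries lacking the required automountInformation attribute, and auto.master entries that point at a map the file does not define. The sample LDIF is constructed with one of each fault; the uid threshold of 500 is an assumption.

```python
"""Lint reviewed LDIF before ldapadd.

Added example, not from the article: catches the slips the manual review
is meant to find. The sample below is constructed with one of each fault.
"""
import base64

MIN_UID = 500   # assumption: first non-system uid on the source host

# Constructed sample with deliberate problems; not the article's listings.
SAMPLE_LDIF = """\
dn: uid=root,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0

dn: uid=gomerp,ou=people,dc=foo,dc=com
objectClass: posixAccount
uid: gomerp
uidNumber: 5223
gidNumber: 5223
userPassword: hunter2

dn: cn=web_dev,ou=Groups,dc=foo,dc=com
objectClass: posixGroup
cn: web_dev
gidNumber: 5019
memberUid: gomerp
memberUid: goober

dn: ou=auto.master,dc=foo,dc=com
objectClass: automountMap
ou: auto.master

dn: cn=/share,ou=auto.master,dc=foo,dc=com
objectClass: automount
cn: /share
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com

dn: ou=auto.home,dc=foo,dc=com
objectClass: automountMap
ou: auto.home

dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
cn: gomerp
"""


def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per entry; unfolds continuations, decodes '::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(name.lower(), []).append(value.strip())
    return entries


def lint(entries, min_uid=MIN_UID):
    """Return human-readable findings; an empty list means the file looks sane."""
    findings = []
    dns = {e.get("dn", [""])[0].lower() for e in entries}
    accounts = {e.get("uid", [""])[0] for e in entries
                if "posixaccount" in {c.lower() for c in e.get("objectclass", [])}}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        uidn = e.get("uidnumber")
        if "posixaccount" in classes and uidn and int(uidn[0]) < min_uid:
            findings.append(f"{dn}: system account (uidNumber < {min_uid}), remove it")
        for pw in e.get("userpassword", []):
            if not pw.startswith("{"):     # no {crypt}/{SSHA} prefix: stored as cleartext
                findings.append(f"{dn}: userPassword has no {{scheme}} prefix, it is cleartext")
        if "posixgroup" in classes:
            for m in e.get("memberuid", []):
                if m not in accounts:      # may already exist in the directory, so a warning
                    findings.append(f"{dn}: memberUid {m} has no posixAccount in this file")
        if "automount" in classes:
            info = e.get("automountinformation")
            if not info:
                findings.append(f"{dn}: automount entry lacks automountInformation (MUST in the schema)")
            elif info[0].startswith("ldap:") and info[0][5:].lower() not in dns:
                findings.append(f"{dn}: refers to map {info[0][5:]} which this file does not define")
    return findings


if __name__ == "__main__":
    for problem in lint(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run it over people.ldif, group.ldif and the automount files together, since the group and auto.master checks cross-reference entries in the other files; a memberUid finding is only a warning when the account already exists in the directory, but the other four findings will either be rejected by slapd or, in the case of a cleartext userPassword, be accepted and stored as-is.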





Anonymous

GOOD. It was very useful to solve the problem,

Thank you very much

LDBM and RedHat OpenLDAP Version

Quanah Gibson-Mount

There are two things wrong with this article:

(1) It shows a setup using the LDBM database. This is very unfortunate, since LDBM is not "data safe" and will happily corrupt or lose data without informing you. See for more information on the problems with LDBM.

(2) It shows usage of the RedHat distributed version of OpenLDAP. RedHat traditionally does a very poor job of packaging OpenLDAP, and this remains the case to this day. In addition, 2.2.13 is a very old release at this point, on a historic version of OpenLDAP. 2.3 is the current release branch, with 2.3.20 the current stable release. There are at least 2 DOS vulnerabilities in the 2.2.13 OpenLDAP release, as well as hundreds of bugs that were fixed since then.

If you are using RedHat, and want to use OpenLDAP without updating the local RedHat OpenLDAP libraries, I suggest using CDS3 silver, available for *free* from CDS3 is a packaged version of OpenLDAP 2.3 with *additional* features over OpenLDAP.


Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

So long and thanks for all the spam?

Jason Elovich

We appreciate the spam disguised as useful info, really.

Since CDS silver free

Anonymous

Since CDS silver is a free packaging of OpenLDAP 2.3, I don't see this as spam, any more than me posting to let you know that I provide my own packages of OpenLDAP 2.3.

Of course, both Quanah and I have vested interests in recommending that users (1) don't use ldbm, and (2) use 2.3 ... because we both end up helping the unfortunate users who get stuck after following advice like in this article on the openldap-software mailing list.

Since you don't ... well you can say whatever you like about both of these posts and we won't care.

Although you do help people

Anonymous

Although you do help people Buchan and provide great packages, Quanah is more likely to insult people for not paying for support if the post actually makes it to the OpenLDAP list. It is extremely difficult to get any helpful support for OpenLDAP if you're not a guru or the topic is not absolutely, strictly limited to only OpenLDAP of the latest release.

Samba Schema

Compunuts-2

I can't seem to find Samba Schema mentioned in "include /etc/openldap/schema/samba.schema" line. Can someone explain a little more on whether I really need samba schema and where I can download it? Thanks.

Location of samba schema

Dean

In Debian this schema can be found in /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz; you can copy and extract this file into the schema directory. The Samba docs have to be installed, of course.

You do need it. Try

Anonymous

You do need it. Try googling for "samba.schema", or on your server "locate samba.schema"

automountMap vs. nisMap

drswalton

Very useful article. I used their earlier articles as a guide to setting up OpenLDAP in my area, along with ones by Mick Bauer, and I couldn't have done it without them.

I only have one comment: the use of the automountMap objectClass. If you use the script in recent versions of OpenLDAP, it uses the nisMap objectClass and nisMapName to describe automounts. I am not sure if one or the other is deprecated or both are supported.