s4: Correct the parameter logic of the "setpassword" script

[Samba/aatanasov.git] / howto-ol-backend-s4.txt

Samba4  OpenLDAP-Backend Quick-Howto
====================================

oliver@itc.li  -  August 2009


This Mini-Howto describes in a very simplified way 
how to setup Samba 4 (S4) (pre)Alpha 9 with the
OpenLDAP (OL) -Backend.
Use of OpenLDAP >= 2.4.17 is strongly recommended.


1.) Download and compile OpenLDAP. 

The use of (older) Versions shipped with Distributions often
causes trouble, so dont use them. Configure-Example:

#> ./configure --enable-overlays=yes --with-tls=yes --with-cyrus-sasl=yes
#> make depend && make && make install

Note: openssl and cyrus-sasl libs should be installed
before compilation.



2.) Prepare S4 to use OL-Backend:

Run the provision-backend Python-Script first, then "final" provision
(these 2-step process will be merged in the future)

Simple provision-backend Example:

#> setup/provision-backend --realm=ldap.local.site \
  --domain=LDAP --ldap-admin-pass="linux" \
  --ldap-backend-type=openldap \
  --server-role='domain controller' \
  --ol-slapd="/usr/local/libexec/slapd"

After that, you should get a similar output:

--------
Your openldap Backend for Samba4 is now configured, and is ready to be started
Server Role:         domain controller
Hostname:            ldapmaster
DNS Domain:          ldap.local.site
Base DN:             DC=ldap,DC=local,DC=site
LDAP admin user:     samba-admin
LDAP admin password: linux
LDAP Debug-Output:
(1, 'connection to remote LDAP server dropped?')
Ok. - No other slapd-Instance listening on: ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi. Starting al provision.
Started slapd for final provisioning with PID: 21728

Now run final provision with: --ldap-backend=ldapi --ldap-backend-type=openldap --password=linux --username=sa=ldap.local.site --domain=LDAP --server-role='domain controller'

--------

Since this (pre)Alpha, you dont have to run slapd manually
any more. slapd will be started automatically, when 
provision-backend is done, listening on the
ldapi://-Socket. System should be ready 
for final provision now:


3.) Final provision:

Use the Parameters displayed above to run final provision.
(you can add --adminpass=<yourpass> to the parameters,
otherwise a random password will be generated for 
cn=Administrator,cn=users,<Your Base-DN>):

#> setup/provision --ldap-backend=ldapi \
   --ldap-backend-type=openldap --password=linux \
   --username=samba-admin --realm=ldap.local.site \
   --domain=LDAP --server-role='domain controller'\
   --adminpass=linux

At the End of the final provision you should get
the following output (only partial here). Read it carefully:

--------
...
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
LDAP Debug-Output:[Message({'dn': Dn(''), 'objectClass': MessageElement(['top','OpenLDAProotDSE'])})]
slapd-PID-File found. PID is :21728

File from provision-backend with stored PID found. PID is :21728

slapd-Process used for provisioning with PID: 21728
 will now be shut down.
slapd-Process used for final provision was properly shut down.
Use later the following commandline to start slapd, then Samba:
/usr/local/libexec/slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

This slapd-Commandline is also stored under: /usr/local/samba/private/ldap/slapd_command_file.txt
Please install the phpLDAPadmin configuration located at /usr/local/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
Once the above files are installed, your Samba4 server will be ready to use
Server Role:    domain controller
Hostname:       ldapmaster
NetBIOS Domain: LDAP
DNS Domain:     ldap.local.site
DOMAIN SID:     S-1-5-21-429312062-2328781357-2130201529
Admin password: linux

--------

Our slapd in "provision-mode" wiil be shut down automatically 
after final provision ends.


4.) Run OL and S4:

After you completed the other necessary steps (krb and named-specific),
start first OL with the commandline displayed in the output under (3),
(remember: the slapd-Commandline is also stored in the file ../slapd_command_file.txt)
then S4.



5.) Special Setup-Types:

a) OpenLDAP-Online Configuration (olc):
Use the provision-backend Parameter 

 --ol-olc=yes.

In that case, the olc will be setup automatically
under ../private/slapd.d/.
olc is accessible via "cn=samba-admin,cn=samba" and Base-DN "cn=config"
olc is intended primarily for use in conjunction with MMR

Attention: You have to start OL with the commandline
displayed in the output under (3), but you have to set a 
listening port of slapd manually:

(e.g. -h ldap://ldapmaster.ldap.local.site:9000)

Attention: You _should_not_ edit the olc-Sections
"config" and "ldif", as these are vital to the olc itself.


b) MultiMaster-Configuration (MMR):
At this time (S4 (pre)Alpha9) the only possible Replication setup.
Use the provision-backend Parameter:

 --ol-mmr-urls=<list of whitespace separated ldap-urls (and Ports <> 389!).

e.g.:
--ol-mmr-urls="ldap://ldapmaster1.ldap.local.site:9000 \ 
   ldap://ldapmaster2.ldap.local.site:9000"

Attention: You have to start OL with the commandline
displayed in the output under (3), but you have to set a 
listening port of slapd manually
(e.g. -h ldap://ldapmaster1.ldap.local.site:9000)

The Ports must be different from 389, as these are occupied by S4.