# OpenLDAP & modules (syncprov.la)

## Naughtyus

I'm trying to set up a replicating OpenLDAP server as in the samba docs here: http://wiki.samba.org/index.php/2.0._Configuring_LDAP

They suggest that in the slapd.conf file, I load several modules, including syncprov.la.  Unfortunately, I can't find this file anywhere on my system, and can't find any help on google about how I should go about getting them onto my system.  Any ideas?

----------

## smerf

A bit about overlays and the Sync Provider overlay:

http://linux.die.net/man/5/slapd.overlays

http://linux.die.net/man/5/slapo-syncprov

What openldap version do you use, and what USE flags?

You will need to add --enable-syncprov or --enable-overlays during the ./configure stage, which means you should use USE="-minimal overlays" (consult your ebuild for details).

Using 'overlays' implies --enable-overlays=mod - maybe you have syncprov built in?

```
if ! use minimal ; then
        myconf="${myconf} --enable-slapd --enable-slurpd"

        # --- CUT --- #

        # slapd options
        myconf="${myconf} $(use_enable crypt) $(use_enable slp)"
        myconf="${myconf} --enable-rewrite --enable-rlookups"
        myconf="${myconf} --enable-aci --enable-modules"
        myconf="${myconf} --enable-cleartext --enable-slapi"
        myconf="${myconf} $(use_enable samba lmpasswd)"

        # slapd overlay options
        myconf="${myconf} --enable-dyngroup --enable-proxycache"
        use overlays && myconf="${myconf} --enable-overlays=mod"
        myconf="${myconf} --enable-syncprov"
```

----------

## Naughtyus

The first install I didn't have 'overlays' in my use flags, so I have rebuilt it with that, but the module appears to not have been installed.  I'm about to try on two fresh systems with your suggested method.  Thanks!

----------

## smerf

If you do not have USE="overlays" it is possible that this module is built in - comment out 'moduleload' and see if 'overlay syncprov' works.

----------

## Naughtyus

It seems to work when I set the USE flags as you suggested, so thank you for your assistance there.  I've run into another snag though, for the step in the guide where I'm supposed to type:

```
[root@node1 sbin]# ./smbldap-useradd -m -a root
[root@node1 sbin]# ./smbldap-passwd root
Changing password for root
New password :
Retype new password
```

I instead get:

```
SL-011 log # smbldap-useradd -m -a root
failed to perform search; No such object at /usr/sbin//smbldap_tools.pm line 362.
Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
```

And if I look in my /var/log/messages, I can see the following:

```
Jul 16 09:34:51 localhost slapd[18125]: conn=5 op=7 SRCH base="ou=Groups,dc=hatfield,dc=local" scope=2 deref=0 fi$
Jul 16 09:34:51 localhost slapd[18125]: conn=5 op=7 SRCH attr=sambaSID
Jul 16 09:34:51 localhost slapd[18125]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Jul 16 09:34:51 localhost slapd[18125]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 16 09:34:51 localhost slapd[18125]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 16 09:34:51 localhost slapd[18125]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 16 09:34:51 localhost slapd[18125]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 16 09:34:51 localhost slapd[18125]: <= bdb_equality_candidates: (sambaSIDList) not indexed
```

----------

## Naughtyus

Also, this is the first step that I had any sort of snag after following through with the directions from the samba website.  I also tried adding "restrict anonymous = 1" to the smb.conf file, as in this forum post https://forums.gentoo.org/viewtopic-p-3958423.html , but didn't have any results there either.

----------

## Naughtyus

Disregard this post - samba starts after I run the following command, but I'm back with the 'no such object at /usr/sbin//smbldap_tools.pm line 362' error:

```
smbpasswd -w SambaAdmin
```

Hmm... Actually, on the PDC it looks like samba isn't even starting anymore.  /var/log/samba/smbd gives the following:

```
[2008/07/16 10:04:19, 1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2613)
  User account [nobody] not found!
[2008/07/16 10:04:19, 0] smbd/server.c:main(1059)
  ERROR: failed to setup guest info.
```

Although, my /etc/samba/smbusers file does have the following line:

```
nobody = guest pcguest smbguest
```

----------

## smerf

First of all, start slapd manually with full debug output and watch the console as you type anything else...

Can you tell me what object it is looking for? Is this objectClass=sambaDomain? This entry should hold information like sambaDomainName, sambaNextUserRid, sambaSID, sambaMaxPwdAge and so on...

What smbldap-tools version do you use?

----------

## Naughtyus

Using smbldap-tools-0.9.1-r1 from the portage stable tree.

Ok, so I'm starting out fresh here, running the following commands:

```
SL-011 ~ # slapadd -b "dc=hatfield,dc=local"  -v -l preload-hatfield.ldif
added: "dc=hatfield,dc=local" (00000001)
added: "cn=Manager,dc=hatfield,dc=local" (00000002)
added: "cn=syncuser,dc=hatfield,dc=local" (00000003)
added: "cn=sambaadmin,dc=hatfield,dc=local" (00000004)
added: "cn=mailadmin,dc=hatfield,dc=local" (00000005)
added: "ou=Users,dc=hatfield,dc=local" (00000006)
added: "ou=People,ou=Users,dc=hatfield,dc=local" (00000007)
added: "ou=Computers,ou=Users,dc=hatfield,dc=local" (00000008)
added: "ou=Groups,dc=hatfield,dc=local" (00000009)
added: "ou=Domains,dc=hatfield,dc=local" (0000000a)
added: "sambaDomainName=HATFIELD,ou=Domains,dc=hatfield,dc=local" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=hatfield,dc=local" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=hatfield,dc=local" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=hatfield,dc=local" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=hatfield,dc=local" (0000000f)
added: "cn=Administrators,ou=Groups,dc=hatfield,dc=local" (00000010)
added: "cn=Account Operators,ou=Groups,dc=hatfield,dc=local" (00000011)
added: "cn=Print Operators,ou=Groups,dc=hatfield,dc=local" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=hatfield,dc=local" (00000013)
added: "cn=Replicators,ou=Groups,dc=hatfield,dc=local" (00000014)
SL-011 ~ # chown -R ldap.ldap /var/lib/openldap-data/
SL-011 ~ # smbpasswd -w SambaAdmin
Setting stored password for "cn=sambaadmin,dc=hatfield,dc=local" in secrets.tdb
```

At this point, I start slapd with this command:

```
/usr/lib64/openldap/slapd -d 255 -f /etc/openldap/slapd.conf
```

Now when I run 'smbldap-useradd -m -a username', I get the output above (Error looking for next uid...).

One interesting thing is the console output from slapd.  Before I run any commands it looks ok: I see references to my domain (hatfield.local), and it sits happily waiting for input.  When I run the smbldap-useradd command, I see a lot of references to IDEALX.org (where I would expect to see HATFIELD.local instead), i.e.:

```
>>> dnPrettyNormal: <sambaDomainName=IDEALX-NT,dc=idealx,dc=org>
```

my ldif entry to sambaDomain is:

```
dn: sambaDomainName=HATFIELD,ou=Domains,dc=hatfield,dc=local
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: HATFIELD
sambaSID: S-1-5-21-2173393106-846196495-3825328646
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
```

----------

## Naughtyus

Also, if it isn't clear, I'm doing my best to go directly from the directions posted here: http://wiki.samba.org/index.php/1.0._Configuring_Samba , so most of the config files are the same as those posted there, but with 'differentialdesign.org' replaced with my domain.

----------

## Naughtyus

Another thing: since the fresh install, I've been trying to get the "easy" replication mode working.  I've just tried getting the delta sync method working again, and I still get the following error (even though I compiled openldap with the overlays USE flag):

```
SL-011 ~ # slapadd -b "dc=hatfield,dc=local" -v -l preload-hatfield.ldif 
/etc/openldap/slapd.conf: line 26: index attribute "reqEnd" undefined
slapadd: bad configuration file!
```

reqEnd I believe is part of the syncprov.la module.  I just tried the same with openldap2.4.10, with the same result.
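
For reference, an added slapd.conf fragment (not from this thread or the samba wiki) showing the ordering the provider side of delta-syncrepl needs: reqStart, reqEnd and reqResult are attributes defined by the accesslog overlay's schema, so accesslog.la has to be loaded (or built in, in which case the moduleload lines are dropped) before any index directive that names them. The module path and the accesslog directory are assumptions; the suffix and rootdn are the ones posted in this thread.

```conf
# Added example: provider-side ordering for delta-syncrepl.
# modulepath and the accesslog directory are assumptions; adjust for your build.
modulepath  /usr/lib64/openldap/openldap
moduleload  accesslog.la
moduleload  syncprov.la

# Change-log database that delta-syncrepl consumers read
database    bdb
suffix      cn=accesslog
directory   /var/lib/openldap-accesslog
rootdn      cn=accesslog
# reqStart/reqEnd/reqResult come from the accesslog overlay schema,
# so this index line only parses once accesslog.la is loaded above.
index       default eq
index       entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay     syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Primary database (suffix and rootdn as in the slapd.conf posted in this thread)
database    bdb
suffix      "dc=hatfield,dc=local"
rootdn      "cn=Manager,dc=hatfield,dc=local"
directory   /var/lib/openldap-data
overlay     syncprov
syncprov-checkpoint 100 10
overlay     accesslog
logdb       cn=accesslog
logops      writes
logsuccess  TRUE
logpurge    07+00:00 01+00:00
```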

----------

## smerf

Have you edited all configuration files for smbldap-tools (/etc/smbldap-tools/*.conf)?

IDEALX looks like a forgotten config file (it is the default).

----------

## Naughtyus

Yep, you were right there - I hadn't touched the .conf files in /etc/smbldap-tools.  I updated those with what should be the correct values for my system, and that has cleaned up the output of my slap daemon, however I'm still getting the 'can't find next uid' error when I try to add a user.  Do you know of any good examples of what I should set my smbldap.conf and smbldap_bind.conf files up like in case that is where the problem lies?

```
SL-011 ~ # smbldap-useradd -m -a root
Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
```

----------

## Naughtyus

My smbldap.conf file looks like this:

```
SID="S-1-5-21-2173393106-846196495-3825328646"
sambaDomain="HATFIELD"
ldapTLS="0"
suffix="dc=hatfield,dc=local"
sambaUnixIdPooldn="sambaDomainName=HATFIELD,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="hatfield.local"
```

My smbldap_bind.conf looks like this:

```
slaveDN="cn=Manager,dc=hatfield,dc=local"
slavePw="Manager"
masterDN="cn=Manager,dc=hatfield,dc=local"
masterPw="Manager"
```

After making those modifications and restarting both servers, my output is now:

```
SL-011 smbldap-tools # smbldap-useradd -m -a root    
Argument "" isn't numeric in addition (+) at /usr/lib64/perl5/vendor_perl/5.8.8/Net/LDAP.pm line 453.
Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
```
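
An added check, not code from this thread or from smbldap-tools: it parses an smbldap.conf, expands ${suffix} the way smbldap-tools does in its own configuration, and verifies that sambaUnixIdPooldn resolves to an entry in the preload LDIF that actually carries uidNumber and gidNumber, the values smbldap-useradd reads to pick the next uid. The two inputs are constructed from the smbldap.conf and the sambaDomain LDIF entry posted above.

```python
import re
# Constructed inputs, copied from the smbldap.conf and preload LDIF posted in this thread.
SMBLDAP_CONF = """\
suffix="dc=hatfield,dc=local"
sambaUnixIdPooldn="sambaDomainName=HATFIELD,${suffix}"
"""
PRELOAD_LDIF = """\
dn: sambaDomainName=HATFIELD,ou=Domains,dc=hatfield,dc=local
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: HATFIELD
"""
def normalize_dn(dn):
    # Case- and whitespace-insensitive form for comparing DNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_smbldap_conf(text):
    # key="value" lines; ${name} is expanded the way smbldap_tools.pm expands ${suffix}.
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip().strip('"')
    expand = lambda v: re.sub(r"\$\{(\w+)\}", lambda m: conf.get(m.group(1), ""), v)
    return {k: expand(v) for k, v in conf.items()}

def parse_ldif(text):
    # Minimal LDIF reader: entries separated by blank lines, one "attr: value" per line.
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries

def check_id_pool(conf_text, ldif_text):
    # (ok, message): the pool DN must exist with uidNumber/gidNumber, else there is no next uid.
    conf, entries = parse_smbldap_conf(conf_text), parse_ldif(ldif_text)
    pool = normalize_dn(conf["sambaUnixIdPooldn"])
    if (entry := entries.get(pool)) is None:
        pools = [dn for dn, a in entries.items() if "sambaunixidpool" in map(str.lower, a.get("objectclass", []))]
        return False, f"{pool} not found; sambaUnixIdPool entries present: {pools}"
    missing = [a for a in ("uidnumber", "gidnumber") if a not in entry]
    if missing:
        return False, f"{pool} lacks {missing}"
    return True, f"{pool} ok, next uid {entry['uidnumber'][0]}"
```

Run against the posted values the check fails and lists the pool entry that does exist under ou=Domains; with sambaUnixIdPooldn pointing at that DN it passes and reports the next uid.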

----------

## Naughtyus

Also, for consistency, my slapd.conf file from the PDC:

```
# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

database    bdb
suffix      "dc=hatfield,dc=local"
rootdn      "cn=Manager,dc=hatfield,dc=local"
rootpw      Manager
directory   /var/lib/openldap-data

replica  host=SL-012.hatfield.local:389
           suffix="dc=hatfield,dc=local"
           binddn="cn=syncuser,dc=hatfield,dc=local"
           bindmethod=simple credentials=SyncUser
replogfile  /var/lib/ldap/replogfile

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=hatfield,dc=local" write
        by dn="cn=syncuser,dc=hatfield,dc=local" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=hatfield,dc=local" write
        by dn="cn=syncuser,dc=hatfield,dc=local" read

access to *
        by dn="cn=sambaadmin,dc=hatfield,dc=local" write
        by dn="cn=syncuser,dc=hatfield,dc=local" read
        by * read

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
```

Here is the ldap.conf file from the PDC:

```
#/etc/ldap.conf
# LDAP Master

host    SL-011.hatfield.local SL-012.hatfield.local
base    dc=hatfield,dc=local
binddn  cn=Manager,dc=hatfield,dc=local
bindpw  Manager
bind_policy soft
pam_password exop

nss_base_passwd ou=People,ou=Users,dc=hatfield,dc=local?one
nss_base_shadow ou=People,ou=Users,dc=hatfield,dc=local?one
nss_base_passwd ou=Computers,ou=Users,dc=hatfield,dc=local?one
nss_base_shadow ou=Computers,ou=Users,dc=hatfield,dc=local?one
nss_base_group  ou=Groups,dc=hatfield,dc=local?one

ssl     no
```

And the smb.conf from the PDC:

```
# # Primary Domain Controller smb.conf
# # Global parameters
[global]
unix charset = LOCALE
workgroup = HATFIELD
netbios name = SL-011
#passdb backend = ldapsam:ldap://127.0.0.1
passdb backend = ldapsam:"ldap://192.168.10.11 ldap://192.168.10.12"
#passdb backend =ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
#printcap name = CUPS
#nobody = guest
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
#logon script = %u.bat
#logon path = \\192.168.10.11\profiles\%u
#logon path = \\nodes.differentialdesign.org\profiles\%u
#logon drive = H:
domain logons = Yes
domain master = Yes
wins support = Yes
# performance optimization: all users stored in ldap
ldapsam:trusted = yes
ldap suffix = dc=hatfield,dc=local
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=hatfield,dc=local
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#printer admin = root
#printing = cups
restrict anonymous = 1

#========================Share Definitions=========================
[homes]
 comment = Home Directories
 valid users = %S
 browseable = yes
 writable = yes
 create mask = 0600
 directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no

[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777

[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
```

----------

## Naughtyus

Ok, thank you for your help!  I finally got past the UID problem - it had to do with my smbldap.conf and smbldap_bind.conf!  For anyone else who is trying to follow the guide I posted, make sure you set those files up (as in the directions *after* the LDAP steps) before you try to initialize the LDAP db.

----------

