A few things to memorize about installing OpenLDAP with Samba and LAM:
Enable SSL
# File: ldap-ssl.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-ssl.ldif
dn: cn=config
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/server.crt
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/DigiCertCA.crt
Make sure that OpenLDAP is allowed to read those files. In my case AppArmor also denied slapd access to them, so I had to allow this specifically in the slapd profile.
After this, I updated the value SLAPD_SERVICES in /etc/default/slapd: SLAPD_SERVICES="ldapi:/// ldaps:///"
Deny anonymous access
# File: ldap-ssl.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-ssl.ldif
# (each LDIF record must be separated from the next by a blank line)
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
I created an additional organisational unit ou=services,dc=example,dc=com where all services are listed. This is also a great way of documenting which services exist in the network.
Secure access to sambaNTPassword (in the default installation, only access to userPassword is secured):
# File: updateOlcAccess.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f updateOlcAccess.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange,sambaPwdLastSet by self write by * read
olcAccess: {2}to * by * read
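To see why sambaNTPassword has to be named next to userPassword, here is an added Python simulator (not from the original post) of slapd's first-match olcAccess evaluation, run over an assumed wording of the stock ACL and over the hardened rules above; the user DNs are constructed for the example.

```python
import re

# Simplified slapd ACL semantics: first "to" clause whose target matches wins,
# and within it the first matching "by" clause fixes the granted level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Assumed wording of the default ACL the post refers to (only userPassword protected).
DEFAULT_ACL = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]
# The rules from updateOlcAccess.ldif.
HARDENED_ACL = [
    "{0}to attrs=userPassword,sambaNTPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange,sambaPwdLastSet by self write by * read",
    "{2}to * by * read",
]

def parse_rule(rule):
    """Split '{n}to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    m = re.match(r"(?:\{\d+\})?to\s+(\S+)((?:\s+by\s+\S+\s+\S+)+)$", rule)
    if not m: raise ValueError(f"unsupported rule: {rule}")
    return m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))

def target_matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def who_matches(who, requester, target_dn):
    # requester is None for an anonymous connection, otherwise the bound DN
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester == target_dn
    raise ValueError(f"unsupported subject: {who}")

def access(acl, attr, requester, target_dn):
    """Access level slapd grants requester on target_dn's attr under this ACL."""
    for rule in acl:
        what, clauses = parse_rule(rule)
        if target_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"  # target matched but no "by" clause did: denied
    return "none"  # nothing matched: slapd's default is deny

def can_read(acl, attr, requester, target_dn):
    return LEVELS.index(access(acl, attr, requester, target_dn)) >= LEVELS.index("read")
```

With the default ACL the NT hash of any user falls through to `{2}to * by * read` and is readable by every other bound user; the hardened ACL returns `none` for it.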
Allow 'otherMailbox' values
We want to save additional mail addresses (e.g. when we want to reach the user privately). For this we use the 'otherMailbox' attribute, which is not available in the normal schemas. We use extensibleObject for this:
# File: otherMailbox.ldif
dn: cn=user,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: extensibleObject
-
add: otherMailbox
otherMailbox: user@external.com