AW: Re: Samba4 and OpenLDAP

Holger Schmieder schmieder at schmieder.de
Sun Aug 14 11:21:30 GMT 2005


Hello Andrew,

Thanks for the very fast answer.

Regarding your question: In my special case I have all the accounts and the passwords in OpenLDAP. The user can change the password on a website and with his Windows client (today with smb-ldap). There are some more applications authenticating against the OpenLDAP uid/userPassword attributes.

O.k., I forgot: because of the clients, samba-ldap must be on 389. But now some more questions come up:

Question 1: Do I have a chance (and if yes, how) to extend Samba's LDAP schema with additional attributes (some private objectclasses), or can I forward requests to Samba for unknown attributes to another LDAP server?
Or: if no client is authenticating against this server (only via CDO, which is using RPC), can I then map samba-ldap to another port although the main samba4 is on 389?
Or: can I implement your msrpc on another server without running smbd4?

Question 2:
You spoke about a test backing parts of samba4-ldap to tdb or another LDAP. Do you have some more information about this procedure?

Question 3:
Why do you repeat the LDAP base below every object again and again? For example:
DC=SCHMIEDER1
	CN=Computers
		DC=SCHMIEDER1
-> I saw that with Softerra's LDAP-Admin


Hope you'll find some more minutes to answer these questions.

Thanks in advance
Holger



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, 14 August 2005 12:12
To: Holger Schmieder
Cc: samba-technical at lists.samba.org
Subject: Re: Samba4 and OpenLDAP


On Sun, 2005-08-14 at 11:08 +0200, Holger Schmieder wrote:
> Hello all,
> 
> Volker Lendecke said in an interview with golem.de the following:
> We will always support OpenLDAP - but maybe not in first release... 
> 
> I have to find out a solution which connects a Windows machine with 
> CDO to a Linux server with Scalix-Groupware. Due to the fact that CDO is 
> using the epmapper and other RPC services for authentication, my 
> idea was to try this with samba4 - because I saw that the Samba 
> team is working very hard on the msrpc implementation. Now I 
> played around a little bit with samba4 and saw that the internal 
> LDAP server looks like an AD controller. That's pretty fine, but now 
> I have to find out two things to bring my demand forward:
> 1. I have to map the samba4-ldap to another port because Scalix 
> needs 389
> 2. I have to store the user accounts in OpenLDAP because Scalix is 
> authenticating against OpenLDAP 

Specifically against OpenLDAP, or against an LDAP server in general?

> 3. All of them must be (because of CDO) on the same machine: Scalix 
> on 389, OpenLDAP on 398 and samba4-ldap anywhere.
> 
> Now my questions:
> - Has anybody tried to store the user in OpenLDAP together with 
> samba4? - How to do this?

This question means many different things, depending on what you care
about.  Firstly, Samba4 includes a backend which allows it to back on to
either a tdb, or an LDAP server.  We demonstrate this in some of our
tests (by backing an LDAP server on a tdb, then backing the rest of
Samba4 to that LDAP server).

However, the implementor wishing to back Samba4 onto OpenLDAP (or any
other LDAP server) has to first make that server use the AD schema, and
accept queries that assume that layout.  Either that, or implement
(somewhere) a mapping. 

Frankly this is hard - particularly for a 'perfect' mapping.  I hope we
might get a 'Samba3 migration' mapping, with major limitations, but even
that will be hard.

More reasonable is to have OpenLDAP load an AD-compatible schema, but
that often removes the reason people wanted to use OpenLDAP.

> - How can i map the samba-ldap to another port ?

If Samba is a domain controller using the AD logon protocols, then it
must listen to the LDAP port (client requirement).

> - Is there some more documentation stuff for samba4 than on the 
> website and CVS?

Not really, but those interested in testing early SVN snapshots of
Samba4 can work with us either on this list, or #samba-technical on
irc.freenode.net.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

