[Samba] Samba and LDAP backend - howto docs problems?

Norman Dressler ndressler at dinmar.com
Wed Mar 10 21:11:02 GMT 2004 

On Wednesday 10 March 2004 12:55 pm, Graham Leggett wrote:
> John H Terpstra wrote:
> >>Samba's LDAP configuration exists in the smb.conf file. pam_ldap /
> >>nss_ldap's configuration exists in the ldap.conf file.
> >
> > Samba works with OpenLDAP, Sun iPlanet (Identity Server), IBM Tivoli
> > Directory server, CA's product, Novell eDirectory, etc. So precisely how
> > do you suggest we integrate all of these plus Samba so there is no
> > duplication _AND_ so that the resulting code can be maintained?
>
> All the software you've listed are LDAP servers, I was referring to
> nss_ldap, an LDAP client whose config is found in /etc/ldap.conf, which
> as you explain below is required for a proper functioning Samba + LDAP
> system.
>
> I understand that nss_ldap runs on a number of platforms, which means it
> is reasonably safe to assume that /etc/ldap.conf will be there, and if
> it's not there, the existing LDAP config directives can be used as a
> fallback, or Samba can be taught other places to look for the system's
> LDAP config.
>
> > In my opinion, Samba has to remain independant of ALL system tools.
>
> I agree, but Samba requires nss_ldap - if Samba is to maintain a
> separate LDAP config from nss_ldap, then I would say that Samba should
> not need the services of nss_ldap - it should be able to query this
> information for itself.


I have to agree with Graham.  nss_ldap is a dependency for many reasons.  
First and formost is to control access to your files at the unix level.  
Without relating the samba groups to posix groups in some fashion, you either 
have to open your files up to the world with no security or your users won't 
be able to access them.

As an example, Domain Users in the Samba world tells Samba that these users 
are part of its domain.  Fine, but without it corresponding as a posix group 
AND being recognized from the same repository like ldap (through nss_ldap), 
you won't access any files with that membership.  

I've always had to get my LDAP working on the OS level first, then work on the 
Samba side.

Norm

More information about the samba mailing list