LDAP support in SAMBA
Jan Du Caju
Jan.DuCaju at cc.kuleuven.ac.be
Mon Sep 24 07:03:07 GMT 2001
Hi,
At our university some faculties/departments will convert from
a Banyan VINES network to a Linux Samba environment. To avoid
locally defining users on decentrally administered Samba servers
when they are already defined in the central LDAP servers for other
authentication purposes :-) LDAP support in Samba is definitely
what we want. So we downloaded Shahms E. King's patch
(http://sking.mesd.k12.or.us/) and did some testing. We are very
excited about it and would like to help out.
We made some code modifications to add some enhancements we
need (at least we do ;-).
I know we should have looked first at the TODO page
http://ftp.easynet.be/samba/TODO.html
and contacted you, but as we didn't, I'll just list them here and wait
for suggestions/instructions.
1) redundancy enhancement
More specifically, to be able to specify more than one LDAP server, so
that if the first one specified is unreachable the next one (containing
the same info :) is tried:
modification of ldap.c and a different format for the LDAP
server definition in smb.conf:
ldap server = <ldapserver_1>[:port][,<ldapserver_X>[:port]]*
samba-ldap-backup.patch to be applied against samba-2.1.1a with
Shahms E. King patch (samba-ldap.patch)
2) a fall back to the local smb password file
Due to our complex environment, where the Samba servers are/will
be managed decentrally, the local administrators need to be able
to add temporary users locally which do/will not appear in the
central LDAP servers. Similarly, it would be better to define the
user root (needed to add machine accounts in a Windows domain)
locally.
So changes were made to be able to specify in the smb.conf file
the order in which the backend databases will be consulted. Modification
of an entry will only be possible in the database where it was found.
For commands like smbpasswd we added an argument to specify
the backend that should be updated.
samba-ldap-backup-localfallback.patch to be applied against
samba-2.1.1a with Shahms E. King patch (samba-ldap.patch)
3) We want to help with coding the password and group backends
(especially LDAP ;)
Patches against CVS tag SAMBA_2_2 are coming up.
Koen & Jan.
--------------------------------------------------------
Jan Du Caju Jan.DuCaju at kulnet.kuleuven.ac.be
KULeuvenNet LUDIT K.U.Leuven
de Croylaan 52A 3001 Leuven Belgium
http://www.kuleuven.ac.be/studeng/a_totaal/index_eng.htm
--------------------------------------------------------
-------------- next part --------------
diff -r sambachahms/source/passdb/ldap.c samba-2.2.1a/source/passdb/ldap.c
53a54,57
> #ifndef LDAP_PORT
> #define LDAP_PORT 389
> #endif
>
62a67
>
69c74
< ldap_open_connection (LDAP ** ldap_struct)
---
> ldap_open_connection (LDAP ** ldap_struct,char *ldapserver, int ldapport)
71d75
< int port;
74,82c78,81
< if (lp_ldap_ssl () == LDAP_SSL_ON && lp_ldap_port () == 389)
< {
< port = 636;
< }
< else
< {
< port = lp_ldap_port ();
< }
< if ((*ldap_struct = ldap_init (lp_ldap_server (), port)) == NULL)
---
>
> DEBUG(3, ("ldap_open_connection: to server '%s'\n",ldapserver));
>
> if (lp_ldap_ssl () == LDAP_SSL_ON && ldapport == 389)
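Review bot: The SSL port substitution still compares `ldapport == 389` although the hunk at 53a54,57 introduces `LDAP_PORT` for exactly that value, and 636 remains a second bare number; `if (lp_ldap_ssl () == LDAP_SSL_ON && ldapport == LDAP_PORT)` together with a guarded define for 636, made the same way as `LDAP_PORT`, keeps the pair in one place. `ldapserver` is only logged and passed on here, so the new signature can take `const char *ldapserver`. The level-3 DEBUG in this hunk is paired with a level-0 "try to open connection" message that find_ldap_server now emits on every call from every caller in the file; one of the two should move to a debug level or production logs fill with a line per lookup. The rest of ldap_open_connection lies outside this hunk, and the identical hunk is repeated in the second attachment.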
84,85c83
< DEBUG (0, ("The LDAP server is not responding !\n"));
< return (False);
---
> ldapport = 636;
86a85,91
>
> if ((*ldap_struct = ldap_init (ldapserver, ldapport)) == NULL)
> {
> DEBUG (0, ("The LDAP server is not responding !\n"));
> return (False);
> }
>
557a563,649
>
> /* BEGIN KOEN koen.muylkens at student.kuleuven.ac.be*/
>
> /********************************************************************
> make ldap-connection to ldap server(s) (with backup)
> ********************************************************************/
> /* ldapserverstring in smb.conf is "ldapserver1:ldapport1,ldapserver2:ldapport2,....." */
>
> static BOOL
> find_ldap_server(LDAP ** ldap_struct)
> {
> int notConn=1;
> char *strptr;
> DEBUG (3, ("find_ldap_server: ldapserverstring is '%s'\n", lp_ldap_server()));
> strptr = lp_ldap_server();
>
> while (notConn)
> {
> char *srvsep, *portsep;
> int port;
> srvsep = strchr(strptr, ',');
> if (srvsep != NULL) {
> if (srvsep == strptr) {
> DEBUG (0, ("missing ldap server[:port] specification !\n"));
> return False;
> }
> *srvsep = '\0';
>
> portsep = strchr(strptr, ':');
> if (portsep != NULL) {
>
> if (portsep == strptr) {
> DEBUG (0, ("Missing ldap server address before :port\n"));
> return False;
> }
> else if (portsep[1] == '\0') {
> DEBUG (0, ("No port specified after colon\n"));
> return False;
> }
> port = atoi(portsep + 1);
> if (!port) {
> DEBUG (0, ("Port must be numeric\n"));
> return False;
> }
> *portsep = '\0';
>
> } else {
> port = lp_ldap_port();
> }
> }
> else port = lp_ldap_port();
> DEBUG (0, ("try to open connection to ldap server '%s' on port %d\n",strptr,port));
>
> if (!ldap_open_connection (ldap_struct,strptr,port))
> {
> DEBUG (0, ("ldap_system_backup: could not open connection !\n"));
> return False;
> }
> if (!ldap_connect_system (*ldap_struct))
> {
> DEBUG (0, ("ldap_system_backup: The LDAP server is not responding !\n"));
>
> ldap_unbind (*ldap_struct);
> if (srvsep == NULL)
> {
> return False;
> }
> else
> {
> strptr = srvsep + 1;
> DEBUG(0, ("ldap_system_backup: going to alternative ldap server(s)\n"));
> if(srvsep != NULL) { *srvsep = ','; }
> if(portsep != NULL) { *portsep = ':'; }
> }
> }
> else
> {
> notConn=0;
> DEBUG(0, ("ldap_system_backup: Succesful connection to an ldap server\n"));
> }
> }
> return True;
> }
>
> /* END KOEN */
>
>
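Review bot: The `:port` suffix is only parsed inside the `if (srvsep != NULL)` branch, so for a single server or the last entry of the list the whole `host:port` text is handed to ldap_open_connection as the host with `lp_ldap_port()` as the port. The separators overwritten with `'\0'` are put back only on the bind-failure path; after a successful connect the string behind `lp_ldap_server()` stays truncated at the first comma, so every later call of this function (it now replaces each open/connect pair in the file) sees a one-server list and the failover works once per process, and a failure of ldap_open_connection itself returns False instead of moving to the next entry. `atoi` accepts `389abc` or a negative number as a port; use `strtol` with an end-pointer and a 1..65535 range check. The same hunk is repeated verbatim in the second attachment (second `passdb/ldap.c` diff, hunk 557a563,649). A sketch that parses a private copy and treats every entry the same:
```c
static BOOL
find_ldap_server(LDAP ** ldap_struct)
{
	/* Private copy: the smb.conf value must survive for later calls. */
	char *list = strdup(lp_ldap_server());
	char *entry = list;
	BOOL connected = False;

	if (list == NULL) {
		DEBUG(0, ("find_ldap_server: out of memory\n"));
		return False;
	}

	while (entry != NULL && !connected) {
		char *next = strchr(entry, ',');
		char *colon;
		int port = lp_ldap_port();

		if (next != NULL) {
			*next++ = '\0';
		}
		/* Optional :port is parsed for every entry, not only ones followed by a comma. */
		colon = strchr(entry, ':');
		if (colon != NULL) {
			char *end;
			long p;
			*colon++ = '\0';
			p = strtol(colon, &end, 10);
			if (*colon == '\0' || *end != '\0' || p < 1 || p > 65535) {
				DEBUG(0, ("find_ldap_server: bad port in ldap server entry\n"));
				break;
			}
			port = (int)p;
		}
		if (*entry == '\0') {
			DEBUG(0, ("missing ldap server[:port] specification !\n"));
			break;
		}

		if (!ldap_open_connection(ldap_struct, entry, port)) {
			DEBUG(3, ("find_ldap_server: could not open connection to '%s'\n", entry));
		} else if (!ldap_connect_system(*ldap_struct)) {
			DEBUG(3, ("find_ldap_server: bind to '%s' failed, trying next\n", entry));
			ldap_unbind(*ldap_struct);
		} else {
			connected = True;
		}
		entry = next;
	}

	free(list);
	return connected;
}
```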
566,573c658,662
<
< if (!ldap_open_connection (&global_ldap_ent.ldap_struct))
< {
< return False;
< }
< if (!ldap_connect_system (global_ldap_ent.ldap_struct))
< {
< ldap_unbind (global_ldap_ent.ldap_struct);
---
>
> /* KOEN */
>
> if (!find_ldap_server(&global_ldap_ent.ldap_struct))
> {
575,576c664,665
< }
<
---
> }
>
612a702
> DEBUG(3,("unbinding ldap\n"));
652c742
< LDAPMessage *entry;
---
> LDAPMessage *entry;
654c744
< if (!ldap_open_connection (&ldap_struct))
---
> if (!find_ldap_server(&ldap_struct))
656,660c746
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
< return False;
< }
---
>
701,707c787,794
< if (!ldap_open_connection (&ldap_struct))
< return False;
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
< return False;
< }
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
> return False;
> }
>
>
748,752c835,838
< if (!ldap_open_connection (&ldap_struct))
< return False;
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
754a841
>
798,801d884
<
< if (!ldap_open_connection (&ldap_struct))
< return False;
<
804,807c887,890
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
< DEBUG (0, ("Failed to delete user %s from LDAP.\n", sname));
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
809c892
< }
---
> }
858,859c941,944
< if (!ldap_open_connection (&ldap_struct)) /* open a connection to the server */
< {
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
861,868c946,947
< }
<
< if (!ldap_connect_system (ldap_struct)) /* connect as system account */
< {
< ldap_unbind (ldap_struct);
< return False;
< }
<
---
> }
>
920,924d998
<
< if (!ldap_open_connection (&ldap_struct)) /* open a connection to the server */
< {
< return False;
< }
926,931c1000,1006
< if (!ldap_connect_system (ldap_struct)) /* connect as system account */
< {
< ldap_unbind (ldap_struct);
< return False;
< }
<
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
> return False;
> }
>
1008,1009c1083,1085
< return &global_ldap_ent;
<
---
> {
> return &global_ldap_ent;
> }
1049a1126
>
-------------- next part --------------
diff -r sambachahms/source/include/includes.h samba-2.2.1a/source/include/includes.h
787a788,790
> /* KOEN */
> #define USE_SMBPASS_DB 1
>
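Review bot: `USE_SMBPASS_DB` is defined here but nothing in either posted patch tests it, so as far as the visible hunks show it is either dead or intended for code that is not included; drop it or add a comment naming what is expected to check it. If it is meant as a build switch, an `#ifndef USE_SMBPASS_DB` guard like the one used for `LDAP_PORT` in ldap.c would let a configure flag override it.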
diff -r sambachahms/source/include/proto.h samba-2.2.1a/source/include/proto.h
1711a1712
> char *lp_passwd_db_list(void);
1958c1959
< BOOL initialize_password_db(void);
---
> BOOL initialize_password_db(int type);
diff -r sambachahms/source/param/loadparm.c samba-2.2.1a/source/param/loadparm.c
215c215,219
< #endif /* WITH_LDAP */
---
> #endif
> /* WITH_LDAP */
>
> /*KOEN*/
> char *szPasswdDbList;
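Review bot: `#endif /* WITH_LDAP */` has been split so the trailing comment sits on its own line, a change with no effect that separates the marker from the directive it annotates; keep `#endif /* WITH_LDAP */` as one line. The new `char *szPasswdDbList;` carries no hint of which parameter it backs; a trailing `/* "password db list" */` ties it to the table entry added at 963a968,970.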
963a968,970
> /*KOEN*/
> {"password db list", P_STRING, P_GLOBAL, &Globals.szPasswdDbList, NULL, NULL, 0},
>
1325a1333,1336
>
> /* KOEN */
> string_set(&Globals.szPasswdDbList, "ldap,file");
>
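Review bot: The default `"ldap,file"` is installed unconditionally, so on a build without WITH_LDAP the first token names a backend that initialize_password_db (passdb.c hunk 83a72,96) cannot provide and silently skips; wrap it as `#ifdef WITH_LDAP` `"ldap,file"` `#else` `"file"` `#endif` so the default is valid for every build. More importantly, the token `file` starts with `f`, which the parser in getsmbpwnam (passdb.c hunk 166c180,238) does not recognise — it matches `s` for the smbpasswd file, as the smbpasswd.c usage text also says — so the shipped default lands in that switch's `default:` case. Either the default string or the parser's letters need to agree, and the accepted tokens should be documented at this parameter.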
1501a1513,1516
>
> /*KOEN*/
> FN_GLOBAL_STRING(lp_passwd_db_list, &Globals.szPasswdDbList)
>
diff -r sambachahms/source/passdb/ldap.c samba-2.2.1a/source/passdb/ldap.c
53a54,57
> #ifndef LDAP_PORT
> #define LDAP_PORT 389
> #endif
>
62a67
>
69c74
< ldap_open_connection (LDAP ** ldap_struct)
---
> ldap_open_connection (LDAP ** ldap_struct,char *ldapserver, int ldapport)
71d75
< int port;
74,82c78,81
< if (lp_ldap_ssl () == LDAP_SSL_ON && lp_ldap_port () == 389)
< {
< port = 636;
< }
< else
< {
< port = lp_ldap_port ();
< }
< if ((*ldap_struct = ldap_init (lp_ldap_server (), port)) == NULL)
---
>
> DEBUG(3, ("ldap_open_connection: to server '%s'\n",ldapserver));
>
> if (lp_ldap_ssl () == LDAP_SSL_ON && ldapport == 389)
84,85c83
< DEBUG (0, ("The LDAP server is not responding !\n"));
< return (False);
---
> ldapport = 636;
86a85,91
>
> if ((*ldap_struct = ldap_init (ldapserver, ldapport)) == NULL)
> {
> DEBUG (0, ("The LDAP server is not responding !\n"));
> return (False);
> }
>
557a563,649
>
> /* BEGIN KOEN koen.muylkens at student.kuleuven.ac.be*/
>
> /********************************************************************
> make ldap-connection to ldap server(s) (with backup)
> ********************************************************************/
> /* ldapserverstring in smb.conf is "ldapserver1:ldapport1,ldapserver2:ldapport2,....." */
>
> static BOOL
> find_ldap_server(LDAP ** ldap_struct)
> {
> int notConn=1;
> char *strptr;
> DEBUG (3, ("find_ldap_server: ldapserverstring is '%s'\n", lp_ldap_server()));
> strptr = lp_ldap_server();
>
> while (notConn)
> {
> char *srvsep, *portsep;
> int port;
> srvsep = strchr(strptr, ',');
> if (srvsep != NULL) {
> if (srvsep == strptr) {
> DEBUG (0, ("missing ldap server[:port] specification !\n"));
> return False;
> }
> *srvsep = '\0';
>
> portsep = strchr(strptr, ':');
> if (portsep != NULL) {
>
> if (portsep == strptr) {
> DEBUG (0, ("Missing ldap server address before :port\n"));
> return False;
> }
> else if (portsep[1] == '\0') {
> DEBUG (0, ("No port specified after colon\n"));
> return False;
> }
> port = atoi(portsep + 1);
> if (!port) {
> DEBUG (0, ("Port must be numeric\n"));
> return False;
> }
> *portsep = '\0';
>
> } else {
> port = lp_ldap_port();
> }
> }
> else port = lp_ldap_port();
> DEBUG (0, ("try to open connection to ldap server '%s' on port %d\n",strptr,port));
>
> if (!ldap_open_connection (ldap_struct,strptr,port))
> {
> DEBUG (0, ("ldap_system_backup: could not open connection !\n"));
> return False;
> }
> if (!ldap_connect_system (*ldap_struct))
> {
> DEBUG (0, ("ldap_system_backup: The LDAP server is not responding !\n"));
>
> ldap_unbind (*ldap_struct);
> if (srvsep == NULL)
> {
> return False;
> }
> else
> {
> strptr = srvsep + 1;
> DEBUG(0, ("ldap_system_backup: going to alternative ldap server(s)\n"));
> if(srvsep != NULL) { *srvsep = ','; }
> if(portsep != NULL) { *portsep = ':'; }
> }
> }
> else
> {
> notConn=0;
> DEBUG(0, ("ldap_system_backup: Succesful connection to an ldap server\n"));
> }
> }
> return True;
> }
>
> /* END KOEN */
>
>
566,573c658,662
<
< if (!ldap_open_connection (&global_ldap_ent.ldap_struct))
< {
< return False;
< }
< if (!ldap_connect_system (global_ldap_ent.ldap_struct))
< {
< ldap_unbind (global_ldap_ent.ldap_struct);
---
>
> /* KOEN */
>
> if (!find_ldap_server(&global_ldap_ent.ldap_struct))
> {
575,576c664,665
< }
<
---
> }
>
612a702
> DEBUG(3,("unbinding ldap\n"));
652c742
< LDAPMessage *entry;
---
> LDAPMessage *entry;
654c744
< if (!ldap_open_connection (&ldap_struct))
---
> if (!find_ldap_server(&ldap_struct))
656,660c746
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
< return False;
< }
---
>
701,707c787,794
< if (!ldap_open_connection (&ldap_struct))
< return False;
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
< return False;
< }
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
> return False;
> }
>
>
748,752c835,838
< if (!ldap_open_connection (&ldap_struct))
< return False;
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
754a841
>
798,801d884
<
< if (!ldap_open_connection (&ldap_struct))
< return False;
<
804,807c887,890
< if (!ldap_connect_system (ldap_struct))
< {
< ldap_unbind (ldap_struct);
< DEBUG (0, ("Failed to delete user %s from LDAP.\n", sname));
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
809c892
< }
---
> }
858,859c941,944
< if (!ldap_open_connection (&ldap_struct)) /* open a connection to the server */
< {
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
861,868c946,947
< }
<
< if (!ldap_connect_system (ldap_struct)) /* connect as system account */
< {
< ldap_unbind (ldap_struct);
< return False;
< }
<
---
> }
>
920,924d998
<
< if (!ldap_open_connection (&ldap_struct)) /* open a connection to the server */
< {
< return False;
< }
926,931c1000,1006
< if (!ldap_connect_system (ldap_struct)) /* connect as system account */
< {
< ldap_unbind (ldap_struct);
< return False;
< }
<
---
> /* KOEN */
>
> if (!find_ldap_server(&ldap_struct))
> {
> return False;
> }
>
1008,1009c1083,1085
< return &global_ldap_ent;
<
---
> {
> return &global_ldap_ent;
> }
1049a1126
>
diff -r sambachahms/source/passdb/passdb.c samba-2.2.1a/source/passdb/passdb.c
62a63,65
> /*KOEN*/
> BOOL use_alternative_passdb=False;
>
67,82c70
< BOOL initialize_password_db(void)
< {
< if (pdb_ops)
< {
< return True;
< }
<
< #ifdef WITH_NISPLUS
< pdb_ops = nisplus_initialize_password_db();
< #elif defined(WITH_LDAP)
< pdb_ops = ldap_initialize_password_db();
< #elif defined(WITH_TDBPWD)
< pdb_ops = tdb_initialize_password_db();
< #else
< pdb_ops = file_initialize_password_db();
< #endif
---
> /*KOEN koen.muylkens at student.kuleuven.ac.be */
83a72,96
> BOOL initialize_password_db(int type)
> {
> switch(type)
> {
> case 0:
> pdb_ops = file_initialize_password_db();
> break;
> case 1:
> #ifdef WITH_NISPLUS
> pdb_ops = nisplus_initialize_password_db();
> #endif
> break;
> case 2:
> #ifdef WITH_LDAP
> pdb_ops = ldap_initialize_password_db();
> #endif
> break;
> case 3:
> #ifdef WITH_TDBPWD
> pdb_ops = tdb_initialize_password_db();
> #endif
> break;
> default:
> pdb_ops = NULL;
> }
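Review bot: For types 1 to 3 on a build without the corresponding WITH_* macro the switch is a silent no-op, so `pdb_ops` keeps whatever backend a previous call installed (the file backend, after the `initialize_password_db(0)` at startup in server.c) and the caller is told nothing about the substitution; whether that is reported depends on the return statement, which lies after this hunk. Each conditional should carry `#else pdb_ops = NULL; #endif` so a request for an unavailable backend fails instead of being answered from another database. The numeric codes 0..3 are now spelled out independently here, in the getsmbpwnam hunk (166c180,238), in smbpasswd.c (574,578c581,625), server.c and swat.c; one enum shared through proto.h or includes.h would also have caught the `case 'n': passdb=0;` slip in getsmbpwnam. Dropping the old `if (pdb_ops) return True;` guard appears intended, since every call must now be able to switch backends.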
87d99
<
101c113
< return pdb_ops->startsmbpwent(update);
---
> return pdb_ops->startsmbpwent(update);
116c128
< pdb_ops->endsmbpwent(vp);
---
> return pdb_ops->endsmbpwent(vp);
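Review bot: The changed line now returns the value of `pdb_ops->endsmbpwent(vp)`; if that member and the enclosing wrapper are void (the original statement discarded the call, which suggests so), a `return` with an expression in a void function violates a C constraint and compiles only as an extension. Either keep the statement form or give the op a BOOL result in the ops struct; both the wrapper's header and the struct lie outside this hunk.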
121c133
< *************************************************************************/
---
> **************************************************************************/
125c137
< return pdb_ops->getsmbpwent(vp);
---
> return pdb_ops->getsmbpwent(vp);
134c146
< return pdb_ops->add_smbpwd_entry(newpwd);
---
> return pdb_ops->add_smbpwd_entry(newpwd);
148c160
< return pdb_ops->mod_smbpwd_entry(pwd, override);
---
> return pdb_ops->mod_smbpwd_entry(pwd, override);
157c169
< return pdb_ops->del_smbpwd_entry(name);
---
> return pdb_ops->del_smbpwd_entry(name);
163a176,177
> /* KOEN koen.muylkens at student.kuleuven.ac.be */
>
166c180,238
< return pdb_ops->getsmbpwnam(name);
---
> struct smb_passwd *smbpass;
>
> if (!use_alternative_passdb)
> {
> char *passdblist;
> BOOL notFound=1;
> int passdb;
>
> passdblist=(char*)lp_passwd_db_list();
> while (notFound)
> {
> char *passdbsep;
> passdbsep = strchr(passdblist, ',');
> if (passdbsep!=NULL) *passdbsep = '\0';
>
> switch(*passdblist)
> {
> case 's':
> DEBUG(3,("trying SMB passdb\n"));
> passdb=0;
> break;
> case 'n':
> DEBUG(3,("trying NIS passdb\n"));
> passdb=0;
> break;
> case 'l':
> passdb=2;
> DEBUG(3,("trying LDAP passdb\n"));
> break;
> case 't':
> passdb=3;
> DEBUG(3,("trying TDB passdb\n"));
> break;
> default:
> DEBUG(3,("no passdb found\n"));
> }
>
> if (!initialize_password_db(passdb))
> return NULL;
>
> smbpass = pdb_ops->getsmbpwnam(name);
>
> if (NULL == smbpass)
> {
> DEBUG(0,("search for '%s' failed \ngoing to next passdb\n",passdblist));
> if (passdbsep !=NULL)
> {
> passdblist = passdbsep+1;
> *passdbsep = ',';
> }
> else return NULL;
> }
> else
> notFound=0;
> }
> }
> else smbpass = pdb_ops->getsmbpwnam(name);
>
> return smbpass;
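Review bot: `case 'n'` sets `passdb=0`, which selects the file backend rather than NIS (type 1 in initialize_password_db), and the `default:` case leaves `passdb` uninitialized yet falls through to `initialize_password_db(passdb)` — which is exactly the path the shipped default `"ldap,file"` takes, since `f` is not one of the recognised letters; it should `return NULL;` after logging. The comma overwritten at `*passdbsep = '\0'` is restored only on the miss path, so after the first hit in the first backend the string behind `lp_passwd_db_list()` is permanently truncated and later lookups never reach the second entry; restore it in the hit branch too, e.g. `else { notFound=0; if (passdbsep != NULL) *passdbsep = ','; }`. A NULL from a backend is treated the same whether the user is absent or the backend was unreachable (find_ldap_server failing presumably surfaces here as NULL), so a directory outage silently switches a name to its local entry; distinguishing the two would let an outage fail closed instead of falling back. Note also that `pdb_ops` stays pointed at whichever backend the last lookup ended on, so any later global pdb_* call made without a preceding lookup goes to that backend. The wrapper's header is outside the hunk.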
168a241
>
343,344c416,417
< {
< return pdb_ops->add_sam21pwd_entry(pwd);
---
> {
> return pdb_ops->add_sam21pwd_entry(pwd);
diff -r sambachahms/source/smbd/server.c samba-2.2.1a/source/smbd/server.c
773,774c773,774
<
< if(!initialize_password_db()) {
---
>
> if(!initialize_password_db(0)) {
777c777
<
---
>
diff -r sambachahms/source/utils/smbpasswd.c samba-2.2.1a/source/utils/smbpasswd.c
31a32,34
> /*KOEN*/
> extern BOOL use_alternative_passdb;
>
33a37
> static BOOL alternative_passwd_db=0;
65a70,71
> printf(" -O PASSDB override passdb specified in configfile\n");
> printf(" PASSDB= s(=samba), n(=nis), l(=ldap), t(=tdb)");
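Review bot: The second usage line has no trailing newline, so whatever usage text follows is appended to it on the same line; `printf(" PASSDB= s(=samba), n(=nis), l(=ldap), t(=tdb)\n");`. The text could also say that without `-O` the order from the `password db list` parameter applies, which is what the override replaces.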
266,267c272
< char *remote_machine = NULL;
<
---
> char *remote_machine = NULL;
561a567,568
> int passdb;
>
574,578c581,625
< if(!initialize_password_db()) {
< fprintf(stderr, "Can't setup password database vectors.\n");
< exit(1);
< }
<
---
> /*KOEN*/
> if (getopt(argc,argv,"O:")=='O')
> {
> switch(optarg[0])
> {
> case 's':
> passdb=0;
> DEBUG(3,("smbpasswd.c: passdb is samba\n"));
> break;
> case 'n':
> passdb=1;
> DEBUG(3,("smbpasswd.c: passdb is nis\n"));
> break;
> case 'l':
> passdb=2;
> DEBUG(3,("smbpasswd.c: passdb is ldap\n"));
> break;
> case 't':
> passdb=3;
> DEBUG(3,("smbpasswd.c: passdb is tdb\n"));
> break;
> default:
> passdb=-1;
> DEBUG(3,("smbpasswd.c: passdb is configfile passdb\n"));
> }
> }
> else passdb=-1;
>
> if (passdb!=-1)
> {
> use_alternative_passdb=True;
> if(!initialize_password_db(passdb)) {
> fprintf(stderr, "Can't setup password database vectors.\n");
> exit(1);
> }
> }
> else
> {
> use_alternative_passdb=False;
> if(!initialize_password_db(0)) {
> fprintf(stderr, "Can't setup password database vectors.\n");
> exit(1);
> }
> }
>
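Review bot: `getopt(argc,argv,"O:")` is called once, by itself, with an option string that knows only `O`; if this sits after smbpasswd's regular option loop (its position at original line 574, next to the old `initialize_password_db()` call, suggests it does), `optind` already points past the arguments, the call returns -1, `passdb` is always -1, and a `-O` given on the command line is rejected by the earlier parse instead. Add `O:` to the existing option string and set `passdb` inside the existing switch. The two `initialize_password_db` blocks differ only in the flag and the argument; `use_alternative_passdb = (passdb != -1); if (!initialize_password_db(passdb != -1 ? passdb : 0)) { ... }` halves them. The `static BOOL alternative_passwd_db=0;` added at 33a37 is not referenced anywhere in the visible patch, and the 83 blank lines added at 619a667,749 look accidental. main's body continues outside this hunk.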
619a667,749
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
diff -r sambachahms/source/web/swat.c samba-2.2.1a/source/web/swat.c
662c662
< if(!initialize_password_db()) {
---
> if(!initialize_password_db(0)) {