Fwd: Samba and referrals in LDAP

Marshall, Joshua MarshallJ at switch.aust.com
Mon Feb 25 18:08:02 GMT 2002

Hi All,

I'd like to submit this patch for inclusion into the samba code. It is a 
patch which is clean against samba 2.2.3a.

It allows a Samba PDC which is connected to a slave ldap server to 
add/modify/delete entries on the master ldap server. The details are in 
the below email.

I'm not subscribed to the samba-patches or samba-technical lists 
(subscribed to samba), so if you have any comments please email me directly.


Joshua Marshall
Systems Support Engineer
Union Switch & Signal Pty Ltd
Ph: (07) 3868 9371
Fx: (07) 3268 2219
----- Forwarded by Joshua Marshall/AU/USS on 26/02/2002 11:42 AM -----

Joshua Marshall
24/01/2002 12:48 PM

        To:     Gerald Carter <jerry at samba.org>
        cc:     samba at samba.org
        Subject:        Re: Samba and referrals in LDAP

Hi Jerry,

I managed to work out what was happening before you posted this.

When communicating with a slave ldap, and an add/change/delete request is 
sent to the server, the ldap server replies with an error code which 
refers the client software (in this case samba) to the master ldap server.

It is up to the client software then to connect to the master ldap server 
and resubmit the request. The problem with the simple binding is that 
referrals are generally followed anonymously. This is fine for most 
lookups but for modifying the data there is a security issue allowing 
anonymous modifications.

In the configuration that samba uses, the authentication on both the 
master and slave server is the same. So what needs to be added to the 
current implementation is a way to get the referral to use the same 
authentication to the master server. This is easily done by using the 
rebindproc() function from the openldap libraries. What this does is if a 
referral takes place, it calls a particular function whose job it is to 
authenticate to the new ldap server. Once that's done the request is 
submitted to the master ldap and the change is allowed.

I put together the required changes to pdb_ldap.c and have tested it in 
both ssl and non-ssl modes, and it works wonderfully. Please can you 
consider adding the following patch to the cvs tree (patch is against 
pdb_ldap.c cvs version

I now have a Samba PDC with an SSL-secured LDAP backend that works in a 
distributed master-slave configuration (the slaves are remote offices with 
a local Samba PDC to handle logon requests for the LAN). Thanks go to the 
Samba team to make all of this possible.


Joshua Marshall
Systems Support Engineer
Union Switch & Signal Pty Ltd
Ph: (07) 3868 9371
Fx: (07) 3268 2219
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdb_ldap.patch
Type: application/octet-stream
Size: 1647 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020225/b7d713bf/pdb_ldap.obj
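The referral exchange Joshua describes, as an added example that is not part of the original mail, the attached patch, Samba's pdb_ldap.c or the OpenLDAP libraries: an in-memory model of a replica that answers every write with a referral and a master that enforces its own access control, with a client that chases the referral once anonymously (the default when no rebind procedure is installed) and once through a rebind procedure that reuses the replica's credentials, which is the role the mail's rebindproc() plays (in OpenLDAP it is installed with ldap_set_rebind_proc()). The server URLs, the admin DN and password, the entry DN and the attribute are all constructed for the example.

```python
"""Constructed model of LDAP referral chasing for writes sent to a replica.

Added example, not Samba or OpenLDAP code. Two in-memory "servers" stand in
for the slave and master; the client does what a libldap-style client does
when it follows a referral: open a new connection to the referred URL, bind
on it, and resend the request. The bind step is the security-relevant one.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# LDAP result codes (RFC 4511 values)
SUCCESS, REFERRAL, INVALID_CREDENTIALS, INSUFFICIENT_ACCESS = 0, 10, 49, 50

# Assumed admin DN/password; the mail's premise is that both servers share it.
ADMIN_DN = "cn=admin,dc=example,dc=com"
ADMIN_PW = "secret"

REGISTRY: Dict[str, "Server"] = {}   # "scheme://host:port" -> server


@dataclass
class Server:
    name: str
    url: str
    entries: Dict[str, Dict[str, str]]
    master_url: Optional[str] = None     # set on the slave: it refers all writes
    allow_anon_write: bool = False       # the misconfiguration the mail warns about

    def __post_init__(self):
        REGISTRY[self.url] = self


@dataclass
class Conn:
    """One client connection; bound_dn is None while anonymous."""
    server: Server
    bound_dn: Optional[str] = None

    def bind(self, dn: Optional[str], pw: Optional[str]) -> int:
        if dn is None:                    # anonymous bind
            self.bound_dn = None
            return SUCCESS
        if dn == ADMIN_DN and pw == ADMIN_PW:
            self.bound_dn = dn
            return SUCCESS
        return INVALID_CREDENTIALS

    def modify(self, dn: str, attr: str, value: str) -> Tuple[int, List[str]]:
        s = self.server
        if s.master_url is not None:      # replica: answer writes with a referral
            return REFERRAL, [f"{s.master_url}/{dn}"]
        if self.bound_dn is None and not s.allow_anon_write:
            return INSUFFICIENT_ACCESS, []
        s.entries.setdefault(dn, {})[attr] = value
        return SUCCESS, []


RebindProc = Callable[[Conn, str], int]


def rebind_with_same_creds(new_conn: Conn, url: str) -> int:
    """A rebind procedure: bind the new connection with the same credentials
    the client used on the server that issued the referral."""
    return new_conn.bind(ADMIN_DN, ADMIN_PW)


def modify_chasing_referrals(conn: Conn, dn: str, attr: str, value: str,
                             rebind: Optional[RebindProc] = None):
    """Send a modify; if the server refers us, reconnect and resend.
    Without a rebind procedure the new connection stays anonymous."""
    log = []
    rc, refs = conn.modify(dn, attr, value)
    log.append((conn.server.name, "modify", rc))
    if rc != REFERRAL:
        return rc, log
    u = urlparse(refs[0])                        # ldap://host:port/dn
    target = REGISTRY[f"{u.scheme}://{u.netloc}"]
    new_conn = Conn(target)                      # fresh, anonymous connection
    if rebind is not None:
        rc_bind = rebind(new_conn, refs[0])
        log.append((target.name, "bind", new_conn.bound_dn, rc_bind))
        if rc_bind != SUCCESS:
            return rc_bind, log
    rc, _ = new_conn.modify(dn, attr, value)
    log.append((target.name, "modify", rc))
    return rc, log


def demo(master_allows_anon_write: bool = False):
    """Run the same write through the replica with and without a rebind proc."""
    REGISTRY.clear()
    master = Server("master", "ldap://master.example.com:389", {},
                    allow_anon_write=master_allows_anon_write)
    slave = Server("slave", "ldap://slave.example.com:389", {}, master_url=master.url)
    conn = Conn(slave)
    conn.bind(ADMIN_DN, ADMIN_PW)                # authenticated to the replica
    dn = "uid=jdoe,ou=People,dc=example,dc=com"  # constructed entry
    rc_anon, _ = modify_chasing_referrals(conn, dn, "description", "updated")
    rc_rebind, _ = modify_chasing_referrals(conn, dn, "description", "updated",
                                            rebind=rebind_with_same_creds)
    return rc_anon, rc_rebind, master.entries


if __name__ == "__main__":
    print(demo())       # anonymous chase refused (50), rebind accepted (0)
    print(demo(True))   # a master that allows anonymous writes takes both (0, 0)
```

The second call in the `__main__` block is the case worth checking on a real deployment: the rebind procedure only fixes the client side, so the master's ACLs must refuse anonymous writes on their own, or any client that chases the referral without rebinding gets to modify entries.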
