[PATCH] Merge LDAP into pluggable Passdb

Stefan (metze) Metzmacher metze at metzemix.de
Mon Jan 28 07:53:10 GMT 2002


you wrote:
 >This patch merges LDAP into the pluggable passdb mechanism.
 >
 >I'm not currently proposing this patch for inclusion, because Jerry
 >wants some sanity between Samba 2.2 and HEAD.
 >
 >This patch also introduces the 'ldap uri' concept that Samba-TNG were
 >toying with recently - and removes the ldap server and ldap port
 >smb.conf parameters.  Instead, servers are listed in a URI format after
 >the colon in the 'passdb backend' parameter.
 >
 >EG:
 >
 >ldapsam:ldap://localhost
 >
 >or
 >
 >ldapsam:ldaps://localhost.
 >
 >The ldaps stuff doesn't seem to work for now - I'll need to chase this
 >up.  But basic functionality is intact, and it is now run-time
 >selectable.  Posted for *comment*, I don't expect it to be particularly
 >useful to anyone...
 >
 >I suspect I'm going to get very familiar with LDAP very quickly...
 >
 >Andrew Bartlett

I think it's not nice to use the 'ldap uri' concept as parameters in the 
'passdb backend' option. If you do so, it would be nice if all config 
options were listed there!

in this way:
passdb backend = 
ldapsam:ldap://ldap.domain.com/&admindn=uid=admin,o=domain,c=com&filter=(&(uid=%u)(objectClass=sambaAccount)) 



I would prefer to use

-       only the ldap server, ldap port, .. parameters.
or:
-       the ldap parameters in /etc/ldap.conf, which is also used by pam_ldap
         and nss_ldap, and add samba-specific parameters to it, so that the
         ldapsam module is independent of the smb.conf.

Tell me if I could do some work for you?!

metze

in the ldap.conf:
----------------------------------------------------------------------
#### use host,port combination
host  ldap.domain.com
port   389
# or uri (overrides the host,port combination)
uri     ldap://ldap.domain.com/
## to specify the server and port

# the ldap suffix is the base parameter
base    ou=users, o=domain, c=com

# use ldap_version, scope, deref, referrals, timelimit, bind_timelimit,
# ssl and tls_* parameters

smb_admin_dn    uid=smb-admin, ou=users, o=domain, c=com
# the admin password is stored in the secret.tdb as currently done!
smb_filter      (&(uid=%u)(objectClass=sambaAccount))
---------------------------------------------------------------------------------------


ldap.conf from pam_ldap and nss_ldap
-----------------------------------------------------
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base dc=padl,dc=com

# Another way to specify your LDAP server is to provide a
# uri with the server name. This allows the use of
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

...

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# SAMBA administrator dn
#smb_admin_dn

# SAMBA search filter
#smb_filter

Kind regards
metze

Stefan "metze" Metzmacher <metze at metzemix.de>
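As an added example (not code from this mail, from Samba or from PADL), here is a small Python resolver for the ldap.conf layout metze proposes above: it applies the "uri overrides host,port" rule, decodes a %2f-encoded ldapi socket path, expands %u in smb_filter, and reports TLS settings under which tls_checkpeer (default "no") would leave the server certificate unverified. The sample config and all function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in the ldap.conf layout proposed in the mail (not a real site).
SAMPLE_CONF = """\
#### host,port are ignored once uri is set
host  ldap.domain.com
port   389
uri     ldaps://ldap.domain.com/
base    ou=users, o=domain, c=com
smb_admin_dn    uid=smb-admin, ou=users, o=domain, c=com
smb_filter      (&(uid=%u)(objectClass=sambaAccount))
"""

def parse_ldap_conf(text):
    """'key value' lines; '#' comments and blank lines skipped; last key wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def server_uri(conf):
    """'uri' overrides host/port; ldapi socket paths arrive %2f-encoded."""
    uri = conf.get("uri")
    if uri:
        if uri.startswith("ldapi://"):
            return "ldapi://" + unquote(uri[len("ldapi://"):])
        return uri
    return "ldap://%s:%s/" % (conf.get("host", "127.0.0.1"), conf.get("port", "389"))

def transport_warnings(conf):
    """tls_checkpeer defaults to 'no', so encryption alone does not
    authenticate the server; report the combinations worth fixing."""
    uri = conf.get("uri", "")
    encrypted = uri.startswith("ldaps://") or conf.get("ssl") in ("on", "start_tls")
    checkpeer = conf.get("tls_checkpeer", "no") == "yes"
    warnings = []
    if encrypted and not checkpeer:
        warnings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    if checkpeer and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        warnings.append("tls_checkpeer yes needs tls_cacertfile or tls_cacertdir")
    if not encrypted and not uri.startswith("ldapi://"):
        warnings.append("no TLS: the admin bind to this server is not encrypted")
    return warnings

def smb_search_filter(conf, username):
    """Expand %u in smb_filter; RFC 4515 metacharacters in the name are escaped."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return conf.get("smb_filter", "(uid=%u)").replace("%u", escaped)
```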