web2ldap for Samba4 (was: Samba 4 alpha 4: LDAP Authentication and Users)

Michael Ströder michael at stroeder.com
Fri Jun 27 14:38:32 GMT 2008

Andrew Bartlett wrote:
> cn=administrator,cn=users,dc=your,dc=realm or even
> administrator at YOUR.REALM (but your client may impose a client-side
> restriction preventing using this Microsoft extension). 
> One client that we know works is phpLDAPadmin (runs as php scripts on
> your samba server),

I hope you don't mind that I mention web2ldap as a LDAPv3 client 
suitable for Samba4 which also supports this without the need to 
pre-configure it. ;-)
In the latest release (as of today ;-) I've added a functionality which 
also shows the user's DN even if the user bound with simple bind using 
his UPN.

Besides the interactive user-interface you can form bookmarks with 
almost arbitrary LDAP URLs passed as query string to web2ldap. I'll use 
this in my examples here.
You can try it by running web2ldap as stand-alone demon (simply by 
invoking "python <web2ldap-source>/sbin/web2ldap -d off" on the 
command-line) and enter in the browser:


It uses the defaultNamingContext as search root if not told otherwise.

Without user's password in the URL you'll be prompted for the password:
Set "User entry search filter" to empty string for switching off 
anonymous user search.

If you have pydns installed and your DNS setup is correct (SRV RRs) you 
can even use this URL to let web2ldap locate a DC via DNS:

And if you're running web2ldap as a user who obtained a TGT (via kinit) 
before you can use LDAP SASL bind with mech GSSAPI (needs python-ldap 
and OpenLDAP libs to be built with SASL support):

Unfortunately since AD W2K3 does not support Who Am I? ext. op. the bind 
information of GSSAPI can not be displayed. In case this LDAPv3 ext.op. 
is supported it will retrieve the authz-DN the LDAP reports for this 
binding. I've heard that W2K8 supports this but I could not test it yet.

web2ldap contains some AD-specific plugin classes which displays some 
AD-specific attributes more nicely and some classes let you even tweak 
the attributes (e.g. logonHours as multi-line X-XX field). See file 
<web2ldap-source>/etc/web2ldap/web2ldapcnf/plugins/activedirectory.py to 
get the idea behind that.

- Support for client-side setting of Samba password hashes, etc. pp.
- Have fun with the schema browser. Yes, it can handle AD's DIT content 
rules (and more). Direct links into AD's schema configuration context.

See also http://www.web2ldap.de/features.html

Ciao, Michael.

Michael Ströder
E-Mail: michael at stroeder.com

More information about the samba-technical mailing list