web2ldap for Samba4 (was: Samba 4 alpha 4: LDAP Authentication and
Users)
Michael Ströder
michael at stroeder.com
Fri Jun 27 14:38:32 GMT 2008
Andrew Bartlett wrote:
> cn=administrator,cn=users,dc=your,dc=realm or even
> administrator at YOUR.REALM (but your client may impose a client-side
> restriction preventing using this Microsoft extension).
>
> One client that we know works is phpLDAPadmin (runs as php scripts on
> your samba server),
I hope you don't mind that I mention web2ldap as an LDAPv3 client
suitable for Samba4 which also supports this without the need to
pre-configure it. ;-)
In the latest release (as of today ;-) I've added a functionality which
also shows the user's DN even if the user bound with simple bind using
his UPN.
Besides the interactive user-interface you can form bookmarks with
almost arbitrary LDAP URLs passed as query string to web2ldap. I'll use
this in my examples here.
You can try it by running web2ldap as stand-alone daemon (simply by
invoking "python <web2ldap-source>/sbin/web2ldap -d off" on the
command-line) and enter in the browser:
http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM,X-BINDPW=password
It uses the defaultNamingContext as search root if not told otherwise.
Without user's password in the URL you'll be prompted for the password:
http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM
Set "User entry search filter" to empty string for switching off
anonymous user search.
If you have pydns installed and your DNS setup is correct (SRV RRs) you
can even use this URL to let web2ldap locate a DC via DNS:
http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????bindname=username@EXAMPLE.COM
And if you're running web2ldap as a user who obtained a TGT (via kinit)
before you can use LDAP SASL bind with mech GSSAPI (needs python-ldap
and OpenLDAP libs to be built with SASL support):
http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI
Unfortunately since AD W2K3 does not support Who Am I? ext. op. the bind
information of GSSAPI cannot be displayed. In case this LDAPv3 ext.op.
is supported it will retrieve the authz-DN the LDAP server reports for this
binding. I've heard that W2K8 supports this but I could not test it yet.
web2ldap contains some AD-specific plugin classes which display some
AD-specific attributes more nicely and some classes let you even tweak
the attributes (e.g. logonHours as multi-line X-XX field). See file
<web2ldap-source>/etc/web2ldap/web2ldapcnf/plugins/activedirectory.py to
get the idea behind that.
Furthermore:
- Support for client-side setting of Samba password hashes, etc. pp.
- Have fun with the schema browser. Yes, it can handle AD's DIT content
rules (and more). Direct links into AD's schema configuration context.
See also http://www.web2ldap.de/features.html
Ciao, Michael.
--
Michael Ströder
E-Mail: michael at stroeder.com
http://www.stroeder.com
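The bookmark URLs in the mail above are RFC 4516 LDAP URLs passed as the HTTP query string; the run of "????" is the empty attribute list, scope and filter followed by the extensions list (bindname, X-BINDPW, x-saslmech). The following added example (not web2ldap's own code; the function names and the two sample bookmarks are constructed for illustration) parses such a URL and points out when a bookmark carries credentials that will end up in browser history and web server logs.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL (ldap://host/dn?attrs?scope?filter?exts)
    into its parts. Every field after the DN may be empty, which is why the
    web2ldap bookmarks contain '????' before the extensions list."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, rest = rest.partition("/")   # empty host => DNS SRV lookup
    dn, _, query = rest.partition("?")
    fields = query.split("?") if query else []
    fields += [""] * (4 - len(fields))        # pad missing trailing fields
    attrs, scope, filt, exts = fields[:4]
    extensions = {}
    for item in filter(None, exts.split(",")):
        critical = item.startswith("!")       # '!' marks a critical extension
        name, _, value = item.lstrip("!").partition("=")
        extensions[name.lower()] = (unquote(value), critical)
    return {
        "scheme": scheme.lower(), "host": hostport, "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": extensions,
    }

def bookmark_to_ldap_url(bookmark):
    """web2ldap bookmarks carry the LDAP URL as the HTTP query string."""
    return bookmark.partition("?")[2]

def review_bookmark(bookmark):
    """Return findings about credentials embedded in a bookmark (constructed
    checks, not part of web2ldap)."""
    p = parse_ldap_url(bookmark_to_ldap_url(bookmark))
    ext = p["extensions"]
    findings = []
    if "x-bindpw" in ext:
        findings.append("password in URL: lands in browser history and web server logs")
    if "bindname" in ext and "x-saslmech" not in ext and p["scheme"] != "ldaps":
        findings.append("simple bind over plain ldap://: password crosses the wire in clear")
    return findings

if __name__ == "__main__":
    # constructed sample bookmarks mirroring the ones in the mail
    pw = "http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM,X-BINDPW=password"
    krb = "http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI"
    for b in (pw, krb):
        print(b, "->", review_bookmark(b) or ["no embedded credentials"])
```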