web2ldap for Samba4 (was: Samba 4 alpha 4: LDAP Authentication and Users)
Andrew Bartlett
abartlet at samba.org
Sat Jun 28 08:37:34 GMT 2008
On Fri, 2008-06-27 at 16:38 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> > cn=administrator,cn=users,dc=your,dc=realm or even
> > administrator at YOUR.REALM (but your client may impose a client-side
> > restriction preventing using this Microsoft extension).
> >
> > One client that we know works is phpLDAPadmin (runs as php scripts on
> > your samba server),
>
> I hope you don't mind that I mention web2ldap as an LDAPv3 client
> suitable for Samba4 which also supports this without the need to
> pre-configure it. ;-)
Are there any settings at all? (Such as a default server etc.?) I'm
particularly interested in having it connect to an ldapi socket on the
host, but it would not be safe to allow users to specify this remotely.
> In the latest release (as of today ;-) I've added a functionality which
> also shows the user's DN even if the user bound with simple bind using
> his UPN.
>
> Besides the interactive user-interface you can form bookmarks with
> almost arbitrary LDAP URLs passed as query string to web2ldap. I'll use
> this in my examples here.
> You can try it by running web2ldap as a stand-alone daemon (simply by
> invoking "python <web2ldap-source>/sbin/web2ldap -d off" on the
> command-line) and entering in the browser:
>
> http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM,X-BINDPW=password
>
> It uses the defaultNamingContext as search root if not told otherwise.
>
> Without the user's password in the URL you'll be prompted for the password:
> http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM
> Set "User entry search filter" to empty string for switching off
> anonymous user search.
>
> If you have pydns installed and your DNS setup is correct (SRV RRs) you
> can even use this URL to let web2ldap locate a DC via DNS:
> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????bindname=username@EXAMPLE.COM
>
> And if you're running web2ldap as a user who obtained a TGT (via kinit)
> before, you can use LDAP SASL bind with mech GSSAPI (needs python-ldap
> and OpenLDAP libs to be built with SASL support):
> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI
Have you looked into mod_auth_kerb and forwardable tickets?
> Unfortunately, since AD W2K3 does not support the Who Am I? ext. op., the bind
> information of GSSAPI cannot be displayed. In case this LDAPv3 ext. op.
> is supported it will retrieve the authz-DN the LDAP server reports for this
> binding. I've heard that W2K8 supports this but I could not test it yet.
It would be interesting to add this extended operation to Samba4 as
well.
> web2ldap contains some AD-specific plugin classes which display some
> AD-specific attributes more nicely, and some classes let you even tweak
> the attributes (e.g. logonHours as a multi-line X-XX field). See file
> <web2ldap-source>/etc/web2ldap/web2ldapcnf/plugins/activedirectory.py to
> get the idea behind that.
>
> Furthermore:
> - Support for client-side setting of Samba password hashes, etc. pp.
> - Have fun with the schema browser. Yes, it can handle AD's DIT content
> rules (and more). Direct links into AD's schema configuration context.
>
> See also http://www.web2ldap.de/features.html
We have been looking around for good GUIs for Samba4's LDAP server ever
since the AJAX-style LDB browser was ripped out a year ago.
Is it packaged for major distributions? I can't find it in Fedora.
Perhaps someone should start a wiki page with notes on the working (and
not so working) LDAP clients for Samba4, so that future administrators
know where to start?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
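The bookmark URLs quoted above are RFC 4516 LDAP URLs carrying web2ldap's bindname/X-BINDPW extensions in the fifth field. The parser below is an added example (not web2ldap's or Samba's own code) that splits such a URL into its fields, handles the critical-extension "!" prefix and the host-less "locate a DC via DNS SRV" form, and produces a log-safe copy with the X-BINDPW value masked; the class and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

SECRET_EXTS = {"x-bindpw"}          # extension types that carry a credential
SCOPES = {"", "base", "one", "sub"}

@dataclass
class LDAPURL:
    scheme: str
    host: str                # "" means: find a server for the DN via DNS SRV RRs
    port: "int | None"
    dn: str
    attributes: list
    scope: str
    search_filter: str
    extensions: dict         # lowercase extension type -> (critical, value)

    def bindname(self):
        ext = self.extensions.get("bindname")
        return ext[1] if ext else None

    def locate_via_dns(self):
        return self.host == "" and self.dn != ""

    def redacted(self):      # log-safe form: credential extension values masked
        exts = ",".join(("!" if crit else "") + typ + "=" +
                        ("***" if typ in SECRET_EXTS else val)
                        for typ, (crit, val) in self.extensions.items())
        hostport = self.host + (f":{self.port}" if self.port else "")
        return (f"{self.scheme}://{hostport}/{self.dn}?{','.join(self.attributes)}"
                f"?{self.scope}?{self.search_filter}?{exts}")

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL: scheme://host:port/dn?attrs?scope?filter?exts."""
    m = re.match(r"^(ldaps?|ldapi)://([^/?]*)(?:/(.*))?$", url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, hostport, rest = m.group(1), m.group(2), m.group(3) or ""
    host, port = re.match(r"^(.*?)(?::(\d+))?$", hostport).groups()
    dn, attrs, scope, filt, exts = (rest.split("?", 4) + [""] * 5)[:5]
    if scope.lower() not in SCOPES:
        raise ValueError(f"bad scope: {scope!r}")
    extensions = {}
    for ext in filter(None, exts.split(",")):   # leading "!" = critical extension
        typ, _, val = ext.lstrip("!").partition("=")
        extensions[typ.lower()] = (ext.startswith("!"), unquote(val))
    return LDAPURL(scheme, unquote(host), int(port) if port else None, unquote(dn),
                   [unquote(a) for a in attrs.split(",") if a],
                   scope.lower(), unquote(filt), extensions)
```

Running it on the thread's first bookmark shows why a web front end should log `redacted()` rather than the raw query string: the password travels in the URL and would otherwise land in every access log and browser history.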