web2ldap for Samba4 (was: Samba 4 alpha 4: LDAP Authentication and Users)

Andrew Bartlett abartlet at samba.org
Sat Jun 28 08:37:34 GMT 2008

On Fri, 2008-06-27 at 16:38 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> > cn=administrator,cn=users,dc=your,dc=realm or even
> > administrator at YOUR.REALM (but your client may impose a client-side
> > restriction preventing using this Microsoft extension). 
> > 
> > One client that we know works is phpLDAPadmin (runs as php scripts on
> > your samba server),
> I hope you don't mind that I mention web2ldap as a LDAPv3 client 
> suitable for Samba4 which also supports this without the need to 
> pre-configure it. ;-)

Are there any settings at all?  (Such as a default server etc?).  I'm
particularly interested in having it connect to an ldapi socket on the
host, but it would not be safe to allow users to specify this remotely. 

> In the latest release (as of today ;-) I've added a functionality which 
> also shows the user's DN even if the user bound with simple bind using 
> his UPN.
> Besides the interactive user-interface you can form bookmarks with 
> almost arbitrary LDAP URLs passed as query string to web2ldap. I'll use 
> this in my examples here.
> You can try it by running web2ldap as stand-alone demon (simply by 
> invoking "python <web2ldap-source>/sbin/web2ldap -d off" on the 
> command-line) and enter in the browser:
> http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM,X-BINDPW=password
> It uses the defaultNamingContext as search root if not told otherwise.
> Without user's password in the URL you'll be prompted for the password:
> http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=username@EXAMPLE.COM
> Set "User entry search filter" to empty string for switching off 
> anonymous user search.
> If you have pydns installed and your DNS setup is correct (SRV RRs) you 
> can even use this URL to let web2ldap locate a DC via DNS:
> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????bindname=username@EXAMPLE.COM
> And if you're running web2ldap as a user who obtained a TGT (via kinit) 
> before you can use LDAP SASL bind with mech GSSAPI (needs python-ldap 
> and OpenLDAP libs to be built with SASL support):
> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI

Have you looked into mod_auth_kerb and forwardable tickets?

> Unfortunately since AD W2K3 does not support Who Am I? ext. op. the bind 
> information of GSSAPI can not be displayed. In case this LDAPv3 ext.op. 
> is supported it will retrieve the authz-DN the LDAP reports for this 
> binding. I've heard that W2K8 supports this but I could not test it yet.

It would be interesting to add this extended operation to Samba4 as

> web2ldap contains some AD-specific plugin classes which displays some 
> AD-specific attributes more nicely and some classes let you even tweak 
> the attributes (e.g. logonHours as multi-line X-XX field). See file 
> <web2ldap-source>/etc/web2ldap/web2ldapcnf/plugins/activedirectory.py to 
> get the idea behind that.
> Furthermore:
> - Support for client-side setting of Samba password hashes, etc. pp.
> - Have fun with the schema browser. Yes, it can handle AD's DIT content 
> rules (and more). Direct links into AD's schema configuration context.
> See also http://www.web2ldap.de/features.html

We have been looking around for good GUIs for Samba4's LDAP server ever
since the AJAX-style LDB browser was ripped out a year ago.  

Is it packaged for major distributions?  I can't find it in Fedora. 

Perhaps someone should start a wiki page with notes on the working (and
not so working) LDAP clients for Samba4, so that future administrators
know where to start?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
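The bookmark URLs quoted above are plain RFC 4516 LDAP URLs: the web2ldap query string is `scheme://host/dn?attrs?scope?filter?extensions`, with `bindname`, `X-BINDPW` and `x-saslmech` carried as extensions and an empty host meaning "locate a server via DNS SRV". The parser below is an added example (not web2ldap's code or configuration) that pulls those parts out of the URLs from this mail, derives the SRV owner name from the `dc=` components of the base DN, and encodes the concern raised in the reply about remote users choosing an `ldapi` socket as a refusal check. The `check_remote_use` policy, the `_ldap._tcp.<domain>` mapping and all sample URLs are this example's assumptions.

```python
"""Parse RFC 4516 LDAP URLs as used in web2ldap bookmarks (added example)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}
# Extensions this example knows how to honour; anything else marked critical ("!") is refused.
SUPPORTED_EXTENSIONS = {"bindname", "x-bindpw", "x-saslmech"}


@dataclass
class LdapUrl:
    scheme: str
    host: str                      # "" means: locate a server via DNS SRV records
    port: Optional[int]
    dn: str
    attrs: list = field(default_factory=list)
    scope: str = "base"
    search_filter: str = ""
    extensions: dict = field(default_factory=dict)   # lower-cased type -> decoded value
    critical: set = field(default_factory=set)       # extension types prefixed with "!"


def _split_hostport(hostport: str):
    """Split 'host:port' (IPv6 literal in brackets) into (host, port or None)."""
    if hostport.startswith("["):                     # e.g. [::1]:389
        end = hostport.index("]")
        host, rest = hostport[1:end], hostport[end + 1:]
    else:
        host, sep, rest = hostport.partition(":")
        rest = sep + rest
    port = None
    if rest.startswith(":"):
        if not rest[1:].isdigit():
            raise ValueError("bad port in %r" % hostport)
        port = int(rest[1:])
    return host, port


def _parse_extensions(ext_str: str):
    """extensions = [!]type[=value] (',' [!]type[=value])*; values percent-encoded."""
    exts, critical = {}, set()
    for item in [x for x in ext_str.split(",") if x]:
        is_critical = item.startswith("!")
        item = item[1:] if is_critical else item
        etype, _, value = item.partition("=")
        etype = unquote(etype).lower()
        exts[etype] = unquote(value)
        if is_critical:
            critical.add(etype)
    return exts, critical


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    if scheme == "ldapi":
        host, port = unquote(hostport), None         # percent-encoded Unix socket path
    else:
        host, port = _split_hostport(hostport)
    # dn ? attrs ? scope ? filter ? extensions (split before decoding, so an encoded
    # '?' inside the filter or an encoded ',' inside an extension value survives)
    parts = (path.split("?") + [""] * 5)[:5]
    dn, attrs, scope, search_filter = (unquote(p) for p in parts[:4])
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope %r" % scope)
    exts, critical = _parse_extensions(parts[4])
    return LdapUrl(scheme, host, port, dn, [a for a in attrs.split(",") if a],
                   SCOPES[scope.lower()], search_filter, exts, critical)


def srv_name_for_dn(dn: str) -> str:
    """dc=example,dc=com -> _ldap._tcp.example.com (RFC 2247 domain mapping; assumption
    that the plain _ldap._tcp.<domain> SRV record is what gets queried)."""
    labels = [v.strip() for rdn in dn.split(",")
              for t, _, v in [rdn.strip().partition("=")] if t.strip().lower() == "dc"]
    if not labels:
        raise ValueError("no dc= components in %r" % dn)
    return "_ldap._tcp." + ".".join(labels)


def check_remote_use(u: LdapUrl) -> list:
    """Reasons to refuse a URL supplied by a remote browser user (example policy)."""
    problems = []
    if u.scheme == "ldapi":
        problems.append("ldapi socket path chosen by a remote user")
    if "x-bindpw" in u.extensions:
        problems.append("password carried in the URL (ends up in logs, history, Referer)")
    unknown = u.critical - SUPPORTED_EXTENSIONS
    if unknown:                                      # RFC 4516: unknown critical ext => reject
        problems.append("unsupported critical extension(s): " + ",".join(sorted(unknown)))
    return problems
```

For a web2ldap-style bookmark such as `http://localhost:1760/web2ldap?ldap://dc.example.com/????bindname=...`, the LDAP URL is everything after the first `?` of the HTTP URL; feed that to `parse_ldap_url`. The two URLs from the mail that omit the host parse with `host == ""`, and `srv_name_for_dn(u.dn)` gives the SRV name to resolve before connecting.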