web2ldap for Samba4

Michael Ströder michael at stroeder.com
Sat Jun 28 13:36:51 GMT 2008

Andrew Bartlett wrote:
>> I hope you don't mind that I mention web2ldap as an LDAPv3 client 
>> suitable for Samba4 which also supports this without the need to 
>> pre-configure it. ;-)
> Are there any settings at all?

You can tweak quite a lot with a cascaded configuration.

> (Such as a default server etc?).

There's no such thing as a default server. You can define a list of 
LDAP URLs with optional descriptions to appear in the select list on the 
entry page.

> I'm particularly interested in having it connect to an ldapi socket
> on the host, but it would not be safe to allow users to specify this
> remotely.

A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general 
web2ldap does not enforce any kind of authorization and IMO it would not 
make sense at all. You have to disallow LDAPI access by appropriate OS 
level authorization (file ownership/permissions), just as you have 
to restrict TCP/IP access to LDAP servers by network configuration if 
needed. So that it can be restricted by ownership/permissions, web2ldap 
can run as a separate system user.

>> And if you're running web2ldap as a user who obtained a TGT (via kinit) 
>> beforehand, you can use LDAP SASL bind with mech GSSAPI (needs python-ldap 
>> and OpenLDAP libs to be built with SASL support):
>> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI
> Have you looked into mod_auth_kerb and forwardable tickets?

I'd like to use SASL/GSSAPI with forwardable tickets (probably 
self-implemented SPNEGO if possible). Unfortunately I have to stick to what 
the OpenLDAP client API provides. AFAIK I cannot pre-initialize a GSSAPI 
context and pass it to the OpenLDAP client libs during SASL bind.

Does your ldb module for Python provide such capabilities?

Another work-around for something like this would be authenticating the 
end-user (e.g. with SSL client certs, SPNEGO etc.), mapping this 
identity to an LDAP authz DN and then using the Proxy Authorization Control 
to let LDAP operations happen on behalf of the authenticated user with 
the server-based access control.
Therefore I plan to let web2ldap bind with a default identity 
(service account) to the LDAP server.

>> Unfortunately, since AD W2K3 does not support the Who Am I? ext. op., the bind 
>> information of GSSAPI cannot be displayed. In case this LDAPv3 ext. op. 
>> is supported it will retrieve the authz-DN the LDAP server reports for this 
>> bind. I've heard that W2K8 supports this but I could not test it yet.
> It would be interesting to add this extended operation to Samba4 as
> well. 

This ext.op. shows errors in SASL configuration quite quickly.

> We have been looking around for good GUIs for Samba4's LDAP server ever
> since the AJAX-style LDB browser was ripped out a year ago.

I don't know whether it's something most people would consider a "good 
GUI" since there are no general criteria for this. But it works pretty 
well with AD. I'm using it to set attributes for which there are no 
input fields in the MMC (e.g. employeeNumber).

> Is it packaged for major distributions?

No. But once you have the required modules installed you can simply 
unpack and run it as described in my former e-mail. Most modules are 
available in major distributions, but they can also be built into RPMs with 
Python's Distutils by invoking 'python setup.py bdist_rpm'. With 'python 
<web2ldap-source>/sbin/checkinst.py' you can check what's already 
installed on your system.

Ciao, Michael.
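The mail above touches four client-side mechanics without showing any code: the LDAP URL with the x-saslmech extension, restricting an ldapi:// socket by OS-level ownership and permissions, the Proxied Authorization control used to act on behalf of an externally authenticated user, and the Who Am I? extended operation that reveals which identity a SASL bind actually ended up with. The following is an added example written for this page, not web2ldap or python-ldap code. It uses only the Python standard library so it runs without a directory server; the URLs, the user-to-DN table (identity_map/users) and the socket path are constructed for illustration. In a real client the pieces map onto python-ldap's sasl_interactive_bind_s('', ldap.sasl.gssapi()), ldap.controls.simple.ProxyAuthzControl and LDAPObject.whoami_s().

```python
"""Constructed helpers for the client-side mechanics discussed in the mail:
RFC 4516 LDAP URL parsing (incl. the x-saslmech extension), an OS-level
check for an ldapi:// socket, the Proxied Authorization control (RFC 4370)
and the Who Am I? response (RFC 4532).  Standard library only; this is an
illustration, not web2ldap or python-ldap code."""
import os
import stat
from urllib.parse import unquote

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # Proxied Authorization, RFC 4370
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"         # Who Am I?, RFC 4532
LDAP_SCHEMES = ("ldap", "ldaps", "ldapi")


def parse_ldap_url(url):
    """Split scheme://[host[:port]]/[dn[?attrs[?scope[?filter[?exts]]]]].
    Extensions are comma-separated name[=value] items; a leading '!' marks
    one as critical.  ldapi URLs carry the percent-encoded socket path in
    the host position."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in LDAP_SCHEMES:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    fields = path.split("?", 4)              # at most the five RFC 4516 fields
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields
    extensions = {}
    for item in exts.split(","):
        if not item:
            continue
        critical = item.startswith("!")
        name, _, value = item.lstrip("!").partition("=")
        extensions[name.lower()] = (unquote(value), critical)
    return {
        "scheme": scheme,
        "hostport": unquote(hostport),
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": extensions,
    }


def bind_mechanism(parsed):
    """SASL mechanism named by the x-saslmech extension (GSSAPI in the URL
    quoted in the mail); None means a simple bind with a password."""
    mech = parsed["extensions"].get("x-saslmech")
    return mech[0].upper() if mech and mech[0] else None


def ldapi_socket_allowed(mode, uid, allowed_uid):
    """Policy for an ldapi:// socket given its stat() mode and owner: it must
    be a socket, not writable by 'other' (connect() on a Unix socket needs
    write permission on the socket inode) and owned by root or the expected
    service user.  A group-writable socket still admits the whole group."""
    return bool(stat.S_ISSOCK(mode)
                and not mode & stat.S_IWOTH
                and uid in (0, allowed_uid))


def check_ldapi_path(path, allowed_uid):
    """stat() the socket path taken from an ldapi URL and apply the policy."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return ldapi_socket_allowed(st.st_mode, st.st_uid, allowed_uid)


def authz_id_for_user(principal, identity_map):
    """Map an externally authenticated identity (SPNEGO principal, client-cert
    subject, ...) to an LDAP authzId.  identity_map is a constructed table
    standing in for a directory lookup; unknown users are refused instead of
    being silently proxied as the service account."""
    dn = identity_map.get(principal)
    if dn is None:
        raise PermissionError("no LDAP identity mapped for %r" % principal)
    return "dn:" + dn


def proxy_authz_control(authz_id, critical=True):
    """Proxied Authorization control as (oid, criticality, value).  The value
    is the bare authzId ('dn:<DN>' or 'u:<userid>'), not BER-wrapped; an
    empty authzId requests anonymous authorization."""
    if authz_id and not authz_id.startswith(("dn:", "u:")):
        raise ValueError("authzId must be 'dn:...', 'u:...' or empty")
    return (PROXY_AUTHZ_OID, critical, authz_id.encode("utf-8"))


def parse_whoami_response(value):
    """Interpret the Who Am I? response: an authzId in the same form, or an
    empty value for an anonymous session.  A GSSAPI bind that shows up as
    anonymous here points at a broken SASL/Kerberos setup."""
    if not value:
        return ("anonymous", None)
    text = value.decode("utf-8") if isinstance(value, bytes) else value
    kind, sep, rest = text.partition(":")
    if sep and kind in ("dn", "u"):
        return (kind, rest)
    raise ValueError("unexpected authzId: %r" % text)


if __name__ == "__main__":
    users = {"alice@EXAMPLE.COM": "cn=alice,ou=people,dc=example,dc=com"}
    p = parse_ldap_url("ldap:///dc=example,dc=com????x-saslmech=GSSAPI")
    print(p["dn"], bind_mechanism(p))
    q = parse_ldap_url("ldapi://%2Fvar%2Frun%2Fldapi/")
    print(q["hostport"], check_ldapi_path(q["hostport"], os.getuid()))
    print(proxy_authz_control(authz_id_for_user("alice@EXAMPLE.COM", users)))
    print(parse_whoami_response(b"dn:cn=alice,ou=people,dc=example,dc=com"))
```

The socket check is deliberately done on the stat() mode rather than by attempting a connect(): the kernel enforces the permission at connect() time anyway, so the client-side check only gives an earlier and clearer error, and the real control stays with file ownership and mode on the server host, as the mail says. Note that the Proxied Authorization control is sent on each operation after the service-account bind, so the server's ACLs must grant the service account the right to assume the mapped identity; sending the control without that right fails the operation when the control is marked critical.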
