web2ldap for Samba4
michael at stroeder.com
Sat Jun 28 13:36:51 GMT 2008
Andrew Bartlett wrote:
>> I hope you don't mind that I mention web2ldap as an LDAPv3 client
>> suitable for Samba4 which also supports this without the need to
>> pre-configure it. ;-)
> Are there any settings at all?
You can tweak quite a lot with a cascaded configuration:
> (Such as a default server etc?).
There's no such thing as a default server. You can define a list of
LDAP URLs with optional description to appear in the select list on the
> I'm particularly interested in having it connect to an ldapi socket
> on the host, but it would not be safe to allow users to specify this
A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general
web2ldap does not enforce any kind of authorization and IMO it would not
make sense at all. You have to disallow LDAPI access by appropriate OS
level authorization (file ownership/permissions), similar to how you have
to restrict TCP/IP access to LDAP servers by network configuration if
needed. To restrict by ownership/permissions web2ldap can run as a
separate system user.
>> And if you're running web2ldap as a user who obtained a TGT (via kinit)
>> before, you can use LDAP SASL bind with mech GSSAPI (needs python-ldap
>> and OpenLDAP libs to be built with SASL support):
> Have you looked into mod_auth_kerb and forwardable tickets?
I'd like to use SASL/GSSAPI with forwardable tickets (probably
self-implemented SPNEGO if possible). Unfortunately I have to stick with what
the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI
context and pass that to the OpenLDAP client libs during SASL bind.
Does your ldb module for Python provide such capabilities?
Another work-around for something like this would be authenticating the
end-user (e.g. with SSL client certs, SPNEGO etc.) and then mapping this
identity to an LDAP authz DN, then using the Proxy Authorization Control
to let LDAP operations happen on behalf of the authenticated user with
the server-based access control.
Therefore I plan to let web2ldap bind with a default identity
(service account) to the LDAP server.
>> Unfortunately since AD W2K3 does not support the Who Am I? ext. op. the bind
>> information of GSSAPI can not be displayed. In case this LDAPv3 ext.op.
>> is supported it will retrieve the authz-DN the LDAP server reports for this
>> binding. I've heard that W2K8 supports this but I could not test it yet.
> It would be interesting to add this extended operation to Samba4 as
This ext.op. shows errors in SASL configuration quite quickly.
> We have been looking around for good GUIs for Samba4's LDAP server ever
> since the AJAX-style LDB browser was ripped out a year ago.
I don't know whether it's something most people would consider a "good
GUI" since there are no general criteria for this. But it works pretty
well with AD. I'm using it to set attributes for which there are no
input fields in the MMC (e.g. employeeNumber).
> Is it packaged for major distributions?
No. But once you have the required modules installed you can simply
unpack and run it as described in my former e-mail. Most modules are
available in major distributions but can e.g. be compiled to RPMs with
Python's DistUtils by invoking 'python setup.py bdist_rpm'. With 'python
<web2ldap-source>/sbin/checkinst.py' you can check on what's already
installed on your system.
More information about the samba-technical
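The following is an added example illustrating three points from Michael's reply; it is not from this e-mail thread and not web2ldap's own code. It checks that an ldapi socket is protected by OS-level ownership/permissions (the only authorization layer web2ldap relies on for LDAPI), parses the authzId string returned by the "Who Am I?" extended operation (RFC 4532, "dn:<DN>" or "u:<userid>", empty for anonymous), and shows how a service account would bind via SASL/GSSAPI and act on behalf of a mapped user with the Proxy Authorization Control (RFC 4370). The function and variable names are hypothetical; the python-ldap calls (`ldap.initialize`, `sasl_interactive_bind_s`, `ldap.sasl.gssapi`, `whoami_s`, `ldap.controls.simple.ProxyAuthzControl`) are assumed from the python-ldap API and are only imported lazily, so the permission and parsing helpers run without python-ldap or an LDAP server.

```python
"""Added example (not from the original e-mail, not part of web2ldap).

1. LDAPI access is restricted purely by ownership/permissions on the socket.
2. "Who Am I?" (RFC 4532) returns an authzId "dn:<DN>", "u:<userid>" or "".
3. A service account can act for an already authenticated user with the
   Proxy Authorization Control (RFC 4370) instead of binding as that user.
"""
import os
import socket
import stat
import tempfile


def ldapi_socket_is_restricted(path, expected_uid=None):
    """Return (ok, reason).  ok is True only if `path` is a UNIX domain socket,
    grants no access to 'other', and (if given) is owned by expected_uid.
    This is the OS-level check that stands in for LDAP-side authorization."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "socket does not exist"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a UNIX domain socket"
    if st.st_mode & stat.S_IRWXO:
        return False, "socket accessible by 'other' (mode %o)" % (st.st_mode & 0o777)
    if expected_uid is not None and st.st_uid != expected_uid:
        return False, "socket owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    return True, "ok"


def parse_authz_id(authz_id):
    """Parse a Who Am I? response into (kind, value).
    kind is "dn", "u" or "anonymous"; anything else is rejected."""
    if not authz_id:
        return ("anonymous", "")
    if isinstance(authz_id, bytes):
        authz_id = authz_id.decode("utf-8")
    kind, sep, value = authz_id.partition(":")
    if sep != ":" or kind not in ("dn", "u"):
        raise ValueError("malformed authzId: %r" % authz_id)
    return (kind, value)


def whoami_via_gssapi(ldap_uri, proxy_authz_dn=None):
    """Bind with SASL/GSSAPI using the caller's ticket cache (run kinit first)
    and return the parsed Who Am I? result.  Needs python-ldap built against
    SASL-enabled OpenLDAP libs (assumed API, imported lazily; not run here).
    If proxy_authz_dn is given, the operation is performed on behalf of that
    DN via the Proxy Authorization Control, as a service account would do."""
    import ldap
    import ldap.sasl
    from ldap.controls.simple import ProxyAuthzControl

    conn = ldap.initialize(ldap_uri)
    conn.protocol_version = ldap.VERSION3
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    serverctrls = []
    if proxy_authz_dn:
        serverctrls.append(ProxyAuthzControl(True, "dn:" + proxy_authz_dn))
    # With the control attached, a server that honours it reports the proxied
    # identity here, which is a quick way to see SASL/authz misconfiguration.
    return parse_authz_id(conn.whoami_s(serverctrls=serverctrls))


def demo_socket_check():
    """Constructed fixture: create a throwaway UNIX socket and show that the
    check passes at mode 0700 and fails at world-accessible 0777."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ldapi")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    try:
        os.chmod(path, 0o700)
        strict = ldapi_socket_is_restricted(path, os.getuid())[0]
        os.chmod(path, 0o777)
        lax = ldapi_socket_is_restricted(path)[0]
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return strict, lax


if __name__ == "__main__":
    print("socket check (strict, lax):", demo_socket_check())
    print(parse_authz_id("dn:cn=Michael,dc=example,dc=org"))
```

Running web2ldap as its own system user and giving that user (or a group it belongs to) the only access to the ldapi socket is what makes the first check meaningful; the GSSAPI/proxy path is only exercised against a real server with a valid ticket cache.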