Fedora DS Support

Andrew Bartlett abartlet at samba.org
Wed Aug 26 17:18:31 MDT 2009

On Wed, 2009-08-26 at 18:54 -0400, Dmitri Pal wrote:
> Andrew Bartlett wrote:
> > On Wed, 2009-08-26 at 14:35 -0400, Endi Sukma Dewata wrote:
> >   
> >> Andrew,
> >>
> >> Attached is the patch created against the master branch. I haven't been
> >> able to test it because I'm still having a build problem with the
> >> master branch. So please feel free to try it. I'll let you know when I
> >> can get it to work. Thanks.
> >>     
> >
> > Endi,
> >
> > Thanks for getting back to me quickly, as it means I can help redirect
> > your efforts.  It seems I must have been unclear about the future of
> > those particular changes.  We must remove them - not re-add them.  
> >
> > Setting that ACI makes Fedora DS completely insecure - because it
> > changes the ACL on each partition to be 'anonymous may do anything'.  It
> > was a great hack when we first started this, but it must not be revived.
> >
> > The patch I need from you, against master, is best summed up as:
> > 'whatever is needed to make Fedora DS work as a backend, as pass as much
> > of make test as possible, using SASL authentication between Samba4 and
> > Fedora DS'. 
> >
> > The background to this is that I reworked the OpenLDAP backend to use
> > secure SASL authentication and strict access control between Samba4 and
> > OpenLDAP many months ago, but did not upgrade Fedora DS to that same
> > level of support.  The Fedora DS backend needs to be upgraded to this
> > same level of maturity. 
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> >   
> I wonder if the ldapi should be used in this case. It was added recently
> to 389 and IPA already takes advantage of it.
> It is local LDAP over domain sockets.

Yes.  In fact Samba4 only supports the use of ldapi (I've recently
removed the support for LDAP over TCP from our provision scripts).  

For the moment, I'm requiring SASL authentication over that ldapi

Just in case you were wondering, I know about the EXTERNAL SASL
mechanism - indeed, I lobbied to have it added to Fedora DS about 3
years ago.  (We just don't use it yet)

> Since the back end is local to the Samba instance the ldapi can be used
> in this case.
> It would be faster and I bet a bit simpler. 

That's exactly why we use it.  :-)

> Endi you can ask Rob and
> Rich for help with this.
> What occurred to me is that 389 is a platform specific back end. Would
> not build for Windows for example or on AIX.
> I do not know on what level the Samba back end driver detects if the DS
> is available on the  platform but in case of LDAPI it definitely should
> be taken into account and checked at some level.

It is a very poor OS that does not support unix domain sockets - Samba4
won't function on one without in any case.

Using ldapi is actually vital to 'make test', as otherwise we would risk
exposing our test environment to the 'real word' on a real TCP socket.
Unix domain sockets can be easily hidden inside private directories. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090827/0f07363a/attachment.pgp>

More information about the samba-technical mailing list