Fedora DS Support

Andrew Bartlett abartlet at samba.org
Mon Aug 31 17:20:06 MDT 2009


On Mon, 2009-08-31 at 19:00 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > >    In #3 I will add the SASL authentication. I might send another
> > >    patch here.
> > 
> > Good.  One particular task will be to figure out how to add a SASL user
> > into Fedora DS. (We add them to OpenLDAP using its LDIF backend and
> > manually constructed LDIF).
> 
> I've been looking at the code and thinking to do this:
> 
> 1. Create cn=samba partition in FDS.
> 2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
>    directory and set the password in clear text.
> 3. Setup SASL mapping for samba-admin to the above user.
> 4. Change the auth for Samba-to-FDS from anonymous to SASL as
>    samba-admin as in Samba-to-OpenLDAP.
> 
> Is this the correct approach? I've figured out how to do #1 and #3.

Yes, I think this is exactly the right approach.  The only other thing
you might consider is if you can create the cn=samba-admin,cn=samba user
via an 'initial LDIF' fragment into FDS. 

> I was trying to do #2 by adding another partition in samdb, but
> it seems that an LDB can only have one rootDomainNamingContext,
> so I can't add cn=samba because the root context is dc=samba,dc=example,
> dc=com. Another alternative is to do this by invoking ldapi directly,

Yes, you should do this against ldapi directly. 

> but I'm not sure how to do that from Python. Do you have an example?

There is actually a great example already in the script - see the code
that tries to see if an LDAP server is already bound to the ldapi
socket.  (This code is looking for the exception, but you will be
looking for and using the resulting context). 

This is on line 1358.

> About #4, where in the code does it set the anonymous connection for
> FDS and SASL for OpenLDAP?

Line 1648 sets this for OpenLDAP:
    # Set the username - done here because Fedora DS still uses the admin DN and simple bind
    result.credentials.set_username("samba-admin")

Line 1712 sets this to the Manager DN (not sure if that is actually
successful) for Fedora DS:

    result.credentials.set_bind_dn(names.ldapmanagerdn)

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
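As an added example, not code from the provision script or from either poster, here is the ldapi side of the plan above in Python 3: an RFC 2849 LDIF builder for the cn=samba-admin,cn=samba entry (step 2), the percent-encoded ldapi URL Samba uses for the local socket, and the directory-manager bind that would add the entry. The socket path, the person/sn objectClass choice and the samba.Ldb / samba.credentials calls are assumptions about the API; the credentials calls mirror the set_bind_dn() simple bind quoted above, which is the Fedora DS path that step 4 would replace with set_username() for the SASL identity. The userPassword is written in clear text into the fragment, so treat the generated LDIF with the same file permissions as the rest of the private directory.

```python
import base64
from urllib.parse import quote

# Constructed sample values for the example, not taken from the thread.
SAMBA_ADMIN_DN = "cn=samba-admin,cn=samba"
LDAPI_SOCKET = "/var/lib/samba/private/ldapi"   # assumed socket path


def _is_safe(value):
    """RFC 2849 SAFE-STRING test: 7-bit, no NUL/CR/LF, no leading space, ':' or '<'."""
    if value == "":
        return True
    if any(ord(c) > 127 or c in "\0\r\n" for c in value):
        return False
    return value[0] not in " :<"


def ldif_attr(attr, value):
    """One LDIF attribute line; values that are not SAFE-STRINGs are base64-encoded."""
    if _is_safe(value):
        return "%s: %s" % (attr, value)
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def ldif_entry(dn, attrs):
    """Render one entry. attrs maps attribute name -> list of string values."""
    lines = [ldif_attr("dn", dn)]
    for attr, values in attrs.items():
        for value in values:
            lines.append(ldif_attr(attr, value))
    return "\n".join(lines) + "\n"


def samba_admin_ldif(password):
    """Step 2: the samba-admin entry with a clear-text userPassword.
    The objectClass 'person' (which requires sn) is an assumption for the example."""
    return ldif_entry(SAMBA_ADMIN_DN, {
        "objectClass": ["top", "person"],
        "cn": ["samba-admin"],
        "sn": ["samba-admin"],
        "userPassword": [password],
    })


def ldapi_url(socket_path):
    """ldapi:// URL with the socket path percent-encoded, the form Samba's provision code builds."""
    return "ldapi://" + quote(socket_path, safe="")


def add_entry_over_ldapi(socket_path, manager_dn, manager_password, ldif_text, lp):
    """Step 2 as the reply suggests: bind on the ldapi socket as the directory
    manager and add the entry.  Uses Samba's python bindings (assumed API), so it
    only runs on a host with a Samba build; it is not exercised offline."""
    from samba import Ldb, credentials   # only present alongside a Samba install
    creds = credentials.Credentials()
    creds.set_bind_dn(manager_dn)        # simple bind, as in the quoted set_bind_dn() line
    creds.set_password(manager_password)
    conn = Ldb(ldapi_url(socket_path), credentials=creds, lp=lp)
    conn.add_ldif(ldif_text)


if __name__ == "__main__":
    print(ldapi_url(LDAPI_SOCKET))
    print(samba_admin_ldif("example-password"))
```

Calling samba_admin_ldif() on its own just renders the fragment, which is the piece that could also be dropped into an 'initial LDIF' file as the reply mentions; add_entry_over_ldapi() is the ldapi path and needs a LoadParm object and the manager DN and password from the provisioning run.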