Some remarks on Samba4 with OpenLDAP backend

Michael Ströder michael at stroeder.com
Fri Mar 13 18:02:03 GMT 2009


Hi!

I've tried to set up Samba4/OpenLDAP CVS-RE24 (communicating over LDAPI)
along these lines for interop testing with web2ldap:

http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP

The article is a bit outdated regarding paths but now it works.

Note that web2ldap is capable of adding/modifying user accounts on MS AD
W2K3 and setting the unicodePwd attribute just fine.

I hope you don't get this message wrong. The job including the
provisioning scripts is well done. Still I have some questions and remarks:

1. IMHO access to the LDAPI socket should also be possible for other
LDAP clients on the same system. E.g. I'm running my web2ldap as a
separate user on the same system and probably I'd like to access the
OpenLDAP backend directly. So IMHO the socket file
<prefix>/private/ldap/ldapi should be moved to another directory where
other clients have access. Access control should happen in slapd itself
by ACLs (as already done).

2. There's no access to the subschema subentry allowed on the OpenLDAP
backend server for e.g. cn=samba-admin,cn=Samba. IMHO that's overly
restrictive and prevents schema-aware clients from doing the right
thing. I'd even allow anon access to the subschema subentry. (I have a
fallback schema in web2ldap but I'd prefer to properly deal with the
real schema with object classes 'user' and 'samba4Top'.)

3. A one-level search from the root also returns subordinate entries of
the domain level because of the directive defaultsearchbase in
slapd.conf. I find this annoying. What's the rationale for adding this?
Fortunately the Samba4 daemon on port 389 does not do this. But I'd
prefer the OpenLDAP daemon to also behave "normally". I think this
directive should only be used in OpenLDAP when you have to integrate
LDAP clients not capable of using a search root at all.

4. Passwords are auto-generated. That's good. But they are passed as
command-line args. Since there's a bash history I consider this to be
bad practice. So passwords should be stored in <prefix>/private/ldap.

5. I forgot whether it was already considered on samba-technical to
implement SASL bind with mech EXTERNAL for the LDAPI connection between
smbd and slapd. This would allow provisioning everything without a
password. (IIRC Fedora DS already has support for this or planned to
implement it.)

6. Are slapd and smbd supposed to run as root? I'd prefer to let them
both run as non-privileged dedicated Unix users, e.g. slapd -u openldap
-g openldap. This would have to be done in the provision script to get
ownership/permissions of the OpenLDAP database dir/files right.

7. Do you expect LDAP clients 1. to access smbd on port 389 to manage
user accounts like on AD or 2. should user accounts be directly managed
in the LDAP backend server? 1. would require that the AD schema is sent
out as subschema subentry by smbd. If I understand other messages on the
list correctly this is the plan. Right?

8. How can I encode/decode unicodePwd values from the slapcat-output?
Some Python module for that? It seems not to be the same value I send to
AD when setting the unicodePwd.

Ciao, Michael.
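Editor's note on point 8 above. The following is an added example, not code from Michael's message, from Samba or from web2ldap. It shows the three forms a unicodePwd value takes: the write form a client must send to AD (the password in double quotes, encoded UTF-16-LE), the LDIF `unicodePwd::` base64 line that slapcat emits, and the NT hash (MD4 over the UTF-16-LE password, no quotes). The assumption behind the decoder is that a Samba4 backend stores the 16-byte NT hash in unicodePwd rather than the quoted cleartext, which is why the slapcat value differs from what was sent. MD4 is implemented inline because hashlib's `md4` is often unavailable on OpenSSL 3 builds. The slapcat line in the demo is constructed here, not taken from a real provisioning run.

```python
"""
unicodePwd helpers (added example, not from Samba or web2ldap).
Assumption: the value a Samba4 backend stores in unicodePwd is the 16-byte
NT hash (MD4 over UTF-16-LE), not the quoted cleartext a client sends to AD.
"""
import base64
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's 'md4' is often missing on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16-LE(password)): no quotes, no NUL terminator."""
    return md4(password.encode("utf-16-le"))


def ad_unicodepwd(password: str) -> bytes:
    """Write form AD requires when a client sets unicodePwd over LDAP:
    the password wrapped in double quotes, encoded as UTF-16-LE."""
    return ('"' + password + '"').encode("utf-16-le")


def ldif_attr_line(attr: str, value: bytes) -> str:
    """'attr:: <base64>': the double colon is how LDIF carries binary values."""
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def decode_ldif_line(line: str) -> tuple:
    """Parse one LDIF attribute line into (attr, raw bytes)."""
    if ":: " in line:
        attr, b64 = line.split(":: ", 1)
        return attr, base64.b64decode(b64)
    attr, text = line.split(": ", 1)
    return attr, text.encode("utf-8")


def describe_unicodepwd(raw: bytes) -> dict:
    """Classify a raw unicodePwd value. A 16-byte value is treated as the NT
    hash (assumed stored form); anything else is tried as quoted UTF-16-LE."""
    if len(raw) == 16:
        return {"form": "nt-hash", "hex": raw.hex()}
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return {"form": "unknown", "hex": raw.hex()}
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return {"form": "quoted-utf16le", "password": text[1:-1]}
    return {"form": "utf16le", "text": text}


if __name__ == "__main__":
    pw = "Passw0rd"
    wire = ad_unicodepwd(pw)
    print("LDIF sent to AD:   ", ldif_attr_line("unicodePwd", wire))
    # Constructed slapcat line for the same password under the NT-hash assumption.
    stored_line = ldif_attr_line("unicodePwd", nt_hash(pw))
    print("slapcat line:      ", stored_line)
    attr, raw = decode_ldif_line(stored_line)
    print("decoded stored:    ", describe_unicodepwd(raw))
    print("decoded wire form: ", describe_unicodepwd(wire))
```

Running the script prints the quoted UTF-16-LE LDIF line a client would send, the constructed slapcat line, and the decoding of both; the stored value decodes as a 16-byte NT hash while the wire value decodes back to the cleartext. To check a real slapcat dump, paste its `unicodePwd::` line into `decode_ldif_line` and compare `raw.hex()` against `nt_hash(known_password).hex()`.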
