Some remarks on Samba4 with OpenLDAP backend

Michael Ströder michael at stroeder.com
Fri Mar 20 22:01:53 GMT 2009


Andrew Bartlett wrote:
> On Fri, 2009-03-20 at 18:28 +0100, Michael Ströder wrote:
>> Andrew Bartlett wrote:
>>> On Fri, 2009-03-13 at 19:02 +0100, Michael Ströder wrote:
>>>> I hope you don't get this message wrong. The job including the
>>>> provisioning scripts is well done. Still I have some questions and remarks:
>>>>
>>>> 1. IMHO access to the LDAPI socket should also be possible for other
>>>> LDAP clients on the same system. E.g. I'm running my web2ldap as
>>>> separate user on the same system and probably I'd like to access the
>>>> OpenLDAP backend directly. So IMHO the socket file
>>>> <prefix>/private/ldap/ldapi should be moved to another directory where
>>>> other clients have access. Access control should happen in slapd itself
>>>> by ACLs (as already done).
>>> The reason it is done like this is because I would strongly prefer that
>>> the backend was not accessed directly.
>> Why? The OpenLDAP backend is a LDAPv3-compliant server already enforcing
>> a particular schema.
> 
> For me, this isn't a good enough reason:  Just because it can be done,
> does not mean it should be done.  
> 
> The stack of modules that Samba applies above the OpenLDAP server are
> there for a reason, and enforce restrictions and apply semantics above
> and beyond those applied by the backend.  That is why we don't allow
> windows clients to connect to the backend directly. 

I'm not talking about regular LDAP access for Windows clients. I meant
custom admin processes (e.g. for account syncing with external databases
etc.).

> For example, Samba maintains the 'name' attribute in OpenLDAP manually
> (mapping it to Samba4RDN).  If the backend were administered directly,
> nothing would keep 'name' in sync with the RDN.  
> 
> While I will ask for this to be corrected (as it would also remove a
> race), it gives you an idea of the things that stand in the way.

Since I know the weird AD schema a little bit I'm quite aware of what
you have to do in Samba4 regarding schema mapping.

> I'm still confused why you don't want to connect via Samba4.

E.g. SASL/EXTERNAL over Unix Domain Socket with mapping to an admin's
authz-DN for sync processes without having to provide a password. In
general I'd like to be able to do everything I'm used to do with
OpenLDAP if needed (obeying the DIT and schema requirements off course).

Ciao, Michael.


More information about the samba-technical mailing list