Fedora DS Support

Andrew Bartlett abartlet at samba.org
Wed Sep 2 18:18:46 MDT 2009


On Wed, 2009-09-02 at 18:18 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > > Ok, I got it working now. I've verified in FDS access log that Samba is
> > > authenticated using SASL. Thanks for the instructions. Attached is the
> > > result.
> 
> > Great!  (and yes, I'll need to look into the segfault once I reproduce
> > your success).
> 
> Attached is the patch for enabling the SASL auth against FDS.
> 
> > We should just replace it with the samba mapping.  (Because we will
> > never bind using any other user, and normal users  - ie those in
> > dc=samba,dc=example,dc=com will not bind to the backend directly)
> 
> I ended up using a new SASL mapping for samba-admin which I put in front
> of the other mappings. This is going to achieve the same result while still
> allowing the original mapping to continue to work. This is done by prefixing
> the samba-admin mapping with "z" because the ordering is based on reverse
> ASCII.
> 
> > My original work to split 00core.ldif from the 'important, but not quite
> > core' schema is showing its age.  You will probably need to re-adjust
> > the balance, while trying not to import the whole schema (due to
> > conflicts with the AD schema).
> 
> I've discussed this with FDS people and they will fix it. In the meantime,
> I was able to avoid the problem by importing the entries with setup-ds.pl
> and ldif2db. Previously I was using ldapi but it failed when the schema was
> incomplete.
> 
> Another thing, I changed the provisioning script so that it creates 2
> credential objects: one for the directory manager (simple) and another
> for samba-admin (SASL). The script will use the directory manager
> credential for importing Samba objects. The samba-admin credential object
> will only be used for creating the secrets database. For OpenLDAP, these
> 2 credential objects will be identical (SASL), so everything should work
> the same as before.

I would really prefer we just had one user.  Is there a particular
reason to introduce this point of difference?

> Please let me know if you have any feedback about the patch. Thanks.

I'm not very happy about introducing the _fds.ldif files, nor the
contents of the ACI being proposed.  The fundamental task remains to
remove the anonymous access - the only user that should have access to
the DB is samba-admin - not the general case of any user.  Indeed, no
other users should even be permitted to bind (so you should remove, not
complement, the existing SASL mapping).

Also, I was quite deliberate in choosing to remove the aci from the
schema.  If we place it in the Samba schema, then we show it to clients,
and must place it in an objectClass that we can validate etc.

If we must create the access control 'in directory', and we can't do
that until we create the partition objects, then I would prefer (despite
my protest above) that we create the provision using the directory
manager, and use a direct ldapi-based edit of the database to add the
ACL.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
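As an added illustration of the access model Andrew asks for (this is not code from the thread, the patch, or the Samba provision scripts): an LDIF applied over ldapi as Directory Manager that replaces the partition's ACI so only samba-admin may read or modify it, and defines the single SASL mapping that resolves that identity. The partition DN, the samba-admin account DN and the mapping entry name are assumed placeholders.

```ldif
# Assumed DNs (placeholders, not from the thread): the Samba partition is
# dc=samba,dc=example,dc=com and the samba-admin account is
# cn=samba-admin,cn=samba,cn=config.
#
# 1. Replace the partition ACI.  "replace" drops every existing aci value
#    on the entry, including the stock anonymous-read rule, and leaves a
#    single rule granting access to samba-admin only.  Directory Manager
#    is not subject to ACIs, so the provisioning bind keeps working.
dn: dc=samba,dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr = "*")(version 3.0; acl "samba-admin only";
  allow (all) userdn = "ldap:///cn=samba-admin,cn=samba,cn=config";)

# 2. The one SASL identity mapping: the SASL user name "samba-admin" maps
#    to the account DN.  Because this is the only entry kept under
#    cn=mapping,cn=sasl,cn=config, no other SASL identity resolves to a
#    bind DN, so no other user can bind to the backend.
dn: cn=samba-admin,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: samba-admin
nsSaslMapRegexString: ^samba-admin$
nsSaslMapBaseDNTemplate: cn=samba-admin,cn=samba,cn=config
nsSaslMapFilterTemplate: (objectclass=*)
```

Apply it with ldapmodify over the instance's ldapi socket while bound as Directory Manager; any pre-existing mapping entries under cn=mapping,cn=sasl,cn=config must be deleted in the same step for the "only samba-admin can bind" property to hold.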