OpenLDAP backend for Samba:

Martin Simons martin at
Tue Mar 12 08:37:42 UTC 2019

Dear Andrew,

It has been a while, but we discussed the OpenLDAP backend in the past.

Last year I worked for a big German automobile manufacturer in the 
PostgreSQL team. The PostgreSQL servers (4,500) had Non-Personal user 
accounts that had to be authenticated by an AD server. The 
authentication failed, due to timeouts, to the extent that it made our 
operation unreliable. We worked around it and more or less patched the 
situation by rolling out HAProxy, proxying for about ten different AD 
servers, but even then the authentication failed occasionally, raising 
high-priority incident tickets. It failed in production areas, but also 
in driver support, just because the database did not start with an 
unauthenticated user account.

The real solution from my point of view would have been to authenticate 
against Linux OpenLDAP servers, being a slave of the AD Controller. The 
PostgreSQL servers would then authenticate using standard LDAP URIs. At 
the moment it is not possible, as far as I know, to have Linux OpenLDAP 
AD slave servers. So a Samba4 AD controller being a slave of the Master 
AD server could bridge the gap if it accommodates Linux OpenLDAP slaves.

IMHO it would be interesting to have Samba servers with an OpenLDAP 
backend to accommodate all machines one can think of in the IT 

Kind regards,

Twitter: @Webhuis #TheCFEngineRoadshow

> G'Day Nadezhda,
> I'm just wondering what the status of this is, and if you expect to be
> making further progress on this in the near future?
> From your description below it seems that much of the infrastructure
> that was used for the previous OpenLDAP backend really isn't relevant
> any more.
> As you can see from my WIP patch set here:
> we can remove quite a bit of complexity if your work doesn't need it or
> isn't likely to.
> I don't mind keeping this if it will be useful, so it would be great to
> get an update on your efforts and chat this over sometime.
> Thanks!
> Andrew Bartlett
> On Wed, 2018-06-06 at 15:48 +0200, Nadezhda Ivanova via samba-technical
> wrote:
>> Something I missed:
>> The overlays are published under GPLv3, to be fully compatible with the
>> Samba licence. The only exceptions are modules like pguid.c, rdnval.c,
>> and usn.c which were written before and are not part of the project.
>> rdnval is now redundant and we have "fixed" the "name" attribute in the
>> schema, and pguid and likely usn will be part of a larger module
>> dealing with constructed attributes.
>> Regards,
>> Nadya
>> On 06/06/2018 01:41 PM, Nadezhda Ivanova via samba-technical wrote:
>> > Hi Team,
>> > with
>> > The current progress on Symas's OpenLDAP as a backend, or rather, on
>> > LDAP server for Samba is now publicly available at
>> > git at
>> >
>> > The code is highly experimental, some of it hasn't been tested - we have
>> > only recently given up the idea of gradual replacement of Samba ldb
>> > modules, which proved impossible because of their interdependence, and
>> > started to test new code directly from OpenLDAP. A lot of the modules
>> > are investigations into how it is possible to re-use Samba libraries inside
>> > OpenLDAP, mostly libcli/security.
>> >
>> > Currently the modules live in contrib/slapd-modules/samba4. Everything
>> > is subject to change, improvement, suggestions or contributions,
>> > possibly even the structure of the modules themselves.
>> >
>> > I realize they should have been a subject of a talk at the SambaXP, but
>> > I wasn't able to submit one during the call for papers, so maybe next year.
>> >
>> > As you can see, we have been experimenting with things like loading the
>> > AD schema in OpenLDAP during Samba provisioning, which means we can drop
>> > object class and attributes mapping, with SD creation and access checks,
>> > the creation of some attributes like objectGuid and ObjectSID, etc.
>> >
>> > The way we used to work until recently is - provision Samba with the
>> > legacy OpenLDAP backend, then enable the overlay being tested, start
>> > OpenLDAP and execute some requests. This, however, is no longer possible
>> > as the legacy OpenLDAP backend has been completely broken for a while
>> > now, and we will need to reconsider the possible way Samba would
>> > communicate with OpenLDAP.
>> >
>> > We have a Samba repository with very old Samba code that we still use.
>> > It has some patches, but to this point not a lot of changes have been
>> > made to Samba itself. Mostly we needed the libcli/security library to be
>> > public, and some changes have been made to the provisioning script. None
>> > of these have been proposed to the list, as they are just a working
>> > version for now and not a final one.
>> > The repository in question is this:
>> > git at
>> >
>> >
>> > I am at SambaXP until Friday morning if you'd like to ask me something,
>> > or just write, although I may be out of contact occasionally next week.
>> >
>> > Best Regards,
>> > Nadya
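
The setup Martin describes above (PostgreSQL authenticating its Non-Personal accounts against a directory "using standard LDAP URIs") is configured in PostgreSQL's pg_hba.conf. The fragment below is an added illustration, not part of this thread and not Samba or OpenLDAP project code; the hostname, base DN, bind DN and address range are placeholders. It uses PostgreSQL's documented search+bind LDAP method (ldapurl, ldapbinddn, ldapbindpasswd), pointing at whichever directory answers for the domain, whether an AD DC, a Samba AD DC or a read-only LDAP replica, and restricts the rule to TLS-protected client connections and an LDAPS directory URL so credentials never cross the wire in the clear:

```conf
# pg_hba.conf - added example; names, DNs and CIDR are assumptions
# TYPE     DATABASE  USER  ADDRESS      METHOD
# Only TLS client connections may use LDAP authentication; the directory
# itself is reached over LDAPS. Users are looked up by sAMAccountName
# under the base DN, then PostgreSQL binds as the found entry with the
# password supplied by the client.
hostssl    all       all   10.0.0.0/8   ldap ldapurl="ldaps://ldap.example.internal/dc=example,dc=internal?sAMAccountName?sub" ldapbinddn="cn=pgsql-bind,ou=Service Accounts,dc=example,dc=internal" ldapbindpasswd="change-me"
# Anything that is not TLS falls through to this explicit reject, so a
# misconfigured client cannot silently downgrade to password-over-cleartext.
host       all       all   10.0.0.0/8   reject
```

Two caveats a practitioner would want: the bind password in pg_hba.conf is readable by anyone who can read that file, so keep the service account's rights to read-only search and the file mode tight; and because a directory outage turns straight into failed logins (exactly the incident pattern described in the message), the directory endpoint behind the URL needs the same availability engineering as the database itself.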
