OpenLDAP backend for Samba:

Andrew Bartlett abartlet at
Tue Mar 12 22:24:23 UTC 2019

On Tue, 2019-03-12 at 09:37 +0100, Martin Simons wrote:
> Dear Andrew,
> It has been a while, but we discussed the OpenLDAP backend in the past.
> Last year I worked for a big German automobile manufacturer in the 
> PostgreSQL team. The PostgreSQL servers (4.500) had Non-Personal user 
> accounts that had to be authenticated by an AD server. The 
> authentication failed, due to timeouts, to the extent that it made our 
> operation unreliable. We worked around it and more or less patched the 
> situation by rolling out HAProxy, proxying for about ten different AD 
> servers, but even then the authentication failed occasionally raising 
> high priority incident tickets. It failed in production areas, but also 
> in driver support, just because the database did not start with an 
> unauthenticated user account.
> The real solution from my point of view would have been to authenticate 
> against Linux OpenLDAP servers, being a slave of the AD Controller. The 
> PostgreSQL servers would then authenticate using standard LDAP URIs. At 
> the moment it is not possible, as far as I know, to have Linux OpenLDAP 
> AD slave servers. So a Samba4 AD controller being a slave of the Master 
> AD server could bridge the gap if it accommodates Linux OpenLDAP slaves.
> IMHO it would be interesting to have Samba servers with an OpenLDAP 
> backend to accommodate all machines one can think of in the IT 
> Landscape.

G'Day Martin,

That certainly sounds frustrating.  My colleagues developed a similar
HAProxy solution for a client to ensure web applications that were
typically pointed at a single (Samba in this case) AD DC would still
function if one DC were unresponsive.  (Earlier versions of Samba's AD
DC could pause for a noticeable period of time during replication).

Regarding your situation, I don't think the OpenLDAP backend would
assist in the way you think, except that it may (or may not) be faster
than having a Samba AD DC in that role using our existing technologies.
You could run Samba as an RODC for example.

Specifically, the 'OpenLDAP backend' for our AD DC is not like the
previous one for NT4-like domains.  It wouldn't replicate with
'traditional' OpenLDAP servers (because it would need specific modules
and a specific schema).

That isn't to say that it is impossible to build the reverse of Samba's
'classicupgrade' process that would download passwords from AD and
teach OpenLDAP how to process a bind against them, in a traditional
layout and without the complex AD behaviours.  But that is orthogonal:
the code I'm discussing wouldn't help with that either.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
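Both messages describe the same workaround: HAProxy as a single LDAP entry point in front of several AD domain controllers, so that a client pointed at one address keeps working when an individual DC stops answering. The configuration below is an added example written for this page, not something posted by either author or shipped by Samba or HAProxy. The DC hostnames, addresses and port numbers are placeholders, and the timeout and health-check intervals are illustrative values to tune for the environment.

```haproxy
# Added example (not from the thread): one LDAP address for clients such as
# PostgreSQL, load balanced across several AD domain controllers.
# Hostnames and ports are placeholders (assumed); tune timeouts to taste.
global
    maxconn 2000

defaults
    mode tcp                 # LDAP is passed through as plain TCP
    timeout connect 3s       # fail fast instead of letting the client hang
    timeout client  30s
    timeout server  30s

frontend ldap_in
    bind 0.0.0.0:389
    default_backend ad_dcs

backend ad_dcs
    balance roundrobin
    # ldap-check sends an anonymous LDAPv3 simple bind and expects a
    # bindResponse in return, so a DC that still accepts TCP connections
    # but no longer speaks LDAP is marked down and removed from rotation.
    option ldap-check
    default-server inter 2s fall 3 rise 2
    server dc1 dc1.example.com:389 check
    server dc2 dc2.example.com:389 check
    server dc3 dc3.example.com:389 check backup   # only used when dc1/dc2 are down
```

The clients then point at the proxy address instead of at a DC. Two caveats worth keeping in mind: the LDAP health check only confirms that a DC answers the bind protocol, not that user authentication against it would succeed, so replication lag on a given DC is not detected by it; and if clients use LDAPS rather than plain LDAP, the certificate presented by each DC has to be valid for the name the clients connect to (the proxy's), or TLS has to be terminated at the proxy.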
