Suitable replacement of OpenLDAP

Ronge, Matthias Matthias.Ronge at mik-center.de
Tue Sep 7 14:34:49 UTC 2021


Dear list members,

I am turning to you today about a complex problem; perhaps you can give us a better understanding of what we need to do. We are developers in an open source community that maintains a program that is used to describe scans and display them online.¹ It's a web application. The program has a source code history of more than a decade. None of us have been in it since the beginning, but I've been in it the longest: over eight years. There's support for LDAP in there. On the one hand, this allows you to log on, but also, if the underlying operating system is correctly configured, a Linux user is created for each user, and he/she has CIFS available in his/her home folder in order to upload scans. The application always creates symbolic links in the home folder for the processes that the user is currently working on. The whole thing was very cleverly thought out back then. But all of this was in place before my time, more than eight years ago.

One must install the Samba schema in LDAP, and in the application, one must set up an LDAP server and an “LDAP group”, with many values from the Samba schema. We know (roughly) what we have to write in the fields for this to work, but none of us has a deeper understanding of what is behind it. Maybe not all of it makes sense or is semantically correct, but someone in the past noticed “oh, it works” and it has been used that way ever since. We are willing to learn.

My question: In one of the inquiries on Ask Ubuntu², I was told:

> you should be aware that Samba is actively working on removing SMBv1,
> this will mean that you will no longer be able to use openldap with
> Samba. This will not happen at once, it may be a year or so, but it will
> happen, so I suggest you start planning to upgrade to Samba AD or similar

We have no real idea what that means. What do we have to change about this web application so that CIFS drives can be made available from the server in the future? Here I ask you for guidance and help.

What does this LDAP server AD have to be? Or is there anything like it? Why is OpenLDAP not a solution to use in the future? Is SMBv1 the same as OpenLDAP? Why are you removing it?

If there is a simple solution to this, I'll be more than happy to use it. That could mean, for example, doing without LDAP altogether and instead implementing a sudo script that edits the smb.cnf file for new users, so that everything works without LDAP, which would be great, too. Just so that we have a solution ready for the future.

I've attached a screenshot of an “LDAP group” so you can get an idea of what this is about.

Any suggestions or help are appreciated.

Application source code: https://github.com/kitodo/kitodo-production

Kind regards,
Matthias Ronge

1) https://www.kitodo.org/en/software/kitodoproduction
2) https://askubuntu.com/a/1315541

-- 
Cell: +49 175 5821547 · Skype: paramaeleon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: LDAP group.png
Type: image/png
Size: 72840 bytes
Desc: LDAP group.png
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20210907/8384ebce/LDAPgroup.png>
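The post asks what the SMBv1 removal means for a Samba server whose accounts live in OpenLDAP. The following script is an added example, not code from the Samba list or from the Kitodo project: it parses an smb.conf and reports the two settings the quoted Ask Ubuntu answer is about, namely whether the server still accepts the SMBv1 dialect (Samba's name for it is NT1) and whether accounts come from an LDAP server via the `ldapsam` passdb backend. The two smb.conf texts inside it are constructed for illustration; the assumption that the setup is a classic (NT4-style) domain with `domain logons = yes` is mine, not stated on the page.

```python
"""Inspect a Samba smb.conf for the settings behind the SMBv1 / OpenLDAP question.

Added example, not from the Samba list or from Kitodo. Assumptions not on the
page: the server is a classic (NT4-style) Samba domain whose accounts come from
OpenLDAP via ``passdb backend = ldapsam``, and both smb.conf texts below are
constructed for illustration. ``server min protocol``, ``passdb backend`` and
``domain logons`` are documented smb.conf parameters; NT1 is the SMBv1 dialect.
"""
import configparser
from typing import Dict, List

# Constructed sample: the kind of legacy setup described in the post, with
# SMBv1 (NT1) still accepted so that old clients and NT4-style logons work.
LEGACY_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.example.invalid
   ldap suffix = dc=example,dc=invalid
   server min protocol = NT1

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
"""

# Constructed sample: same home shares, but SMBv1 refused (SMB2_02 has been
# Samba's default minimum since 4.11) and no LDAP-backed account database.
CURRENT_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   server min protocol = SMB2_02

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
"""

# Dialect names accepted by 'server min protocol' that are SMBv1 or older.
SMB1_OR_OLDER = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def _norm(key: str) -> str:
    # Samba ignores case and whitespace in parameter names, so
    # "server min protocol" and "ServerMinProtocol" are the same key.
    return "".join(key.split()).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {normalised parameter: value}}."""
    # Indentation in smb.conf is cosmetic, but configparser would treat an
    # indented line as a continuation of the previous value, so strip it.
    flat = "\n".join(line.strip() for line in text.splitlines())
    # interpolation=None keeps Samba substitutions such as %U literal;
    # strict=False tolerates the duplicate keys Samba itself allows.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(flat)
    return {
        section: {_norm(k): v.strip() for k, v in cp.items(section, raw=True)}
        for section in cp.sections()
    }


def smb1_findings(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings about SMBv1 and LDAP-backed accounts."""
    g = conf.get("global", {})
    findings: List[str] = []

    # Absent parameter means Samba's own default, SMB2_02 since Samba 4.11.
    min_proto = g.get("serverminprotocol", "SMB2_02").upper()
    if min_proto in SMB1_OR_OLDER:
        findings.append(
            f"server min protocol = {min_proto}: SMBv1 is still accepted; "
            "anything that depends on it stops working once Samba removes SMB1"
        )

    backend = g.get("passdbbackend", "")
    if backend.startswith("ldapsam"):
        findings.append(
            f"passdb backend = {backend}: accounts come from the Samba schema "
            "in an external LDAP server, the setup the quoted answer refers to"
        )

    if g.get("domainlogons", "no").lower() == "yes":
        findings.append("domain logons = yes: classic (NT4-style) domain controller role")
    return findings


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_SMB_CONF), ("current", CURRENT_SMB_CONF)):
        print(f"[{label}]")
        for line in smb1_findings(parse_smb_conf(text)) or ["no SMBv1/LDAP findings"]:
            print("  -", line)
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `parse_smb_conf`; an empty list from `smb1_findings` means the server neither offers SMBv1 nor takes its accounts from the Samba LDAP schema. The same check can be run with `testparm -s` output as input, since that prints the effective configuration in the same format.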

