Suitable replacement of OpenLDAP

Rowland Penny rpenny at samba.org
Tue Sep 7 15:26:52 UTC 2021


On Tue, 2021-09-07 at 14:34 +0000, Ronge, Matthias via samba-technical
wrote:
> Dear list members,
> 
> I am turning to you today about a complex problem, perhaps you can
> give us a better understanding of what we need to do. We are
> developers in an open source community that maintains a program that
> is used to describe scans and display them online.¹ It's a web
> application. The program has a source code history of more than a
> decade. None of us have been in it since the beginning, but I've been
> in it for the longest: over eight years. There's support for LDAP in
> there.

What do you use the LDAP for ? (note: at this point I haven't read your
source code.)

>  On the one hand, this allows you to log on, but also, if the
> underlying operating system is correctly configured, a Linux user is
> created for each user and he/she has CIFS available in his home
> folder in order to upload scans. The application always creates
> symbolic links in the home folder for the processes that the user is
> currently working on. The whole thing was very cleverly thought out
> back then. But all of this was in place before my time, more than
> eight years into the past of today.
> 
> One must install Samba scheme in LDAP, and in the application, one
> must set up LDAP server, and an “LDAP group”, with many values from
> Samba scheme. We know (roughly) what we have to write in the fields
> for this to work, but none of us has a deeper understanding of what
> is behind it. Maybe not all of it makes sense or is semantically
> correct, but someone in the past noticed “oh, it works” and it has
> been used that way ever since. We are willing to learn.
> 
> My question: In one of the inquiries on Ask Ubuntu², I was told:
> 
> > you should be aware that Samba is actively working on removing SMBv1,
> > this will mean that you will no longer be able to use openldap with
> > Samba. This will not happen at once, it may be a year or so, but it
> > will happen, so I suggest you start planning to upgrade to Samba AD or
> > similar

Ah, that was myself and it still holds true.

> 
> We have no real idea what that means. What do we have to change about
> this web application so that CIFS drives can be made available from
> the server in the future? Here I ask you for guidance and help.

You probably do not need to change your web application code much, just
how you interact with Samba.

> 
> What does this LDAP server AD have to be?

Samba can now be run as an Active Directory Domain Controller (or AD)
and it comes with LDAP, DNS and Kerberos built in.

>  Or is there anything like it?

From the sound of it, you are running Samba as an NT4-style Domain
controller, there are other solutions, FreeIPA for one, but this (as
far as I am aware) allows shares.

>  Why is OpenLDAP not a solution to use in the future?

You may be able to continue to use openldap, just not with Samba in the
long term.

>  Is SMBv1 the same as OpenLDAP?

No, openldap is a directory service and SMB is a windows protocol.

>  Why are you removing it?

It is not being removed, it is just SMBv1 that will, ultimately, be
removed; SMBv2 and SMBv3 will still be used. Samba has started to
deprecate a lot of the parameters that an NT4-style domain depends on
and the NT4-style domains depend on SMBv1. SMBv1 is ancient and very
insecure.

> 
> If there is a simple solution to this, I'll be more than happy to use
> it. That means, for example, to do without LDAP altogether, and
> instead implement a sudo script that edits the smb.cnf file for new
> users, and everything works without LDAP, which is great, too. Just
> that we have a solution ready for the future.

Planning for the future is good, at the moment you can continue to use
your existing setup. Can you point me at the portion of your code where
you setup openldap and the schemas you are using ? That way I can
advise what needs to be modified.

Rowland
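Since the thread hinges on SMBv1 going away, a practical first step for the application's deployers is to find out whether their file server still permits SMB1 at all. The script below is an added example, not code from the thread or from Samba: it reads the "server min protocol" setting (and its older synonym "min protocol", both real smb.conf parameters) from the [global] section of a config file and reports whether any SMB1 dialect is still accepted. It assumes a modern Samba (4.11 or later), where an unset value defaults to SMB2_02; the three smb.conf files it inspects are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether an smb.conf
# still allows SMB1. Parameter names and dialect names are those documented
# in smb.conf(5); the sample configs below are constructed for this demo.

# Rank a protocol dialect name: 1 = SMB1 family, 2 = SMB2, 3 = SMB3, 0 = unknown.
proto_rank() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1)     echo 1 ;;   # every SMB1 dialect
        SMB2|SMB2_02|SMB2_10|SMB2_22|SMB2_24) echo 2 ;;
        SMB3|SMB3_00|SMB3_02|SMB3_10|SMB3_11) echo 3 ;;
        *)                                    echo 0 ;;
    esac
}

# Print the effective "server min protocol" value from [global] (last
# definition wins, as in Samba); print nothing if it is not set.
min_protocol_setting() {
    awk -F= '
        /^[[:space:]]*[;#]/ { next }                               # comment lines
        /^[[:space:]]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
        insec && NF >= 2 {
            key = tolower($1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/[[:space:]]+/, " ", key)                        # normalise spacing
            if (key == "server min protocol" || key == "min protocol") {
                val = $2
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                result = val
            }
        }
        END { print result }' "$1"
}

# Print "allowed", "disabled" or "unknown" for SMB1 on the given smb.conf.
smb1_status() {
    val=$(min_protocol_setting "$1")
    if [ -z "$val" ]; then
        val=SMB2_02        # assumption: Samba >= 4.11 default when unset
    fi
    case "$(proto_rank "$val")" in
        1) echo allowed ;;
        2|3) echo disabled ;;
        *) echo unknown ;;
    esac
}

# --- constructed sample configs -------------------------------------------
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# constructed: an NT4-era style config that still accepts SMB1 clients
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
[homes]
   browseable = no
EOF

hardened_conf=$(mktemp)
cat > "$hardened_conf" <<'EOF'
# constructed: same server with SMB1 refused outright
[global]
   workgroup = EXAMPLE
   server min protocol = SMB3_00
EOF

default_conf=$(mktemp)
cat > "$default_conf" <<'EOF'
# constructed: parameter left unset, so the Samba default applies
[global]
   workgroup = EXAMPLE
EOF
trap 'rm -f "$weak_conf" "$hardened_conf" "$default_conf"' EXIT

for f in "$weak_conf" "$hardened_conf" "$default_conf"; do
    setting=$(min_protocol_setting "$f")
    printf '%s: SMB1 %s (server min protocol = %s)\n' \
        "$f" "$(smb1_status "$f")" "${setting:-unset}"
done
```

On a live server the authoritative answer comes from Samba itself, `testparm -s --parameter-name="server min protocol"`, since testparm applies the defaults compiled into the installed version; the script is useful for auditing config files in a repository or an image before they reach a host. Raising the minimum to SMB2_02 or higher is the defender-side change the thread is pointing at: Windows clients from Vista onward and any current Linux cifs mount speak SMB2 or SMB3, so the only thing lost is compatibility with the NT4-style domain machinery that depends on SMB1.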
