Re: Suitable replacement of OpenLDAP
Matthias.Ronge at mik-center.de
Tue Sep 7 16:33:50 UTC 2021
Thank you very much for your response.
> What do you use the LDAP for?
There are two things. One is the login, but we could separate that. That is not the point here.
The web application writes a user record in the LDAP for each login that is created. The result is a Linux user (via PAM-LDAP / NSSwitch; to be honest, I still haven't understood exactly what is doing what). In the Samba config, there is a generic entry for "user homes", so that when the user is created, the user has a home CIFS share and can access it as a Windows network drive:
    [homes]
        comment = Home Directories
        path = /usr/local/kitodo/users/%U
        read only = no
        browseable = no
        valid users = %S
        guest ok = no
        inherit permissions = yes
This is used to upload the scans. For a single book, that could be 250 pages (maybe 50 or maybe 2,500, however), 20 MB each (but it could also be scans of maps, with 6 GB in one file). That has to be uploaded to the server. When this was invented a decade ago, it couldn't be uploaded through a web browser. This is also a performance question. So, let's say 5 GB have to be pushed onto the server as quickly as possible; in the same building, no WAN.¹ This happens via the CIFS drive. The web application creates a symbolic link in the user home for the process that the user is currently working on, so the data is written directly into the process on Linux. The scanner PC is configured so that it automatically copies the scans to the drive after scanning.
>> you should be aware that Samba is actively working on removing
>> SMBv1, this will mean that you will no longer be able to use
>> openldap with Samba. This will not happen at once, it may be a year
>> or so, but it will happen, so I suggest you start planning to
>> upgrade to Samba AD or similar
> Ah, that was myself and it still holds true.
I really appreciate meeting you again here.
> You probably do not need to change your web application code much, just how
> you interact with Samba.
Well, the web application does not yet interact directly with Samba, but rather, the web application writes user records in LDAP, and from there, Samba picks it up. This happens automatically once it is set up.
As I said, for me the simplest solution is the most valued. And if, for a new user, a sudo script edits the smb.conf file, who cares? (If I have to restart the daemon and it breaks ongoing uploads, that would of course be annoying and a solution would have to be found, but maybe we can resolve it this way.)
>> What does this LDAP server AD have to be?
> Samba can now be run as an Active Directory Domain Controller (or AD) and it
> comes with LDAP, DNS and kerberos built in.
I don't understand this in detail. (For you to know, I'm a Java developer, but not a network specialist.) I created a ticket on GitHub for our software², and another admin wrote that there could be conflicts if another AD directory was already present in the same network. I don't know if that's actually the case. And with Kerberos, I thought that had something to do with telephony; I have no precise knowledge of this. (I want to emphasize that I am willing to learn about it if I need to. Just, at the moment, that doesn't say much to me.)
>> Or is there anything like it?
> From the sound of it, you are running Samba as an NT4-style Domain
> controller, there are other solutions, freeipa for one, but this (as far as
> I am aware) allow shares.
Can someone mount FreeIPA as a network drive under Windows? What do I need as a service on the Linux server? I don't want to downplay Samba here. It has served us well for many years.
>> Why is OpenLDAP not a solution to use in the future?
> You may be able to continue to use openldap, just not with Samba in the
> long term.
For us, OpenLDAP only serves for the communication of the existing users to Samba, so, without Samba supporting it, using OpenLDAP makes no sense.
>> If there is a simple solution to this, I'll be more than happy to use
>> it. That means, for example, to do without LDAP altogether, and
>> instead implement a sudo script that edits the smb.conf file for new
>> users, and everything works without LDAP, which is great, too. Just
>> that we have a solution ready for the future.
> Planning for the future is good, at the moment you can continue to use your
> existing setup. Can you point me at the portion of your code where you
> setup openldap and the schemas you are using ? That way I can advise what
> needs to be modified.
There is no code for setting it up; we have to do this manually for each server. There are installation instructions in English here:
Sections 1.1.2, 1.1.3, 5, 10 and 12 are related to this.
I think, in the source code, this is where the new user entry is written in LDAP:
As I said, I don't really know why all these fields are created and what is in them and why.
1) There are also set-ups using WAN, but we typically use WebDAV or something else, because Samba seems unstable; I'm sorry to say so. I think the problem is not the Samba implementation, but the implementation within MS Windows; however, we see the system (Explorer, task bar, etc.) freeze when the network hiccups. Anyway: for business use, where minutes do count, it doesn't make sense.
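The message above floats the idea of dropping LDAP and having a sudo script edit smb.conf whenever the web application creates a user. The following is an added example of what such a script could look like; it is not code from the page, from Kitodo or from Samba. It renders a share section modelled on the `[homes]` entry quoted in the message, but bound to one concrete user, and writes it as a separate file so that smb.conf itself is never edited in place. It assumes (neither is in the original post) that smb.conf's `[global]` section carries `include = /etc/samba/shares.d/%U.conf` and that usernames are plain lowercase POSIX-style names. The username comes from a web application and ends up inside a section header, a path and a `valid users` line, so the allow-list check is the part that matters most.

```python
"""Per-user Samba share section generator (added example, not project code).

Assumptions not taken from the original message:
  - smb.conf [global] has `include = /etc/samba/shares.d/%U.conf`
  - usernames match USERNAME_RE below
"""
import os
import re
import tempfile
from pathlib import Path

# Path taken from the [homes] entry quoted in the message.
USERS_ROOT = Path("/usr/local/kitodo/users")
# Assumed location of the per-user include files.
CONF_D = Path("/etc/samba/shares.d")

# Strict allow-list. The name is interpolated into "[name]", into a path and
# into "valid users", so "]", newlines, "/" and ".." must never get through.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def validate_username(name: str) -> str:
    if not is_valid_username(name):
        raise ValueError(f"refusing unsafe username {name!r}")
    return name


def render_share(name: str, users_root: Path = USERS_ROOT) -> str:
    """Share section mirroring the quoted [homes] entry, but for one user
    instead of the %U / %S substitutions."""
    user = validate_username(name)
    return "\n".join([
        f"[{user}]",
        f"    comment = Scan upload directory of {user}",
        f"    path = {users_root / user}",
        "    read only = no",
        "    browseable = no",
        f"    valid users = {user}",
        "    guest ok = no",
        "    inherit permissions = yes",
        "",
    ])


def write_share(name: str, conf_d: Path = CONF_D,
                users_root: Path = USERS_ROOT) -> Path:
    """Write <conf_d>/<user>.conf atomically and return its path.

    Temp file plus rename: on a reload, smbd sees either the old file or the
    complete new one, never a half-written one.
    """
    user = validate_username(name)
    conf_d.mkdir(parents=True, exist_ok=True)
    target = conf_d / f"{user}.conf"
    fd, tmp = tempfile.mkstemp(dir=conf_d, prefix=f".{user}.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(render_share(user, users_root))
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def roundtrip_in_tempdir(name: str) -> bool:
    """Offline self-check: write into a throwaway directory and confirm the
    file on disk equals the rendered section."""
    with tempfile.TemporaryDirectory() as d:
        written = write_share(name, conf_d=Path(d))
        return written.read_text() == render_share(name)


if __name__ == "__main__":
    print(render_share("alice"))
    for bad in ("Bob", "../etc", "a]\n[b", ""):
        print(repr(bad), "valid:", is_valid_username(bad))
```

After writing a file, run `testparm -s` to make sure the combined configuration still parses, then `smbcontrol smbd reload-config` instead of restarting the daemon; a reload does not drop the SMB sessions of uploads that are still running, which was the concern raised above. Whether `%U` is acceptable in `include` for your Samba version should be checked against `man smb.conf` on the server, since that line is an assumption of this example.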