[Samba] LDAP versus LDAPSAM

Philip Juels pjuels at rics.bwh.harvard.edu
Mon Feb 2 17:26:15 GMT 2004


Well, I work for a large genetics research facility within an even 
larger healthcare provider network.   What we're doing is creating a 
web/jboss-based LIMS (Laboratory Information Management System), and 
attached to that we have a repository (on a separate machine) for user 
data that jboss automatically sets up for each user.  However, since we 
wish to give users the option of accessing their data outside of the 
LIMS portal, we naturally selected samba to be the filesystem 
abstraction.  Since our LIMS authenticates users against our ldap server 
(and creates users on the fly), for consistency/convenience we wanted 
the samba data server to authenticate against the same ldap server.

The trick is these users would be accessing the samba server via Win2k 
clients that are part of a separate Windows domain that we have no 
control over.  So, I'm not sure if setting up a samba PDC would help 
us.  Given this we chose to use an openldap solution for user 
authentication across our jboss, database, and fileservers.  I'm stuck 
trying to set up user authentication via ldap for samba connections.

We did try PAM+LDAP, but PAM doesn't support encryption.

--Phil

Craig White wrote:

>On Mon, 2004-02-02 at 07:59, Philip Juels wrote:
>
>>Hi all,
>>
>>What exactly is the difference between ldap and ldapsam compilations?
>>What functional differences are there for samba?  I assume you can do
>>user authentication with just ldap?
>>
>---
>why would you assume that? samba has always maintained its own db for
>user accounts - the posix attributes don't contain information fields
>necessary for samba usage.
>
>LDAP is its own entity - ldapsam is just one of several options for
>backend storage of users/groups/computers that have significance in a
>Windows network
>---
>
>>  Is ldapsam only necessary for PDC
>>functionality?
>>
>---
>ldapsam isn't necessary for PDC functionality - but some backend type is
>necessary for samba functionality. The choice of which one to use and
>how to use it is yours.
>---
>
>>There seems to be loads of documentation on Samba-as-PDC-to-LDAP, but
>>virtually none that I could find for just samba-to-ldap (over TLS, so
>>no PAM)
>>
>---
>do you have other services that authenticate to LDAP without PAM? if so,
>why not try to implement the model that you've already got in place?
>---
>
>> user authentication (I'm not interested in setting up a
>>samba-based PDC, although I will if I have to).
>>
>---
>I haven't figured out why you would have to make a samba PDC but you
>haven't figured out what you want to do. If you have LDAP & PAM already
>handling authentication for resource level stuff, this may be all you
>need and just using a simple backend like passwd backend or tdbsam
>backend to store users & groups & machines stuff. Unless you fully
>integrate with LDAP (ldapsam), there is only your scripting to try to
>link the LDAP users & passwords to samba.
>
>Craig
>
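An smb.conf fragment of the kind Craig describes, with Samba's own account data (the ldapsam backend) kept in the same OpenLDAP directory the LIMS already authenticates against, and the directory traffic protected with STARTTLS; this is an added example, not a configuration from this thread, and the workgroup, hostname and DNs are placeholders.

```ini
[global]
   workgroup = LIMSFILES
   security = user
   # Windows clients authenticate with NTLM challenge/response, so Samba
   # must hold its own NT password hash for each user; it cannot validate
   # a challenge through a PAM/LDAP simple bind.
   encrypt passwords = yes

   # Keep Samba's account attributes (SID, NT hash, account flags) in
   # LDAP instead of a local smbpasswd file or tdbsam.
   # Placeholder hostname and DNs: replace with your own directory.
   passdb backend = ldapsam:ldap://ldap.example.org
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   # Bind DN used to read and write sambaSamAccount attributes
   ldap admin dn = cn=samba,dc=example,dc=org
   # Negotiate STARTTLS on port 389 so the admin bind and the hashes
   # never cross the wire in the clear
   ldap ssl = start tls
   # Keep the posix userPassword in step when a Samba password changes
   ldap passwd sync = yes
```

The bind password for the admin DN is stored in secrets.tdb with `smbpasswd -w`, and each user entry needs the sambaSamAccount object class (sambaSID, sambaNTPassword and related attributes from Samba's samba.schema) alongside posixAccount, which is why a plain posix entry cannot serve a Windows client on its own.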
