[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

Craig White craigwhite at azapple.com
Wed Mar 2 03:37:34 GMT 2005

On Wed, 2005-03-02 at 10:40 +0800, Doug Campbell wrote:

> >
> > Yes. I have to agree with Craig White here (I usually do ;) LDAP for me is
> > the be-all and end-all. I use it for across-platform authentication in
> > production for *everything* It is the cornerstone to all services that my
> > users may use. If an application doesn't work with it, then that
> > application is useless to me. Examples of apps that use a single login and
> > password at one site I administer (runs 3 servers under RHAS3 using the
> > same LDAP DSA) are postfix smtp, Courier IMAP, Linux Terminal Server
> > Project, Pykota print quota admin, ssh and a Samba PDC. To be able to
> > master the LDAP part thoroughly, I chose to use source code and subscribe
> > to the 4-5 mailing lists dealing with this. Craig does the same.
> >
> > Get samba working without LDAP first, then make sure you master every
> > possible aspect of openldap and are completely confident with it. Then you
> > can adapt what you've done to Samba.
> I will do that.  Thanks for your time in patiently helping me through this.
I will say the unpopular thing that people don't want to hear.

Learning LDAP through samba is probably one of the most obtuse angles
that one can take and it seems certain to confound, confuse and
frustrate those who try. I know this because I spent 2 or 3 days trying
and said to myself - "self, this isn't teaching me what I need to know
about LDAP"

So I put Samba on the side - bought Gerry Carter's LDAP System
Administration book (great book by the way - perhaps a bit dated but
definitely tells you the things you NEED to know). Set up LDAP on the
base server, added some users, tested it out with various packages like
ssh, imap etc. By this time, I was comfortable with
ldapadd/ldapmodify/ldapsearch etc. I was working. I then began working
on LDAP ACLs. This took time but by then, I was getting the picture.
All in all, this probably took me a week to get a 'basic' understanding
of LDAP and I was able to add in Samba stuff.

You need to understand LDAP to the point of troubleshooting connections,
errors, etc. Without this ability, and with total reliance upon
something like the IDEALX tools to populate and maintain LDAP, at the
first problem you don't know where to look for causes, you don't know
how to solve the problem, you are begging lists for help, and you
can't even accurately describe the problems you are having except in the
most general ways.

I understand what people are saying when they say, it seems to be
working fine except for...I've been there. It means that they don't know
what they are doing and have gotten lucky to a point. Samba/IDEALX is
not a turnkey system to create the LDAP backend that works out of the
box. In a way, I fear the day that some distribution packages it up with
that claim since it will engender a lot of 'Administrators' that don't
have a clue what they're doing... Point-and-click, know-not-the-
ramifications administration is not a Windows-patented technology I

I see all of the people like Steve Zeng - without a clue why things
aren't working. When I say, you really need to learn LDAP first - I get
a message back - why don't you give me some constructive feedback and I
think to myself, damn, I thought I just gave them the most constructive
advice that they could get - in case you haven't figured it out yet,
this is why I didn't respond to your personal email to me. (Doug - not

I have this saved in my 'subscriptions' file...
Thu, 14 Jun 2001 01:14:45 GMT  (Wed, 18:14 MST)

Welcome to the openldap-software mailing list!
I 'monitored' the list for nearly 2 1/2 years before I actually
implemented my first DSA. (I admit that I had used LDAP for a year and
didn't know what DSA meant - but had the humility to ask what it meant a
few weeks ago). I observed. I am on several other lists - I observe. I
am not that smart and it probably takes me longer than most but I know
that I am not willing to trust the most powerful system on my network to
work without doing everything that I can to understand how it works.
Knowledge is the power to take responsibility for what I do.

Lastly, if LDAP provides core authentication for users on the system,
are you gonna feel comfortable relying upon it when you can't operate
it, troubleshoot it, articulate how it is structured and/or define the
security methods you are using to protect it?
