[Samba] understanding the ldap backend
Adam Williams
awilliam at mdah.state.ms.us
Wed Feb 20 07:33:53 GMT 2008
ml at bortal.de wrote:
> Hello List,
>
> i am trying to understand the LDAP-backend i just set up. Maybe
> someone can help me a little understanding the whole magic.
>
> In smb.conf i have my smbldap-tools scripts:
> # use the smbldap-tools scripts
> add user script = /usr/sbin//smbldap-useradd -m "%u"
> delete user script = /usr/sbin//smbldap-userdel "%u"
> add machine script = /usr/sbin//smbldap-useradd -w "%u"
> add group script = /usr/sbin//smbldap-groupadd -p "%g"
> delete group script = /usr/sbin//smbldap-groupdel "%g"
> add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"
>
>
> and some ldap specific stuff:
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=Manager,dc=example,dc=net
> ldap suffix = dc=example,dc=net
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> idmap backend = ldap://127.0.0.1
> #ldap ssl = start tls
> ldap delete dn = Yes
>
>
>
> 1.) Now how does the authentification excatly work? Does samba talk
> directly to the ldap database and verifies user/password?
> 2.) I guess changing/deleting passwords/users is beeing made by the
> smblda-tools.
> 3.) How does samba get the user ids? By contacting the ldap database
> directl again?
> 4.) How does samba get he user/group of files and folders? By nss?
> 5.) Has samba got anything to do with nss/libnss-ldap?
>
>
> Thanks, Mario
1) yes
2) you can use smbldap-passwd to change a user's password if you want to
set the passwd chat, unix password sync, etc. or you can just set ldap
passwd sync = yes and let samba handle the password changing directly
3)yes
4) yes
5) i think so, i have nss_ldap working because my users need shell
access for database/html work. i've never tried getting samba going
without using nss_ldap for user auth. i don't know if samba can look up
the users directly or if it gets their user, group, machine accounts via
nss_ldap. but nss_ldap is trivial to get working.
More information about the samba
mailing list