[Samba] A question to Samba developers (or experienced users) about connections to a LDAP server using Unix sockets (LDAPI)
miguelmedalha at sapo.pt
Wed Feb 10 18:44:32 MST 2010
> You can also specify the LDAPI socket path if your OpenLDAP server is
> listening in a 'non-standard' location, like:
> passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
> You have to escape the "/" elements of the path.
Thank you for helping me search in the right direction.
By default, CentOS Directory Server 8.10 (=Red Hat 389 Directory Server
8.10 or 389 Directory Server 1.1) creates a socket under
/var/run/slapd-<your instance>.socket"". So I have:
passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-<your
This is now working. I even managed to combine this with
"ldapsam:trusted" + "ldapsam:editposix" so that I don't have to use
external scripts to manage accounts.
Some obstacles remain: "getent shadow" does no return the LDAP-only
users, although "getent passwd" and "getent group" work as expected. No
shadow entries are present in the LDAP database, so it seems to me that
either pdbedit or smbpasswd are not creating those entries or there is
something missing in the database configuration, such as appropriate ACLs.
Also, with "ldap passwd sync" enabled, pdbedit and smbpasswd are not
able to create a users's password, giving the following message:
ldapsam_modify_entry: LDAP Password could not be changed for user <x> :
Operation requires a secure connection.
It only works with "ldap passwd sync = no".
I will look into both these issues next.
PS - For now, I don't know if I will adopt this connection over Unix
sockets, since there appears to be a bug in the cuurent implementation:
LDAPI: activation of LDAPI UNIX socket causes serious performance issues
in TCP/IP searches
The above page also contains a patch. I will look into it.
More information about the samba