[Samba] A question to Samba developers (or experienced users) about connections to a LDAP server using Unix sockets (LDAPI)

Miguel Medalha miguelmedalha at sapo.pt
Wed Feb 10 18:44:32 MST 2010

> You can also specify the LDAPI socket path if your OpenLDAP server is
> listening in a 'non-standard' location, like:
> passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
> You have to escape the "/" elements of the path.

Thank you for helping me search in the right direction.

By default, CentOS Directory Server 8.10 (=Red Hat 389 Directory Server 
8.10 or 389 Directory Server 1.1) creates a socket under 
/var/run/slapd-<your instance>.socket"". So I have:

     passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-<your 

This is now working. I even managed to combine this with 
"ldapsam:trusted" + "ldapsam:editposix" so that I don't have to use 
external scripts to manage accounts.

Some obstacles remain: "getent shadow" does no return the LDAP-only 
users, although "getent passwd" and "getent group" work as expected. No 
shadow entries are present in the LDAP database, so it seems to me that 
either pdbedit or smbpasswd are not creating those entries or there is 
something missing in the database configuration, such as appropriate ACLs.

Also, with "ldap passwd sync" enabled, pdbedit and smbpasswd are not 
able to create a users's password, giving the following message:

ldapsam_modify_entry: LDAP Password could not be changed for user <x> : 
Confidentiality required
Operation requires a secure connection.

It only works with "ldap passwd sync = no".

I will look into both these issues next.
Thank you

PS - For now, I don't know if I will adopt this connection over Unix 
sockets, since there appears to be a bug in the cuurent implementation:

LDAPI: activation of LDAPI UNIX socket causes serious performance issues 
in TCP/IP searches

The above page also contains a patch. I will look into it.

More information about the samba mailing list