[Samba] Samba4 as a "plain LDAP" server?

Andrew Bartlett abartlet at samba.org
Sun Mar 21 01:41:19 MDT 2010


On Mon, 2010-03-15 at 21:12 +0000, SMC wrote:
> This is probably an insane question, but I'm going to ask it anyway...
> 
> Does Samba4's embedded LDAP server also support being used as an ordinary 
> (*nix-style) LDAP authentication server, at least for simple, basic use cases?
> 
> Or is it necessary to have the OpenLDAP backend running to handle normal LDAP 
> authentication?

Actually, it's neither.  The OpenLDAP backend of Samba4 is not generally
exposed, nor are the unix attributes currently set. 

We do support the uidNumber attributes etc, but only in that we load a
schema that should allow them to be set.  We don't currently set those
values when users are created, nor do we use them for Samba4's internal
idmap.  

The best option at this time is to run Samba3's winbind against Samba4.
This ensures that all recursive groups are handled correctly, and that
Kerberos is used for authentication. 

I do want Samba4 to be a good LDAP server for POSIX clients, and I hope
to make it better than AD is by supporting extensions such as the
'password set/change' extended operation.  However, we must first be a
good AD domain controller, and we can't enable behaviours that are in
conflict with being an AD DC. 

For example, we will soon enable ACL support that will block anonymous
access to our directory - while most POSIX clients prefer anonymous
searches.  

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
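An added example, not from the post or from the Samba project, of the setup Andrew recommends: a Samba3 member server whose winbind is joined to a Samba4 AD domain controller, so that POSIX logins are resolved through winbind (nested groups expanded, Kerberos for authentication) instead of anonymous LDAP searches against the DC. Realm, workgroup, idmap ranges and the Samba 3.4-style `idmap config` syntax are all assumptions, not values from the post.

```ini
# /etc/samba/smb.conf on the Samba3 member server (example, assumed values)
[global]
    # Join as an AD member so authentication goes over Kerberos, not LDAP simple bind
    security = ads
    realm = EXAMPLE.COM            ; assumed Kerberos realm of the Samba4 DC
    workgroup = EXAMPLE            ; assumed NetBIOS domain name
    kerberos method = secrets and keytab

    # Default idmap: local allocation for well-known SIDs and any foreign domain
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999

    # Domain users/groups: derive uid/gid deterministically from the RID, since
    # Samba4 does not yet populate uidNumber/gidNumber on its own
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 100000-999999

    # Shape the POSIX account that winbind hands to NSS
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind enum users = no          ; keep enumeration off on large domains
    winbind enum groups = no
    template shell = /bin/bash
    template homedir = /home/%U
```

After `net ads join` the member server also needs `winbind` listed in the `passwd:` and `group:` lines of `/etc/nsswitch.conf`; `getent passwd` and `getent group` then show the domain principals with the RID-derived ids, and `wbinfo -t` confirms the machine trust account works. Because authentication rides on the machine's Kerberos keytab, the client never relies on anonymous directory access, which is why this setup keeps working once Samba4 enables the ACLs Andrew mentions.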