[Samba] LDAP access to Samba 4

Michael Wood esiotrot at gmail.com
Fri Aug 31 00:51:06 MDT 2012


On 29 August 2012 21:48, Kristofer <kristofer at cybernetik.net> wrote:
> Hello,
>
> I am currently migrating from OpenLDAP to Samba 4 PDC, and I have a webpage (PHP/Apache) available for users so that they can change their password on the existing LDAP server.
>
> I attempted to adjust that script to change the password on the Samba 4 AD controller, but I get a "cannot connect" error to LDAP. The web server the password script is running on is not on the same machine as the Samba 4 controller, and is not joined to the AD domain. What is the best way to connect to the LDAP server from PHP to make this happen? Is there something with Kerberos I need to do? Or am I going to have to fully join the machine to the domain before it can connect to LDAP?

You basically need to do whatever would be needed with a Windows AD server.

You'll need to do it over TLS (on port 636; make sure you compiled
with GnuTLS support if you do this) or using GSSAPI (Kerberos).

It goes something like this (pseudocode), I believe:

import ldap
import ldap.sasl

# userdn, oldpass and newpass are supplied by the caller (e.g. the web form)
conn = ldap.initialize("ldaps://dc.example.com:636")  # placeholder host

# Bind to the directory as the user whose password is being changed
conn.simple_bind_s(userdn, oldpass)

# or: conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())

# Quote the password and encode it as UTF-16-LE (see below)
oldencoded = ('"%s"' % oldpass).encode("utf-16-le")
newencoded = ('"%s"' % newpass).encode("utf-16-le")

# Delete the old unicodePwd value, then add the new one
modlist = [(ldap.MOD_DELETE, "unicodePwd", [oldencoded]),
           (ldap.MOD_ADD, "unicodePwd", [newencoded])]

conn.modify_s(userdn, modlist)
####

The encoding works like this:

* First wrap the password in double quotes.
* Then encode it using UTF-16-le format.

so the string 'PASSWORD' would be encoded as '"\0P\0A\0S\0S\0W\0O\0R\0D\0"\0'

In Python this would be done like this:

encodedpass = ('"%s"' % password).encode("utf-16-le")

The modlist is basically a delete of the unicodePwd attribute followed
by an add with the new encoded password.
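The encoding and the delete/add modlist described above, as an added example that is not part of the original post: the helpers build and sanity-check the unicodePwd change offline, and the final function does the live change over LDAPS with the server certificate verified. It assumes python-ldap for the live step only, Python 3 text strings, and that the URI, user DN and CA file are supplied by the caller; the MOD_* values are python-ldap's constants restated so the offline helpers need no import.

```python
# Added example (not from the original post): build the unicodePwd change
# offline so the encoding and modlist can be checked before touching a DC.
# Assumes python-ldap for the live step; everything else is stdlib.

# python-ldap's ldap.MOD_ADD / ldap.MOD_DELETE are 0 and 1 (same values as
# the OpenLDAP C library); restated here so the helpers need no import.
MOD_ADD = 0
MOD_DELETE = 1


def encode_unicode_pwd(password):
    """Wrap in double quotes, then UTF-16-LE encode: what AD/Samba expect."""
    if not isinstance(password, str):
        raise TypeError("password must be text, not bytes")
    return ('"%s"' % password).encode("utf-16-le")


def decode_unicode_pwd(value):
    """Inverse of encode_unicode_pwd; used to check what would be sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def unicodepwd_change_modlist(old_password, new_password):
    """Delete of the old unicodePwd value followed by an add of the new one."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def change_password(uri, userdn, old_password, new_password, ca_file):
    """Change the password over LDAPS, verifying the DC's certificate."""
    import ldap  # python-ldap; imported here so the helpers above work without it
    conn = ldap.initialize(uri)  # e.g. "ldaps://dc.example.com:636" (placeholder)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options to this connection
    conn.simple_bind_s(userdn, old_password)   # bind as the user with the OLD password
    modlist = unicodepwd_change_modlist(old_password, new_password)
    conn.modify_s(userdn, modlist)
    conn.unbind_s()
    return modlist
```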

-- 
Michael Wood <esiotrot at gmail.com>
