[Samba] Synchronising password of some AD users with an external LDAP?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue Feb 26 07:01:29 MST 2013

I'm in a situation where I should establish an external (i.e. non-AD)
LDAP directory for my employer for various web-based authentication
purposes. I don't think that Samba--or Windows AD, for that matter--in
and of itself would be the best tool for this purpose; so far I've been
reviewing 389 DS, ApacheDS, OpenDJ and plain old OpenLDAP, but have made
no final decision yet.

Now however, it would be beneficial, even if not strictly speaking
necessary, if I could automatically synchronise the passwords of certain
accounts between that LDAP and our AD; the most sensible solution here would
probably be to do it between the LDAP users having a corresponding AD
account belonging to a specific AD OU. Other than passwords, the
accounts and their attributes themselves should stay separate.

I know that if I were running a Windows AD, I could most likely
accomplish what I want with--if nothing else--the 389 DS by using
the DS-provided Password Sync Service (see
for more information).

However, our goal is to completely migrate our AD to Samba 4, so
committing to any software that depends on the continued availability of
a Windows DC simply won't do.

How could I accomplish this synchronisation with Samba 4? Can anyone
nudge me in the right direction? Or is it possible at all?

