[Samba] Synchronising password of some AD users with an external LDAP?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue Feb 26 09:16:34 MST 2013

True, webservers can authenticate against AD in a similar fashion to
other LDAPs. But that's not the whole story.

The thing is that Samba 4 is designed from a ground up with AD in mind,
and AD itself has been designed with workstation authentication and NT4
client compatibility in mind. All this adds a lot of complexity to the
system--and to the schema itself--that isn't in my opinion really
benefical. Also, manually editing the AD schema, and especially removing
objectclasses and/or attributes from the default schema, is generally
regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS,
but that isn't an option with Samba (which is perfectly understandable,
as on Linux, unlike Windows, there are many alternatives).

However, after a lot of googling it appears that there should be a way
to make OpenLDAP to accept simple binds both with and without kerberos
backing, using SASL as an authentication vehicle:

Perhaps I'll try that route.

Pekka L.J. Jalkanen

On 26.2.2013 16:13, Daniel Müller wrote:
> Apache can authenticate against samba4 ads the same way as if it were
> openldap.
> http://wiki.samba.org/index.php/Samba4/beyond
> Good Luck
> Daniel
> -----------------------------------------------
> EDV Daniel Müller
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Ursprüngliche Nachricht-----
> Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
> Auftrag von Pekka L.J. Jalkanen
> Gesendet: Dienstag, 26. Februar 2013 15:01
> An: samba at lists.samba.org
> Betreff: [Samba] Synchronising password of some AD users with an external
> I'm in a situation where I should establish an external (i.e. non-AD) LDAP
> directory for my employer for various web-based authentication purposes. I
> don't think that Samba--or Windows AD, for that matter--in and itself would
> be the best tool for this purpose; so far I've been reviewing 389 DS,
> ApacheDS, OpenDJ and plain old OpenLDAP, but have made no final decision
> yet.
> Now however, it would be beneficial, even if not strictly speaking
> necessary, if I could automatically synchronise the passwords of certain
> accounts between that LDAP and our AD; most sensible solution here would
> probably be to do it between the LDAP users having a corresponding AD
> account belonging to a specific AD OU. Other than passwords, the accounts
> and their attributes themselves should stay separate.
> I know that if I were running a Windows AD, I could most likely accomplish
> what I want with--if nothing else--the 389 DS by using DS-provided Password
> Sync Service (see
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/
> html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> for more information).
> However, our goal is to completely migrate our AD to Samba 4, so committing
> to any software that depends on the continued availability of a Windows DC
> simply won't do.
> How could I accomplish this synchronisation with Samba 4? Can anyone nudge
> me to the right direction? Or is possible at all?
> Pekka L.J. Jalkanen
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list