[Samba] LDAP with Samba4

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 03:02:53 MDT 2015

On 10/03/15 07:36, Adi Kriegisch wrote:
> Hi!
>>> The question is how can we continue to use a LDAP server for authentication
>>> while keeping accounts and passwords in sync?
>>> Is there still some development going on for the OpenLDAP backend of
>>> Samba4[1]?
>>> How did others solve such a situation?
>> Hi, just what are the services that need to authenticate via ldap ?
>> There is a page on the samba wiki about authenticating to samba4 AD:
> Thanks for the pointer; this can indeed be done for some of the services.
> But what I am about to lose is local authentication and independence of
> services:

You can still have local Unix users and services, you just cannot have 
users, groups etc with the same name in AD.

> A full-blown OpenLDAP server is able to do replication.
> The advantage of this is that servers/services may run without having
> access to the master OpenLDAP server and there is more: using decent crypto
> settings for the connection slows down lookups; another reason for using
> LDAP on localhost (or even better ldapi).

AD does replication and if required, you can run openldap on the same 
machine as AD, but you cannot run it on ports 389 & 686.

>> I believe that there is (or is that was?) some work going on to try
>> and make a samba4 AD DC use Openldap instead of the built ldap, but
>> it seems to have gone quiet on that front lately.
> Too bad. Do others then manually sync accounts between OpenLDAP and
> Samba/AD? Is there an interface that (kind of) streams out LDIF-Changesets?
> Is there a way to get plain LDIF out of Samba/AD?

I cannot speak for other users, but I am sure that somebody is doing 
what you want to do, but I also think most people will be using AD just 
for authentication. You can extract LDIFs from AD, but they are not 
exactly like Openldap ones.
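As an added illustration of that last point (example code, not from this thread or from the Samba project): AD exports attributes under its own names (sAMAccountName, unixHomeDirectory, userAccountControl) and never includes the password hash, so a sync into OpenLDAP has to remap them and decide how binds are handled. The sample entry is constructed; the `{SASL}` pass-through and the `ou=People` base are assumptions.

```python
# Constructed sample: one AD user as ldbsearch/ldapsearch print it
# (RFC 2307 attributes present, userAccountControl 512 = enabled account).
AD_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
cn: Alice Example
sn: Example
givenName: Alice
sAMAccountName: alice
userPrincipalName: alice@example.com
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
userAccountControl: 512
"""
# AD attribute -> OpenLDAP attribute (inetOrgPerson + posixAccount)
ATTR_MAP = {"sAMAccountName": "uid", "cn": "cn", "sn": "sn",
            "givenName": "givenName", "uidNumber": "uidNumber",
            "gidNumber": "gidNumber", "unixHomeDirectory": "homeDirectory",
            "loginShell": "loginShell"}

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation lines."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # folded line: join to the previous one
        elif line and not line.startswith("#"):
            lines.append(line)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry

def ad_to_openldap(entry, people_base="ou=People,dc=example,dc=com"):
    """Map an AD entry to OpenLDAP; refuse users without POSIX attributes."""
    if not {"sAMAccountName", "uidNumber", "gidNumber"}.issubset(entry):
        raise ValueError("missing sAMAccountName/uidNumber/gidNumber")
    out = {"objectClass": ["inetOrgPerson", "posixAccount"]}
    for ad_attr, ldap_attr in ATTR_MAP.items():
        if ad_attr in entry:
            out[ldap_attr] = list(entry[ad_attr])
    uid = out["uid"][0]
    out["dn"] = [f"uid={uid},{people_base}"]
    # AD does not hand out password hashes over LDAP, so the copy cannot carry
    # one. Assumption: slapd's {SASL} pass-through delegates binds to AD; a
    # disabled account (userAccountControl bit 0x2) gets no password at all.
    if not int(entry.get("userAccountControl", ["0"])[0]) & 0x2:
        out["userPassword"] = ["{SASL}" + entry.get("userPrincipalName", [uid])[0]]
    return out
```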
