[Samba] LDAP with Samba4

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 04:18:38 MDT 2015


On 10/03/15 10:10, Adi Kriegisch wrote:
> Hey!
>
> Thank you for your answers!
>
>>> A full-blown OpenLDAP server is able to do replication.
>>> The advantage of this is that servers/services may run without having
>>> access to the master OpenLDAP server and there is more: using decent crypto
>>> settings for the connection slows down lookups; another reason for using
>>> LDAP on localhost (or even better ldapi).
>> AD does replication and if required, you can run openldap on the
>> same machine as AD, but you cannot run it on ports 389 & 686.
> I doubt AD replication will scale to 50+ machines easily and I am not sure
> I want the full AD stack on all of those machines.
> The OpenLDAP is "just" acting as a proxy which means it cannot do
> replication on its own.
>
>>>> I believe that there is (or is that was?) some work going on to try
>>>> and make a samba4 AD DC use Openldap instead of the built ldap, but
>>>> it seems to have gone quiet on that front lately.
>>> Too bad. Do others then manually sync accounts between OpenLDAP and
>>> Samba/AD? Is there an interface that (kind of) streams out LDIF-Changesets?
>>> Is there a way to get plain LDIF out of Samba/AD?
>> I cannot speak for other users, but I am sure that somebody is doing
>> what you want to do, but I also think most people will be using AD
>> just for authentication. You can extract LDIFs from AD, but they are
>> not exactly like Openldap ones.
> Would be great to hear of one of those! :)
> Are those LDIFs rather full tree dumps or incrementals? Or in other words:
> would I be required to parse the full AD tree and implement some kind of
> syncing or is it possible to get just the changes?
>
> Thanks for your help!
>
> -- Adi

Ah, right, I understand what you want a bit better now. Let's take
replication first. AD replicates everything between DCs without any
intervention; clients then auth to a DC and obtain the required info.

I think your problem is that you are thinking in Unix LDAP terms when
you should be thinking in Windows AD terms. You need to do some
searching to see if what you need to work will work with a Windows AD
domain, and if it will, it should then work with a Samba AD domain.

Rowland
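The thread asks whether LDIF pulled out of Samba/AD is a full tree dump or something that can yield just the changes. The example below is added here and is not from the thread or from the Samba project. It parses LDIF of the kind `ldbsearch`/`ldapsearch` emit against an AD DC (base64 `::` values for binary attributes such as objectGUID, folded continuation lines, `#` comment lines) and then keeps only entries whose `uSNChanged` is above a stored watermark, which is the standard AD way to pick up changes without re-reading the whole tree. The sample LDIF, the DNs and the USN values are constructed for the example; the function names are this example's own.

```python
"""Incremental change pickup from an AD-style LDIF dump (added example).

Assumptions: the LDIF comes from a search against a Samba AD DC (e.g.
ldbsearch -H ldap://dc1 ...), and the caller stores the returned
watermark between polls. Everything below is illustrative; the sample
data is constructed, not a real dump.
"""
import base64

# Constructed sample output. It deliberately contains the AD-specific bits
# an OpenLDAP-oriented parser tends to trip on: a base64 ("::") binary
# attribute and a long value folded onto a continuation line.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uSNChanged: 4100
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
description: a rather long description that the LDIF writer folded
  onto a continuation line

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uSNChanged: 3950

# record 3
dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uSNChanged: 4233

# returned 3 records
"""


def parse_ldif(text):
    """Parse LDIF into a list of {'dn': str, 'attrs': {name: [values]}}.

    Folded lines (leading space) are joined back onto the previous line,
    '::' values are base64-decoded to bytes, '#' lines are ignored.
    """
    # Step 1: unfold continuation lines.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    # Step 2: split into entries on blank lines; a trailing "" flushes the last one.
    entries, current = [], None
    for line in lines + [""]:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())  # binary attribute
        else:
            value = rest.strip()
        if name.lower() == "dn":
            if isinstance(value, bytes):
                value = value.decode("utf-8")
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def changes_since(entries, last_usn):
    """Return (entries changed after last_usn, oldest first; new watermark).

    uSNChanged is assigned locally by each DC and is not replicated, so the
    watermark only makes sense against the same DC it was read from.
    """
    changed = []
    for entry in entries:
        usn = entry["attrs"].get("uSNChanged")
        if not usn:
            continue
        number = int(usn[0])
        if number > last_usn:
            changed.append((number, entry))
    changed.sort(key=lambda pair: pair[0])
    new_mark = max([last_usn] + [number for number, _ in changed])
    return [entry for _, entry in changed], new_mark


def next_poll_filter(watermark):
    """LDAP filter for the next poll so the DC does the filtering server-side."""
    return "(uSNChanged>=%d)" % (watermark + 1)


if __name__ == "__main__":
    changed, mark = changes_since(parse_ldif(SAMPLE_LDIF), 4000)
    for entry in changed:
        print(entry["attrs"]["uSNChanged"][0], entry["dn"])
    print("next filter:", next_poll_filter(mark))
```

Two caveats apply if this is used against a real DC: keep one watermark per DC you query, because `uSNChanged` values are local to each DC rather than replicated, and note that deleted objects only appear in such a search as tombstones when the LDAP_SERVER_SHOW_DELETED_OID control is sent, so a plain `uSNChanged` poll sees adds and modifies but not deletes.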


