[Samba] Migrate openLDAP into Samba AD

Rowland Penny rpenny at samba.org
Mon Jul 2 09:01:53 UTC 2018


On Mon, 2 Jul 2018 10:19:29 +0200
Jakob Lenfers via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> we moved (or still are moving) our users manually from our Samba NT4
> Domain with LDAP to a Samba AD (4.7.6). We had a few schema extensions
> in our openLDAP to feed some services (dovecot mail settings,
> nextcloud quota, ...). I would prefer to have only one place for our
> users, but I'm new to AD. I've read that I can extend the schema,
> which seems not too different from openLDAP, even though the
> documentation states it is a bit dangerous.
> 

You can extend the schema; Samba even supplies a script to turn
OpenLDAP schemas into Active Directory LDIFs, and it has the imaginative
name of 'oLschema2ldif'.

> So my questions are I guess:
> 
> - Is it feasible to authenticate and feed some user settings to
> services like dovecot and nextcloud with a Samba AD?

We have a wiki page for dovecot:

https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory

Try an internet search for 'nextcloud active directory' or 'nextcloud
kerberos'.

> 
> - How would I edit my attributes? I doubt there will be a tab in the
> windows dialog (dsa.msc) we use now...

No, you cannot use Windows tools, but you could write your own scripts
or use something like Linux Account Manager (LAM).

> 
> - Alternatively, is there a useful way to chain both services? As far
> as I've read, the AD cannot use openLDAP for passwords (which would
> have been great for me...), is it possible the other way around?

You can use OpenLDAP as an AD proxy (yes, we also have a wiki page for
this: https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD ).
But you probably don't need to do this ;-)

Rowland
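
To illustrate the schema conversion mentioned in the reply above, the following Python example (added here; it is not part of the original post and is neither the code nor the output of oLschema2ldif) turns one OpenLDAP attributetype definition into an AD attributeSchema LDIF entry. The attribute name exampleMailQuota, the OID arc 1.3.6.1.4.1.99999 and the base DN are constructed placeholders, and only four syntaxes are mapped; anything else is rejected rather than guessed.

```python
import re

# OpenLDAP syntax OID -> (AD attributeSyntax, oMSyntax); deliberately a small subset
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22),   # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2),    # Integer
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
}

# Constructed sample: hypothetical attribute under a placeholder OID arc
SAMPLE = """attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleMailQuota'
    DESC 'Mailbox quota in MB'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"""

def parse_attributetype(text):
    """Parse a single-NAME attributetype definition into a dict."""
    body = " ".join(text.split())  # collapse line continuations
    m = re.match(r"attributetype \( ([\d.]+) (.*) \)$", body)
    if not m:
        raise ValueError("not a single attributetype definition")
    oid, rest = m.groups()
    # Restricting NAME to descriptor characters keeps it safe inside a DN
    name = re.search(r"NAME '([A-Za-z][A-Za-z0-9-]*)'", rest)
    syntax = re.search(r"SYNTAX ([\d.]+)", rest)
    desc = re.search(r"DESC '([^']*)'", rest)
    if not name or not syntax:
        raise ValueError("a single quoted NAME and a SYNTAX are required")
    return {"oid": oid, "name": name.group(1), "syntax": syntax.group(1),
            "desc": desc.group(1) if desc else None,
            "single": "SINGLE-VALUE" in rest.split()}

def to_ad_ldif(attr, base_dn):
    """Render the parsed attribute as an AD attributeSchema LDIF entry."""
    if attr["syntax"] not in SYNTAX_MAP:
        raise ValueError("no AD mapping known for syntax " + attr["syntax"])
    ad_syntax, om_syntax = SYNTAX_MAP[attr["syntax"]]
    lines = [f"dn: CN={attr['name']},CN=Schema,CN=Configuration,{base_dn}",
             "objectClass: top", "objectClass: attributeSchema",
             f"cn: {attr['name']}", f"attributeID: {attr['oid']}",
             f"lDAPDisplayName: {attr['name']}",
             f"attributeSyntax: {ad_syntax}", f"oMSyntax: {om_syntax}",
             f"isSingleValued: {'TRUE' if attr['single'] else 'FALSE'}"]
    if attr["desc"]:
        lines.append(f"description: {attr['desc']}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ad_ldif(parse_attributetype(SAMPLE), "DC=example,DC=com"))
```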



