[Samba] helping to implement samba 4 AD with ldap backend

Marco Gaiarin gaio at sv.lnf.it
Thu Jul 16 07:42:56 UTC 2020


Hello! jmpatagonia via samba
  On that day it was said...

> We don't understand why samba decides to use a builtin ldap and discard
> external ldap; it is very annoying because production and larger
> environments need a lot of work, and it implies maintaining another ldap.

I'm not a samba developer, so I cannot answer the first part of the
question. But I suppose that the better answer is: 'because'. ;(

After all, samba IS an LDAP server: ok, it is not OpenLDAP, but it can be
used exactly as OpenLDAP, clearly with a few differences. Mostly:

 + AD is a full hierarchical DB; plain LDAP too, but it was typically used
   flat; this means less 'UID', more 'DN'.

 + group handling changed, because now 'nested groups' are possible.

 + no more anonymous bind


All these aspects can be taken into account; consider also that the 'AD
Schema' is more widely used, eg many apps have 'connect to AD'
(where you put the domain name and little more) and 'connect to LDAP'
(where you have to put all the connection and schema details).


For schemas, as stated by Rowland, they can be extended too; consider that
the AD schema is naturally 'rich', so probably some schemas can be
discarded.
Schemas can be 'converted' from the LDAP/OpenLDAP format to the AD
format with 'oLschema2ldif', in the standard samba distribution (at least
in debian packages).
Clearly, because schemas are 'one way' (cannot be removed), do some
tests...


Last: what you want to do is, for me, the right thing: build the new
domain in parallel to the old, build some tools to migrate/sync data and
passwords (for passwords, a hint: use 'check password script' for NT
domain and 'samba-tool syncpasswd', eg:
	https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
for AD).

With both domains in place, migrate from LDAP to AD one app at a time.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
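
The list of differences in the message above (DN-based membership, nested groups), as an added example that is not part of the original message or of Samba's code: an application moved from a flat LDAP group check to AD has to expand nested groups, or it will grant or deny access on the first membership level only. The example.lan domain, the entry names and the in-memory directory are constructed; the OID is AD's LDAP_MATCHING_RULE_IN_CHAIN, and that the deployed Samba version honours it is an assumption to verify.

```python
"""Added example: first-level vs. transitive membership in DN-based, nested groups."""
BASE = "DC=example,DC=lan"  # constructed sample domain, not from the post
ALICE, BOB = "CN=alice,OU=Staff," + BASE, "CN=bob,OU=Staff," + BASE
HELPDESK, IT_ALL, VPN = ("CN=%s,OU=Groups,%s" % (n, BASE)
                         for n in ("helpdesk", "it-all", "vpn-users"))
DIRECTORY = {  # constructed entries: DN -> attributes
    ALICE: {"objectClass": "user"},
    BOB: {"objectClass": "user"},
    HELPDESK: {"objectClass": "group", "member": [ALICE]},
    # it-all nests helpdesk; vpn-users points back at it-all (a loop)
    IT_ALL: {"objectClass": "group", "member": [HELPDESK, BOB, VPN]},
    VPN: {"objectClass": "group", "member": [IT_ALL]},
}


def direct_members(directory, group_dn):
    """What a flat, one-level check sees: only the group's own 'member' values."""
    return set(directory.get(group_dn, {}).get("member", []))


def effective_users(directory, group_dn):
    """Expand nested groups transitively and return the DNs of non-group members."""
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        dn = todo.pop()
        if dn in seen:  # already expanded: this is what breaks membership loops
            continue
        seen.add(dn)
        for member in directory.get(dn, {}).get("member", []):
            if directory.get(member, {}).get("objectClass") == "group":
                todo.append(member)  # nested group, expand it later
            else:
                users.add(member)    # leaf entry
    return users


def escape_filter_value(value):
    """RFC 4515 escaping, so a DN cannot alter the search filter it is put into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def in_chain_filter(group_dn):
    """Server-side transitive match using AD's LDAP_MATCHING_RULE_IN_CHAIN OID."""
    return "(memberOf:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(group_dn)
```
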