[Samba] stand-alone server with ldap-auth without AD

Andrew Bartlett abartlet at samba.org
Tue Mar 29 01:56:51 UTC 2022

On Mon, 2022-03-28 at 13:29 +0200, Angel Bosch Mora via samba wrote:
> > I should make very clear, we will gladly consider all patches, that
> > come with the appropriate tests and documentation, but we don't
> > really have a 'roadmap' that others can add things too like this.
> > 
> > Samba is driven by its developers and those who fund its developers
> > (our incredibly supportive employers and their customers).
> > 
> > So please don't feel that these things 'fell off' our roadmap -
> > that isn't really how we work.
> > 
> Sorry if I sounded rude, that wasn't my intention at all.
> I can code a little bit but I'm by no means a developer and I have a
> lot of respect for all the work you do.
> My comment about roadmap was referring to this info on Samba Wiki:
> "The Samba team decided not to peruse this as a development avenue,
> and no viable approach to re-opening this functionality has been
> proposed."
> https://wiki.samba.org/index.php/FAQ#Do_Samba_AD_DCs_Support_OpenLDAP_or_Other_LDAP_Servers_as_the_Back_End.3F

So to be clear, this isn't at all related to the use of OpenLDAP to
back NT4-like domains or to host a pdb_ldap compatible password store
for single file servers.   This was about a technology to use OpenLDAP
to provide the port 389 listener, to leverage the expertise and
existing development in that codebase.  It would not have looked like
'traditional LDAP', it was just a way of re-using codebases to make
something that looked like AD.

The still-working pdb_ldap does just add on to 'traditional LDAP'
schema and services. 

> I understand that AD break standard schemas so LDAPv3 can't be used
> as backend. I'm just surprised that with so many people asking for
> some kind of LDAP attribute synchronization there's no work being
> done internally.

We provided an upgrade tool 'samba-tool domain classicupgrade', and we
do provide some tooling for password sync actually.

AD -> other sync is done with the 'samba-tool user syncpasswords' tool,
and if you have the NT hash, you can inject that into Samba without
great pain, by modifying the unicodePwd attribute (with some special
controls), and deleting any supplementalCredentials. 

> But you're totally right, I don't know how you work or prioritize
> issues.
> I just hope some company/institution decides to patron and fund this
> feature (Uninvention?).
> With all that said, I'm totally ok sharing my solutions, so anyone
> that wants to maintain a standard LDAP in parallel to samba can
> contact me and I will happily give a hand.

We should better document this space in the wiki - contributions are
most welcome there.

Sorry for not being clearer about the syncpasswords tool.  

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
