[Samba] Configuring Linux openldap ldapsearch client-side tool to authenticate against a Samba AD server
Rowland Penny
rpenny at samba.org
Tue Apr 25 20:00:39 UTC 2023
On 25/04/2023 20:22, John R. Graham via samba wrote:
> Is there a guide somewhere that explains the process of getting openldap
> (the ldapsearch tool for starters) to authenticate against a Samba AD
> server? On my Linux client, I can run
>
> ldapsearch -LLL -x -b '' -s base '(objectClass=*)'
>
> and get a detailed response from the server. Somewhat obfuscated, that
> response is:
>
> dn:
> configurationNamingContext: CN=Configuration,DC=myrealm,DC=example,DC=com
> defaultNamingContext: DC=myrealm,DC=example,DC=com
> rootDomainNamingContext: DC=myrealm,DC=example,DC=com
> schemaNamingContext:
> CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=org
> subschemaSubentry:
> CN=Aggregate,CN=Schema,CN=Configuration,DC=myrealm,DC=example,
> DC=com
> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
> supportedCapabilities: 1.2.840.113556.1.4.1935
> supportedCapabilities: 1.2.840.113556.1.4.2080
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: Samba Team (https://www.samba.org)
> isSynchronized: TRUE
> dsServiceName: CN=NTDS
> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name
> ,CN=Sites,CN=Configuration,DC=myrealm,DC=example,DC=com
> serverName:
> CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu
> ration,DC=myrealm,DC=example,DC=com
> dnsHostName: dc1.myrealm.example.com
> ldapServiceName: myrealm.example.com:dc1$@MYREALM.EXAMPLE.COM
> currentTime: 20230425172943.0Z
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.528
> supportedControl: 1.2.840.113556.1.4.841
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 1.2.840.113556.1.4.1504
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.805
> supportedControl: 1.2.840.113556.1.4.1338
> supportedControl: 1.2.840.113556.1.4.529
> supportedControl: 1.2.840.113556.1.4.417
> supportedControl: 1.2.840.113556.1.4.2064
> supportedControl: 1.2.840.113556.1.4.1339
> supportedControl: 1.2.840.113556.1.4.1340
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1341
> namingContexts: DC=myrealm,DC=example,DC=com
> namingContexts: CN=Configuration,DC=myrealm,DC=example,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=myrealm,DC=example,DC=com
> namingContexts: DC=DomainDnsZones,DC=myrealm,DC=example,DC=com
> namingContexts: DC=ForestDnsZones,DC=myrealm,DC=example,DC=com
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: NTLM
> highestCommittedUSN: 6034
> domainFunctionality: 4
> forestFunctionality: 4
> domainControllerFunctionality: 4
> isGlobalCatalogReady: TRUE
>
> But almost any other query results in
>
> Operations error (1)
> Additional information: 00002020: Operation unavailable without
> authentication
>
> Surely I'm missing a pre-existing guide somewhere.
Yes, you are missing that, unlike openldap, AD ldap requires
authentication for most searches. Sorry but you are going to have to
authenticate.
Can I ask just what the openldap server is used for? You may just find
it easier to extend the AD schema instead.
Rowland
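As an added example (not part of this thread), a small POSIX shell helper that reads the supportedSASLMechanisms the rootDSE advertises and prints the authenticated ldapsearch invocation the reply says is required; the DC hostname, base DN and admin UPN are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: pick an authenticated
# ldapsearch invocation for a Samba AD DC from what its rootDSE advertises.
# Hostname, base DN and the UPN used below are assumed placeholders.

DC_HOST="dc1.myrealm.example.com"
BASE_DN="DC=myrealm,DC=example,DC=com"

# Constructed sample of the anonymous rootDSE answer (abridged from the
# poster's output). In practice obtain it with:
#   ldapsearch -LLL -x -H "ldap://$DC_HOST" -b '' -s base '(objectClass=*)' supportedSASLMechanisms
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM'

# Prefer GSSAPI (a Kerberos ticket obtained with kinit); otherwise fall back to
# a simple bind, which Samba AD by default (ldap server require strong auth = yes)
# accepts only over TLS, hence -ZZ below.
pick_mech() {
    # $1 = rootDSE text
    if printf '%s\n' "$1" | grep -q '^supportedSASLMechanisms: GSSAPI$'; then
        echo GSSAPI
    else
        echo simple
    fi
}

# Print (do not run) the ldapsearch command for the chosen mechanism so it can
# be reviewed before any credentials are presented. The -ZZ form requires the
# client to trust the DC certificate (TLS_CACERT in ldap.conf).
build_cmd() {
    # $1 = mechanism, $2 = bind DN or UPN for simple binds
    case "$1" in
        GSSAPI) echo "ldapsearch -LLL -Y GSSAPI -H ldap://$DC_HOST -b '$BASE_DN' '(objectClass=user)' sAMAccountName" ;;
        simple) echo "ldapsearch -LLL -x -ZZ -H ldap://$DC_HOST -D '$2' -W -b '$BASE_DN' '(objectClass=user)' sAMAccountName" ;;
        *) return 1 ;;
    esac
}

# Recognise the AD error from the thread so a wrapper can tell "not
# authenticated" apart from other failures.
is_auth_required() {
    printf '%s\n' "$1" | grep -q '00002020'
}

MECH=$(pick_mech "$SAMPLE_ROOTDSE")
echo "Mechanism: $MECH"
build_cmd "$MECH" "admin@MYREALM.EXAMPLE.COM"
# Before running the GSSAPI form: kinit admin@MYREALM.EXAMPLE.COM
```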