Fedora DS Support

Endi Sukma Dewata edewata at redhat.com
Mon Aug 31 23:02:20 MDT 2009


Andrew,

----- "Andrew Bartlett" <abartlet at samba.org> wrote:

> > I've been looking at the code and thinking of doing this:
> > 
> > 1. Create cn=samba partition in FDS.
> > 2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
> >    directory and set the password in clear text.
> > 3. Set up SASL mapping for samba-admin to the above user.
> > 4. Change the auth for Samba-to-FDS from anonymous to SASL as
> >    samba-admin as in Samba-to-OpenLDAP.
> > 
> > Is this the correct approach? I've figured out how to do #1 and #3.
> 
> Yes, I think this is exactly the right approach.  The only other thing
> you might consider is if you can create the cn=samba-admin,cn=samba user
> via an 'initial LDIF' fragment into FDS. 

> > I was trying to do #2 by adding another partition in samdb, but
> > it seems that an LDB can only have one rootDomainNamingContext,
> > so I can't add cn=samba because the root context is dc=samba,dc=example,
> > dc=com. Another alternative is to do this by invoking ldapi
> > directly,
> 
> Yes, you should do this against ldapi directly. 

OK, I got it working now. I've verified in the FDS access log that Samba is
authenticated using SASL. Thanks for the instructions. Attached is the
result.

There's an issue with SASL mapping: by default FDS includes this
mapping:

dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: DC=samba,DC=example,DC=com
nsSaslMapFilterTemplate: (uid=&)

But for samba-admin I need the following mapping:

dn: cn=samba-admin,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: samba-admin
nsSaslMapRegexString: ^samba-admin$
nsSaslMapBaseDNTemplate: CN=samba-admin,CN=samba
nsSaslMapFilterTemplate: (objectclass=*)

To avoid conflict I have to change the regex of the first mapping
to: ^(?!samba-admin)$. I'm not sure if this is actually working.

Also, Samba only includes the 00core.ldif and 99_ad.ldif schema files,
which causes FDS to complain about undefined schema for some
of its configuration objects (cn=config). For now I have to partially
include some additional FDS schema files.

Do you have any suggestions about these issues? I will check with
FDS people too. I'll post the patch after these issues get resolved.
Thanks!

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: summary
Type: application/octet-stream
Size: 48398 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090901/df927075/attachment.obj>
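As an added example (not the message's code, and not Samba or Fedora DS code): a small Python simulation of how a regex-based SASL mapping table resolves identities, seeded with the two mapping entries quoted in the message. It shows which identities each mapping catches, that `samba-admin` matches both entries as posted, and what the two candidate regexes for the first mapping do: the `^(?!samba-admin)$` pattern from the message and `^(?!samba-admin$)[^:@]+$`, which is my assumed alternative. The template conventions (`&` for the whole identity, `\1`..`\9` for capture groups) follow the quoted entries; the filter-value escaping is a defensive choice of the simulation, and whether the directory server's own regex engine supports negative lookahead is not something the message establishes, so check that against the server's documentation before relying on it.

```python
import re

# Constructed copies of the two SASL mapping entries quoted in the message.
# Each mapping turns a SASL identity (regex) into a base DN and a search
# filter; in the templates "&" stands for the whole matched identity and
# \1..\9 for capture groups.
MAPPINGS = [
    {
        "cn": "uid mapping",
        "regex": r"^[^:@]+$",
        "base": "DC=samba,DC=example,DC=com",
        "filter": "(uid=&)",
    },
    {
        "cn": "samba-admin",
        "regex": r"^samba-admin$",
        "base": "CN=samba-admin,CN=samba",
        "filter": "(objectclass=*)",
    },
]


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter.

    Defensive choice of this simulation only; the message does not say
    whether the server escapes substituted identities.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand(template, match, escape=False):
    """Substitute '&' and \\1..\\9 from a regex match into a template."""
    whole = match.group(0)
    groups = [g or "" for g in match.groups()]
    if escape:
        whole = ldap_filter_escape(whole)
        groups = [ldap_filter_escape(g) for g in groups]
    out = template.replace("&", whole)
    for i, g in enumerate(groups, start=1):
        out = out.replace("\\%d" % i, g)
    return out


def resolve(identity, mappings=MAPPINGS):
    """Return (cn, base DN, filter) for every mapping whose regex matches.

    More than one hit means the identity is ambiguous: which mapping the
    server would actually apply is not decided here.
    """
    hits = []
    for m in mappings:
        match = re.match(m["regex"], identity)
        if match:
            hits.append((m["cn"],
                         expand(m["base"], match),
                         expand(m["filter"], match, escape=True)))
    return hits


def replace_regex(mappings, cn, regex):
    """Copy of the mapping list with one entry's regex replaced."""
    return [dict(m, regex=regex) if m["cn"] == cn else m for m in mappings]


if __name__ == "__main__":
    variants = [
        ("as posted", MAPPINGS),
        ("uid mapping regex ^(?!samba-admin)$ (from the message)",
         replace_regex(MAPPINGS, "uid mapping", r"^(?!samba-admin)$")),
        ("uid mapping regex ^(?!samba-admin$)[^:@]+$ (assumed alternative)",
         replace_regex(MAPPINGS, "uid mapping", r"^(?!samba-admin$)[^:@]+$")),
    ]
    for label, maps in variants:
        print(label)
        for ident in ["edewata", "samba-admin", "", "user@REALM"]:
            print("  %-14r -> %s" % (ident, resolve(ident, maps)))
```

Running the script prints, for each variant of the first mapping's regex, where the identities `edewata`, `samba-admin`, the empty string and `user@REALM` would land. The point worth checking against a real server is the ambiguous case: with the entries as posted, `samba-admin` is caught by both mappings, and an exclusion regex needs to keep matching ordinary user names while dropping only that one identity.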