Re: RFC [Samba/NIS + LDAP]
On Mon, 12 Nov 2001, Will Sarka wrote:
> I am an OpenLDAP newbie, and have been doing some cursory examination of
> what might be possible with unifying authentication for my Linux and
> Windows boxes. I understand Samba can use NIS as a basis of
> authentication, and then the nss_ldap modules allows NIS lookups to be
> done against a LDAP directory. I currently have no windows servers
> (only a workgroup that I inherited), and am considering using the Samba
> 2.2.x codebase to implement a PDC/Domain with a LDAP backend that
> understands NIS (via the nis schema, from what I gather). Has anyone
> done anything like this? Any pitfalls? Howtos? URLs? :-)
I am working pretty much the same thing and I am making good progress.
Recent versions of Samba 2.2 can authenticate directly against an LDAP
server. What you need is:
* Some knowledge on the basics of LDAP principles and how to set up a
server and namespace. There are pretty good books and some howtos on the
* For basic management of users and groups for Unix/NIS and Samba in LDAP
you will at least need the posixAccount posixGroup object classes
defined in nis.schema and the sambaAccount object class in samba.conf
(comes with the Samba distribution).
* Tools to manage the entries for your accounts. As you will need to
generate both Unix and Windows password hashes you will also probably
want to keep them synchronized. I am cooking my own tools to do this
just for the fun of it.
* Pitfalls... Access control is fundamental, especially for the Windows
password hashes. You don't want these hashes to get sniffed from the
network either so use LDAPS (LDAP with SSL/TLS) whenever possible. By
the way: Can you set an ACL that allows a user to fetch an attribute
when using an SSL connection but not otherwise? Also, if you use Samba
and have any kind of debugging enabled the same hashes wind up in Samba's
I have not yet set up a full PDC, but my test Samba server does the
authentication stuff very well.
If anyone is interested I can probably publish the stuff I have coded so
far. I probably should clean it up a bit first. Beware though - it is all
written in Pike, a C-like interpreter language that is _perfect_ for
making little LDAP gizmos among other things. (Sorry, I couldn't resist).
Erik Persson, System Manager <email@example.com>
Roxen Internet Software Voice: +46 13 376817
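The access-control pitfall raised above (and the question of whether an attribute can be made readable only over an encrypted connection) can be expressed with OpenLDAP's slapd.conf ACLs. The fragment below is an added illustration, not anything from the thread or from Erik's Pike tools. It assumes the Samba 2.2 samba.schema attribute names lmPassword and ntPassword, a suffix of dc=example,dc=com, and a dedicated bind DN for the Samba server; all of those are placeholders to adapt. The ssf= qualifier on a by clause is what makes a rule apply only when the connection's security strength factor (e.g. from TLS) is at least that value.

```conf
# slapd.conf (OpenLDAP) - protecting password hashes stored for Samba/NIS
# Added example; names below are assumptions for illustration.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/nis.schema      # posixAccount, posixGroup
include         /etc/openldap/schema/samba.schema    # sambaAccount (lmPassword, ntPassword)

# Server certificate so clients can use LDAPS / StartTLS.
TLSCertificateFile      /etc/openldap/server.crt
TLSCACertificateFile    /etc/openldap/ca.crt
TLSCertificateKeyFile   /etc/openldap/server.key

# Refuse to even talk about password attributes on a weak connection:
# a global minimum security strength factor (128 ~ strong TLS cipher).
security ssf=128

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# ACLs are evaluated in order; the first matching "by" clause wins.
# Windows hashes are password-equivalent, so nobody reads them except the
# Samba server's own bind DN, and only when TLS gives ssf >= 128.
access to attrs=lmPassword,ntPassword
        by dn="cn=samba,dc=example,dc=com" ssf=128 read
        by self ssf=128 write
        by * none

# The Unix password: users may change their own, everyone else only gets
# "auth" (enough for a simple bind, not enough to read the hash).
access to attrs=userPassword
        by self ssf=128 write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...) is what
# nss_ldap needs for NIS-style lookups, so it stays readable.
access to *
        by self write
        by users read
        by anonymous read
```

Because the password rules come first and end with "by * none", a client that binds over plain LDAP (ssf 0) falls through to none even for its own entry, which is exactly the "readable only over SSL" behaviour asked about. The global security ssf=128 line is a belt-and-braces addition; drop it if some clients legitimately need unencrypted reads of the non-secret attributes, and verify the effect with ldapsearch over ldap:// versus ldaps:// before pointing Samba at the directory.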