On Mon, 2010-03-15 at 21:12 +0000, SMC wrote:
> This is probably an insane question, but I'm going to ask it anyway...
>
> Does Samba4's embedded LDAP server also support being used as an ordinary
> (*nix-style) LDAP authentication server, at least for simple, basic use cases?
>
> Or is it necessary to have the OpenLDAP backend running to handle normal LDAP
> authentication?

Actually, it's neither. The OpenLDAP backend of Samba4 is not generally
exposed, nor are the unix attributes currently set.

We do support the uidNumber attributes etc, but only in that we load a
schema that should allow them to be set. We don't currently set those
values when users are created, nor do we use them for Samba4's internal
idmap.

The best option at this time is to run Samba3's winbind against Samba4.
This ensures that all recursive groups are handled correctly, and that
Kerberos is used for authentication.

I do want Samba4 to be a good LDAP server for POSIX clients, and I hope
to make it better than AD is by supporting extensions such as the
'password set/change' extended operation. However, we must first be a
good AD domain controller, and we can't enable behaviours that are in
conflict with being an AD DC.

For example, we will soon enable ACL support that will block anonymous
access to our directory - while most POSIX clients prefer anonymous
searches.

I hope this clarifies things,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.