Hi!
I have an OpenLDAP where users' DNs are in the form
"uid=P1234,ou=people,dc=example,dc=com" and where the login is in the
"eduPersonPrincipalName" attribute (e.g. jdoe).
I have configured my system (Debian Squeeze) to authenticate against LDAP
(libpam-ldapd + libnss-ldapd with a mapping uid<->eduPersonPrincipalName);
if I do "ssh jdoe at server", it works great.
Now I want to give Samba shares to these users, so I configured Samba
(3.5.6) to connect to LDAP, but I cannot authenticate with
eduPersonPrincipalName; if I use the "uid", it works.
I have searched for a mapping option in Samba but I didn't find one...
Is it possible to map the "uid" attribute to another attribute? If yes, how?
Here is the smb.conf:
[global]
server string = %h server
obey pam restrictions = Yes
passdb backend = ldapsam:"ldap://192.168.102.153"
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain logons = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=example,dc=fr
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap suffix = dc=example,dc=fr
ldap ssl = no
ldap user suffix = ou=people
ldap debug level = 1
ldap debug threshold = 1
panic action = /usr/share/samba/panic-action %d
[netlogon]
path = /srv/samba/netlogon
write list = P1234
browseable = No
[profiles]
path = /srv/samba/export/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No
[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
Here is the slapd log, which shows the use of uid:
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 ACCEPT from IP=192.168.102.153:55825 (IP=0.0.0.0:389)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn="cn=admin,dc=example,dc=fr" method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn="cn=admin,dc=example,dc=fr" mech=SIMPLE ssf=0
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 RESULT tag=97 err=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH attr=supportedControl
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(&(uid=sderosiaux)(objectClass=sambaSamAccount))"
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 closed (connection lost)
Thanks for advice,
Sylvain
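The slapd log above already contains the answer to what Samba is doing: the ldapsam backend binds as the admin DN and then searches with a filter that hard-codes the uid attribute, and that search comes back with nentries=0. The following script is an added example, not code from the post or from Samba or OpenLDAP; it parses slapd's conn=/op= stats lines (the format shown above), rejoins each operation's BIND, SRCH and RESULT lines into one record, and reports two things a defender would want to see from such a log: which login name ldapsam actually looked up and whether it found an entry, and whether the bind ran with ssf=0 (no TLS, which matches the "ldap ssl = no" setting in the smb.conf). The sample lines are constructed from the post's log, rejoined onto single lines and with the long attribute list shortened.

```python
"""Correlate OpenLDAP slapd stats-log lines into per-operation records.

Added example (not from the mailing-list post). Parses the
"conn=N op=M VERB ..." lines slapd writes at loglevel stats, groups them
per connection and operation, and reviews what the Samba ldapsam backend
asked the directory.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the log lines from the post, rejoined onto single
# lines (the mail archive wrapped them) and with the attr list shortened.
SAMPLE_LOG = """\
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 ACCEPT from IP=192.168.102.153:55825 (IP=0.0.0.0:389)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn="cn=admin,dc=example,dc=fr" method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn="cn=admin,dc=example,dc=fr" mech=SIMPLE ssf=0
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 RESULT tag=97 err=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH attr=supportedControl
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(&(uid=sderosiaux)(objectClass=sambaSamAccount))"
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaSID sambaNTPassword objectClass
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 closed (connection lost)
"""

# syslog prefix + "conn=N" + the rest of the line
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
# key=value tokens; quoted values may contain spaces and '=' (dn="cn=admin,...")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')
OP_RE = re.compile(r"op=(\d+) (\w+)(?: (.*))?$")


@dataclass
class Operation:
    conn: int
    op: int
    kind: str = ""                                   # "BIND" or "SRCH"
    fields: Dict[str, object] = field(default_factory=dict)
    err: Optional[int] = None                        # LDAP result code
    nentries: Optional[int] = None                   # entries returned by a search


@dataclass
class Connection:
    conn: int
    peer: str = ""                                   # "IP=host:port" from ACCEPT
    closed: str = ""
    ops: Dict[int, Operation] = field(default_factory=dict)


def _kv(body: str) -> Dict[str, str]:
    """Turn 'a=1 b="x y" c=' into a dict, unquoting quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(body)}


def parse_slapd_log(text: str) -> Dict[int, Connection]:
    conns: Dict[int, Connection] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                 # not a conn= stats line
        cid, rest = int(m["conn"]), m["rest"]
        c = conns.setdefault(cid, Connection(cid))
        if " ACCEPT from " in rest:
            c.peer = rest.split(" ACCEPT from ", 1)[1].split(" ", 1)[0]
            continue
        if rest.startswith("fd=") and " closed" in rest:
            c.closed = rest.split(" ", 1)[1]
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        oid, verb, body = int(om.group(1)), om.group(2), om.group(3) or ""
        op = c.ops.setdefault(oid, Operation(cid, oid))
        if verb in ("RESULT", "SEARCH"):             # "RESULT" / "SEARCH RESULT" close the op
            kv = _kv(body)
            op.err = int(kv.get("err", "-1"))
            if "nentries" in kv:
                op.nentries = int(kv["nentries"])
        elif body.startswith("attr="):               # requested attribute list
            op.fields["attr"] = body[len("attr="):].split()
        else:
            op.kind = verb
            op.fields.update(_kv(body))
    return conns


def samba_lookups(conns: Dict[int, Connection]) -> List[Tuple[int, int, str, Optional[int]]]:
    """(conn, op, login, nentries) for every search carrying the (uid=...) term
    that ldapsam puts in its user lookup filter."""
    out = []
    for c in conns.values():
        for op in sorted(c.ops.values(), key=lambda o: o.op):
            um = re.search(r"\(uid=([^)]*)\)", str(op.fields.get("filter", "")))
            if op.kind == "SRCH" and um:
                out.append((c.conn, op.op, um.group(1), op.nentries))
    return out


def review(conns: Dict[int, Connection]) -> List[str]:
    findings = []
    for c in conns.values():
        for op in sorted(c.ops.values(), key=lambda o: o.op):
            if op.kind == "BIND" and op.fields.get("mech") == "SIMPLE" and op.fields.get("ssf") == "0":
                findings.append(f"conn={c.conn} op={op.op}: simple bind as {op.fields.get('dn')} "
                                f"from {c.peer} with ssf=0 (no TLS on this connection)")
    for conn, opn, login, n in samba_lookups(conns):
        if n == 0:
            findings.append(f"conn={conn} op={opn}: ldapsam looked up uid={login} and found no "
                            f"entry; the login name has to match the uid attribute")
    return findings


if __name__ == "__main__":
    for line in review(parse_slapd_log(SAMPLE_LOG)):
        print(line)
```

Run against the post's log the review reports the bind with ssf=0 and the lookup of uid=sderosiaux that matched nothing, which is the mismatch the poster is asking about: Samba searches on uid and nothing else, so a value stored only in eduPersonPrincipalName is never consulted. The same parser runs over a full /var/log/syslog feed from slapd, since lines that do not carry the conn= prefix are skipped.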
miguelmedalha at sapo.pt
2012-May-24 14:07 UTC
[Samba] Samba / LDAP : map uid to another field ?
I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the "map attribute" directive to map "eduPersonPrincipalName" to "uid". Both logins would then authenticate against "uid".
Unfortunately, I cannot do this since the two attributes have different meanings and are used in other applications, so maybe a local LDAP replica and the use of your tricks will work. I will try if there are no "Samba" solutions. Thanks :)
2012/5/24 <miguelmedalha at sapo.pt>
> I am not sure if you can act on the samba side. Maybe you should think the
> other way around. You can map one attribute to another inside the LDAP
> server.
>
> You would use the "map attribute" directive to map
> "eduPersonPrincipalName" to "uid". Both logins would then authenticate
> against "uid".
>