Hi!

> > The question is how can we continue to use an LDAP server for authentication
> > while keeping accounts and passwords in sync?
> > Is there still some development going on for the OpenLDAP backend of
> > Samba4[1]?
> > How did others solve such a situation?
> Hi, just what are the services that need to authenticate via ldap ?
>
> There is a page on the samba wiki about authenticating to samba4 AD:
Thanks for the pointer; this can indeed be done for some of the services.
But what I am about to lose is local authentication and independence of
services: a full-blown OpenLDAP server is able to do replication. The
advantage of this is that servers/services may run without having access to
the master OpenLDAP server, and there is more: using decent crypto settings
for the connection slows down lookups; another reason for using LDAP on
localhost (or even better ldapi).

> I believe that there is (or is that was?) some work going on to try
> and make a samba4 AD DC use OpenLDAP instead of the built-in ldap, but
> it seems to have gone quiet on that front lately.
Too bad. Do others then manually sync accounts between OpenLDAP and
Samba/AD? Is there an interface that (kind of) streams out LDIF changesets?
Is there a way to get plain LDIF out of Samba/AD?

-- Adi
On 10/03/15 07:36, Adi Kriegisch wrote:
> Hi!
>
>>> The question is how can we continue to use an LDAP server for authentication
>>> while keeping accounts and passwords in sync?
>>> Is there still some development going on for the OpenLDAP backend of
>>> Samba4[1]?
>>> How did others solve such a situation?
>> Hi, just what are the services that need to authenticate via ldap ?
>>
>> There is a page on the samba wiki about authenticating to samba4 AD:
> Thanks for the pointer; this can indeed be done for some of the services.
> But what I am about to lose is local authentication and independence of
> services:
You can still have local Unix users and services, you just cannot have
users, groups etc. with the same name in AD.

> A full-blown OpenLDAP server is able to do replication.
> The advantage of this is that servers/services may run without having
> access to the master OpenLDAP server and there is more: using decent crypto
> settings for the connection slows down lookups; another reason for using
> LDAP on localhost (or even better ldapi).
AD does replication and, if required, you can run OpenLDAP on the same
machine as AD, but you cannot run it on ports 389 & 686.

>> I believe that there is (or is that was?) some work going on to try
>> and make a samba4 AD DC use OpenLDAP instead of the built-in ldap, but
>> it seems to have gone quiet on that front lately.
> Too bad. Do others then manually sync accounts between OpenLDAP and
> Samba/AD? Is there an interface that (kind of) streams out LDIF changesets?
> Is there a way to get plain LDIF out of Samba/AD?
>
I cannot speak for other users, but I am sure that somebody is doing what
you want to do, but I also think most people will be using AD just for
authentication. You can extract LDIFs from AD, but they are not exactly
like OpenLDAP ones.

Rowland
Hey!

Thank you for your answers!

> > A full-blown OpenLDAP server is able to do replication.
> > The advantage of this is that servers/services may run without having
> > access to the master OpenLDAP server and there is more: using decent crypto
> > settings for the connection slows down lookups; another reason for using
> > LDAP on localhost (or even better ldapi).
>
> AD does replication and if required, you can run OpenLDAP on the
> same machine as AD, but you cannot run it on ports 389 & 686.
I doubt AD replication will scale to 50+ machines easily, and I am not sure
I want the full AD stack on all of those machines. The OpenLDAP is "just"
acting as a proxy, which means it cannot do replication on its own.

> >> I believe that there is (or is that was?) some work going on to try
> >> and make a samba4 AD DC use OpenLDAP instead of the built-in ldap, but
> >> it seems to have gone quiet on that front lately.
> > Too bad. Do others then manually sync accounts between OpenLDAP and
> > Samba/AD? Is there an interface that (kind of) streams out LDIF changesets?
> > Is there a way to get plain LDIF out of Samba/AD?
> I cannot speak for other users, but I am sure that somebody is doing
> what you want to do, but I also think most people will be using AD
> just for authentication. You can extract LDIFs from AD, but they are
> not exactly like OpenLDAP ones.
Would be great to hear from one of those! :) Are those LDIFs rather full
tree dumps or incrementals? Or in other words: would I be required to parse
the full AD tree and implement some kind of syncing, or is it possible to
get just the changes?

Thanks for your help!

-- Adi
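An added example, not part of the thread and not Samba project code, sketching one way to get "just the changes" out of Samba AD without a change-streaming interface: dump user objects to LDIF (for instance with `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)'`; the sam.ldb path is the usual default and is an assumption here), keep a cursor on the standard AD attribute uSNChanged, and rewrite only the entries past that cursor into OpenLDAP posixAccount records. The LDIF dump embedded below is constructed; the DNs, account names, uid/gid numbers and the `ou=People` base are hypothetical. It assumes the AD users already carry RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory) and the names `parse_ldif`, `changed_since`, `to_openldap` and `incremental_sync` are this example's own.

```python
import base64

# Constructed stand-in for an LDIF dump of AD user objects (e.g. the output
# of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)'`).
# Hypothetical DNs, names and uid/gid numbers; not taken from the thread.
SAMPLE_AD_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
objectClass: user
cn: Alice Example
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
displayName:: QWxpY2UgRXhhbXBsZQ==
description: Unix attributes set with samba-tool; synced by the
  hypothetical sync job
uSNChanged: 4120

dn: CN=Bob Example,CN=Users,DC=example,DC=com
objectClass: user
cn: Bob Example
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/bob
uSNChanged: 3900

dn: CN=svc-backup,CN=Users,DC=example,DC=com
objectClass: user
cn: svc-backup
sAMAccountName: svc-backup
uSNChanged: 4200
"""

def parse_ldif(text):
    """LDIF -> list of {attr.lower(): [values]}; handles folding, base64 and comments."""
    unfolded = text.replace("\n ", "")            # RFC 2849 line folding
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or line.lower().startswith("version:"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode()
            else:
                value = rest.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def changed_since(entries, last_usn):
    """Entries whose uSNChanged is past the cursor, oldest change first.
    uSNChanged is maintained per DC, so keep one cursor per DC you query;
    deleted objects are not seen here (they need the show-deleted control)."""
    hits = [e for e in entries if int(e.get("usnchanged", ["0"])[0]) > last_usn]
    return sorted(hits, key=lambda e: int(e["usnchanged"][0]))

def ldif_line(attr, value):
    """RFC 2849: plain 'attr: value' when the value is a SAFE-STRING, else base64."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

REQUIRED = ("samaccountname", "uidnumber", "gidnumber", "unixhomedirectory")

def to_openldap(entry, people_base):
    """One AD user -> OpenLDAP posixAccount add record, or None when the user
    has no RFC 2307 attributes. No password: AD never returns unicodePwd over LDAP."""
    if not all(a in entry for a in REQUIRED):
        return None
    uid = entry["samaccountname"][0]
    cn = entry.get("cn", [uid])[0]
    pairs = [
        ("dn", f"uid={uid},{people_base}"), ("changetype", "add"),
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("uid", uid), ("cn", cn), ("sn", entry.get("sn", [cn.split()[-1]])[0]),
        ("uidNumber", entry["uidnumber"][0]), ("gidNumber", entry["gidnumber"][0]),
        ("homeDirectory", entry["unixhomedirectory"][0]),
        ("loginShell", entry.get("loginshell", ["/bin/sh"])[0]),
    ]
    if "displayname" in entry:
        pairs.append(("displayName", entry["displayname"][0]))
    return "\n".join(ldif_line(a, v) for a, v in pairs) + "\n"

def incremental_sync(ad_ldif, last_usn, people_base="ou=People,dc=example,dc=com"):
    """Convert everything changed after last_usn; return the LDIF, the new
    cursor and the DNs skipped because they carry no Unix attributes."""
    out, skipped, cursor = [], [], last_usn
    for e in changed_since(parse_ldif(ad_ldif), last_usn):
        cursor = max(cursor, int(e["usnchanged"][0]))
        rec = to_openldap(e, people_base)
        if rec is None:
            skipped.append(e["dn"][0])
        else:
            out.append(rec)
    return {"ldif": "\n".join(out), "cursor": cursor, "skipped": skipped}

if __name__ == "__main__":
    result = incremental_sync(SAMPLE_AD_LDIF, last_usn=4000)
    print(result["ldif"])
    print("# next cursor:", result["cursor"], "skipped:", result["skipped"])
```

Run against a live DC the same filter can be pushed server-side, `(&(objectClass=user)(uSNChanged>=N))`, so only the delta is fetched. The records are plain `changetype: add`; a real job must also look the entry up in OpenLDAP and emit `changetype: modify` for users it already has, store the cursor per DC, and query the Deleted Objects container to propagate removals. What this route cannot give you is the password: unicodePwd is write-only over LDAP, so either authentication stays on AD (pass-through or SASL binds from the proxy) or a hash has to come from elsewhere; later Samba releases can expose crypt-style hashes through the `password hash userPassword schemes` setting and `samba-tool user getpassword`, but that is outside what this thread discusses.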