Hi,

we moved (or still are moving) our users manually from our Samba NT4 Domain with LDAP to a Samba AD (4.7.6). We had a few schema extensions in our openLDAP to feed some services (dovecot mail settings, nextcloud quota, ...). I would prefer to have only one place for our users, but I'm new to AD. I've read that I can extend the schema, which seems not too different from openLDAP, even though the documentation states it is a bit dangerous.

So my questions are I guess:

- Is it feasible to authenticate and feed some user settings to services like dovecot and nextcloud with a Samba AD?
- How would I edit my attributes? I doubt there will be a tab in the windows dialog (dsa.msc) we use now...
- Alternatively, is there a useful way to chain both services? As far as I've read, the AD cannot use openLDAP for passwords (which would have been great for me...), is it possible the other way around?

Thanks,
Jakob
On Mon, 2 Jul 2018 10:19:29 +0200
Jakob Lenfers via samba <samba at lists.samba.org> wrote:

> Hi,
>
> we moved (or still are moving) our users manually from our Samba NT4
> Domain with LDAP to a Samba AD (4.7.6). We had a few schema extensions
> in our openLDAP to feed some services (dovecot mail settings,
> nextcloud quota, ...). I would prefer to have only one place for our
> users, but I'm new to AD. I've read that I can extend the schema,
> which seems not too different from openLDAP, even though the
> documentation states it is a bit dangerous.
>

You can extend the schema; Samba even supplies a script to turn openldap
schemas into Active Directory ldifs, and it has the imaginative name of
'oLschema2ldif'.

> So my questions are I guess:
>
> - Is it feasible to authenticate and feed some user settings to
> services like dovecot and nextcloud with a Samba AD?

We have a wikipage for dovecot:

https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory

Try an internet search for 'nextcloud active directory' or 'nextcloud
kerberos'.

> - How would I edit my attributes? I doubt there will be a tab in the
> windows dialog (dsa.msc) we use now...

No, you cannot use Windows tools, but you could write your own scripts,
or use something like Linux Account Manager (LAM).

> - Alternatively, is there a useful way to chain both services? As far
> as I've read, the AD cannot use openLDAP for passwords (which would
> have been great for me...), is it possible the other way around?

You can use openldap as an AD proxy (yes, we also have a wiki page for
this: https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD ).

But you probably don't need to do this ;-)

Rowland
On 02.07.2018 at 11:01, Rowland Penny via samba wrote:
> On Mon, 2 Jul 2018 10:19:29 +0200
> Jakob Lenfers via samba <samba at lists.samba.org> wrote:
> You can extend the schema, Samba even supplies a script to turn
> openldap schemas to Active directory ldifs and it has the imaginative
> name of 'oLschema2ldif'

Thanks, will check it out.

>> - Is it feasible to authenticate and feed some user settings to
>> services like dovecot and nextcloud with a Samba AD?
> We have a wikipage for dovecot:
>
> https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory

Thanks, I'll probably use the ldap interface instead, since I need more than only authentication. Postfix needs to know email addresses and dovecot quota as well.

> Try an internet search for 'nextcloud active directory' or 'nextcloud
> kerberos'

Nextcloud works out of the box, but if I want to manage quotas there, I'll need to use extra attributes...

>> - How would I edit my attributes? I doubt there will be a tab in the
>> windows dialog (dsa.msc) we use now...
> No you cannot use windows tools, but you could write your own scripts,
> or use something like Linux Account Manager (LAM)

... which I need to configure somehow. Does anybody have good advice in that regard? GOsa seems to be dead (that's what we are using now; I fear it'll die with our last server supporting PHP5), LAM has to be rented, which I cannot do. Maybe I'll just use a general-purpose LDAP client, then I'll be independent of that kind of development. But if anybody is in a similar situation and has a good tool I missed, I would be grateful. I guess I'm leaving the list's topic, sorry for the noise.

Thanks,
Jakob
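One way to script the attribute edits suggested above, as an added example that is not from this thread or from the Samba project: a stdlib-only Python helper that emits an RFC 2849 "changetype: modify" record for a user, base64-encoding any value LDIF cannot carry literally (non-ASCII, leading space/colon) and folding long lines. The DN and the attribute names (mailQuota, nextcloudQuota) are constructed placeholders; the DC only accepts attributes that already exist in its schema, so the oLschema2ldif step has to come first.

```python
"""Emit an LDIF modify record for a Samba AD user (added example).

Apply the output on the DC, e.g. with the ldb tools shipped with Samba:
    ldbmodify -H /var/lib/samba/private/sam.ldb user.ldif
or remotely with ldapmodify over an authenticated, encrypted bind.
"""
import base64


def _is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and the first
    character may not be a space, a colon or '<'."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(ord(c) < 0x80 and c not in "\x00\r\n" for c in value)


def _fold(line: str, width: int = 76) -> str:
    """Fold a long line; continuation lines start with one space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def attr_line(attr: str, value: str) -> str:
    """Render 'attr: value', or 'attr:: <base64>' when value is not safe."""
    if _is_safe_string(value):
        return _fold(f"{attr}: {value}")
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return _fold(f"{attr}:: {encoded}")


def build_modify_ldif(dn: str, changes: dict) -> str:
    """changes maps attribute -> list of values; an empty list removes the
    attribute. Every attribute becomes one 'replace' mod ended by '-'."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for attr, values in changes.items():
        lines.append(f"replace: {attr}")
        lines.extend(attr_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: hypothetical user DN and schema-extension attributes.
    print(build_modify_ldif("CN=Example User,CN=Users,DC=example,DC=org",
                            {"mailQuota": ["2G"], "nextcloudQuota": ["5 GB"]}))
```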