On 18/11/2020 21:51, Dan Egli via samba wrote:
> Hey all. I started asking about this about a week ago, then got so sick I
> could hardly get out of bed. Now that I'm basically recovered (and no, it
> wasn't Covid, thank goodness), I want to pick up where I left off. I'm
> about to provision the samba domain for my test setup. As long as that works,
> the next step is to ensure that information in Samba's LDAP database is
> properly replicated to a MySQL database that the MDA & MTA read and vice
> versa. I can't simply configure both to read the openLDAP files because of
> 3rd party sfw that would integrate with MySQL making the MySQL a requirement.
> However, I don't want to risk things getting out of sync, where a user I
> created in samba doesn't have a valid email account, or a user I deleted
> DOES have a valid email account. And if a user changes their password on their
> own on one side, I need to make sure the change is copied to the other side.
>
> I'm perfectly content to write my own solution if needed, but I have no
> clue how to go about accessing Samba's LDAP information to read/write. If
> someone could either point me to a solution that would fix this for me, or at
> least point me to where I can read up on what the expected schema and
> authentication rules are, I'd appreciate it a great deal.
>
> Thanks all!
I think you are heading for a world of pain. Can you not find another
mail server that will work with AD, or, failing that, another 3rd
party that doesn't need SQL?
Having said that, yes, you can extend the AD schema, but it is a one-way
street (a bit like the Hotel California): you can add to the schema, but
you cannot remove anything from the schema. See here:
https://wiki.samba.org/index.php/Samba_AD_schema_extensions
You will have to write your own scripts to sync the AD contents to an
external database. This will not be trivial, especially when you cannot
read the users' passwords over the wire and will have to use something
like this:
https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
I hope you can read French, if not, try Google translate.
Keeping everything in sync will be a nightmare; it will probably be
easier to use a different mail server.
Rowland
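As an added illustration of the "sync the AD contents to an external database" script Rowland describes (this is example code written for this page, not code from the thread or from Samba), the following reconciles a mail-account table against user objects read from AD. It assumes the AD entries have already been fetched over LDAP into dicts with the standard attributes sAMAccountName, mail and userAccountControl, and it stands in sqlite3 for MySQL so the example runs offline; the SQL statements are the same. It covers the two states Dan worries about (a user created in AD with no mail account, and a user deleted or disabled in AD whose mail account is still active) and does not touch passwords, which cannot be read from AD.

```python
import sqlite3

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled AD account

# Constructed sample of what an LDAP search for (objectClass=user) could return.
AD_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "userAccountControl": 512},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "userAccountControl": 514},  # disabled
    {"sAMAccountName": "carol", "mail": "carol@example.com", "userAccountControl": 512},
]


def active_mailboxes(ad_users):
    """Map login -> mail for AD users that are enabled and carry a mail attribute."""
    return {u["sAMAccountName"]: u["mail"] for u in ad_users
            if u.get("mail") and not (u["userAccountControl"] & ACCOUNTDISABLE)}


def reconcile(conn, ad_users):
    """Make the mailbox table match AD: insert missing rows, fix changed addresses,
    and deactivate rows whose user is gone or disabled in AD. Rows are flagged
    inactive rather than deleted, so stored mail is kept and the change is auditable."""
    wanted = active_mailboxes(ad_users)
    cur = conn.cursor()
    existing = {login: (email, active) for login, email, active in
                cur.execute("SELECT login, email, active FROM mailbox")}
    for login, email in wanted.items():
        if login not in existing:
            cur.execute("INSERT INTO mailbox VALUES (?, ?, 1)", (login, email))
        elif existing[login] != (email, 1):
            cur.execute("UPDATE mailbox SET email = ?, active = 1 WHERE login = ?", (email, login))
    for login, (_email, active) in existing.items():
        if login not in wanted and active:
            cur.execute("UPDATE mailbox SET active = 0 WHERE login = ?", (login,))
    conn.commit()
    return sorted(cur.execute("SELECT login, email, active FROM mailbox"))


def demo():
    """Constructed stale state: bob is still active though disabled in AD, dave no
    longer exists in AD, and carol was created in AD but never got a mailbox."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (login TEXT PRIMARY KEY, email TEXT NOT NULL, active INTEGER NOT NULL)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?)",
                     [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 1),
                      ("dave", "dave@example.com", 1)])
    return reconcile(conn, AD_USERS)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running this one way (AD as the source of truth for which accounts exist) is the part that can be scripted from LDAP reads; the password side still needs the separate mechanism Rowland links to.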