Angel Bosch Mora
2022-Mar-25 09:45 UTC
[Samba] stand-alone server with ldap-auth without AD
> @All
> Thank you very much for your comments! :)
>
> Maybe I have to set-up a samba AD DC ...
> Is it possible to "import" data from an openldap-proxy?
>

let me jump here.

LDAP-SAMBA synchronization has always been a big topic since forever. there's no "clean" way to do it, even when on NT4 mode (some internal work is done for nt hashes).

I've been struggling with this for a long time and best advice is use a tool that replicates passwords between these two worlds, just as if it were another (read: unintegrated) system.

we use some custom scripts and a SSO to keep everything in sync, but if you manually change it on samba there's no way for LDAP to know it, and the same for the other way around.

UNLESS you centralize password change and propagate it to all systems. that's the job of a SSO/Identity Manager and is not trivial.

I'd really love to see some work done on the Samba side, as it's a pretty common request, but it seems that feature falls off the roadmap as Samba 4 is not trying to emulate AD but effectively become AD.

Oh, and now I see you're German, maybe you can ask people from Univention to make their s4 connector a generic tool, instead of tied to their product:

https://www.univention.com/contact/

regards,
abosch

--
Institut Mallorqui d'Afers Socials. This message and, where applicable, any attached file are intended exclusively for the addressee and may contain confidential information. Under no circumstances should you copy this message or pass it to third parties without the express permission of IMAS. If you are not the indicated addressee (or the person responsible for delivering it to them), we ask that you notify the sender's e-mail address immediately. Before printing this message, consider whether it is really necessary.

Andrew Bartlett
2022-Mar-28 00:15 UTC
[Samba] stand-alone server with ldap-auth without AD
On Fri, 2022-03-25 at 10:45 +0100, Angel Bosch Mora via samba wrote:
>
> we use some custom scripts and a SSO to keep everything in sync, but
> if you manually change it on samba there's no way for LDAP to know
> it, and the same for the other way around.
>
> UNLESS you centralize password change and propagate it to all
> systems. that's the job of a SSO/Identity Manager and is not trivial.
>
> I'd really love to see some work done on the Samba side, as it's a
> pretty common request, but it seems that feature falls off the
> roadmap as Samba 4 is not trying to emulate AD but effectively become
> AD.

I should make very clear, we will gladly consider all patches, that come with the appropriate tests and documentation, but we don't really have a 'roadmap' that others can add things to like this.

Samba is driven by its developers and those who fund its developers (our incredibly supportive employers and their customers).

So please don't feel that these things 'fell off' our roadmap - that isn't really how we work. We do sometimes talk about the directions we want to take the project, and we should do that more, but the actual work takes engineer effort.

Contributions remain welcome:
https://wiki.samba.org/index.php/Contribute

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions