Andrew Bartlett
2022-Mar-28 00:15 UTC
[Samba] stand-alone server with ldap-auth without AD
On Fri, 2022-03-25 at 10:45 +0100, Angel Bosch Mora via samba wrote:
>
> we use some custom scripts and a SSO to keep everything in sync, but
> if you manually change it on samba there's no way for LDAP to know
> it, and the same for the other way around.
>
> UNLESS you centralize password change and propagate it to all
> systems. that's the job of a SSO/Identity Manager and is not trivial.
>
> I'd really love to see some work done on the Samba side, as it's a
> pretty common request, but it seems that feature falls off the
> roadmap as Samba 4 is not trying to emulate AD but effectively become
> AD.

I should make very clear, we will gladly consider all patches, that come with the appropriate tests and documentation, but we don't really have a 'roadmap' that others can add things to like this.

Samba is driven by its developers and those who fund its developers (our incredibly supportive employers and their customers).

So please don't feel that these things 'fell off' our roadmap - that isn't really how we work.

We do sometimes talk about the directions we want to take the project, and we should do that more, but the actual work takes engineer effort.

Contributions remain welcome:
https://wiki.samba.org/index.php/Contribute

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions

Angel Bosch Mora
2022-Mar-28 11:29 UTC
[Samba] stand-alone server with ldap-auth without AD
> I should make very clear, we will gladly consider all patches, that
> come with the appropriate tests and documentation, but we don't
> really have a 'roadmap' that others can add things to like this.
>
> Samba is driven by its developers and those who fund its developers
> (our incredibly supportive employers and their customers).
>
> So please don't feel that these things 'fell off' our roadmap - that
> isn't really how we work.
>

Sorry if I sounded rude, that wasn't my intention at all. I can code a little bit but I'm by no means a developer and I have a lot of respect for all the work you do.

My comment about roadmap was referring to this info on Samba Wiki:

"The Samba team decided not to peruse this as a development avenue, and no viable approach to re-opening this functionality has been proposed."

https://wiki.samba.org/index.php/FAQ#Do_Samba_AD_DCs_Support_OpenLDAP_or_Other_LDAP_Servers_as_the_Back_End.3F

I understand that AD breaks standard schemas so LDAPv3 can't be used as backend. I'm just surprised that with so many people asking for some kind of LDAP attribute synchronization there's no work being done internally.

But you're totally right, I don't know how you work or prioritize issues. I just hope some company/institution decides to patron and fund this feature (Uninvention?).

With all that said, I'm totally ok sharing my solutions, so anyone that wants to maintain a standard LDAP in parallel to samba can contact me and I will happily give a hand.

Best regards,

abosch

--
Institut Mallorqui d'Afers Socials.