Samba integration about lldap HOT 14 OPEN

That said, a cursory search mostly brings up sambda acting as a ldap server for linux, rather than the opposite. How are you trying to set it up?

I'm trying to set simple auth via LDAP. Like this (example from 'Samba with OpenLDAP' tutorials):

passdb backend = ldapsam:ldap://ldap_server:3890
ldap suffix = dc=domain,dc=tld
ldap admin dn = uid=bind_ro,ou=people,dc=domain,dc=tld
ldap ssl = no
ldap user suffix = ou=people
ldap group suffix = ou=groups

https://7thzero.com/blog/configure-centos-7-samba-server-use-secure-ldap-authentication

from lldap.

I think that topic is more complex (and completely unrelated to Samba). Briefly, though, I believe Synology uses SSSD to communicate with the LDAP server. SSSD can optionally cache passwords, and can also be used to change the password. If you don't do either, it shouldn't matter if it doesn't return the userPassword attribute.

Once it's possible to get Samba attributes in, I might have a poke and see if I'm right about that.

from lldap.

I haven't looked into it, but I'd wager that sambda requires some non-lldap-default fields, which would be blocked by #67
But it's being (slowly) worked on!

That said, a cursory search mostly brings up sambda acting as a ldap server for linux, rather than the opposite. How are you trying to set it up?

from lldap.

For future reference, this seems to be the list of fields required by samba: https://serverfault.com/a/1051389

from lldap.

+1 for samba integration
same issue on qnap nas:

[2023/07/02 21:32:57.590384, 0] ../../source3/passdb/pdb_ldap_util.c:314(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for DOMAIN.NAME failed with NT_STATUS_UNSUCCESSFUL
[2023/07/02 21:32:57.590479, 0] ../../source3/passdb/pdb_ldap.c:6756(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2023/07/02 21:32:57.590512, 0] ../../source3/passdb/pdb_interface.c:186(make_pdb_method_name)
pdb backend ldapsam:ldaps://LDAP.SERVER did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

from lldap.

I'd also like to see this. I'd like to use something simpler than OpenLDAP but my Synology NAS needs some amount of Samba stuff - I think just the password control portions of it, but not 100% sure.

from lldap.

@ipsi FWIW, I'm not sure that LLDAP will ever be compatible with Synology, even with Samba. Last time I looked, Synology was requesting the hashed password to be able to check the login locally. That's something we just can't do in LLDAP, by design (we don't store the hashed password, but instead we use a zero-knowledge protocol to verify the password)

from lldap.

Alright. Feel free to follow the progress at #67
If you're feeling exceptionally motivated, you can already create the fields and set the values directly in the database, and they'll be returned over LDAP, so you can directly check your assumptions. But I totally understand if you want to wait until I actually implement field creation/setting in the web UI :)

from lldap.

I think that topic is more complex (and completely unrelated to Samba). Briefly, though, I believe Synology uses SSSD to communicate with the LDAP server. SSSD can optionally cache passwords, and can also be used to change the password. If you don't do either, it shouldn't matter if it doesn't return the userPassword attribute.

Once it's possible to get Samba attributes in, I might have a poke and see if I'm right about that.

Have you already tried something or have you had success with this? I am interested in this very thing.

from lldap.

By the way, #67 should be ready now, you can create custom attributes with https://github.com/Zepmann/lldap-cli

Who wants to give samba a try?

from lldap.

I would love to see this integration working.

from lldap.

@johnmmcgee we just need a volunteer to figure out the configuration. Want to give it a try?

from lldap.

sure. how would one create these fields? My ldap experience is not that great, so any direction would be welcome.

from lldap.

Usually that requires looking at the docs of the service to see what fields they expect (they sometimes provide an ldif file that outlines the schema they expect), and/or reverse engineering their expectations from the services' debug logs and LLDAP verbose mode.

Then using lldap-cli, you can create the user/group attributes required.

Feel free to head over to LLDAP's discord server if you have any questions.

from lldap.