directory-users mailing list archives

From Brian Burch <br...@PingToo.com>
Subject Re: Apache DS to Authenticate Samba
Date Sun, 01 May 2011 14:04:39 GMT
On 04/02/11 22:16, Stefan Seelmann wrote:
> Hi Jeffrey,
> On Thu, Feb 3, 2011 at 4:31 AM, Jeffre Reynolds wrote:
> <snip>
>> Any information on the subject would be very helpful, or even a good place to go
>> to try to find out more about how to integrate ApacheDS with Samba.
>
> I'm no Samba expert (and I think most readers of this list are
> neither). But I doubt your problem is ApacheDS specific. As far as I
> know Samba can just use any LDAP server as backend. So I think you
> could try to adapt other documentation on how to integrate Samba+LDAP
> to ApacheDS ([1][2] are just two examples). In any case the Samba
> mailing lists [3] should be a good resource.
>
> Kind Regards,
> Stefan

I've been meaning to convert my samba authentication to ldap for quite a 
while. The recent activity on this topic encouraged me to get on with it.

It was a long and painful task, made worse by the fact that a lot of 
information is out of date, confusing or doesn't apply to apacheds. I do 
not propose to go over everything here!

However, after enabling the samba schema, converting my users, defining 
a samba domain entry and a server authenticator, I hit problems when 
trying to do anything as a samba user. The apacheds/bin/wrapper.log was 
quite informative.

To cut a long story short, there are LOTS of schema changes required for 
samba 3, which are missing from apacheds. Sample openldap schema changes 
were committed to the samba source repository in February 2006. I have 
converted them to match the apacheds schema and applied them to my 
directory.

Here are my new attribute and objectclass definitions:

# samba 3 attributes Schema
#
# see: http://lists.samba.org/archive/samba-cvs/2006-February/064786.html
#
# svn commit: samba r13290 - branches/SAMBA_3_0/examples/LDAP trunk/examples/LDAP
#
dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.58
m-collective: FALSE
m-description: Minimal password length (default: 5)
m-equality: integerMatch
m-name: sambaMinPwdLength
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.59,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.59
m-collective: FALSE
m-description: Length of Password History Entries (default: 0 => off)
m-equality: integerMatch
m-name: sambaPwdHistoryLength
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.60,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.60
m-collective: FALSE
m-description: Force Users to logon for password change (default: 0 => off, 2 => on)
m-equality: integerMatch
m-name: sambaLogonToChgPwd
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.61,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.61
m-collective: FALSE
m-description: Maximum password age, in seconds (default: -1 => never expire passwords)
m-equality: integerMatch
m-name: sambaMaxPwdAge
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.62,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.62
m-collective: FALSE
m-description: Minimum password age, in seconds (default: 0 => allow immediate password change)
m-equality: integerMatch
m-name: sambaMinPwdAge
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.63,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.63
m-collective: FALSE
m-description: Lockout duration in minutes (default: 30, -1 => forever)
m-equality: integerMatch
m-name: sambaLockoutDuration
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.64,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.64
m-collective: FALSE
m-description: Reset time after lockout in minutes (default: 30)
m-equality: integerMatch
m-name: sambaLockoutObservationWindow
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.65,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.65
m-collective: FALSE
m-description: Lockout users after bad logon attempts (default: 0 => off)
m-equality: integerMatch
m-name: sambaLockoutThreshold
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.66,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.66
m-collective: FALSE
m-description: Disconnect Users outside logon hours (default: -1 => off, 0 => on)
m-equality: integerMatch
m-name: sambaForceLogoff
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.67,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.67
m-collective: FALSE
m-description: Allow Machine Password changes (default: 0 => off)
m-equality: integerMatch
m-name: sambaRefuseMachinePwdChange
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS


# samba domain Object Schema
# allow all samba 3 attributes
#
dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
changetype: modify
add: m-may
m-may: sambaMinPwdLength
-
add: m-may
m-may: sambaPwdHistoryLength
-
add: m-may
m-may: sambaLogonToChgPwd
-
add: m-may
m-may: sambaMaxPwdAge
-
add: m-may
m-may: sambaMinPwdAge
-
add: m-may
m-may: sambaLockoutDuration
-
add: m-may
m-may: sambaLockoutObservationWindow
-
add: m-may
m-may: sambaLockoutThreshold
-
add: m-may
m-may: sambaForceLogoff
-
add: m-may
m-may: sambaRefuseMachinePwdChange


My ubuntu samba 3 (version 2:3.4.7) server is now working perfectly with 
apacheds 1.5.4. Perhaps someone would like to update the source to 
include these schema changes?

Regards,

Brian
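
As an added example (not part of Brian's posting, nor code from the ApacheDS or Samba projects), a small Python consistency check for ApacheDS meta-schema LDIF of the kind posted above: it folds RFC 2849 continuation lines, verifies that each attributeType's m-oid agrees with the OID in its DN, and confirms that every m-may the objectClass modification adds names an attribute defined in the same file. The embedded LDIF is a constructed excerpt (one attribute plus the modify), not the full schema.

```python
import re
# Constructed excerpt shaped like the posted ApacheDS schema LDIF: one attributeType with
# a folded m-description, and a modify whose second m-may names an attribute not defined here.
SAMPLE_LDIF = """\
dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
m-oid: 1.3.6.1.4.1.7165.2.1.58
m-description: Minimal password length
  (default: 5)
m-name: sambaMinPwdLength

dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
changetype: modify
add: m-may
m-may: sambaMinPwdLength
-
add: m-may
m-may: sambaPwdHistoryLength
"""

def parse_ldif(text):  # one {attr: [values]} dict per record; folds RFC 2849 continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            if line.startswith("#") or line == "-":   # comment, or change separator in a modify
                continue
            if line.startswith(" ") and last:         # folded line: drop exactly one leading space
                rec[last][-1] += line[1:]
            else:
                last, _, val = line.partition(":")
                last = last.lower()
                rec.setdefault(last, []).append(val.lstrip(" "))
        records.append(rec)
    return records

def check_schema(text):  # returns problem descriptions; an empty list means the LDIF is self-consistent
    problems, defined, referenced = [], set(), []
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0]
        m = re.match(r"m-oid=([\d.]+),ou=(attributeTypes|objectClasses),", dn)
        if not m:
            problems.append(f"unrecognised dn: {dn!r}")
        elif m.group(2) == "attributeTypes":
            if rec.get("m-oid") != [m.group(1)]:      # the RDN and the m-oid value must agree
                problems.append(f"{dn}: m-oid does not match the OID in the dn")
            defined.update(n.lower() for n in rec.get("m-name", []))
        else:
            referenced += rec.get("m-may", [])
    problems += [f"m-may names undefined attribute {n}" for n in referenced if n.lower() not in defined]
    return problems
```

Run `check_schema` over the full posted LDIF before loading it with ldapmodify; it reports the m-may/attribute mismatches that would otherwise only show up in wrapper.log after the server rejects the schema.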
