directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Apache DS to Authenticate Samba
Date Sun, 01 May 2011 17:25:09 GMT
Thanks Brian for sharing this with us, will take a look at this and
hopefully include them in the trunk soon.

On Sun, May 1, 2011 at 7:34 PM, Brian Burch <brian@pingtoo.com> wrote:
> On 04/02/11 22:16, Stefan Seelmann wrote:
>>
>> Hi Jeffrey,
>> On Thu, Feb 3, 2011 at 4:31 AM, Jeffre Reynolds wrote:
>> <snip>
>>>
>>>  Any information on the subject would be very helpful, or even a good
>>> place to go to try to find out more about how to integrate ApacheDS with
>>> Samba.
>>
>> I'm no Samba expert (and I think most readers of this list are
>> neither). But I doubt your problem is ApacheDS specific. As far as I
>> know Samba can just use any LDAP server as backend. So I think you
>> could try to adapt other documentation on how to integrate Samba+LDAP
>> to ApacheDS ([1][2] are just two examples). In any case the Samba
>> mailing lists [3] should be a good resource.
>>
>> Kind Regards,
>> Stefan
>
> I've been meaning to convert my samba authentication to ldap for quite a
> while. The recent activity on this topic encouraged me to get on with it.
>
> It was a long and painful task, made worse by the fact that a lot of
> information is out of date, confusing or doesn't apply to apacheds. I do not
> propose to go over everything here!
>
> However, after enabling the samba schema, converting my users, defining a
> samba domain entry and a server authenticator, I hit problems when trying to
> do anything as a samba user. The apacheds/bin/wrapper.log was quite
> informative.
>
> To cut a long story short, there are LOTS of schema changes required for
> samba 3, which are missing from apacheds. Sample openldap schema changes
> were committed to the samba source repository in February 2006. I have
> converted them to match the apacheds schema and applied them to my
> directory.
>
> Here are my new attribute and objectclass definitions:
>
> # samba 3 attributes Schema
> #
> # see: http://lists.samba.org/archive/samba-cvs/2006-February/064786.html
> #
> # svn commit: samba r13290 - branches/SAMBA_3_0/examples/LDAP trunk/examples/LDAP
> #
> dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.58
> m-collective: FALSE
> m-description: Minimal password length (default: 5)
> m-equality: integerMatch
> m-name: sambaMinPwdLength
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.59,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.59
> m-collective: FALSE
> m-description: Length of Password History Entries (default: 0 =>  off)
> m-equality: integerMatch
> m-name: sambaPwdHistoryLength
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.60,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.60
> m-collective: FALSE
> m-description: Force Users to logon for password change (default: 0 => off, 2 => on)
> m-equality: integerMatch
> m-name: sambaLogonToChgPwd
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.61,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.61
> m-collective: FALSE
> m-description: Maximum password age, in seconds (default: -1 => never expire passwords)
> m-equality: integerMatch
> m-name: sambaMaxPwdAge
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.62,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.62
> m-collective: FALSE
> m-description: Minimum password age, in seconds (default: 0 => allow immediate password change)
> m-equality: integerMatch
> m-name: sambaMinPwdAge
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.63,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.63
> m-collective: FALSE
> m-description: Lockout duration in minutes (default: 30, -1 => forever)
> m-equality: integerMatch
> m-name: sambaLockoutDuration
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.64,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.64
> m-collective: FALSE
> m-description: Reset time after lockout in minutes (default: 30)
> m-equality: integerMatch
> m-name: sambaLockoutObservationWindow
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.65,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.65
> m-collective: FALSE
> m-description: Lockout users after bad logon attempts (default: 0 => off)
> m-equality: integerMatch
> m-name: sambaLockoutThreshold
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.66,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.66
> m-collective: FALSE
> m-description: Disconnect Users outside logon hours (default: -1 => off, 0 => on)
> m-equality: integerMatch
> m-name: sambaForceLogoff
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.67,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.67
> m-collective: FALSE
> m-description: Allow Machine Password changes (default: 0 => off)
> m-equality: integerMatch
> m-name: sambaRefuseMachinePwdChange
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
>
> # samba domain Object Schema
> # allow all samba 3 attributes
> #
> dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
> changetype: modify
> add: m-may
> m-may: sambaMinPwdLength
> -
> add: m-may
> m-may: sambaPwdHistoryLength
> -
> add: m-may
> m-may: sambaLogonToChgPwd
> -
> add: m-may
> m-may: sambaMaxPwdAge
> -
> add: m-may
> m-may: sambaMinPwdAge
> -
> add: m-may
> m-may: sambaLockoutDuration
> -
> add: m-may
> m-may: sambaLockoutObservationWindow
> -
> add: m-may
> m-may: sambaLockoutThreshold
> -
> add: m-may
> m-may: sambaForceLogoff
> -
> add: m-may
> m-may: sambaRefuseMachinePwdChange
>
>
> My ubuntu samba 3 (version 2:3.4.7) server is now working perfectly with
> apacheds 1.5.4. Perhaps someone would like to update the source to include
> these schema changes?
>
> Regards,
>
> Brian
>
-- 
Kiran Ayyagari
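An added example, not code from this thread, from ApacheDS or from Samba: Brian converted the OpenLDAP `attributetype` definitions in Samba's `examples/LDAP` by hand into the `metaAttributeType` entries quoted above. The Python (3.8+) below automates that conversion into the same ApacheDS meta-schema shape, folds long values the way RFC 2849 requires (LDIF pasted into mail is usually hard-wrapped, and a continuation line without its leading space does not parse), and checks that every name added to the objectClass's `m-may` has a matching attribute type and that no OID or name is defined twice. The two-definition schema snippet and the `DOMAIN_MAY` list are constructed inputs, and `convert`, `check_schema` and `fold` are hypothetical helper names. One caveat for anyone deploying this: the attributes in question are Samba's account-policy values (lockout threshold, password age and so on), which Samba reads from the sambaDomain entry and enforces itself; ApacheDS merely stores them, so loading the schema applies no policy by itself, and write access to the sambaDomain entry deserves the same ACL care as the user entries.

```python
import re

# Constructed sample input (not from the thread): two Samba 3 attribute
# definitions in OpenLDAP schema syntax, plus the names the sambaDomain
# objectClass is to be extended with. sambaMaxPwdAge is deliberately left
# undefined so the consistency check has something to report.
OPENLDAP_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
    DESC 'Minimal password length (default: 5)' EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
    DESC 'Lockout users after bad logon attempts (default: 0 => off)'
    EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
"""
DOMAIN_MAY = ["sambaMinPwdLength", "sambaLockoutThreshold", "sambaMaxPwdAge"]


def split_definitions(text):
    """Return the body of each 'attributetype ( ... )' block. A regex that
    stops at the first ')' fails because Samba's DESC strings contain
    parentheses, so quoted strings are skipped and nesting depth tracked."""
    bodies, pos = [], 0
    while (start := text.find("attributetype", pos)) >= 0:
        i = text.index("(", start)
        depth, quoted = 0, False
        for k in range(i, len(text)):
            ch = text[k]
            if ch == "'":
                quoted = not quoted
            elif not quoted and ch in "()":
                depth += 1 if ch == "(" else -1
                if depth == 0:
                    break
        bodies.append(text[i + 1:k])
        pos = k + 1
    return bodies


def parse_attribute_type(body):
    """Parse one definition body. Only the single-NAME form used by the
    Samba schema is handled, not NAME ( 'a' 'b' ) alias lists."""
    def field(pattern):
        m = re.search(pattern, body)
        return m.group(1) if m else None
    return {
        "oid": body.split()[0],
        "name": field(r"NAME\s+'([^']+)'"),
        "desc": field(r"DESC\s+'([^']*)'") or "",
        "equality": field(r"EQUALITY\s+(\S+)"),
        "syntax": field(r"SYNTAX\s+([\d.]+)"),
        "single_value": "SINGLE-VALUE" in body,
    }


def fold(line, width=76):
    """RFC 2849 line folding: each continuation line starts with one space.
    A mail client's hard wrap drops that space and breaks the LDIF."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def to_apacheds_ldif(attr, schema="samba"):
    """Emit the ApacheDS meta-schema entry for one attribute type, in the
    same shape as the entries posted in the thread."""
    lines = [f"dn: m-oid={attr['oid']},ou=attributeTypes,cn={schema},ou=schema",
             "objectClass: metaAttributeType", "objectClass: metaTop",
             "objectClass: top", f"m-oid: {attr['oid']}", "m-collective: FALSE",
             f"m-description: {attr['desc']}"]
    if attr["equality"]:
        lines.append(f"m-equality: {attr['equality']}")
    lines += [f"m-name: {attr['name']}", "m-noUserModification: FALSE",
              "m-obsolete: FALSE",
              f"m-singleValue: {'TRUE' if attr['single_value'] else 'FALSE'}",
              f"m-syntax: {attr['syntax']}", "m-usage: USER_APPLICATIONS"]
    return "\n".join(fold(l) for l in lines) + "\n"


def check_schema(attrs, may_names):
    """List duplicate OIDs or names, missing SYNTAX, and m-may names that
    no attribute type defines (the directory cannot resolve those)."""
    problems, oids, names = [], set(), set()
    for a in attrs:
        if a["oid"] in oids:
            problems.append(f"duplicate OID {a['oid']}")
        if a["name"] in names:
            problems.append(f"duplicate name {a['name']}")
        if not a["syntax"]:
            problems.append(f"{a['name']} has no SYNTAX")
        oids.add(a["oid"])
        names.add(a["name"])
    problems += [f"m-may {n} refers to an undefined attribute type"
                 for n in may_names if n not in names]
    return problems


def convert(text, may_names):
    """Parse, convert and check; returns (attrs, ldif_text, problems)."""
    attrs = [parse_attribute_type(b) for b in split_definitions(text)]
    ldif = "\n".join(to_apacheds_ldif(a) for a in attrs)
    return attrs, ldif, check_schema(attrs, may_names)


if __name__ == "__main__":
    attrs, ldif, problems = convert(OPENLDAP_SCHEMA, DOMAIN_MAY)
    print(ldif)
    for p in problems:
        print("WARNING:", p)
```

Run it as a script to print the LDIF and any warnings; with the constructed input it reports that `sambaMaxPwdAge` is referenced by the objectClass but never defined, which is exactly the class of mismatch that shows up in `wrapper.log` after the fact. The converter only emits values that are safe as plain LDIF strings; a description containing a leading space, a colon, or non-ASCII text would need the base64 (`::`) form, which is left out here.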
