OpenLDAP with Linux and Windows

Using LDAP to manage user authentication in computer labs at the University of Verona.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Re: OpenLDAP with Linux and Windows

Anonymous's picture

What about synchronizing OpenLDAP and Windows2000

schema? The differents of their schemes prevent to copy

ActiveDirectory tree in LDBM database and vice versa.

Re: OpenLDAP with Linux and Windows

Anonymous's picture

Very nice. But, for use a windows2000 server with ldap server and my linux stations for conect them?

How to make it?


Re: OpenLDAP with Linux and Windows

Anonymous's picture

VERY easy.

Active Directory uses DNS and LDAP v2 and v3. Just run ldap clients on the Linux machines. Bam, you got yourself Linux workstations authenticating to a Windows 2000 domain controller. How's that for surreal?

Easier installation

Anonymous's picture

The RH Server Development Project has a package that will do alot of the "hardwork" for you and set up a samba PDC with LDAP + the webmin frontend

its allmost too easy

Or just use Mandrake ...

Anonymous's picture

Mandrake RPMs of 2.2.5 for Mandrake 8.x built with LDAP support are available on

The RPMs in cooker have everything but the webmin frontend running (but by default are not compiled with ldap support, just do 'rpm --rebuild --with ldap' to get it).

RPMs for 8.x will be updated soon ...

Of course, for anything later than 8.1 that also means you get ACLs, nss_wins and winbind out the box ...

Still have some work to do tracking down the webmin module.

Re: Easier installation

Anonymous's picture

Anonymous, you deserve a kiss. ;-) Thank you so much.


the need for TNG ?

Anonymous's picture

As others have said samba supports LDAP quite well.

however, from my similar setup, It looks like TNG is needed to handle domain groups.

groups of users on the domain seems to have very limited support in the main samba (so far).

for example allowing a group of users to access a share on a server in the domain.

I think this is only possible in TNG with ACL's

If im wrong please email me

dmiller at

No ACLs in TNG

Anonymous's picture

AFAIK, there aren't ACLs in TNG, and for what you want to accomplish (use domain groups on the server), you don't need domain groups, since LDAP does that for you.

The only place domain groups are useful, are on the windows boxen, and this can be accomplished (though I am not sure with LDAP) using some tools from samba-3alpha on a samba-2.2.x domain controller (it was smbgroupedit, it might have changed).

samba-2.2.x of course supports posix acls with xfs or ext2/3+betbits patch.

Re: OpenLDAP with Linux and Windows

Anonymous's picture

Is there anyone who has normal Samba 2.2.x working in simmilar scenario ?

Re: OpenLDAP with Linux and Windows

Anonymous's picture

Yes we have it working. At the Brigham Young University, both the CS Department and the Chemistry Department are using LDAP to drive Samba HEAD 2.2.2 Domain controllers to server windows domains. Works great. No probs at all, except for the caveat that machines joined to the domain have to exist in the local password file of the domain controller, and not in ldap because for some reason pam cannot find any unames like 'machine1$' in ldap. Other than that users are all there in LDAP. We use kerberos for authentication on our unix machines and LDAP integration with kerberos will soon be pretty tight. We're still working on some good password synchronization tools.

In the chem department, we actually have three different domains (3 samba 2.2.2 pdcs) serving from one LDAP database source. We use LDAP filters in the smb.conf file to limit domain access to particular gidNumbers. Very nice indeed.

You can contact me with questions at torriem at byu dot edu.


Michael Torrie

Re: OpenLDAP with Linux and Windows

Anonymous's picture has got a project like this going on...

btw. what i would really like if being able to combine one of these approaches with "that dreaded exchange server"

Re: OpenLDAP with Linux and Windows

Anonymous's picture

That would be interesting ....

How could we do that ..............

samba 2.2.x works fine

Anonymous's picture

Samba 2.2.x has supported LDAP for quite some time, plus, you get a lot of features that are not available in samba-tng, such as ACLs, downloadable print drivers etc.

Plus, I don't think the schema for samba-tng is compatilbe with samba HEAD cvs (which will become 3.0).

Also, you might want to have samba use SSL or TLS for it's LDAP connections, otherwise you are sending windows password hashes across the network in clear text. These are easily cracked, and are password-equivalents. Of course, this mostly applies to the rest of the setup also if you don't use sasl.

But, my question now is, how would you handle linux laptops in this scenario. Windows laptops would work fine, having cached credentials from the DC, and probably having cached profiles also.

Re: OpenLDAP with Linux and Windows

Anonymous's picture

It's nice to see more people using the LDAP backend in Samba, however that only TNG and the 3.0 alpha branch support it is wholly incorrect. The "stable" branch of 2.2.x has supported it for quite a while (I don't remember when it first started appearing in the official tree, but I had patches working for it before 2.2.2). As it stands, the current stable version of Samba supports LDAP very well. There are some difference between what is described here and the 3.0 and 2.x versions, the most obvious (at least on my cursory glance) being how the ldap password is specified.

Suffice it to say, for those that don't want to use unstable, development, software but want the benefits of unified logins and passwords, can (and I recommend they) use the latest and greatest Samba 2.x for windows account management.


OpenLDAP and LDAP integration documentation

Anonymous's picture

I've made an extensive LDAP presentation and posted it at -

Greate Work, thx

Mk's picture

Thanks alot, great work. Let me see how fast I get into ;-)

Re: OpenLDAP and LDAP integration documentation

Anonymous's picture

This URL is prompting for a user id and password. Is there an open access to this?

Re: OpenLDAP and LDAP integration documentation

Anonymous's picture

I suggest to everyone, who think deal with ldap, read this great document. Thank you.

Re: OpenLDAP and LDAP integration documentation

Anonymous's picture

Really impressive, good work.

Re: OpenLDAP and LDAP integration documentation

Anonymous's picture

Perfect !!!, great presentation !!!!, Thanks.

Re: OpenLDAP and LDAP integration documentation

Anonymous's picture

Thank you, great work!

Doubt regarding connections

Anonymous's picture


How can i increase the openldap connections now it seems to be supporting 64 connections.


Geek Guide
The DevOps Toolbox

Tools and Technologies for Scale and Reliability
by Linux Journal Editor Bill Childers

Get your free copy today

Sponsored by IBM

Upcoming Webinar
8 Signs You're Beyond Cron

Scheduling Crontabs With an Enterprise Scheduler
11am CDT, April 29th
Moderated by Linux Journal Contributor Mike Diehl

Sign up now

Sponsored by Skybot