What about synchronizing the OpenLDAP and Windows 2000
schemas? The differences between their schemas prevent copying
an Active Directory tree into an LDBM database and vice versa.
Very nice. But what about using a Windows 2000 server with an LDAP server, with my Linux stations connecting to them?
How do I do it?
Active Directory uses DNS and LDAP v2 and v3. Just run ldap clients on the Linux machines. Bam, you got yourself Linux workstations authenticating to a Windows 2000 domain controller. How's that for surreal?
The RH Server Development Project has a package that will do a lot of the "hard work" for you and set up a Samba PDC with LDAP + the webmin frontend.
It's almost too easy.
Mandrake RPMs of 2.2.5 for Mandrake 8.x built with LDAP support are available on ftp.samba.org.
The RPMs in cooker have everything but the webmin frontend running (but by default are not compiled with ldap support, just do 'rpm --rebuild --with ldap' to get it).
RPMs for 8.x will be updated soon ...
Of course, for anything later than 8.1 that also means you get ACLs, nss_wins and winbind out of the box ...
Still have some work to do tracking down the webmin module.
Anonymous, you deserve a kiss. ;-) Thank you so much.
As others have said, Samba supports LDAP quite well.
However, from my similar setup, it looks like TNG is needed to handle domain groups.
Groups of users on the domain seem to have very limited support in the main Samba (so far).
For example, allowing a group of users to access a share on a server in the domain.
I think this is only possible in TNG with ACLs.
If I'm wrong, please email me:
dmiller at judcom.nsw.gov.au
AFAIK, there aren't ACLs in TNG, and for what you want to accomplish (use domain groups on the server), you don't need domain groups, since LDAP does that for you.
The only place domain groups are useful is on the Windows boxen, and this can be accomplished (though I am not sure with LDAP) using some tools from samba-3alpha on a samba-2.2.x domain controller (it was smbgroupedit, it might have changed).
samba-2.2.x of course supports POSIX ACLs with xfs or ext2/3 + the bestbits patch.
Is there anyone who has normal Samba 2.2.x working in a similar scenario?
Yes, we have it working. At Brigham Young University, both the CS Department and the Chemistry Department are using LDAP to drive Samba HEAD 2.2.2 domain controllers to serve Windows domains. Works great. No probs at all, except for the caveat that machines joined to the domain have to exist in the local password file of the domain controller, and not in LDAP, because for some reason PAM cannot find any unames like 'machine1$' in LDAP. Other than that, users are all there in LDAP. We use Kerberos for authentication on our Unix machines, and LDAP integration with Kerberos will soon be pretty tight. We're still working on some good password synchronization tools.
In the chem department, we actually have three different domains (3 samba 2.2.2 pdcs) serving from one LDAP database source. We use LDAP filters in the smb.conf file to limit domain access to particular gidNumbers. Very nice indeed.
You can contact me with questions at torriem at byu dot edu.
idealx.org has got a project like this going on...
BTW, what I would really like is being able to combine one of these approaches with "that dreaded exchange server".
That would be interesting ....
How could we do that ..............
Samba 2.2.x has supported LDAP for quite some time, plus, you get a lot of features that are not available in samba-tng, such as ACLs, downloadable print drivers etc.
Plus, I don't think the schema for samba-tng is compatible with samba HEAD cvs (which will become 3.0).
Also, you might want to have Samba use SSL or TLS for its LDAP connections, otherwise you are sending Windows password hashes across the network in clear text. These are easily cracked, and are password-equivalents. Of course, this mostly applies to the rest of the setup also if you don't use SASL.
But my question now is, how would you handle Linux laptops in this scenario? Windows laptops would work fine, having cached credentials from the DC, and probably having cached profiles also.
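Added example, not part of the thread and not Samba project code: a small check of the two smb.conf settings the comments above mention, "ldap ssl" (transport protection for the password hashes) and an "ldap filter" restricted by gidNumber. Parameter names follow the Samba 2.2.x documentation; the sample configs, host name, suffix and gid 500 are constructed.

```python
import re

# Constructed sample configs (host name, suffix and gid are placeholders).
WEAK = """\
[global]
   workgroup = CHEM
   ldap server = ldap.example.org
   ldap suffix = dc=example,dc=org
   ldap ssl = off
   ldap filter = (&(uid=%u)(objectclass=sambaAccount))
"""
HARDENED = WEAK.replace("ldap ssl = off", "ldap ssl = start_tls").replace(
    "(objectclass=sambaAccount))", "(objectclass=sambaAccount)(gidNumber=500))")

PLAINTEXT = {"off", "no", "false", "0"}  # "ldap ssl" values meaning no encryption

def parse_global(text):
    """Return {name: value} for [global]; names are lower-cased, spaces removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)     # filters contain '=' themselves
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """List findings for an LDAP-backed smb.conf; an empty list means none."""
    p = parse_global(text)
    if not any(k.startswith("ldap") for k in p):
        return []                                # no LDAP backend configured
    findings = []
    ssl = p.get("ldapssl")
    if ssl is None:
        findings.append("ldap ssl unset: state it explicitly")
    elif ssl.lower() in PLAINTEXT:
        findings.append("ldap ssl = %s: hashes cross the network unencrypted" % ssl)
    if not re.search(r"\(gidnumber=\d+\)", p.get("ldapfilter", "").lower()):
        findings.append("ldap filter has no gidNumber clause: not limited by group")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf))
```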
It's nice to see more people using the LDAP backend in Samba, however that only TNG and the 3.0 alpha branch support it is wholly incorrect. The "stable" branch of 2.2.x has supported it for quite a while (I don't remember when it first started appearing in the official tree, but I had patches working for it before 2.2.2). As it stands, the current stable version of Samba supports LDAP very well. There are some differences between what is described here and the 3.0 and 2.x versions, the most obvious (at least on my cursory glance) being how the LDAP password is specified.
Suffice it to say, for those that don't want to use unstable, development, software but want the benefits of unified logins and passwords, can (and I recommend they) use the latest and greatest Samba 2.x for windows account management.
I've made an extensive LDAP presentation and posted it at -
Thanks a lot, great work. Let me see how fast I get into it ;-)
This URL is prompting for a user ID and password. Is there open access to this?
I suggest that everyone who is thinking of dealing with LDAP read this great document. Thank you.
Really impressive, good work.
Perfect !!!, great presentation !!!!, Thanks.
Thank you, great work!
How can I increase the OpenLDAP connections? Right now it seems to support 64 connections.