From: Adam Tauno Williams on 7 Feb 2010 22:00

On Sun, 2010-02-07 at 21:52 +0000, Miguel Medalha wrote:
> After acquiring some experience with the use of Samba+OpenLDAP, I am now
> in the process of creating my first PDC based on Samba+CentOS (Red Hat,
> Fedora, 389) Directory Server. While reading the DS documentation,
> something caught my attention.
> The Administration Guide for Red Hat Directory Server 8.1 states the
> following:
> Inter-process communication (IPC) is a way for separate processes on a
> Unix machine or a network
> to communicate directly with each other. LDAPI is a way to run LDAP
> Does Samba support this type of connection to the LDAP server?

Yes.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Miguel Medalha on 8 Feb 2010 16:00

>> Does Samba support this type of connection to the LDAP server?
>>
> Yes.
>

I am more than willing to do my homework on this matter, but I need some kind of clue.

Should I simply point samba to a "ldapi" URI? I couldn't find any significant answer by googling this.

Thank you.
From: Miguel Medalha on 8 Feb 2010 16:10

> I couldn't find any significant answer by googling this.
>

Oh well, I had just posted that when I found this:

Samba connect ldap via socket
http://lists.samba.org/archive/samba/2008-May/140869.html

« The following setting works fine for me on a Debian testing system and with openLDAP:

[globals]
passdb backend = ldapsam:ldapi://

I do not have to specify the name of the socket file, since the LDAP server and the LDAP client library are both using the same default settings. This condition holds true if the server and the client library have been compiled from the same source and with the same configuration.

Furthermore, you have to ensure that slapd opens a socket at all. This is not enabled by default. I had to add the following to /etc/defaults/slapd:

SLAPD_SERVICES="ldap:/// ldapi:///"

The value of SLAPD_SERVICES is passed to slapd as a command-line option by the daemon startup script.

-- Peter Slickers »
From: Miguel Medalha on 10 Feb 2010 20:50

> You can also specify the LDAPI socket path if your OpenLDAP server is
> listening in a 'non-standard' location, like:
>
> passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
>
> You have to escape the "/" elements of the path.
>

Thank you for helping me search in the right direction.

By default, CentOS Directory Server 8.10 (=Red Hat 389 Directory Server 8.10 or 389 Directory Server 1.1) creates a socket under /var/run/slapd-<your instance>.socket. So I have:

passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-<your instance>.socket

This is now working. I even managed to combine this with "ldapsam:trusted" + "ldapsam:editposix" so that I don't have to use external scripts to manage accounts.

Some obstacles remain:

"getent shadow" does not return the LDAP-only users, although "getent passwd" and "getent group" work as expected. No shadow entries are present in the LDAP database, so it seems to me that either pdbedit or smbpasswd are not creating those entries or there is something missing in the database configuration, such as appropriate ACLs.

Also, with "ldap passwd sync" enabled, pdbedit and smbpasswd are not able to create a user's password, giving the following message:

ldapsam_modify_entry: LDAP Password could not be changed for user <x>: Confidentiality required
Operation requires a secure connection.

It only works with "ldap passwd sync = no".

I will look into both these issues next.

Thank you

PS - For now, I don't know if I will adopt this connection over Unix sockets, since there appears to be a bug in the current implementation:

LDAPI: activation of LDAPI UNIX socket causes serious performance issues in TCP/IP searches
https://bugzilla.redhat.com/show_bug.cgi?id=497556

The above page also contains a patch. I will look into it.
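The two config recipes above (Peter Slickers' bare `ldapsam:ldapi://` and the percent-escaped socket path for a non-default location) boil down to one rule: the socket path goes where a host name would normally sit in the URI, so every "/" must be escaped. The script below is an added example, not code from Samba, OpenLDAP, 389 DS or anyone in this thread. It builds the escaped URI and the matching smb.conf lines, reads a URI back to a path, and runs the pre-flight check a practitioner wants before restarting smbd: does the socket actually exist, is it a socket, and can this user connect to it. The instance name "example" and all socket paths in it are made up for the demonstration.

```python
"""Build and sanity-check the ldapi:// URI that Samba's 'passdb backend'
needs when slapd / ns-slapd listens on a Unix socket.

Added example; not Samba, OpenLDAP or 389 DS code and not posted by
anyone in the thread. The instance name "example" and the socket paths
below are made up for the demonstration.
"""
import os
import stat
from typing import Optional, Tuple

# RFC 3986 unreserved characters survive un-escaped; everything else,
# "/" included, is percent-encoded so the path can occupy the spot in the
# URI where a host name would normally go.
_UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def escape_socket_path(path: str) -> str:
    """Percent-encode a Unix socket path for use inside ldapi://...

    Hex digits are emitted in lower case to match the form used in the
    thread (%2f); the LDAP client library decodes either case.
    """
    return "".join(
        chr(b) if chr(b) in _UNRESERVED else "%%%02x" % b
        for b in path.encode("utf-8"))


def unescape_socket_path(escaped: str) -> str:
    """Inverse of escape_socket_path, to read an existing URI back.

    Input is the ASCII-only authority part of the URI, so ord() of an
    un-escaped character is always a single byte.
    """
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "%" and i + 3 <= len(escaped):
            out.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(escaped[i]))
            i += 1
    return out.decode("utf-8")


def ldapi_uri(socket_path: Optional[str] = None) -> str:
    """A bare 'ldapi://' means "use the client library's compiled-in
    default socket", which only works when libldap and the server agree
    on that default; pass the path explicitly otherwise."""
    if not socket_path:
        return "ldapi://"
    return "ldapi://" + escape_socket_path(socket_path)


def default_389ds_socket(instance: str) -> str:
    """Socket path 389 DS creates for an instance, per the message above."""
    return "/var/run/slapd-%s.socket" % instance


def smb_conf_snippet(socket_path: Optional[str] = None,
                     trusted: bool = False, editposix: bool = False) -> str:
    """Render the [global] lines Samba needs. ldapsam:trusted and
    ldapsam:editposix are separate parameters, not part of the URI."""
    lines = ["[global]",
             "    passdb backend = ldapsam:" + ldapi_uri(socket_path)]
    if trusted:
        lines.append("    ldapsam:trusted = yes")
    if editposix:
        lines.append("    ldapsam:editposix = yes")
    return "\n".join(lines) + "\n"


def socket_is_ready(socket_path: str) -> Tuple[bool, str]:
    """Pre-flight check for the path about to go into smb.conf: it must
    exist, be a Unix socket, and be connectable by the calling user.
    A socket that root can use but the current user cannot is a common
    reason a test run as an unprivileged user fails to bind."""
    try:
        st = os.stat(socket_path)
    except FileNotFoundError:
        return False, ("no such file; is the server started with "
                       "ldapi:/// in its listener list?")
    if not stat.S_ISSOCK(st.st_mode):
        return False, "path exists but is not a Unix socket"
    if not os.access(socket_path, os.R_OK | os.W_OK):
        return False, ("socket exists but this user may not connect to it "
                       "(check owner/mode)")
    return True, "ok"


if __name__ == "__main__":
    path = default_389ds_socket("example")   # made-up instance name
    print(smb_conf_snippet(path, trusted=True, editposix=True))
    ready, why = socket_is_ready(path)
    print("%s: %s" % (path, why))
```

Run it as the user that will actually open the connection; the `os.access` check is what catches a socket created with a restrictive mode, which looks identical to a missing listener from Samba's side.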
From: Miguel Medalha on 10 Feb 2010 21:20

> PS - For now, I don't know if I will adopt this connection over Unix
> sockets, since there appears to be a bug in the current implementation:
>
> LDAPI: activation of LDAPI UNIX socket causes serious performance
> issues in TCP/IP searches
> https://bugzilla.redhat.com/show_bug.cgi?id=497556
>
> The above page also contains a patch. I will look into it.
>

As a matter of fact, this bug has been corrected in the recent (Jan. 13, 2010) release 1.2.5 of 389 Directory Server.
http://directory.fedoraproject.org/wiki/Release_Notes

I am sorry for my misinformed statement.