LDAP Support in Samba

Matthew Chapman

29th November 1998

WARNING: This is experimental code. Use at your own risk, and please report any bugs (after reading BUGS.txt).

Table of Contents

1: What is LDAP?

2: Why LDAP and Samba?

3: Using LDAP with Samba

4: Using LDAP for Unix authentication

5: Compatibility with Active Directory

1: What is LDAP?

A directory is a type of hierarchical database optimised for simple query operations, often used for storing user information. LDAP is the Lightweight Directory Access Protocol, a protocol which is rapidly becoming the Internet standard for accessing directories.

Many client applications now support LDAP (including Microsoft's Active Directory), and there are a number of servers available. The most popular implementation for Unix is from the University of Michigan; its homepage is at http://www.umich.edu/~dirsvcs/ldap/.

Information in an LDAP tree always comes in attribute=value pairs. The following is an example of a Samba user entry:

uid=jbloggs, dc=samba, dc=org
cn=Joe Bloggs
description=Samba User

Note that the top line is a special set of attributes called a distinguished name which identifies the location of this entry beneath the directory's root node. Recent Internet standards suggest the use of domain-based naming using dc attributes (for instance, a microsoft.com directory should have a root node of dc=microsoft, dc=com), although this is not strictly necessary for isolated servers.

There are a number of LDAP-related FAQ's on the internet, although generally the best source of information is the documentation for the individual servers.

2: Why LDAP and Samba?

Using an LDAP directory allows Samba to store user and group information more reliably and flexibly than the current combination of smbpasswd, smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges for extra user information to be stored, this can easily be added without loss of backwards compatibility.

In addition, the Samba LDAP schema is compatible with RFC2307, allowing Unix password database information to be stored in the same entries. This provides a single, consistent repository for both Unix and Windows user information.

3: Using LDAP with Samba

  1. Install and configure an LDAP server if you do not already have one. You should read your LDAP server's documentation and set up the configuration file and access control as desired.

  2. Build Samba (latest CVS is required) with:

    	./configure --with-ldap
    	make clean; make install

  3. Add the following options to the global section of smb.conf as required.

    ldap suffix

    This parameter specifies the node of the LDAP tree beneath which Samba should store its information. This parameter MUST be provided when using LDAP with Samba.

    Default: none

    Example: ldap suffix = "dc=mydomain, dc=org"

    ldap bind as

    This parameter specifies the entity to bind to an LDAP directory as. Usually it should be safe to use the LDAP root account; for larger installations it may be preferable to restrict Samba's access.

    Default: none (bind anonymously)

    Example: ldap bind as = "uid=root, dc=mydomain, dc=org"

    ldap passwd file

    This parameter specifies a file containing the password with which Samba should bind to an LDAP server. For obvious security reasons this file must be set to mode 700 or less.

    Default: none (bind anonymously)

    Example: ldap passwd file = /usr/local/samba/private/ldappasswd

    ldap server

    This parameter specifies the DNS name of the LDAP server to use when storing and retrieving information about Samba users and groups.

    Default: ldap server = localhost

    ldap port

    This parameter specifies the TCP port number of the LDAP server.

    Default: ldap port = 389

  4. You should then be able to use the normal smbpasswd(8) command for account administration (or User Manager in the near future).

4: Using LDAP for Unix authentication

The Samba LDAP code was designed to utilise RFC2307-compliant directory entries if available. RFC2307 is a proposed standard for LDAP user information which has been adopted by a number of vendors. Further information is available at http://www.xedoc.com.au/~lukeh/ldap/.

Of particular interest is Luke Howard's nameservice switch module (nss_ldap) and PAM module (pam_ldap) implementing this standard, providing LDAP-based password databases for Unix. If you are setting up a server to provide integrated Unix/NT services than these are worth investigating.

5: Compatibility with Active Directory

The current implementation is not designed to be used with Microsoft Active Directory, although compatibility may be added in the future.