Samba and the Lightweight Directory Access Protocol (LDAP)
"Can Samba use LDAP, and if so, how do I configure it?" Samba expert Jerry Carter sheds light on this question in his latest article on where Samba's LDAP support stands.
LDAP has been getting a lot of curious looks lately as more and more vendors and administrators begin to explore its potential as a replacement for existing directory services. The question often comes up on the various Samba mailing lists, "Can Samba use LDAP, and if so, how do I configure it?" LDAP support in Samba is currently experimental and is absent from the latest release version. However, development is proceeding to provide support that will allow Samba to store the user account information needed by Windows NT domain clients in an LDAP tree.
Currently under development is the LDAP schema Samba needs, designed to interoperate as closely as possible with Windows 2000 Active Directory. The idea is that the proposed LDAP support will act as a stepping stone for future work enabling Samba to obtain user information from an AD server itself.
One thing that will differ from the previously implemented experimental versions is that Samba's LDAP backend will store only Samba-related information and will not duplicate user information that should be obtained through the OS-provided library calls. For example, previous implementations stored the user's Unix uid and primary gid in addition to the user's Windows NT RID. The uid and gid stored in the LDAP entry were never authoritative: the host operating system on which Samba was running was still asked to validate them, so the copy was redundant, and a copy that drifted out of step with the host's account database could only cause confusion. In future versions, Samba's LDAP backend will not maintain Unix user information at all, but will obtain it on demand via function calls such as getpwnam().
If this is the case, then the next question becomes, "How can I consolidate my Samba account information and Unix account information into LDAP if Samba will query the Unix host for it?" The answer is to make the Unix host itself fetch its account data from LDAP. Figure 1 gives an example of how this can be done using PAM and Name Service Switch (NSS) modules: nss_ldap answers the getpwnam() call, pam_ldap handles Unix authentication, and Samba stores only its own data in the same directory. If you are interested in replacing NIS or /etc/passwd with an LDAP directory service, you should do two things. First, read RFC 2307 and understand the schema needed to migrate standard Unix (and POSIX) account information into an LDAP directory. Second, read the documentation provided with Luke Howard's LDAP client tools (pam_ldap and nss_ldap), found at www.padl.com/software.html.
Figure 1: Using Samba's LDAP support, pam_ldap, and nss_ldap together
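The two halves of the arrangement above, as an added example that is not code from the article or from the Samba project. The LDIF entry is a constructed sample that uses the real RFC 2307 attribute names (posixAccount, uidNumber, gidNumber, homeDirectory, loginShell, gecos); passwd_line_from_entry() renders it as the passwd(5) line nss_ldap would hand back to getpwnam(). resolve_unix_ids() and samba_account_view() are hypothetical names that illustrate the on-demand lookup the previous section describes: Samba keeps only its own data (here just the NT RID) and asks the host operating system for the uid and gid when they are needed, so an account the OS does not know is rejected outright.

```python
"""Consolidating Samba and Unix account data in LDAP (added example, not Samba code)."""
import pwd
from typing import Dict, List, Optional, Tuple

# Constructed sample entry, not taken from any real directory.
# Attribute names follow RFC 2307; the password is locked ("*"), no real hash.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: John Doe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/sh
gecos: John Doe,,,
userPassword: {crypt}*
"""

# Attributes a posixAccount MUST carry (RFC 2307); nss_ldap cannot build a
# passwd entry without them.
REQUIRED_POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one plain (unfolded, non-base64) LDIF entry into attr -> [values]."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def passwd_line_from_entry(entry: Dict[str, List[str]]) -> str:
    """Render the passwd(5) line nss_ldap would return for this entry."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("entry is not a posixAccount")
    missing = [a for a in REQUIRED_POSIX_ATTRS if a not in entry]
    if missing:
        raise ValueError(f"posixAccount entry missing {missing}")

    def one(attr: str, default: str = "") -> str:
        return entry.get(attr, [default])[0]

    # The password field is "x": the hash stays in userPassword, consulted by
    # pam_ldap at login time and never exported through getpwnam().
    return ":".join([
        one("uid"), "x", one("uidNumber"), one("gidNumber"),
        one("gecos", one("cn")), one("homeDirectory"), one("loginShell", "/bin/sh"),
    ])


def resolve_unix_ids(name: str) -> Optional[Tuple[int, int]]:
    """The on-demand getpwnam() lookup. The uid/gid come from whatever the
    host's NSS configuration says (files, NIS or nss_ldap), never from a copy
    kept alongside the Samba data. None means the OS does not know the user."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    return pw.pw_uid, pw.pw_gid


def samba_account_view(name: str, nt_rid: int) -> Optional[dict]:
    """Join the Samba-side record (hypothetical: only the NT RID is stored)
    with live Unix data at lookup time; reject accounts the OS cannot resolve."""
    ids = resolve_unix_ids(name)
    if ids is None:
        return None
    uid, gid = ids
    return {"name": name, "rid": nt_rid, "uid": uid, "gid": gid}


if __name__ == "__main__":
    print(passwd_line_from_entry(parse_ldif_entry(SAMPLE_LDIF)))
    print(samba_account_view("root", 500))          # resolved via NSS
    print(samba_account_view("no-such-user-zz", 1001))  # None: unknown to the OS
```

Note that the RID lives only on the Samba side and the uid only on the Unix side; if an administrator renumbers jdoe in the directory, the next getpwnam() picks the change up with nothing in Samba's records to go stale.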
About the Author
Gerald Carter has been a member of the SAMBA Team since 1998, and he is employed by VA Linux Systems. He is currently working with O'Reilly Publishing on a guide to LDAP for system administrators. He holds a master's degree in computer science from Auburn University, where he was also previously employed as a network and systems administrator. Gerald has published articles with various Web-based magazines, such as Linuxworld, and has authored instructional courses for companies such as Linuxcare. In addition, he acted as the lead author of Teach Yourself Samba in 24 Hours (Sams Publishing, 2000), and he actively gives tutorials at systems administration conferences.
During his spare time, Gerald enjoys running, hiking, playing music, and Bible study. He resides with his beautiful wife of seven years in Dadeville, Alabama.