Samba4 with OpenLDAP backend

Nadezhda Ivanova

Abstract

Samba4 with an OpenLDAP backend was attempted many years ago, for the obvious reason: to combine the powerful, scalable and reliable OpenLDAP server with the AD compatibility of Samba4 and provide a viable, AD compatible LDAP server. The initial project was gradually abandoned, for several reasons, among which the difficulty of trying to map the AD LDAP semantics to the standard LDAPv3 semantics without loss of functionality, but mostly because of lack of resources for testing and development, as the Samba4 ldb/tdb implementation caught caught up with AD functionality and grew in complexity. As the corresponding Samba test suite grew as well, it became clear that a simple ldap proxy backend for Samba4 is untenable, and support for the project was discontinued.

More than a year ago, the project was revived thanks to Symas Corporation, with a new goal: to implement a proper OpenLDAP backend for Samba4, by actually relieving Samba4 of the need to maintain it’s own LDAP server, and using OpenLDAP to both handle all LDAP traffic, and serve as a backend for the RPC protocols still supported by Samba. This essentially meant reimplementation of the AD-specific LDAP Samba modules as OpenLDAP overlays, and relying entirely on OpenLDAP to handle authentication and authorization of LDAP traffic.

The talk will include: Presentation of the project architecture and design Explanation of the new overlays and their function, as well as the corresponding functionality they replace in Samba. additional changes to OpenLDAP functionality and configuration, such as the ability to parse and load Microsoft type schema, understand Microsoft-specific syntaxes, etc.

Among the implemented overlays are: creation and generation and NT style security descriptors and access checks generation of the AD specific operational attributes maintaining the consistency of the SAM database creation and maintenance of new partitions maintaining the consistency of attributes required for replication many others.

It will also include suggestions for configuration, installation and testing.

Biography

A Software Engineer with more than 10 years experience, with particular interest in the implementation of network protocols and applications in Linux and Linux-based operating systems. She began her career as a developer of network protocols for the embedded operating system of network devices.

Later joined in the development of a Linux-based MS Exchange compatible mail server, which led to her interest and involvement in the Samba4 DS project in 2008. A Samba Team member since 2009, she has been part of the development of LDAP functionality for Samba4, most prominently in the area of authorization.

Currently a Software Engineer at Symas Corporation, working on the OpenLDAP and Samba4 projects.

Presentation

Samba4 with OpenLDAP backend – slides