On Mon, 2010-03-15 at 21:12 +0000, SMC wrote:
> This is probably an insane question, but I'm going to ask it anyway...
>
> Does Samba4's embedded LDAP server also support being used as an ordinary
> (*nix-style) LDAP authentication server, at least for simple, basic use cases?
>
> Or is it necessary to have the OpenLDAP backend running to handle normal LDAP
> authentication?

Actually, it's neither. The OpenLDAP backend of Samba4 is not generally exposed, nor are the unix attributes currently set.

We do support the uidNumber attributes etc, but only in that we load a schema that should allow them to be set. We don't currently set those values when users are created, nor do we use them for Samba4's internal idmap.

The best option at this time is to run Samba3's winbind against Samba4. This ensures that all recursive groups are handled correctly, and that Kerberos is used for authentication.

I do want Samba4 to be a good LDAP server for POSIX clients, and I hope to make it better than AD is by supporting extensions such as the 'password set/change' extended operation. However, we must first be a good AD domain controller, and we can't enable behaviours that are in conflict with being an AD DC. For example, we will soon enable ACL support that will block anonymous access to our directory - while most POSIX clients prefer anonymous searches.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
