  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2986

Redhat Linux SAMBA (Adding Remote LDAP Authentication to a Shared Folder)

I have a Linux (Red Hat) box with Samba running on it to authenticate a file share folder on the box to Windows users. Now, I don't have much access to this machine, nor do I have any "worth a crap" Linux knowledge; however, I need to somehow achieve the following:

- Query a remote LDAP server to authenticate
- Still keep the current share authentication settings.

Basically Samba is querying another domain's list of users and allowing them access to a shared folder. I have a group of people who need access to the same folder to cooperatively work with each other, but the catch is their authentication server is LDAP:

hostname   authn.directory.vt.edu
password   <Password>
filter     (uupid=<username>)
base       ou=People,dc=vt,dc=edu
port       389

There could be 50 people in that directory, and I need to keep the domain users and the new LDAP users authenticated to the same folder so they can all happily Map Network Drives on Windows.

Is there a way to add remote LDAP authentication to a shared folder on Samba?
Asked by vtois
1 Solution
 
natoka commented:
In Samba there is no possibility to do that.

What you can do is make Samba use PAM for authentication and then make PAM authenticate against the LDAP server, and set the appropriate rights in the file system, which should prevent users that are not in the remote LDAP directory from entering the directory.

So in addition to Samba, you'll need the pam_ldap and pam_nss modules, a valid /etc/pam.d/samba config file authenticating against local users/groups and the remote LDAP server, and a working NSS configuration (perhaps with nscd so that authentication info is cached, which speeds up file access).
See:
http://ldots.org/ldap/ (for some introduction)
http://www.faqs.org/docs/Linux-HOWTO/LDAP-Implementation-HOWTO.html (to get nss working)

If you get all those things working, you'll only need one more thing: a filesystem capable of ACLs. Since Samba is ACL-aware, the rest can then be configured from a Windows machine. Or, if you prefer to do it on *nix, you just have to give the appropriate users the rights to access the directory(ies) in question.
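The PAM/NSS route described in the answer above, as an added example (not code from the thread): a script that stages the files natoka lists under a directory of your choice, plus a check for the caveat that usually sinks this approach. Samba only hands the password itself to PAM when the client sends it in cleartext (encrypt passwords = no); with encrypted passwords it verifies the NTLM response against its own passdb and uses PAM, if obey pam restrictions = yes, for account and session checks only. Windows clients refuse to send cleartext passwords unless EnablePlainTextPassword is set in the registry. Assumptions not in the original post: PADL pam_ldap/nss_ldap are installed, the bind DN, the share name [shared] and the path /srv/share; with STAGE=/ the script overwrites the real files.

```shell
#!/bin/sh
# Added example, not code from the thread: the Samba -> PAM -> pam_ldap/nss_ldap
# plumbing natoka describes, staged under $STAGE (default ./stage; run as root
# with STAGE=/ to install for real), plus a check of whether Samba will
# actually hand the password to PAM. Assumptions not in the original post:
# the bind DN, the share name [shared] and the path /srv/share.
STAGE=${STAGE:-./stage}

write_configs() {
    mkdir -p "$STAGE/etc/pam.d" "$STAGE/etc/samba"

    # /etc/ldap.conf is read by pam_ldap and nss_ldap. Host/port/base are the
    # asker's values. The bind password lives in /etc/ldap.secret (mode 600)
    # via rootbinddn, because ldap.conf itself must stay world-readable for NSS.
    cat >"$STAGE/etc/ldap.conf" <<'EOF'
host authn.directory.vt.edu
port 389
base ou=People,dc=vt,dc=edu
rootbinddn cn=samba-bind,ou=People,dc=vt,dc=edu
pam_login_attribute uupid
nss_map_attribute uid uupid
EOF
    printf '%s\n' '<Password>' >"$STAGE/etc/ldap.secret"
    chmod 600 "$STAGE/etc/ldap.secret"

    cat >"$STAGE/etc/nsswitch.conf" <<'EOF'
passwd:  files ldap
shadow:  files ldap
group:   files ldap
hosts:   files dns
EOF

    # Samba asks PAM for the service name "samba": local accounts first,
    # then LDAP, reusing the password already collected.
    cat >"$STAGE/etc/pam.d/samba" <<'EOF'
auth     sufficient pam_unix.so
auth     required   pam_ldap.so use_first_pass
account  required   pam_unix.so broken_shadow
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
session  required   pam_unix.so
session  optional   pam_ldap.so
EOF

    cat >"$STAGE/etc/samba/smb.conf" <<'EOF'
[global]
   security = user
   ; PAM only sees the password itself when it arrives in cleartext;
   ; obey pam restrictions = yes adds PAM's account and session checks.
   encrypt passwords = no
   obey pam restrictions = yes

[shared]
   path = /srv/share
   read only = no
   nt acl support = yes
EOF
}

# Print the [global] value of a parameter from an smb.conf. Samba treats
# parameter names case-insensitively and ignores whitespace inside them.
smb_global_value() {
    awk -v key="$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }' "$1"
}

is_yes() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in yes|true|1) return 0 ;; esac
    return 1
}

# pam-auth: PAM checks the password (what natoka's scheme needs).
# pam-account-only: Samba verifies the NTLM hash itself, PAM only does
# account/session. no-pam: PAM is not consulted. Samba's defaults are
# encrypt passwords = yes and obey pam restrictions = no.
pam_auth_mode() {
    enc=$(smb_global_value "$1" 'encrypt passwords')
    obey=$(smb_global_value "$1" 'obey pam restrictions')
    if ! is_yes "${enc:-yes}"; then echo pam-auth
    elif is_yes "${obey:-no}"; then echo pam-account-only
    else echo no-pam
    fi
}

if [ "${1:-}" = write ]; then
    write_configs && pam_auth_mode "$STAGE/etc/samba/smb.conf"
fi
```

Run it as `sh samba-pam-stage.sh write` to stage the files and print the mode; pointing `pam_auth_mode` at an existing smb.conf tells you whether a PAM-only LDAP setup would be consulted for passwords at all.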
 
vtois (Author) commented:
Thank you for your response, natoka. In addition to the detail:

The Linux box apparently is configured with Samba to authenticate against a Windows domain, so there are no local Linux users; it just gets mapped, apparently.

And the LDAP would need "filtering" for authentication. In other words, only accepting directory sharing if, say, the user has blah=Admin in the LDAP query.

Is your suggested way still possible?
 
natoka commented:
Hmm, I think in the case of a Windows LDAP server you will have to drop the mapping and create real users on the Unix box on the fly when authentication against the LDAP server is successful. Of course you'll still need ACLs, so to speak an ACL-capable filesystem and Samba (and probably some ACL tools).
The filtering per directory on some extended LDAP attributes is definitely not possible with PAM yet. But you can work around that in the on-the-fly creation of the user: just write your own script that queries the LDAP server for that specific LDAP attribute, and when it's set, set the appropriate ACLs in the file system so that the Unix user has access to the directories/files as desired.
Of course the drawback of this scheme is that when you want to update the ACLs to adhere to changes in the LDAP directory and to changes in the rights on the share, you'll have to create a cron job that does that, perhaps every five minutes or so...

So again, there is no way to do that in Samba out of the box, and in PAM there is also no way. All you can do is script your own solution (or find someone who does that for you).
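The "script your own solution" sketched in the answer above, as an added example (not code from the thread): it queries the directory for the gating attribute, turns the result into a user list, and prints the setfacl commands that reconcile the share's ACL with that list, which is what the five-minute cron job would run. Assumptions not in the original post: the attribute is called "role" with value "Admin" (the asker only wrote blah=Admin), the share is /srv/share, OpenLDAP's ldapsearch and the acl package (getfacl/setfacl) are installed, the bind DN and password file, and that user names resolve through NSS (nss_ldap or on-the-fly useradd), since setfacl rejects names it cannot look up. The LDIF sample embedded in the script is constructed so the parsing and planning steps run offline.

```shell
#!/bin/sh
# Added example, not code from the thread: natoka's "query LDAP for the
# attribute, then set ACLs from cron" scheme. Assumptions not in the original
# post: attribute "role" with value "Admin", share /srv/share, the bind DN
# and password file, and that setfacl can resolve the user names via NSS.
SHARE_DIR=${SHARE_DIR:-/srv/share}
LDAP_URI=ldap://authn.directory.vt.edu:389
LDAP_BASE='ou=People,dc=vt,dc=edu'
BIND_DN=${BIND_DN:-cn=samba-bind,ou=People,dc=vt,dc=edu}

# Fetch uupid and role for every person entry (LDIF, one attribute per line).
query_ldap() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" -D "$BIND_DN" \
        -y /etc/ldap.secret '(uupid=*)' uupid role
}

# Constructed sample of what query_ldap returns, for running offline.
# The last entry carries an unsafe uupid and must be dropped, never granted.
SAMPLE_LDIF='dn: uupid=alice,ou=People,dc=vt,dc=edu
uupid: alice
role: Admin

dn: uupid=bob,ou=People,dc=vt,dc=edu
uupid: bob
role: Student

dn: uupid=carol,ou=People,dc=vt,dc=edu
uupid: carol
role: Student
role: Admin

dn: uupid=mallory;id,ou=People,dc=vt,dc=edu
uupid: mallory;id
role: Admin'

# Read LDIF on stdin; print one uupid per line for entries carrying
# "role: Admin". Entries are separated by blank lines and role may be
# multi-valued. Names that are not safe POSIX user names are dropped so
# nothing from the directory reaches the shell unvalidated. (Assumes
# ldapsearch did not fold or base64-encode these short values.)
entitled_users() {
    awk '
        /^uupid: /      { user = $2 }
        /^role: Admin$/ { ok = 1 }
        /^$/            { flush() }
        END             { flush() }
        function flush() {
            if (ok && user ~ /^[A-Za-z0-9._][A-Za-z0-9._-]*$/) print user
            user = ""; ok = 0
        }'
}

# Users currently named in the directory's access ACL, one per line.
current_acl_users() {
    getfacl -p --omit-header "$1" | sed -n 's/^user:\([^:][^:]*\):.*/\1/p'
}

# Print the setfacl commands that turn the current list (arg 1) into the
# wanted list (arg 2) on directory arg 3: revoke first, then grant, and
# keep every subdirectory's default ACL in step so files created later by
# Windows users inherit the same entries. Printed rather than executed so
# the cron job can log the plan and pipe it to sh. The directory path is
# admin-supplied and trusted; the user names were validated above.
acl_plan() {
    current=$1; wanted=$2; dir=$3
    for u in $current; do
        printf '%s\n' "$wanted" | grep -qxF -- "$u" && continue
        echo "setfacl -R -x u:$u '$dir'"
        echo "find '$dir' -type d -exec setfacl -x d:u:$u {} +"
    done
    for u in $wanted; do
        printf '%s\n' "$current" | grep -qxF -- "$u" && continue
        echo "setfacl -R -m u:$u:rwx '$dir'"
        echo "find '$dir' -type d -exec setfacl -m d:u:$u:rwx {} +"
    done
}

# Cron entry for the refresh natoka suggests (file name is an assumption):
# /etc/cron.d/share-acls:  */5 * * * * root /usr/local/sbin/sync-share-acls.sh run | sh
if [ "${1:-}" = run ]; then
    acl_plan "$(current_acl_users "$SHARE_DIR")" "$(query_ldap | entitled_users)" "$SHARE_DIR"
elif [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LDIF" | entitled_users
fi
```

Running `sh sync-share-acls.sh demo` prints the entitled names from the constructed sample (alice and carol; bob lacks the attribute and the mallory entry is rejected by the name check), and `run` emits the reconciliation plan for the real share without applying it until you pipe it to sh.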
 
vtois (Author) commented:
Thank you for your time; I decided to go with the WebDAV feature of Apache.