OpenDJ integration with Samba
Although the integration of OpenDJ with Samba is not explicitly documented, it does exist for OpenDS – which, as we already know, is the same product as OpenDJ. However, what is not covered is the synchronisation for the Samba password attributes with the LDAP password. This is the aspect we would try to cover in this article.
In order to have Windows PCs authenticated against Samba, it has to use encoding algorithms specified by Microsoft standards to store the password hashes. For that purpose, it uses two attributes: “sambaLMPassword” and “sambaNTPassword”. On the other hand, an LDAP directory server would normally use “userPassword” attribute to store it’s own password hash (which, by the way, is usually not according to the Microsoft world).
This situation brings about the issue of password synchronisation between the “userPassword” and Samba password attributes. Although Samba provides a feature to synchronise the Samba password with the LDAP password, it does not work in the opposite direction – when the password is changed though the LDAP, the Samba password attributes remain unchanged.
Solution to this problem can be achieved with a plug-in which intercepts the password changes and synchronises the attributes with appropriate values.
OpenDJ has been designed to be highly extensible, so that virtually every aspect of the way it works could be customised. It also comes with an example plug-in which can serve as a good starting basis for development.
Our plug-in covers the following use cases:
- the user password is changed using LDAP modify operation (replace change type on “userPassword” or delete and add change on “userPassword”), and
- the user password is changed using Password Modify Extended Operation.
- the password change has to be performed in clear text format, because, if the password is pre-encoded then there is no way for the plug-in to create a new hash for the Samba attributes;
- if Samba is using the directory root user (traditionally “cn=Directory Manager”) and it is configured to synchronise with LDAP (“ldap passwd sync” configuration parameter in smb.conf), then double synchronisation would occur, for example: a user changes the password through Samba, Samba modifies it’s LDAP attributes and issues a modify operation for “userPassword” attribute, the directory intercepts the password change and synchronises it (again) with the Samba attributes through the plug-in;
- MD4 hashing algorithm is not available as part of Sun JDK, so the plug-in uses BouncyCastle security provider for this functionality – it is available separately;
- when using ldappasswordmodify tool with the paramter ‘-a’ which requires AuthZID format as described in RFC 4513, the plugin would handle only the ‘dn:’ syntax but not the ‘u:’ syntax.
Installation and configuration
The basic set-up for OpenDJ integration with Samba is available on the OpenDS wiki page –” Samba as Primary Domain Controler”. Please note that those are basic instructions for a quick set-up and it might not be appropriate for the production use. For the production, make sure you completely understand both products and how to configure them properly to fir your environment. Among other things, consider using a dedicated user instead of “cn=Directory Manager” as noted above.
The installation of the plug-in requires the following steps:
- copy the JAR file to the OpenDJ directory tree;
- install the plug-in schema;
- restart the directory, and
- configure the plug-in.
[21/Apr/2011:19:29:18 +0200] category=EXTENSIONS severity=INFORMATION msgID=1049147 msg=Loaded extension from file '/opt/ds-1/lib/extensions/samba-password-plugin.jar' (build 1.0, revision 20110420125558)
dsconfig -X create-plugin -D "cn=directory manager" \ -w <password> -h localhost \ --plugin-name "Samba Password Synchronisation" \ --type samba-password --set enabled:true \ --set samba-oc:sambaSAMAccount
- Samba object class (“samba-oc” property) – it is the object class which identifies the entries with Samba attributes, typically it is “sambaSAMAccount”;
- the attribute for the LanMan password hash if used, typically it is “sambaLMPassword” but it can be undefined if not used;
- the attribute for the NT password hash, typically “sambaNTPassword” – this value is provided by default, and
- Samba administrative user, that is, the user which has privileges to perform the account maintenance on behalf of Samba.
That’s it! Now you are ready to go.
In case you experience issues, the best way to troubleshoot is via debug log. The debug log is not enabled by default and it would need some setup:
- create the debug target:
dsconfig -X -n create-debug-target -D "cn=directory manager" \ -w <password> -h localhost --publisher-name "File-Based Debug Logger" \ --target-name cz.profiq.opendj.plugins.SambaPasswordPlugin \ --set debug-level:all
- enable the debug log:
dsconfig -X -n set-log-publisher-prop -D "cn=directory manager" \ -w <password> -h localhost --publisher-name "File-Based Debug Logger" \ --set enabled:true
- Extending Open DS Functionality With A Plugin
- OpenDS API
- The Legion of the Bouncy Castle
- LAN Manager hash
- NT LAN Manager
Note that the plugin has been contributed to the OpenDJ Community and it forms part of OpenDJ 2.5.0.