Now I'll introduce LDAP, show how it integrates with Samba, and discuss security concerns.
LDAP is a popular mechanism for authentication and a common repository for user account data, including personally identifiable information. It has several advantages over flat-file authentication such as /etc/passwd. Chief among them is centralized credentials: applications anywhere on a TCP/IP network can authenticate against one shared LDAP directory, so a user keeps a single account and password for every service. This is often described as single sign-on, although strictly the user still presents the password to each service; what LDAP provides is a single source of truth for that password. Flat-file schemes, by contrast, are tied to one machine and do not distribute well.
LDAP manages data in what is termed a directory information tree (DIT): a hierarchy in which every entry is identified by its distinguished name (DN), which also fixes its position under a parent entry. LDAP is not a relational database. Most servers keep the tree in an embedded key-value store (OpenLDAP's back-bdb and back-hdb, and later back-mdb), and an SQL storage backend is the exception rather than the rule. What LDAP does share with SQL is the notion of a schema: a schema defines the object classes an entry may belong to, the attributes each class requires or permits, and the syntax and matching rules of each attribute. Where an entry lives is a matter of its DN, not of the schema. Because a server can load additional schema files, the directory can be extended to hold new kinds of data without changing the server; that extensibility is exactly what lets Samba's account attributes live in the same tree as the Unix account data.
There are three main integration points between Samba and an LDAP server:
- The first is the inclusion of Samba's schema into the LDAP server.
- The second is configuring Samba to use the LDAP server as its account database.
Samba's ldapsam passdb backend stores each user's Windows password hashes (sambaNTPassword and, optionally, sambaLMPassword) and Windows SID in the user's LDAP entry and reads them back when a client connects. SMB authentication is challenge-response, so Samba needs the stored hash itself rather than a yes/no answer from a password check. Linux's PAM (Pluggable Authentication Modules) and NSS (Name Service Switch) come in alongside this. PAM abstracts authentication away from applications running on Linux: a program calls one API and PAM's configuration decides whether to consult a flat file, LDAP (pam_ldap), or some other mechanism, so the program does not need to understand any particular backend. With nss_ldap and pam_ldap pointed at the same directory, the accounts that Samba authenticates are also visible to Linux as ordinary Unix users, which Samba requires in order to map an SMB user onto a Unix uid for file access.
- The third integration point involves a set of tools that aid in the management of Samba's LDAP directory information tree. This toolkit is produced by a third party; it is nonetheless released under the GNU General Public License (GPL).
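As an added example (not code from this tutorial or from the Samba project), here are the artefacts those three integration points produce, generated from one shell script so they share a base DN: the schema include lines for slapd.conf, the [global] settings that switch Samba to the ldapsam backend in its unencrypted phase-one form, and an LDIF entry for a user that both Linux (posixAccount) and Samba (sambaSamAccount) can see. The suffix dc=example,dc=com, the admin DN cn=Manager, the workgroup EXAMPLE, the schema paths under /etc/openldap/schema, and the domain SID are assumptions; the sambaNTPassword attribute is deliberately omitted because the management tools compute it from the real password, and the RID follows Samba's default algorithmic mapping (uid * 2 + 1000).

```shell
#!/bin/sh
# Added example, not from the original tutorial: render the three Samba/LDAP
# integration artefacts from one set of assumed values.
set -eu

SUFFIX="dc=example,dc=com"        # assumed base DN
ADMIN_DN="cn=Manager,$SUFFIX"     # assumed LDAP admin bind DN used by Samba
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample SID

# 1) slapd.conf: samba.schema depends on attribute types from the core, cosine,
#    nis and inetorgperson schemas, so it must be included after them.
slapd_schema_includes() {
    cat <<'EOF'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
EOF
}

# 2) smb.conf [global] fragment for phase one. With "ldap ssl = off" the admin
#    DN bind and every NT hash Samba reads or writes cross the link in the clear.
#    The admin DN password itself is not in smb.conf; it is stored in secrets.tdb
#    with "smbpasswd -w".
smb_global_ldapsam() {
    cat <<EOF
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = $ADMIN_DN
   ldap suffix = $SUFFIX
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap ssl = off
EOF
}

# 3) LDIF for one user. posixAccount attributes serve NSS/PAM on Linux;
#    sambaSamAccount attributes serve Samba. sambaSID is mandatory for the
#    latter; the RID is derived from the uid number as Samba does by default.
user_ldif() {  # user_ldif <login name> <uidNumber>
    name="$1"; uidnum="$2"; rid=$((uidnum * 2 + 1000))
    cat <<EOF
dn: uid=$name,ou=Users,$SUFFIX
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
cn: $name
sn: $name
uid: $name
uidNumber: $uidnum
gidNumber: 513
homeDirectory: /home/$name
loginShell: /bin/bash
sambaSID: $DOMAIN_SID-$rid
sambaAcctFlags: [U          ]
EOF
}

# Stand-alone run: print all three artefacts.
slapd_schema_includes
echo
smb_global_ldapsam
echo
user_ldif alice 1001
```

The gidNumber 513 is the conventional "Domain Users" RID reused as a Unix group id; the group entry that carries it is created by the same management toolkit and is not shown here.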
A key strength of LDAP is that applications scattered across a network can all authenticate against it. The flip side is that credentials flow across the network during authentication and can be intercepted. In Samba's case the traffic is especially sensitive: Samba binds to the directory with the admin DN's password, and the entries it reads and writes contain each user's NT password hash, which is a password equivalent (it can be replayed in NTLM authentication without ever being cracked). Fortunately, LDAP supports encrypting the connection in two forms: LDAPS, where the session is SSL/TLS from the first byte on a dedicated port (conventionally 636), and StartTLS, which upgrades a plain connection on the standard port 389 to TLS.
In this tutorial, the LDAP server runs on the same physical machine as Samba, so the traffic never leaves the host and there is little need for encryption; note that it still crosses the loopback interface, where a local root user can observe it, and the ldapi:// Unix-domain socket transport is the usual answer for that case. I will nonetheless demonstrate how to encrypt the channel between LDAP and Samba, because it is relatively simple and is necessary for any reader who hosts Samba and LDAP on different machines.
This tutorial proceeds in two phases. The first phase details how to configure Samba and LDAP in an unencrypted mode. Once the first phase is complete, encryption is enabled to secure the channel between Samba and the LDAP server. I am proceeding in a two-phase approach because, in general, it is usually easier to install, configure, and diagnose problems without encryption in the way. Treat the first phase as scaffolding: do it on a network you trust, and if the LDAP admin password was ever sent in the clear over a shared network, change it once encryption is on.
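The check a practitioner wants before declaring phase two done, as an added example rather than anything from the tutorial: a small shell audit that reads an smb.conf and reports whether the Samba-to-LDAP channel is cleartext, StartTLS, LDAPS, or a local Unix socket, and writes the phase-one (weak) and phase-two (hardened) configurations side by side so the difference is visible. The parameter names (passdb backend, ldap ssl) and the ldapsam URI forms are Samba's; the sample configurations it writes to a temporary directory are constructed for the demonstration, with ldap.example.com and cn=Manager,dc=example,dc=com as placeholders. A missing ldap ssl line is treated as Samba's documented default, start tls.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report how Samba reaches its
# LDAP server according to an smb.conf. Hostnames and files are constructed.
set -eu

# Return the value of one parameter, or nothing if it is not set. smb.conf keys
# are case-insensitive and whitespace inside them is not significant; values may
# themselves contain "=" (for example a DN), so split on the first "=" only.
smb_param() {  # smb_param <smb.conf> <parameter name, lower case>
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        { i = index($0, "="); if (i == 0) next       # section headers, blanks
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
          gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (tolower(k) == key) { print v; exit } }' "$1"
}

# Classify the transport between Samba and LDAP.
ldap_channel_status() {  # ldap_channel_status <smb.conf>
    backend=$(smb_param "$1" "passdb backend")
    ssl=$(smb_param "$1" "ldap ssl" | tr 'A-Z' 'a-z')
    ssl=${ssl:-"start tls"}           # Samba's documented default when unset
    case "$backend" in
        ldapsam:*) ;;
        *) echo "not-ldapsam"; return 0 ;;
    esac
    uri=${backend#ldapsam:}
    uri=${uri#\"}                     # ldapsam:"ldap://a ldap://b" lists several URIs
    case "$uri" in
        ldapi://*) echo "local-socket" ;;       # Unix socket: never on the wire
        ldaps://*) echo "encrypted-ldaps" ;;    # TLS from the first byte (port 636)
        ldap://*)
            case "$ssl" in
                "start tls"|start_tls) echo "encrypted-starttls" ;;  # upgraded on port 389
                *) echo "CLEARTEXT" ;;          # off: bind password and NT hashes exposed
            esac ;;
        *) echo "unknown-uri" ;;
    esac
}

# Phase-one (weak) and phase-two (hardened) configurations, side by side.
write_sample_confs() {  # write_sample_confs <dir>
    cat >"$1/phase1.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap ssl = off
EOF
    cat >"$1/phase2.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap ssl = start tls
EOF
}

# Stand-alone run: audit both sample configurations.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in phase1 phase2; do
    printf '%-8s %s\n' "$f" "$(ldap_channel_status "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

A "start tls" verdict only says what Samba will ask for; confirm the server side with `ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base`, where the doubled -ZZ makes the query fail rather than fall back if the StartTLS upgrade does not succeed.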