You can also specify the LDAPI socket path if your OpenLDAP server is
listening in a 'non-standard' location, like:

passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi

You have to escape the "/" elements of the path.

Thank you for helping me search in the right direction.

By default, CentOS Directory Server 8.10 (=Red Hat 389 Directory Server 8.10 or 389 Directory Server 1.1) creates a socket under /var/run/slapd-<your instance>.socket. So I have:

passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-<your instance>.socket

This is now working. I even managed to combine this with "ldapsam:trusted" + "ldapsam:editposix" so that I don't have to use external scripts to manage accounts.

Some obstacles remain: "getent shadow" does not return the LDAP-only users, although "getent passwd" and "getent group" work as expected. No shadow entries are present in the LDAP database, so it seems to me that either pdbedit or smbpasswd are not creating those entries or there is something missing in the database configuration, such as appropriate ACLs.

Also, with "ldap passwd sync" enabled, pdbedit and smbpasswd are not able to create a user's password, giving the following message:

ldapsam_modify_entry: LDAP Password could not be changed for user <x> : Confidentiality required
Operation requires a secure connection.

It only works with "ldap passwd sync = no".

I will look into both these issues next.
Thank you


PS - For now, I don't know if I will adopt this connection over Unix sockets, since there appears to be a bug in the current implementation:

LDAPI: activation of LDAPI UNIX socket causes serious performance issues in TCP/IP searches
https://bugzilla.redhat.com/show_bug.cgi?id=497556

The above page also contains a patch. I will look into it.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
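The point made at the top of this thread is that the socket path inside an ldapi:// URL has to be percent-encoded ("/" becomes "%2f") before it can go into "passdb backend = ldapsam:ldapi://...". The following shell helper is an added example, not code from the thread or from Samba/389 DS: it builds the encoded URL and the smb.conf line from a plain socket path, so the escaping is done by a script instead of by hand. The socket paths are the ones quoted in the thread; the ldapsearch invocation at the end is a suggested sanity check that assumes the ldap client tools are installed and a directory server is actually listening on the socket.

```shell
#!/bin/sh
# Added example (not from the original thread): derive the percent-encoded
# ldapi:// URL that Samba's ldapsam backend expects from a Unix socket path.
# The "/" characters of the path must be written as %2f in the URL, otherwise
# the URL parser treats them as path separators instead of part of the host.

# Percent-encode the characters that matter in a socket path.
# "%" is encoded first so that pre-existing percent signs survive decoding;
# "/" is the one the thread is about; spaces are encoded for completeness.
ldapi_encode_path() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's|/|%2f|g' -e 's/ /%20/g'
}

# Full ldapi:// URL for a socket path, e.g. ldapi://%2fvar%2frun%2fldapi
ldapi_url() {
    printf 'ldapi://%s\n' "$(ldapi_encode_path "$1")"
}

# The smb.conf line equivalent to the ones quoted in the thread.
smbconf_passdb_line() {
    printf 'passdb backend = ldapsam:%s\n' "$(ldapi_url "$1")"
}

# Returns success only if the path exists and is a Unix-domain socket,
# i.e. the directory server has really created it (assumed check, run locally).
check_ldapi_socket() {
    [ -S "$1" ]
}

# Suggested live test (needs ldap client tools and a listening server):
#   ldapsearch -H "$(ldapi_url /var/run/slapd-<your instance>.socket)" \
#              -Y EXTERNAL -b "" -s base
#
# Stand-alone usage: ./ldapi_url.sh /var/run/ldap2.4/ldapi
if [ $# -gt 0 ]; then
    if check_ldapi_socket "$1"; then
        echo "socket found: $1"
    else
        echo "warning: $1 is not an existing Unix socket" >&2
    fi
    smbconf_passdb_line "$1"
fi
```

Because `$(...)` strips the trailing newline, the functions can be composed or compared directly in a script; the decoding back to a filesystem path is done by libldap when Samba opens the connection, so the encoded form is what belongs in smb.conf.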