OpenDJ integration with Samba

Posted 13 years ago by Nemanja Lukic

Although the integration of OpenDJ with Samba is not explicitly documented, it does exist for OpenDS – which, as we already know, is the same product as OpenDJ. However, what is not covered is the synchronisation for the Samba password attributes with the LDAP password. This is the aspect we would try to cover in this article.

The problem

In order to have Windows PCs authenticated against Samba, it has to use encoding algorithms specified by Microsoft standards to store the password hashes. For that purpose, it uses two attributes: “sambaLMPassword” and “sambaNTPassword”. On the other hand, an LDAP directory server would normally use “userPassword” attribute to store it’s own password hash (which, by the way, is usually not according to the Microsoft world).

This situation brings about the issue of password synchronisation between the “userPassword” and Samba password attributes. Although Samba provides a feature to synchronise the Samba password with the LDAP password, it does not work in the opposite direction – when the password is changed though the LDAP, the Samba password attributes remain unchanged.

Solution to this problem can be achieved with a plug-in which intercepts the password changes and synchronises the attributes with appropriate values.

The plug-in

OpenDJ has been designed to be highly extensible, so that virtually every aspect of the way it works could be customised. It also comes with an example plug-in which can serve as a good starting basis for development.

Our plug-in covers the following use cases:

  • the user password is changed using LDAP modify operation (replace change type on “userPassword” or delete and add change on “userPassword”), and
  • the user password is changed using Password Modify Extended Operation.
Limitations:
  • the password change has to be performed in clear text format, because, if the password is pre-encoded then there is no way for the plug-in to create a new hash for the Samba attributes;
  • if Samba is using the directory root user (traditionally “cn=Directory Manager”) and it is configured to synchronise with LDAP (“ldap passwd sync” configuration parameter in smb.conf), then double synchronisation would occur, for example: a user changes the password through Samba, Samba modifies it’s LDAP attributes and issues a modify operation for “userPassword” attribute, the directory intercepts the password change and synchronises it (again) with the Samba attributes through the plug-in;
  • MD4 hashing algorithm is not available as part of Sun JDK, so the plug-in uses BouncyCastle security provider for this functionality – it is available separately;
  • when using ldappasswordmodify tool with the paramter ‘-a’ which requires AuthZID format as described in RFC 4513, the plugin would handle only the ‘dn:’ syntax but not the ‘u:’ syntax.
For internal processing, the plug-in differentiates between the operations performed by an authorised user (the user himself or the directory administrator) and a user which can perform changes in the directory on behalf of Samba – the Samba administrative user. If you have created a special user for this purpose (and given it appropriate privileges, of course) then the plug-in would skip the attribute synchronisation for changes initiated by him – this way, the double synchronisation is avoided. For that reason, you should not reset the password of a user using this special user outside of Samba, since the synchronisation would not occur. This user, however, must not be the directory administrator (“cn=Directory Manager”) because even the valid password resets would be skipped.

Installation and configuration

The basic set-up for OpenDJ integration with Samba is available on the OpenDS wiki page –” Samba as Primary Domain Controler”. Please note that those are basic instructions for a quick set-up and it might not be appropriate for the production use. For the production, make sure you completely understand both products and how to configure them properly to fir your environment. Among other things, consider using a dedicated user instead of “cn=Directory Manager” as noted above.

The installation of the plug-in requires the following steps:

  1. copy the JAR file to the OpenDJ directory tree;
  2. install the plug-in schema;
  3. restart the directory, and
  4. configure the plug-in.
The actual plug-in comes as samba-password-plugin.jar archive and needs to be copied to: <OpenDJ>/lib/extensions.
For the plug-in to be configured successfully, the directory schema has to be extended. The schema file 99-samba-password-plugin.ldif needs to be copied to: <OpenDJ>/config/schema. The plugin depends on the BouncyCastle MD4 implementation, and so the BC provider JAR has to be downloaded and installed in the <OpenDJ>/lib directory along with the plugin JAR.

To have the directory load the plug-in, it has to be restarted. On the start-up, observe the following message (or something alike):
[21/Apr/2011:19:29:18 +0200] category=EXTENSIONS severity=INFORMATION
msgID=1049147 msg=Loaded extension from file
'/opt/ds-1/lib/extensions/samba-password-plugin.jar' (build 1.0,
revision 20110420125558)
Of course, look out for any error messages. After you confirm the plug-in has been successfully loaded and the directory up and running, you can proceed to the configuration:
dsconfig -X create-plugin -D "cn=directory manager" 
-w <password> -h localhost 
--plugin-name "Samba Password Synchronisation" 
--type samba-password --set enabled:true 
--set samba-oc:sambaSAMAccount
If you want to configure it interactively, you would need to be ready to provide the information about your Samba setup. It includes:
  • Samba object class (“samba-oc” property) – it is the object class which identifies the entries with Samba attributes, typically it is “sambaSAMAccount”;
  • the attribute for the LanMan password hash if used, typically it is “sambaLMPassword” but it can be undefined if not used;
  • the attribute for the NT password hash, typically “sambaNTPassword” – this value is provided by default, and
  • Samba administrative user, that is, the user which has privileges to perform the account maintenance on behalf of Samba.
The configuration values are verified against the current directory configuration and contents, so you have to make sure the schema for Samba is already loaded, the attributes correspond to the object class you have provided and the user exists with the “password-reset” privilege. Note that you would have to modify ACI rules for the administrative user, but that depends on your security policy so it is not checked by the plug-in.

That’s it! Now you are ready to go.

Debugging

In case you experience issues, the best way to troubleshoot is via debug log. The debug log is not enabled by default and it would need some setup:

  • create the debug target:
dsconfig -X -n create-debug-target -D "cn=directory manager" 
-w <password> -h localhost --publisher-name "File-Based Debug Logger" 
--target-name cz.profiq.opendj.plugins.SambaPasswordPlugin 
--set debug-level:all
  • enable the debug log:
dsconfig -X -n set-log-publisher-prop -D "cn=directory manager" 
-w <password> -h localhost --publisher-name "File-Based Debug Logger" 
--set enabled:true

Useful resources

Note that the plugin has been contributed to the OpenDJ Community and it forms part of OpenDJ 2.5.0.

Nemanja Lukic

Leave a Reply

Related articles