LDAPCon 2015, Edinburgh
An OpenLDAP backend for Samba 4
Nadezhda Ivanova
Software Engineer @ Symas Corp

About Samba4
● Combines the file sharing service of Samba with a fully AD compatible Domain Controller
● Can be a standalone Domain Controller
● Can join an existing Windows Active Directory domain as a member server, or an RODC
● Supports all FSMO roles
● Domain member machines work with Samba4 transparently
● Management can be done both with samba-tool and by installing Microsoft's RSAT (Remote Server Administration Tools) on a Windows machine.

About Samba4
● Released in 2013 after more than 10 years in development
● Successfully deployed by small to mid-sized companies
● Functionality is developed as separate modules
● Microsoft Open Specifications Program (as of 2007)

A little light reading...
● https://wiki.samba.org - detailed instructions on how to set up a Samba4 DC
● [MS-ADTS]: Active Directory Technical Specification
● [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
● Windows Protocols Technical Specifications: https://msdn.microsoft.com/en-us/library/jj712081.aspx

Samba 4 functionality
● LDAP – provides its own LDAP server, fully compatible with the AD flavor of LDAP and the AD schema.
● Kerberos KDC – integrated in Samba.
  – Heimdal Library
  – MIT Kerberos Library
● DNS
  – Internal Samba DNS
  – Bind
● RPC

RPC protocols
● Security Account Manager (SAMR)
● Local Security Authority (LSAR)
● DFSR – necessary for AD compatibility, because it is used to replicate Sysvol
● DRSR – Directory Replication Service – implements multi-master replication
Samba 4 with TDB

Problems of Samba 4 with TDB
● Scalability
  – The supported TDB version is 32-bit, which puts a 4 GB limit on the database, equal to around 300 000 objects depending on their size.
  – Work on the 64-bit version is not progressing
● Performance
  – Initial bulk load of 350 000 small user objects (LDIF, with unicodePwd) takes more than 6 hours on a real hardware machine.
  – The results are the same with direct LDB load, so they do not depend on network or protocol overhead.
  – A POC of an MDB back-end for LDB was created by Jakub Hrozek, but oddly, it did not significantly improve performance.

Samba provisioning with Legacy OpenLDAP
● The Samba provisioning script creates slapd.conf
  – Only the basic partitions; no new partitions can be added
● The provisioning script creates a schema definition file for OpenLDAP
● Populates the created databases with the necessary initial data

Why not use the legacy OpenLDAP back-end
● A “real” back-end – LDAP traffic goes through Samba, to make sure all the AD request processing specifics are implemented
● Incompatible with replication, as back then there was no transaction support
● Support was discontinued; since then Samba has made huge progress
  – Multi-master replication
  – DNS
● Conflicts with standard LDAPv3
  – Same attribute name, different OID
  – Object classes with changed definitions, attributes that in AD are operational
● This was resolved by adding additional modules to strip extended DN components, or to map attribute names
● Essentially obsolete
● Would not solve all performance problems
● Officially declared dead around 2010/2011

top
OpenLDAP's definition:
( 2.5.6.0 NAME 'top'
  DESC 'top of the superclass chain'
  ABSTRACT MUST objectClass )

AD's definition:
( 2.5.6.0 NAME 'top'
  DESC 'top of the superclass chain'
  ABSTRACT MUST ( objectClass )
  MAY ( instanceType $ nTSecurityDescriptor $ objectCategory $ adminDescription $
        adminDisplayName $ allowedAttributes $ allowedAttributesEffective $
        allowedChildClasses $ allowedChildClassesEffective $ bridgeheadServerListBL $
        canonicalName $ cn $ description $ directReports $ displayName $
        displayNamePrintable $ dSASignature $ dSCorePropagationData $
        extensionName $ flags $ fromEntry $ frsComputerReferenceBL $
        fRSMemberReferenceBL $ fSMORoleOwner $ isCriticalSystemObject $ isDeleted $
        isPrivilegeHolder $ lastKnownParent $ managedObjects $ masteredBy $
        mS-DS-ConsistencyChildCount $ mS-DS-ConsistencyGuid $ msCOM-PartitionSetLink $
        msCOM-UserLink $ msDS-Approx-Immed-Subordinates $ msDs-masteredBy $
        msDS-MembersForAzRoleBL $ msDS-NCReplCursors $ msDS-NCReplInboundNeighbors $
        msDS-NCReplOutboundNeighbors $ msDS-NcType $ msDS-NonMembersBL $
        msDS-ObjectReferenceBL $ msDS-OperationsForAzRoleBL $
        msDS-OperationsForAzTaskBL $ msDS-ReplAttributeMetaData $
        msDS-ReplValueMetaData $ msDS-TasksForAzRoleBL $ msDS-TasksForAzTaskBL $
        name $ netbootSCPBL $ nonSecurityMemberBL $ objectVersion $
        otherWellKnownObjects $ ownerBL $ parentGUID $ partialAttributeDeletionList $
        partialAttributeSet $ possibleInferiors $ proxiedObjectName $ proxyAddresses $
        queryPolicyBL $ replPropertyMetaData $ replUpToDateVector $ repsFrom $ repsTo $
        revision $ sDRightsEffective $ serverReferenceBL $ showInAdvancedViewOnly $
        siteObjectBL $ subRefs $ systemFlags $ url $ uSNDSALastObjRemoved $
        USNIntersite $ uSNLastObjRem $ uSNSource $ wbemPath $ wellKnownObjects $
        wWWHomePage $ msSFU30PosixMemberOf $ msDFSR-ComputerReferenceBL $
        msDFSR-MemberReferenceBL $ msDS-EnabledFeatureBL $ msDS-LastKnownRDN $
        msDS-HostServiceAccountBL $ msDS-OIDToGroupLinkBl $
        msDS-LocalEffectiveRecycleTime $ msDS-LocalEffectiveDeletionTime $
        isRecycled $ msDS-PSOApplied $ msDS-PrincipalName $ msDS-RevealedListBL $
        msDS-AuthenticatedToAccountlist $ msDS-IsPartialReplicaFor $ msDS-IsDomainFor $
        msDS-IsFullReplicaFor $ msDS-RevealedDSAs $ msDS-KrbTgtLinkBl $
        whenCreated $ whenChanged $ uSNCreated $ uSNChanged $ subschemaSubEntry $
        structuralObjectClass $ objectGUID $ distinguishedName $ modifyTimeStamp $
        memberOf $ createTimeStamp $ msDS-NC-RO-Replica-Locations-BL ) )

More than a backend
● Combine OpenLDAP's excellence with Samba's know-how.
● LDAP traffic should be handled by the one best suited for the job – OpenLDAP itself.
  – Move the LDB modules that implement AD specific operations to OpenLDAP whenever needed.
  – RPC and other protocols will still be handled by Samba
● “Relieve” Samba of its LDAP server.

Challenges
● Ldb modules ≈ 40 000 lines of C
● We start by replacing individual modules, but:
  – Samba modules are interconnected and often communicate with each other via internal controls
  – Sometimes RPC traffic is initiated from inside a module, e.g. samldb and replmetadata
● Alleviate the load by code reuse

Samba libraries in OpenLDAP
● Libclisecurity
  – SD generation
  – SDDL parsing
  – Access checks
● libsamba_schema
  – Additional schema data
  – Loading of AD schema LDIF
● libldb, libtalloc – necessary for the above

Work in progress
● Security descriptor generation
● Authorization
● InstanceType value checking
● Extended DN Control (<GUID=...>;<SID=...>;cn=Administrator)
● “Show Deleted” Control
● SAM – research phase
● A module to gather and maintain data necessary for request processing
● A module to load and maintain Samba-type schema information

Operational attributes
● canonicalName
● primaryGroupToken
● tokenGroups
● parentGUID
● modifyTimestamp
● msDS-isRODC
● msDS-userPasswordExpiryTime

Samba/AD Attribute definitions
OpenLDAP attributetype form:
attributetype (
    1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
)

AD attributeSchema entry:
cn: User-Principal-Name
ldapDisplayName: userPrincipalName
attributeId: 1.2.840.113556.1.4.656
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
schemaIdGuid: 28630ebb-41d5-11d1-a9c1-0000f80367c1
systemOnly: FALSE
searchFlags: fATTINDEX
rangeUpper: 1024
attributeSecurityGuid: e48d0154-bcf8-11d1-8702-00c04fb96050
isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
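The attributeSchema-to-attributetype translation shown on this slide, as an added Python example (not code from the talk, Samba or OpenLDAP): it parses the AD entry as LDIF, maps the (attributeSyntax, omSyntax) pair to an LDAP syntax OID and derives the slapd.conf index directive implied by searchFlags. The syntax rows follow the syntax table in [MS-ADTS]; the matching rules chosen per syntax and the NO-USER-MODIFICATION mapping for systemOnly are assumptions of this example.

```python
"""Convert an AD attributeSchema entry into an OpenLDAP attributetype.

Added example, not code from the talk, Samba or OpenLDAP.
"""

# Constructed sample input: the userPrincipalName entry from the slide, as LDIF.
SAMPLE_LDIF = """\
cn: User-Principal-Name
ldapDisplayName: userPrincipalName
attributeId: 1.2.840.113556.1.4.656
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
schemaIdGuid: 28630ebb-41d5-11d1-a9c1-0000f80367c1
systemOnly: FALSE
searchFlags: fATTINDEX
rangeUpper: 1024
"""

# (attributeSyntax, omSyntax) -> (LDAP syntax OID, EQUALITY rule, SUBSTR rule).
# The OID rows follow the [MS-ADTS] syntax table; the matching rules are an
# assumption of this example (what a sensible conversion would pick).
SYNTAX_MAP = {
    ("2.5.5.12", 64): ("1.3.6.1.4.1.1466.115.121.1.15",   # Directory String
                       "caseIgnoreMatch", "caseIgnoreSubstringsMatch"),
    ("2.5.5.8", 1):   ("1.3.6.1.4.1.1466.115.121.1.7",    # Boolean
                       "booleanMatch", None),
    ("2.5.5.9", 2):   ("1.3.6.1.4.1.1466.115.121.1.27",   # Integer
                       "integerMatch", None),
    ("2.5.5.1", 127): ("1.3.6.1.4.1.1466.115.121.1.12",   # DN
                       "distinguishedNameMatch", None),
    ("2.5.5.10", 4):  ("1.3.6.1.4.1.1466.115.121.1.40",   # Octet String
                       "octetStringMatch", None),
    ("2.5.5.11", 24): ("1.3.6.1.4.1.1466.115.121.1.24",   # Generalized Time
                       "generalizedTimeMatch", None),
}

# searchFlags bit for "index this attribute".
SEARCH_FLAG_BITS = {"fATTINDEX": 0x1}


def parse_ldif_entry(text):
    """Minimal LDIF parser: one entry, plain 'attr: value' lines only
    (no base64 '::' values and no line continuations)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError("unsupported LDIF line: %r" % line)
        entry[name.strip()] = value.strip()
    return entry


def parse_search_flags(value):
    """searchFlags is numeric in real schema LDIF; the slide shows symbolic names."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    flags = 0
    for name in value.split("|"):
        flags |= SEARCH_FLAG_BITS[name.strip()]
    return flags


def to_attributetype(entry):
    """Render the OpenLDAP attributetype definition for one attributeSchema entry."""
    key = (entry["attributeSyntax"], int(entry["omSyntax"]))
    if key not in SYNTAX_MAP:
        raise ValueError("no LDAP syntax known for {} ({}/{})".format(
            entry["ldapDisplayName"], key[0], key[1]))
    syntax, equality, substr = SYNTAX_MAP[key]
    lines = [entry["attributeId"], "NAME '%s'" % entry["ldapDisplayName"]]
    if equality:
        lines.append("EQUALITY %s" % equality)
    if substr:
        lines.append("SUBSTR %s" % substr)
    lines.append("SYNTAX %s" % syntax)
    if entry.get("isSingleValued", "FALSE").upper() == "TRUE":
        lines.append("SINGLE-VALUE")
    # Assumption: a systemOnly attribute is closest to NO-USER-MODIFICATION.
    if entry.get("systemOnly", "FALSE").upper() == "TRUE":
        lines.append("NO-USER-MODIFICATION")
    return "attributetype (\n" + "".join("    %s\n" % l for l in lines) + ")"


def index_directive(entry):
    """slapd.conf 'index' line implied by fATTINDEX, or None when the attribute
    is not flagged for indexing; substring indexing only if a SUBSTR rule exists."""
    flags = parse_search_flags(entry.get("searchFlags", "0"))
    if not flags & SEARCH_FLAG_BITS["fATTINDEX"]:
        return None
    _, _, substr = SYNTAX_MAP[(entry["attributeSyntax"], int(entry["omSyntax"]))]
    return "index %s %s" % (entry["ldapDisplayName"], "eq,sub" if substr else "eq")


if __name__ == "__main__":
    sample = parse_ldif_entry(SAMPLE_LDIF)
    print(to_attributetype(sample))
    print(index_directive(sample))
```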

Samba/AD Class definitions
OpenLDAP objectclass form:
objectclass (
    2.5.6.14
    NAME 'device'
    SUP top
    STRUCTURAL
    MUST ( cn )
    MAY ( bootFile $ bootParameter $ cn $ description $ ipHostNumber $
          l $ macAddress $ manager $ msSFU30Aliases $ msSFU30Name $
          msSFU30NisDomain $ nisMapName $ o $ ou $ owner $
          seeAlso $ serialNumber $ uid )
)

AD classSchema entry:
cn: Device
ldapDisplayName: device
governsId: 2.5.6.14
objectClassCategory: 0
rdnAttId: cn
subClassOf: top
auxiliaryClass: ipHost, ieee802Device, bootableDevice
systemMustContain: cn
mayContain: msSFU30Name, msSFU30NisDomain, nisMapName, msSFU30Aliases
systemMayContain: serialNumber, seeAlso, owner, ou, o, l
systemPossSuperiors: domainDNS, organizationalUnit, organization, container
schemaIdGuid: bf967a8e-0de6-11d0-a285-00aa003049e2
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Device,CN=Schema,CN=Configuration,<RootDomainDN>
systemFlags: FLAG_SCHEMA_BASE_OBJECT

Authorization
● Determines an account's rights over a specific object by comparing the security principal's security token with the object's security descriptor.
● Security token – a list of SIDs of every group the security principal is a member of, and the account SID

Access Control Entries
● An ACE grants particular access rights over the entire object, an object class or an attribute
Security descriptors

Calculating SD for a new object
● Input
  – SD of the parent container
  – SD provided by the client
  – Default SD (from the defaultSecurityDescriptor attribute)
  – Session's security token
● Output
  – Owner, Group, Explicit ACEs, Inherited ACEs

Required access for LDAP operations
● Search
  – LIST_CHILDREN on the parent, READ_PROPERTY
● Add
  – CREATE_CHILD
● Modify
  – WRITE_PROPERTY
● Delete
  – DELETE_CHILD on the parent or DELETE on the object
● Rename
  – DELETE_CHILD on the parent, CREATE_CHILD on the new parent, WRITE_PROPERTY on the RDN attribute
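The access check the authorization slides describe, run against the device class's defaultSecurityDescriptor shown earlier, as an added Python example (not code from the talk, Samba's libcli/security or OpenLDAP): it parses the SDDL DACL, resolves the DA/SY/AU aliases against a constructed domain SID, and applies the per-operation rights listed on this slide. Object-type (per-attribute) ACEs, inheritance flags and implicit owner rights are left out, and the parent container is assumed to carry the same DACL as the object.

```python
"""SDDL DACL parsing and a simplified AD access check for LDAP operations.

Added example, not code from the talk, Samba or OpenLDAP. Rights codes and
SID aliases follow the SDDL section of [MS-DTYP]; the check is the ordered
allow/deny walk of the [MS-DTYP] access-check algorithm without object ACEs,
inheritance or owner rights.
"""
import re
from collections import namedtuple

# Two-letter SDDL rights -> AD object access-mask bits.
RIGHTS = {
    "CC": 0x00001, "DC": 0x00002, "LC": 0x00004, "SW": 0x00008,
    "RP": 0x00010, "WP": 0x00020, "DT": 0x00040, "LO": 0x00080,
    "CR": 0x00100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
    "WO": 0x80000,
}
CREATE_CHILD, DELETE_CHILD, LIST_CHILDREN = RIGHTS["CC"], RIGHTS["DC"], RIGHTS["LC"]
READ_PROPERTY, WRITE_PROPERTY, DELETE = RIGHTS["RP"], RIGHTS["WP"], RIGHTS["SD"]

Ace = namedtuple("Ace", "ace_type flags mask sid")

# Constructed sample data: a made-up domain SID and the device class's
# defaultSecurityDescriptor from the class definition slide.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DEVICE_DEFAULT_SD = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                     "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
# Security tokens: the account SID plus every group SID the principal is in
# (Authenticated Users, Domain Admins RID 512 / Domain Users RID 513).
ADMIN_TOKEN = {DOMAIN_SID + "-1001", DOMAIN_SID + "-512", "S-1-5-11"}
USER_TOKEN = {DOMAIN_SID + "-1002", DOMAIN_SID + "-513", "S-1-5-11"}


def resolve_sid(alias, domain_sid):
    """Expand the SDDL aliases used on the slide; S-1-... strings pass through."""
    well_known = {"SY": "S-1-5-18", "AU": "S-1-5-11", "DA": domain_sid + "-512"}
    return well_known.get(alias, alias)


def parse_dacl(sddl, domain_sid):
    """Return the ACEs of the D: section in order (non-object ACEs only)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, obj_guid, inh_guid, sid = body.split(";")
        if obj_guid or inh_guid:
            raise ValueError("object ACEs are outside this example: %r" % body)
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append(Ace(ace_type, flags, mask, resolve_sid(sid, domain_sid)))
    return aces


def access_check(aces, token, desired):
    """Walk the DACL in order: allow ACEs clear the bits still wanted, a deny
    ACE that overlaps anything still wanted fails the check. An empty DACL
    grants nothing beyond a request for no rights at all."""
    remaining = desired
    for ace in aces:
        if ace.sid not in token:
            continue
        if ace.ace_type == "A":
            remaining &= ~ace.mask
        elif ace.ace_type == "D" and ace.mask & remaining:
            return False
        if remaining == 0:
            return True
    return remaining == 0


def ldap_op_allowed(op, token, obj_aces, parent_aces, new_parent_aces=None):
    """Required access per LDAP operation, as listed on the slide."""
    def has(aces, mask):
        return access_check(aces, token, mask)
    if op == "search":
        return has(parent_aces, LIST_CHILDREN) and has(obj_aces, READ_PROPERTY)
    if op == "add":
        return has(parent_aces, CREATE_CHILD)
    if op == "modify":
        return has(obj_aces, WRITE_PROPERTY)
    if op == "delete":
        return has(parent_aces, DELETE_CHILD) or has(obj_aces, DELETE)
    if op == "rename":  # WRITE_PROPERTY here stands for the RDN attribute
        return (has(parent_aces, DELETE_CHILD)
                and has(new_parent_aces, CREATE_CHILD)
                and has(obj_aces, WRITE_PROPERTY))
    raise ValueError("unknown operation %r" % op)


if __name__ == "__main__":
    dacl = parse_dacl(DEVICE_DEFAULT_SD, DOMAIN_SID)
    for name in ("search", "add", "modify", "delete", "rename"):
        print(name, "admin:", ldap_op_allowed(name, ADMIN_TOKEN, dacl, dacl, dacl),
              "user:", ldap_op_allowed(name, USER_TOKEN, dacl, dacl, dacl))
```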

Extended rights and Validated Writes
● ValidatedWrites – checks whether a user is allowed to enter an attribute value (e.g. validateSPN)
● ExtendedRights – the rights to perform specific operations, e.g. update the schema, modify or replicate from a replica, etc.

Constructed attributes
● allowedAttributes – all attributes this object may have
● allowedAttributesEffective – attributes that are permitted to be assigned to a class
● allowedChildClasses – classes for which the particular object is a possible superior
● allowedChildClassesEffective – classes for which the particular object is a possible superior AND the principal has the right to create child objects of these classes
● sDRightsEffective

SAM
● Handles creation of objects that represent security principals
● Creates a SID for the new object
  – If we are not the RID master, initiates a RID pool allocation request
● Initializes user and group object attributes
● Handles userAccountControl

Next Steps
● Implement proper partition creation – this will allow proper provisioning and creation of application partitions.
● Reduce reliance on Samba libraries, for performance reasons.
● Incorporate schema data in OpenLDAP as part of the existing mechanism, rather than in a module.
● Finish porting the LDB module stack.
● Develop an OpenLDAP to Samba communication mechanism – necessary for DRSR and SAM.

Testing
● Samba make test suite
  – Extensive coverage of LDAP functionality with Python scripts
● Microsoft Documentation test suite
  – Developed to test documentation consistency
  – Very helpful in ensuring implementation compatibility

FAQ
● Is this a new version of Samba3 with an OpenLDAP domain controller?
● Will I be able to integrate an existing non-AD directory in an OpenLDAP server running in AD compatibility mode?
● Will I be able to combine using LDAP access lists with the AD access lists?
LDAPCon 2015, Edinburgh

More Related Content

Similar to ivanova-samba_backend.pdf

Apache Spark on HDinsight Training
Apache Spark on HDinsight TrainingApache Spark on HDinsight Training
Apache Spark on HDinsight Training
Synergetics Learning and Cloud Consulting
 
Paris Data Geek - Spark Streaming
Paris Data Geek - Spark Streaming Paris Data Geek - Spark Streaming
Paris Data Geek - Spark Streaming
Djamel Zouaoui
 
Real time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache SparkReal time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache Spark
Rahul Jain
 
Introduction to Apache Spark
Introduction to Apache Spark Introduction to Apache Spark
Introduction to Apache Spark
Hubert Fan Chiang
 
Postgres Vienna DB Meetup 2014
Postgres Vienna DB Meetup 2014Postgres Vienna DB Meetup 2014
Postgres Vienna DB Meetup 2014
Michael Renner
 
Jump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksJump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with Databricks
Anyscale
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and Configuration
Wildan Maulana
 
Kerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-Malla
Kerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-MallaKerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-Malla
Kerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-Malla
Spark Summit
 
Introduction to Apache Spark
Introduction to Apache SparkIntroduction to Apache Spark
Introduction to Apache Spark
Rahul Jain
 
Grails 101
Grails 101Grails 101
Grails 101
David Jacobs
 
Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3
Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3
Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3
Databricks
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Andrejs Prokopjevs
 
Introduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UK
Introduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UKIntroduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UK
Introduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UK
Skills Matter
 
Solutions for bi-directional integration between Oracle RDBMS & Apache Kafka
Solutions for bi-directional integration between Oracle RDBMS & Apache KafkaSolutions for bi-directional integration between Oracle RDBMS & Apache Kafka
Solutions for bi-directional integration between Oracle RDBMS & Apache Kafka
Guido Schmutz
 
Spark Summit East 2015 Advanced Devops Student Slides
Spark Summit East 2015 Advanced Devops Student SlidesSpark Summit East 2015 Advanced Devops Student Slides
Spark Summit East 2015 Advanced Devops Student Slides
Databricks
 
MariaDB: Connect Storage Engine
MariaDB: Connect Storage EngineMariaDB: Connect Storage Engine
MariaDB: Connect Storage Engine
Kangaroot
 
Dragonflow Austin Summit Talk
Dragonflow Austin Summit Talk Dragonflow Austin Summit Talk
Dragonflow Austin Summit Talk
Eran Gampel
 
Retour d'expérience d'un environnement base de données multitenant
Retour d'expérience d'un environnement base de données multitenantRetour d'expérience d'un environnement base de données multitenant
Retour d'expérience d'un environnement base de données multitenant
Swiss Data Forum Swiss Data Forum
 
Apache spark sneha challa- google pittsburgh-aug 25th
Apache spark  sneha challa- google pittsburgh-aug 25thApache spark  sneha challa- google pittsburgh-aug 25th
Apache spark sneha challa- google pittsburgh-aug 25th
Sneha Challa
 
Kerberizing spark. Spark Summit east
Kerberizing spark. Spark Summit eastKerberizing spark. Spark Summit east
Kerberizing spark. Spark Summit east
Jorge Lopez-Malla
 

Similar to ivanova-samba_backend.pdf (20)

Apache Spark on HDinsight Training
Apache Spark on HDinsight TrainingApache Spark on HDinsight Training
Apache Spark on HDinsight Training
 
Paris Data Geek - Spark Streaming
Paris Data Geek - Spark Streaming Paris Data Geek - Spark Streaming
Paris Data Geek - Spark Streaming
 
Real time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache SparkReal time Analytics with Apache Kafka and Apache Spark
Real time Analytics with Apache Kafka and Apache Spark
 
Introduction to Apache Spark
Introduction to Apache Spark Introduction to Apache Spark
Introduction to Apache Spark
 
Postgres Vienna DB Meetup 2014
Postgres Vienna DB Meetup 2014Postgres Vienna DB Meetup 2014
Postgres Vienna DB Meetup 2014
 
Jump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksJump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with Databricks
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and Configuration
 
Kerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-Malla
Kerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-MallaKerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-Malla
Kerberizing Spark: Spark Summit East talk by Abel Rincon and Jorge Lopez-Malla
 
Introduction to Apache Spark
Introduction to Apache SparkIntroduction to Apache Spark
Introduction to Apache Spark
 
Grails 101
Grails 101Grails 101
Grails 101
 
Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3
Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3
Spark Saturday: Spark SQL & DataFrame Workshop with Apache Spark 2.3
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
 
Introduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UK
Introduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UKIntroduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UK
Introduction to Sqoop Aaron Kimball Cloudera Hadoop User Group UK
 
Solutions for bi-directional integration between Oracle RDBMS & Apache Kafka
Solutions for bi-directional integration between Oracle RDBMS & Apache KafkaSolutions for bi-directional integration between Oracle RDBMS & Apache Kafka
Solutions for bi-directional integration between Oracle RDBMS & Apache Kafka
 
Spark Summit East 2015 Advanced Devops Student Slides
Spark Summit East 2015 Advanced Devops Student SlidesSpark Summit East 2015 Advanced Devops Student Slides
Spark Summit East 2015 Advanced Devops Student Slides
 
MariaDB: Connect Storage Engine
MariaDB: Connect Storage EngineMariaDB: Connect Storage Engine
MariaDB: Connect Storage Engine
 
Dragonflow Austin Summit Talk
Dragonflow Austin Summit Talk Dragonflow Austin Summit Talk
Dragonflow Austin Summit Talk
 
Retour d'expérience d'un environnement base de données multitenant
Retour d'expérience d'un environnement base de données multitenantRetour d'expérience d'un environnement base de données multitenant
Retour d'expérience d'un environnement base de données multitenant
 
Apache spark sneha challa- google pittsburgh-aug 25th
Apache spark  sneha challa- google pittsburgh-aug 25thApache spark  sneha challa- google pittsburgh-aug 25th
Apache spark sneha challa- google pittsburgh-aug 25th
 
Kerberizing spark. Spark Summit east
Kerberizing spark. Spark Summit eastKerberizing spark. Spark Summit east
Kerberizing spark. Spark Summit east
 

Recently uploaded

Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
MJDuyan
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
deepaannamalai16
 
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
TechSoup
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Henry Hollis
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
سمير بسيوني
 
Nutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour TrainingNutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour Training
melliereed
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
RidwanHassanYusuf
 
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
National Information Standards Organization (NISO)
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
EduSkills OECD
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
Krassimira Luka
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
Jyoti Chand
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
nitinpv4ai
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
Steve Thomason
 
skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)
Mohammad Al-Dhahabi
 
Data Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsxData Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsx
Prof. Dr. K. Adisesha
 
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
Nguyen Thanh Tu Collection
 
Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10
nitinpv4ai
 
Stack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 MicroprocessorStack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 Microprocessor
JomonJoseph58
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
RamseyBerglund
 

Recently uploaded (20)

Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
 
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
 
Nutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour TrainingNutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour Training
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
 
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
 
skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)
 
Data Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsxData Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsx
 
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
 
Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10
 
Stack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 MicroprocessorStack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 Microprocessor
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
 

ivanova-samba_backend.pdf

  • 1. LDAPCon 2015, Edinburgh An OpenLDAP backend for Samba 4 Nadezhda Ivanova Software Engineer @ Symas Corp
  • 2. LDAPCon 2015, Edinburgh About Samba4 ● Combines the file sharing service of Samba with a fully AD compatible Domain controller ● Can be a standalone Domain Controller ● Can join an existing Windows Active Directory domain as a member server, or an RODC ● Supports all FSMO roles ● Domain member machines work with Samba4 transparently ● Management can be done both with samba-tool and by installing Microsofts RSAT (Remote Server Administration Tools) on a Windows machine.
  • 3. LDAPCon 2015, Edinburgh About Samba4 ● Released in 2013 after more than 10 years in development ● Successfully deployed by small to mid-sized companies ● Functionality is developed as separate modules ● Microsoft Open Specifications Program (as of 2007)
  • 4. LDAPCon 2015, Edinburgh A little light reading... ● https://wiki.samba.org - detailed instructions on how to setup a Samba4 DC ● [MS-ADTS]: Active Directory Technical Specification ● [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol ● Windows Protocols Technical Specifications https://msdn.microsoft.com/en- us/library/jj712081.aspx
  • 5. LDAPCon 2015, Edinburgh Samba 4 functionality ● LDAP – provides its own LDAP server, fully compatible with the AD flavor of LDAP and the AD schema. ● Kerberos KDC – integrated in Samba. – Heimdal Library – MIT Kerberos Library ● DNS – Internal Samba DNS – Bind ● RPC
  • 6. LDAPCon 2015, Edinburgh RPC protocols ● Security Account Manager (SAMR) ● Local Security Authority (LSAR) ● DFSR – necessary to the AD compatibility because it is used to replicate Sysvol ● DRSR - Directory Replication Service – implements multi-master replication
  • 8. LDAPCon 2015, Edinburgh Problems of Samba 4 with TDB ● Scalability – Supported TDB version is 32 bit, which puts a 4GB limit on the database, equals around 300 000 objects depending on their size. – Work on the 64 bit is not progressing ● Performance – Initial Bulk load of 350.000 small User-Objects (LDIF, with unicodePwd) takes more than 6 hours on a real hardware machine. – The results are the same with direct LDB load, not dependent on network or protocol overhead. – A POC of MDB back-end for LDB was created by Jakub Hrozek, but oddly, it did not significantly improve performance.
LDAPCon 2015, Edinburgh
Samba provisioning with legacy OpenLDAP
● The Samba provisioning script creates slapd.conf
– Only the basic partitions; no new partitions can be added
● The provisioning script creates a schema definition file for OpenLDAP
● Populates the created databases with the necessary initial data
LDAPCon 2015, Edinburgh
Why not use the legacy OpenLDAP back-end
● A “real” back-end – LDAP traffic goes through Samba, to make sure all the AD request processing specifics are implemented
● Incompatible with replication, as back then there was no transaction support
● Support was discontinued; since then Samba has made huge progress
– Multi-master replication
– DNS
● Conflicts with standard LDAPv3
– Same attribute name, different OID
– Object classes with changed definitions; attributes that in AD are operational
● This was resolved by adding additional modules to strip extended DN components, or to map attribute names
● Essentially obsolete
● Would not solve all performance problems
● Officially declared dead around 2010/2011
LDAPCon 2015, Edinburgh
The 'top' object class: standard LDAPv3 (OpenLDAP) definition vs. the AD definition
Standard LDAPv3:
( 2.5.6.0 NAME 'top'
    DESC 'top of the superclass chain'
    ABSTRACT MUST objectClass )
AD:
( 2.5.6.0 NAME 'top'
    DESC 'top of the superclass chain'
    ABSTRACT MUST ( objectClass )
    MAY ( instanceType $ nTSecurityDescriptor $ objectCategory $ adminDescription $ adminDisplayName $ allowedAttributes $ allowedAttributesEffective $ allowedChildClasses $ allowedChildClassesEffective $ bridgeheadServerListBL $ canonicalName $ cn $ description $ directReports $ displayName $ displayNamePrintable $ dSASignature $ dSCorePropagationData $ extensionName $ flags $ fromEntry $ frsComputerReferenceBL $ fRSMemberReferenceBL $ fSMORoleOwner $ isCriticalSystemObject $ isDeleted $ isPrivilegeHolder $ lastKnownParent $ managedObjects $ masteredBy $
        mS-DS-ConsistencyChildCount $ mS-DS-ConsistencyGuid $ msCOM-PartitionSetLink $ msCOM-UserLink $ msDS-Approx-Immed-Subordinates $ msDs-masteredBy $ msDS-MembersForAzRoleBL $ msDS-NCReplCursors $ msDS-NCReplInboundNeighbors $ msDS-NCReplOutboundNeighbors $ msDS-NcType $ msDS-NonMembersBL $ msDS-ObjectReferenceBL $ msDS-OperationsForAzRoleBL $ msDS-OperationsForAzTaskBL $ msDS-ReplAttributeMetaData $ msDS-ReplValueMetaData $ msDS-TasksForAzRoleBL $ msDS-TasksForAzTaskBL $ name $ netbootSCPBL $ nonSecurityMemberBL $ objectVersion $ otherWellKnownObjects $ ownerBL $ parentGUID $ partialAttributeDeletionList $ partialAttributeSet $ possibleInferiors $ proxiedObjectName $ proxyAddresses $ queryPolicyBL $ replPropertyMetaData $ replUpToDateVector $ repsFrom $ repsTo $ revision $ sDRightsEffective $ serverReferenceBL $ showInAdvancedViewOnly $ siteObjectBL $ subRefs $ systemFlags $ url $ uSNDSALastObjRemoved $ USNIntersite $ uSNLastObjRem $ uSNSource $ wbemPath $ wellKnownObjects $ wWWHomePage $
        msSFU30PosixMemberOf $ msDFSR-ComputerReferenceBL $ msDFSR-MemberReferenceBL $ msDS-EnabledFeatureBL $ msDS-LastKnownRDN $ msDS-HostServiceAccountBL $ msDS-OIDToGroupLinkBl $ msDS-LocalEffectiveRecycleTime $ msDS-LocalEffectiveDeletionTime $ isRecycled $ msDS-PSOApplied $ msDS-PrincipalName $ msDS-RevealedListBL $ msDS-AuthenticatedToAccountlist $ msDS-IsPartialReplicaFor $ msDS-IsDomainFor $ msDS-IsFullReplicaFor $ msDS-RevealedDSAs $ msDS-KrbTgtLinkBl $ whenCreated $ whenChanged $ uSNCreated $ uSNChanged $ subschemaSubEntry $ structuralObjectClass $ objectGUID $ distinguishedName $ modifyTimeStamp $ memberOf $ createTimeStamp $ msDS-NC-RO-Replica-Locations-BL ) )
LDAPCon 2015, Edinburgh
More than a backend
● Combine OpenLDAP's excellence with Samba's know-how.
● LDAP traffic should be handled by the one best suited for the job – OpenLDAP itself.
– Move the LDB modules that implement AD specific operations to OpenLDAP whenever needed.
– RPC and other protocols will still be handled by Samba
● “Relieve” Samba of its LDAP server.
LDAPCon 2015, Edinburgh
Challenges
● Ldb modules ≈ 40 000 lines of C
● We start by replacing individual modules, but:
– Samba modules are interconnected and often communicate with each other via internal controls
– Sometimes RPC traffic is initiated from inside a module, e.g. samldb and replmetadata
● Alleviate the load by code reuse
LDAPCon 2015, Edinburgh
Samba libraries in OpenLDAP
● Libclisecurity
– SD generation
– SDDL parsing
– Access checks
● libsamba_schema
– Additional schema data
– Loading of AD schema LDIF
● libldb, libtalloc – necessary for the above
LDAPCon 2015, Edinburgh
Work in progress
● Security descriptor generation
● Authorization
● InstanceType value checking
● Extended DN Control (<GUID=...>;<SID=...>;cn=Administrator)
● “Show Deleted” Control
● SAM – research phase
● A module to gather and maintain data necessary for request processing
● A module to load and maintain Samba-type schema information
LDAPCon 2015, Edinburgh
Operational attributes
● canonicalName
● primaryGroupToken
● tokenGroups
● parentGUID
● modifyTimestamp
● msDs-isRODC
● MsDS-userPasswordExpiryTime
LDAPCon 2015, Edinburgh
Samba/AD attribute definitions
OpenLDAP:
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
AD schema (attributeSchema object):
cn: User-Principal-Name
ldapDisplayName: userPrincipalName
attributeId: 1.2.840.113556.1.4.656
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
schemaIdGuid: 28630ebb-41d5-11d1-a9c1-0000f80367c1
systemOnly: FALSE
searchFlags: fATTINDEX
rangeUpper: 1024
attributeSecurityGuid: e48d0154-bcf8-11d1-8702-00c04fb96050
isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
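The two definitions above describe the same attribute in two syntaxes. As an added example (not Samba's provisioning or schema code), here is a minimal converter that derives the OpenLDAP attributetype line from the AD attributeSchema entry; the syntax table is a small subset of the AD attributeSyntax/omSyntax to LDAP syntax mapping, and the LDIF reader handles only plain "attr: value" lines.

```python
"""AD attributeSchema entry -> OpenLDAP attributetype line (added example, not Samba's
provisioning code). The AD attributeSyntax/omSyntax pair selects the LDAP syntax OID and
matching rules, which is how the two userPrincipalName definitions on the slide relate."""

# (attributeSyntax, omSyntax) -> (LDAP syntax OID, EQUALITY rule, SUBSTR rule or None).
# Only the common AD syntaxes are listed here; the full mapping is much longer.
SYNTAX_MAP = {
    ("2.5.5.12", 64): ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch", "caseIgnoreSubstringsMatch"),
    ("2.5.5.9", 2): ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch", None),
    ("2.5.5.9", 10): ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch", None),
    ("2.5.5.8", 1): ("1.3.6.1.4.1.1466.115.121.1.7", "booleanMatch", None),
    ("2.5.5.1", 127): ("1.3.6.1.4.1.1466.115.121.1.12", "distinguishedNameMatch", None),
    ("2.5.5.10", 4): ("1.3.6.1.4.1.1466.115.121.1.40", "octetStringMatch", None),
}

def parse_ldif_entry(text):
    """Minimal one-entry LDIF reader: 'attr: value' lines, no folding, base64 or comments."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry[attr.strip()] = value.strip()
    return entry

def to_attributetype(entry):
    """Render an AD attributeSchema entry in OpenLDAP's attributetype syntax."""
    key = (entry["attributeSyntax"], int(entry["omSyntax"]))
    if key not in SYNTAX_MAP:
        raise ValueError("unmapped AD syntax %r for %s" % (key, entry["ldapDisplayName"]))
    syntax_oid, equality, substr = SYNTAX_MAP[key]
    parts = ["attributetype (", entry["attributeId"], "NAME '%s'" % entry["ldapDisplayName"],
             "EQUALITY " + equality]
    if substr:
        parts.append("SUBSTR " + substr)
    parts.append("SYNTAX " + syntax_oid)
    if entry.get("isSingleValued", "FALSE").upper() == "TRUE":
        parts.append("SINGLE-VALUE")
    parts.append(")")
    return " ".join(parts)

# The User-Principal-Name attributeSchema entry as shown on the slide (abridged).
UPN_ENTRY = """
cn: User-Principal-Name
ldapDisplayName: userPrincipalName
attributeId: 1.2.840.113556.1.4.656
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
schemaIdGuid: 28630ebb-41d5-11d1-a9c1-0000f80367c1
"""
```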
LDAPCon 2015, Edinburgh
Samba/AD class definitions
OpenLDAP:
objectclass ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL
    MUST ( cn )
    MAY ( bootFile $ bootParameter $ cn $ description $ ipHostNumber $ l $ macAddress $ manager $ msSFU30Aliases $ msSFU30Name $ msSFU30NisDomain $ nisMapName $ o $ ou $ owner $ seeAlso $ serialNumber $ uid ) )
AD schema (classSchema object):
cn: Device
ldapDisplayName: device
governsId: 2.5.6.14
objectClassCategory: 0
rdnAttId: cn
subClassOf: top
auxiliaryClass: ipHost, ieee802Device, bootableDevice
systemMustContain: cn
mayContain: msSFU30Name, msSFU30NisDomain, nisMapName, msSFU30Aliases
systemMayContain: serialNumber, seeAlso, owner, ou, o, l
systemPossSuperiors: domainDNS, organizationalUnit, organization, container
schemaIdGuid: bf967a8e-0de6-11d0-a285-00aa003049e2
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Device,CN=Schema,CN=Configuration,<RootDomainDN>
systemFlags: FLAG_SCHEMA_BASE_OBJECT
LDAPCon 2015, Edinburgh
Authorization
● Determines an account's rights over a specific object by comparing the security principal's security token with the object's security descriptor.
● Security token – a list of the SIDs of every group the security principal is a member of, plus the account SID
LDAPCon 2015, Edinburgh
Access Control Entries
● An ACE grants particular access rights over the entire object, an object class or an attribute
LDAPCon 2015, Edinburgh
Calculating the SD for a new object
● Input
– SD of the parent container
– SD provided by the client
– Default SD (from the defaultSecurityDescriptor attribute)
– Session's security token
● Output
– Owner, Group, Explicit ACEs, Inherited ACEs
LDAPCon 2015, Edinburgh
Required access for LDAP operations
● Search – LIST_CHILDREN on the parent, READ_PROPERTY
● Add – CREATE_CHILD
● Modify – WRITE_PROPERTY
● Delete – DELETE_CHILD on the parent or DELETE on the object
● Rename – DELETE_CHILD on the parent, CREATE_CHILD on the new parent, WRITE_PROPERTY on the RDN attribute
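The authorization, ACE and required-access slides above fit together as one check: parse the DACL of the object's security descriptor, then walk its ACEs against the session's token for the rights the operation needs. This is an added example, not Samba's libcli/security code or OpenLDAP's; the domain SID and tokens are constructed, the SDDL parser handles only the subset used by the device class default SD, and the owner's implicit rights, ACE inheritance flags and object-specific GUIDs are left out.

```python
"""Simplified Windows/AD DACL access check (added example, not Samba or OpenLDAP code).
Parses the D: part of an SDDL string, e.g. the device class defaultSecurityDescriptor from
the slides, into ACEs and walks them against a security token (the set of SIDs described
on the authorization slide). ACE flags and object GUIDs are parsed but ignored."""
import re

# Directory access-right bits with their two-letter SDDL codes.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample domain SID
SID_ALIASES = {"SY": "S-1-5-18", "AU": "S-1-5-11", "DA": DOMAIN_SID + "-512"}

def parse_rights(text):
    """Rights field as a run of two-letter codes such as RPWPCC (hex masks not handled)."""
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return (ace_type, access_mask, trustee_sid) for each ACE in the DACL."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl).group(1)  # skip O:/G: prefix and any SACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj_guid, _inherit_guid, trustee = body.split(";")
        aces.append((ace_type, parse_rights(rights), SID_ALIASES.get(trustee, trustee)))
    return aces

def access_check(aces, token_sids, desired):
    """Ordered DACL walk: a deny ACE for a token SID that covers any still-ungranted
    desired bit fails the check; allow ACEs accumulate bits until all are granted."""
    granted = 0
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & desired & ~granted:
            return False
        if ace_type == "A":
            granted |= mask & desired
    return granted == desired

# Rights the "required access" slide demands on the object itself (parent-side checks omitted).
OPERATION_RIGHTS = {"search": RIGHTS["RP"], "modify": RIGHTS["WP"], "delete": RIGHTS["SD"]}

def can(token_sids, sddl, operation):
    return access_check(parse_dacl(sddl), set(token_sids), OPERATION_RIGHTS[operation])

# Sample input: the device class default SD from the slides and two constructed tokens.
DEVICE_DEFAULT_SD = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                     "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
USER_TOKEN = [DOMAIN_SID + "-1105", "S-1-5-11"]   # ordinary user: own SID + Authenticated Users
ADMIN_TOKEN = USER_TOKEN + [DOMAIN_SID + "-512"]  # also a Domain Admins member
```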
LDAPCon 2015, Edinburgh
Extended rights and Validated Writes
● ValidatedWrites – checks whether a user is allowed to enter an attribute value (e.g. validateSPN)
● ExtendedRights – the rights to perform specific operations, e.g. update the schema, modify or replicate from a replica, etc.
LDAPCon 2015, Edinburgh
Constructed attributes
● AllowedAttributes – all attributes this object may have
● AllowedAttributesEffective – attributes that the principal is permitted to assign to this object
● AllowedChildClasses – classes for which the particular object is a possible superior
● AllowedChildClassesEffective – classes for which the particular object is a possible superior AND the principal has the right to create child objects of these classes
● sDRightsEffective
LDAPCon 2015, Edinburgh
SAM
● Handles creation of objects that represent security principals
● Creates a SID for the new object
– If we are not the RID master, initiates a RID pool allocation request
● Initializes user and group object attributes
● Handles userAccountControl
LDAPCon 2015, Edinburgh
Next Steps
● Implement proper partition creation – this will allow proper provisioning and creation of application partitions.
● Reduce reliance on Samba libraries for reasons of performance.
● Incorporate schema data in OpenLDAP as part of the existing mechanism, rather than in a module.
● Finish porting the LDB module stack.
● Develop an OpenLDAP to Samba communication mechanism – necessary for DRSR and SAM.
LDAPCon 2015, Edinburgh
Testing
● Samba make test suite
– Extensive coverage of LDAP functionality with Python scripts
● Microsoft Documentation test suite
– Developed to test documentation consistency
– Very helpful in ensuring implementation compatibility
LDAPCon 2015, Edinburgh
FAQ
● Is this a new version of Samba3 with an OpenLDAP domain controller?
● Will I be able to integrate an existing non-AD directory in an OpenLDAP server running in AD compatibility mode?
● Will I be able to combine using LDAP access lists with the AD access lists?