External LDAP authentication

Hello!
I’m running an Active Directory domain controller using Samba. Is it possible to either replace it with YunoHost or to incorporate YunoHost into it?
I’m running an AD DC server for managing Windows updates and central authentication for my little ecosystem.
Is external authentication possible with YunoHost?
If not, could I maybe set up the Samba AD DC on the same server as YunoHost and let it access the same OpenLDAP database (basically not external authentication, but rather let the domain controller authenticate against the YunoHost LDAP server and make changes, like password changes, from the domain controller)?

Best regards and thank you in advance!

Thank you for rephrasing your question between the chatroom and here; it made me think of a solution. :wink:

I am no expert, but you can try to edit /etc/ldap/ldap.conf to add a URI that your domain controller / Samba can reach. It can be a public URI, but maybe it is preferable to use a private IP address (from the local network or a VPN, depending on your little ecosystem).

The line URI ldap://localhost:389 would become:

URI    ldap://localhost:389 ldaps://10.0.0.1:636

Note that I suggest using LDAPS for a secure connection, and I assume your YunoHost server has 10.0.0.1 as an IP reachable by your controller.

Do not forget to open port 636 within YunoHost and reload LDAP:

yunohost firewall allow TCP 636
systemctl restart slapd.service

:crossed_fingers:


First of all, thank you for your fast response!
Editing the LDAP configuration would, as you described, allow authentication not just to the internal LDAP server but also to my Samba server (running in AD DC mode, of course :slight_smile:).
I also had to add “TLS_REQCERT never” to the config, as my certificates are currently a mess that I’m not yet ready to jump into :stuck_out_tongue:

For anyone trying this, DON’T EDIT THE SEARCHBASE. I forgot that YunoHost authenticates everything at its LDAP server; this includes your precious SSH sudo user. If the searchbase has been altered, it won’t find your current user in the sudo group, and you can get a cup of coffee as you have just shut yourself out. Thankfully I make backups like crazy and could just jump back to one instead of having to live boot and fix the issue or reinstall everything.
Note that you will not be able to see any users, as the searchbase is still yunohost.org; your domain controller will have to incorporate this searchbase. If you decide to play around with the searchbase, make sure you have a local user with sudo privileges and/or a backup to fall back to!

The only question I have is whether this configuration change will persist across YunoHost updates, or more specifically, LDAP updates. But other than that, this has just worked perfectly!

Thank you very much!


You should get warnings about this file being manually modified during updates (it will not attempt to patch the file). Migrations would be trickier, but the system should ask you what to do about it.