Multiple domains in one ldap directory (patch)
pierre.filippone at Retail-sc.com
Mon Dec 15 15:31:23 GMT 2003
we are trying to establish our Openldap server as central directory for
all kinds of services.
A lot of services are already using it, but the biggest missing part is NT
We already know, that Samba 3 is able to take over that part. The only
problem is that we would like to achieve a "one account/one password"
solution. Supporting more than one NT domain is also mandatory for us.
AFAIK the designed way to do that, is to create user entries for each
domain in different branches in the directory
(i.e. ou=people,ou=dom_a,dc=acme,dc=com /
That, of course, means, that we have to multiply the account entries and
to introduce synchronisation mechanisms to achieve
the "one password" for our users. Also that would increase the amount of
data in our directory unnecessarily.
So we looked into the sources and wrote a little (quick and dirty) patch,
to be able to use our existing user entries simultaneously
for more than one domain. (patch for 3.0.1rc2 is attached)
Of course the samba schema had to be changed also:
sambaSID, sambaPrimaryGroupSID and sambaDomainName have to be multi-valued
instead of single-valued.
I also needed sambaSID to be not mandatory for sambaSamAccount (for our
Our LDAP looks like that:
user entries: ou=people,dc=acme,dc=com
root user entries: uid=root,ou=dom_a,ou=itaccounts,dc=acme,dc=com /
( we need different root users because there are different domain admins;
root uidnumbers are != 0; we don't have an account "Administrator" )
group entries: ou=dom_a,ou=posixgroups,dc=acme,dc=com /
machine entries: ou=dom_a,ou=devices,dc=acme,dc=com /
domain entries: sambadomainname=dom_a,dc=acme,dc=com /
On each Samba pdc I configured the filters in /etc/ldap.conf:
ldap suffix = dc=acme,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=dom_a,ou=Devices
ldap group suffix = ou=dom_a,ou=posixgroups
ldap filter = (&(uid=%u)(sambadomainname=dom_a))
To add a user, which has already all sambaSamAccount attributes in his
entry for dom_a,
to dom_b, we simply add three attributes:
sambaSID=userSID in dom_b
sambaPrimaryGroupSID=prim. group SID in dom_b
We now can use the same entry in two different domains.
Of course disabling the account in one domain, by using the account flags,
disables it in all domains.
But we can live with that, because if you want to disable it in only one
domain, simply remove the 3
attributes for that domain.
As already mentioned, our patch is quick and dirty and probably breaks
smbpasswd and pdbedit (not really tested).
For our needs this is not a real problem because I wrote a perl CGI-script
as domain admin interface
which works mainly directly in our directory.
But apart from that, the patch seems to work very well. :-)
At least, I did not notice anything until now, which does not work
properly, including interdomain trusts.
So our question is: Is there any chance, that this functionality can be
included in one of the next releases ?
Maybe by introducing a new config parameter like "ldap multidomain user
entries = yes" and of course a
few (?) changes to the samba sources.
We believe, that this could be another advantage of Samba compared to MS
OSes, especially when we think of
larger environments with one central directory, like ours ;-)
Of course, we can send you our admin script, if you are interested.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2075 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20031215/a92e863b/multidom.obj
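
An added example, not part of the original post and not Samba code: with sambaSID, sambaPrimaryGroupSID and sambaDomainName multi-valued as described above, the values carry no pairing, so a consumer has to select each domain's SIDs by domain-SID prefix and should audit for leftovers after a partial add or removal. The SIDs, the entries and the function names are constructed for illustration; the domain SIDs are assumed to be read from the sambaDomain entries.

```python
# Added example, constructed values. Domain SIDs as read from the sambaDomain entries.
DOMAIN_SIDS = {
    "dom_a": "S-1-5-21-1111111111-2222222222-3333333333",
    "dom_b": "S-1-5-21-4444444444-5555555555-6666666666",
}

def owning_domain(sid):
    """Name of the domain whose SID is `sid` minus its trailing RID, or None."""
    head, _, rid = sid.rpartition("-")
    for name, dom_sid in DOMAIN_SIDS.items():
        if head == dom_sid and rid.isdigit():
            return name
    return None

def resolve(entry, domain):
    """Return (user SID, primary group SID) of `entry` in `domain`, or None."""
    # Multi-valued attributes are unordered: pick by domain-SID prefix, not position.
    if domain not in entry.get("sambaDomainName", []):
        return None  # the per-domain ldap filter would not match this entry
    picked = []
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        hits = [s for s in entry.get(attr, []) if owning_domain(s) == domain]
        if len(hits) != 1:
            raise ValueError(f"{entry['uid']}: {len(hits)} {attr} values for {domain}")
        picked.append(hits[0])
    return tuple(picked)

def audit(entry):
    """Report leftovers from a partial add or removal of a domain's attributes."""
    problems = []
    domains = entry.get("sambaDomainName", [])
    for domain in domains:
        try:
            resolve(entry, domain)
        except ValueError as exc:
            problems.append(str(exc))
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        for sid in entry.get(attr, []):
            if owning_domain(sid) not in domains:
                problems.append(f"{entry['uid']}: stray {attr} {sid}")
    return problems

# Constructed entries: alice is in both domains; bob kept a dom_b sambaSID
# after sambaDomainName=dom_b was removed.
ALICE = {"uid": "alice", "sambaDomainName": ["dom_b", "dom_a"],
         "sambaSID": [DOMAIN_SIDS["dom_a"] + "-3001", DOMAIN_SIDS["dom_b"] + "-5001"],
         "sambaPrimaryGroupSID": [DOMAIN_SIDS["dom_b"] + "-513", DOMAIN_SIDS["dom_a"] + "-513"]}
BOB = {"uid": "bob", "sambaDomainName": ["dom_a"],
       "sambaSID": [DOMAIN_SIDS["dom_a"] + "-3002", DOMAIN_SIDS["dom_b"] + "-5002"],
       "sambaPrimaryGroupSID": [DOMAIN_SIDS["dom_a"] + "-513"]}
```

Running `audit` over every entry after an administrative change catches the case where one of the three per-domain attributes was removed and the others were left behind.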