Multiple domains in one ldap directory (patch)

Pierre Filippone pierre.filippone at
Mon Dec 15 15:31:23 GMT 2003


we are trying to establish our Openldap server as central directory for 
all kinds of services. 
A lot of services are already using it, but the biggest missing part is NT 

We already know, that Samba 3 is able to take over that part. The only 
problem is that we would like to achieve a "one account/one password" 
solution. Supporting more than one NT domain is also mandatory for us.

AFAIK the designed way to do that, is to create user entries for each 
domain in different branches in the directory 
(i.e. ou=people,ou=dom_a,dc=acme,dc=com / 
That, of course, means, that we have to multiply the account entries and 
to introduce synchronisation mechanisms to achieve
the "one password" for our users. Also that would increase the amount of 
data in our directory unneccessarily. 

So we looked into the sources and wrote a little (quick and dirty) patch, 
to be able to use our existing user entries simultaneously 
for more than one domain. (patch for 3.0.1rc2 is attached)
Of course the samba schema had to be changed also:
sambaSID, sambaPrimaryGroupSID and sambaDomainName have to be multi-valued 
instead of single-valued.
I also needed sambaSID to be not mandatory for sambaSamAccount (for our 
admin interface).

Our LDAP looks like that:
user entries:           ou=people,dc=acme,dc=com
root user entries:      uid=root,ou=dom_a,ou=itaccounts,dc=acme,dc=com / 
( we need different root users because there are different domain admins; 
root uidnumbers are != 0; we don't have an account "Administrator" )
group entries:          ou=dom_a,ou=posixgroups,dc=acme,dc=com / 
machine entries:        ou=dom_a,ou=devices,dc=acme,dc=com / 
domain entries:         sambadomainname=dom_a,dc=acme,dc=com / 

On each Samba pdc I configured the filters in /etc/ldap.conf: 
nss_base_passwd ou=people,dc=acme,dc=com?one?sambadomainname=dom_a[/b]
nss_base_group             ou=dom_a[/b],ou=posixgroups,dc=acme,dc=com?one

ldap suffix =  dc=acme,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=dom_a[/b],ou=Devices
ldap group suffix = ou=dom_a[/b],ou=posixgroups
ldap filter =  (&(uid=%u)(sambadomainname=dom_a[/b]))

To add a user, which has already all sambaSamAccount attributes in his 
entry for dom_a, 
to dom_b, we simply add three attributes: 
sambaSID=userSID in dom_b
sambaPrimaryGroupSID=prim. group SID in dom_b

We now can use the same entry in two different domains. 
Of course disabling the account in one domain, by using the account flags, 
disables it in all domains. 
But we can live with that, because if you want to disable it in only one 
domain, simply remove the 3 
attributes for that domain.

As already mentioned, our patch is quick and dirty and probably breaks 
smbpasswd and pdbedit (not really tested). 
For our needs this is not a real problem because I wrote a perl CGI-script 
as domain admin interface 
which works mainly directly in our directory.

But apart of that, the patch seems to work very well. :-) 
At least, I did not notice anything until now, which does not work 
properly, including interdomain trusts.

So our question is: Is there any chance, that this functionality can be 
included in one of  the next releases ?
Maybe by introducing a new config parameter like "ldap multidomain user 
entries = yes" and of course a
few (?) changes to the samba sources. 

We believe, that this could be another advantage of Samba compared to MS 
OSes, especially when we think of
larger environments with one central directory, like ours ;-)

Of course, we can send you our admin script, if you are interested.


Pierre Filippone

-------------- next part --------------
A non-text attachment was scrubbed...
Name: multidom.patch2
Type: application/octet-stream
Size: 2075 bytes
Desc: not available
Url :

More information about the samba-technical mailing list