Making more use of LDAP
Andrew Bartlett
abartlet at samba.org
Thu Jun 19 04:18:22 GMT 2003
I've been thinking about what we need to do to *really* be able to
deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
fronts. Some are easy, some are hard - but all need to be dealt with:
- We need to stop using secrets.tdb for anything that is not
host-specific. In particular, these things need to be in LDAP, and
synced from PDC to BDC:
- Trusted domain records (password, Domain SID etc)
- Our Domain SID
- We need to use and store account policies in LDAP
- Currently we store the values in a tdb on each host
(account_policy.tdb), which can only be modified with a disgusting
pdbedit interface (yes, I added it, so I can call it that) or from NT
User Manager
- To make it worse, the current default value for 'max password age'
is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
2.2 do not.
- We need to store *smb.conf* values in LDAP, where those values
must be consistent across all hosts. Things like the 'idmap uid/gid'
settings come to mind here.
- We need to decide what to do about 'shadowAccount' attributes - we
need a consistent policy regarding the use of these other attributes:
- I would argue that we should read, use and update all these
attributes, and the others used by pam_ldap, so that tools like
Directory Administrator 'just work'.
I realize this is all talk and no action, but I hope that we can
consider these items as we move to 3.0 release, and to future releases.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
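The shadowAccount consistency problem and the 21-day 'max password age' default raised in the message above, as an added example (this is not code from the post, nor Samba's own pdb_ldap): a small Python script parses a constructed LDIF dump of two accounts, works out whether each password is expired from the NT side (sambaPwdLastSet against the 21-day default) and from the pam_ldap side (shadowLastChange plus shadowMax), reports where the two views disagree, and shows what an LDAP backend that "reads, uses and updates" the shadow attributes would write back to keep them in step. The attribute semantics (sambaPwdLastSet in seconds since the epoch, shadowLastChange in days since the epoch, shadowMax in days), the example DNs and the sample values are assumptions taken from the Samba 3 LDAP schema and RFC 2307, not from the post.

```python
"""Cross-check the Samba (pdb_ldap) and pam_ldap (shadowAccount) views of password expiry.

Assumed attribute semantics (not stated in the post; from the Samba 3 LDAP schema
and RFC 2307 shadowAccount):
  sambaPwdLastSet   - seconds since the Unix epoch when the password was last set
  shadowLastChange  - days since the Unix epoch when the password was last changed
  shadowMax         - maximum password age in days
"""

# Default 'max password age' the post says pdb_ldap enforces: 21 days, in seconds.
SAMBA_DEFAULT_MAX_PWD_AGE = 21 * 24 * 3600

SECONDS_PER_DAY = 86400

# Fixed 'now' so results are reproducible: 2003-06-19 (day 12222 since the epoch).
NOW = 1056000000

# Constructed sample directory dump (not real data). 'alice' keeps both views in
# step. 'bob' has shadowMax 99999 (the common "never expires" value) while his
# NT-side password is 30 days old, which the 21-day default rejects.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: shadowAccount
uid: alice
sambaPwdLastSet: 1055136000
shadowLastChange: 12212
shadowMax: 21

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: shadowAccount
uid: bob
sambaPwdLastSet: 1053408000
shadowLastChange: 12192
shadowMax: 99999
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines. Base64 (::) values and folded
    continuation lines are not handled; the constructed input has neither.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def samba_password_expired(entry, now=NOW, max_age=SAMBA_DEFAULT_MAX_PWD_AGE):
    """NT view: password age in seconds exceeds the domain's max password age."""
    last_set = int(entry["sambaPwdLastSet"][0])
    return now - last_set > max_age


def shadow_password_expired(entry, now=NOW):
    """pam_ldap view: today (in days) is past shadowLastChange + shadowMax.

    Returns None when the entry carries no usable shadow attributes.
    """
    if "shadowLastChange" not in entry or "shadowMax" not in entry:
        return None
    last_change = int(entry["shadowLastChange"][0])
    max_days = int(entry["shadowMax"][0])
    today = now // SECONDS_PER_DAY
    return today > last_change + max_days


def check_consistency(entry, now=NOW, max_age=SAMBA_DEFAULT_MAX_PWD_AGE):
    """Return a list of findings where the two views of the account disagree."""
    findings = []
    uid = entry.get("uid", ["?"])[0]
    last_set = int(entry["sambaPwdLastSet"][0])
    expected_last_change = last_set // SECONDS_PER_DAY
    if "shadowLastChange" in entry and int(entry["shadowLastChange"][0]) != expected_last_change:
        findings.append("%s: shadowLastChange %s does not match sambaPwdLastSet (expected %d)"
                        % (uid, entry["shadowLastChange"][0], expected_last_change))
    if "shadowMax" in entry and int(entry["shadowMax"][0]) * SECONDS_PER_DAY != max_age:
        findings.append("%s: shadowMax %s days differs from the domain max password age (%d days)"
                        % (uid, entry["shadowMax"][0], max_age // SECONDS_PER_DAY))
    nt_expired = samba_password_expired(entry, now, max_age)
    shadow_expired = shadow_password_expired(entry, now)
    if shadow_expired is not None and nt_expired != shadow_expired:
        findings.append("%s: Samba says expired=%s but shadowAccount says expired=%s"
                        % (uid, nt_expired, shadow_expired))
    return findings


def sync_shadow_from_samba(entry, max_age=SAMBA_DEFAULT_MAX_PWD_AGE):
    """Shadow attributes a backend would write to make pam_ldap agree with Samba."""
    last_set = int(entry["sambaPwdLastSet"][0])
    return {"shadowLastChange": str(last_set // SECONDS_PER_DAY),
            "shadowMax": str(max_age // SECONDS_PER_DAY)}


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        for finding in check_consistency(e):
            print(finding)
        print(e["uid"][0], "->", sync_shadow_from_samba(e))
```

Run against the sample, alice produces no findings, while bob is reported as expired under the 21-day default on the Samba side but not under his shadowMax of 99999 days; the last function shows the two attributes a backend that updates shadowAccount would have to rewrite to remove that disagreement.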