Making more use of LDAP

Andrew Bartlett abartlet at samba.org
Thu Jun 19 04:18:22 GMT 2003


I've been thinking about what we need to do to *really* be able to
deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
fronts.  Some are easy, some are hard - but all need to be dealt with:

 - We need to stop using secrets.tdb for anything that is not
host-specific.  In particular, these things need to be in LDAP, and
synced from PDC to BDC:
   - Trusted domain records (password, Domain SID etc)
   - Our Domain SID

 - We need to use and store account policies in LDAP
   - Currently we store the values in a tdb on each host
(account_policy.tdb), which can only be modified with a disgusting
pdbedit interface (yes, I added it, so I can call it that) or from NT
User Manager
   - To make it worse, the current default value for 'max password age'
is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
2.2 do not.

 - We need to store *smb.conf* values in LDAP, where those values
   must be consistent across all hosts.  Things like the 'idmap uid/gid'
settings come to mind here.

 - We need to decide what to do about 'shadowAccount' attributes - we
need a consistent policy regarding the use of these other attributes:
   - I would argue that we should read, use and update all these
attributes, and the others used by pam_ldap, so that tools like
Directory Administrator 'just work'.

I realize this is all talk and no action, but I hope that we can
consider these items as we move to 3.0 release, and to future releases.

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net