Making more use of LDAP

Andrew Bartlett abartlet at
Thu Jun 19 04:18:22 GMT 2003

I've been thinking about what we need to do to *really* be able to
deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
fronts.  Some are easy, some are hard - but all need to be dealt with:

 - We need to stop using secrets.tdb for anything that is not
host-specific.  In particular, these things need to be in LDAP, and
synced from PDC to BDC:
   - Trusted domain records (password, Domain SID etc)
   - Our Domain SID

 - We need to use and store account policies in LDAP
   - Currently we store the values in a tdb on each host
(account_policy.tdb), which can only be modified with a disgusting
pdbedit interface (yes, I added it, so I can call it that) or from NT
User Manager
   - To make it worse, the current default value for 'max password age'
is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
2.2 do not.

 - We need to store *smb.conf* values in LDAP, where those values
   must be consistent across all hosts.  Things like the 'idmap uid/gid'
settings come to mind here.

 - We need to decide what to do about 'shadowAccount' attributes - we
need a consistent policy regarding the use of these other attributes:
   - I would argue that we should read, use and update all these
attributes, and the others used by pam_ldap, so that tools like
Directory Administrator 'just work'.

I realize this is all talk and no action, but I hope that we can
consider these items as we move to 3.0 release, and to future releases.

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
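The shadowAccount point above (Samba and pam_ldap each keeping their own password-age view, with pdb_ldap enforcing a 21-day maximum that other tools do not) can be checked on real directory data. The following is an added example, not Samba's code: it parses a single LDIF entry and compares the Samba view (sambaPwdLastSet, seconds since the epoch) with the POSIX view (shadowLastChange/shadowMax, days) against one domain policy. The user entries are constructed and the 21-day value is taken from the post.

```python
# Added example (not Samba's code): cross-check the Samba and POSIX
# shadowAccount password-age attributes against one domain policy.
SECONDS_PER_DAY = 86400
MAX_PWD_AGE = 21 * SECONDS_PER_DAY  # the 21-day pdb_ldap default from the post

def parse_ldif_entry(text):
    """Minimal parser for a single LDIF entry ('attr: value' lines)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def password_status(entry, now, max_pwd_age=MAX_PWD_AGE):
    """Expiry as Samba sees it (sambaPwdLastSet, seconds) and as pam_ldap
    sees it (shadowLastChange/shadowMax, days), plus whether they agree."""
    status = {"samba_expired": None, "posix_expired": None, "notes": []}
    last_set = int(entry["sambaPwdLastSet"][0]) if "sambaPwdLastSet" in entry else None
    if last_set is not None:
        status["samba_expired"] = now - last_set > max_pwd_age
    if "shadowLastChange" in entry:
        last_day = int(entry["shadowLastChange"][0])
        # shadowMax is in days; fall back to the domain policy if it is absent
        max_days = int(entry["shadowMax"][0]) if "shadowMax" in entry else max_pwd_age // SECONDS_PER_DAY
        status["posix_expired"] = now // SECONDS_PER_DAY - last_day > max_days
        # Samba stores seconds, shadow stores days: compare at day granularity
        if last_set is not None and last_set // SECONDS_PER_DAY != last_day:
            status["notes"].append("sambaPwdLastSet and shadowLastChange disagree")
        if max_days * SECONDS_PER_DAY != max_pwd_age:
            status["notes"].append("shadowMax differs from the domain max password age")
    status["consistent"] = not status["notes"]
    return status

# Constructed sample entries (hypothetical users); 'now' is fixed near the post's date.
NOW = 1056000000
CONSISTENT_USER = """uid: alice
sambaPwdLastSet: 1054000000
shadowLastChange: 12199
shadowMax: 21"""
DIVERGENT_USER = """uid: bob
sambaPwdLastSet: 1054000000
shadowLastChange: 12199
shadowMax: 99999"""

if __name__ == "__main__":
    for text in (CONSISTENT_USER, DIVERGENT_USER):
        print(parse_ldif_entry(text)["uid"][0], password_status(parse_ldif_entry(text), NOW))
```

For bob, Samba reports the password expired while pam_ldap (shadowMax 99999) does not, which is exactly the divergence a single LDAP-held policy would remove.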