Making more use of LDAP
abartlet at samba.org
Thu Jun 19 04:18:22 GMT 2003
I've been thinking about what we need to do to *really* be able to
deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
fronts. Some are easy, some are hard - but all need to be dealt with:
- We need to stop using secrets.tdb for anything that is not
host-specific. In particular, these things need to be in LDAP, and
synced from PDC to BDC:
  - Trusted domain records (password, Domain SID etc)
  - Our Domain SID
- We need to use and store account policies in LDAP
  - Currently we store the values in a tdb on each host
  (account_policy.tdb), which can only be modified with a disgusting
  pdbedit interface (yes, I added it, so I can call it that) or from NT
  - To make it worse, the current default value for 'max password age'
  is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
  2.2 do not.
- We need to store *smb.conf* values in LDAP, where those values
must be consistent across all hosts. Things like the 'idmap uid/gid'
settings come to mind here.
- We need to decide what to do about 'shadowAccount' attributes - we
need a consistent policy regarding the use of these other attributes:
  - I would argue that we should read, use and update all these
  attributes, and the others used by pam_ldap, so that tools like
  Directory Administrator 'just work'.
I realize this is all talk and no action, but I hope that we can
consider these items as we move to 3.0 release, and to future releases.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
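An added example (not code from the post or from the Samba project) illustrating the consistency problem raised above: a small check that the Samba password-age attributes of an LDAP entry agree with the shadowAccount attributes that pam_ldap-based tools read, against the 21-day 'max password age' default the post mentions. The attribute names sambaPwdLastSet, sambaPwdMustChange, shadowLastChange and shadowMax are assumed from the Samba 3 and shadowAccount schemas, the sample entry is constructed, and the LDIF parser handles only plain 'attr: value' lines.

```python
SECONDS_PER_DAY = 86400
MAX_PASSWORD_AGE_DAYS = 21  # the pdb_ldap default the post complains about


def parse_ldif_entry(text):
    """Minimal parser for one LDIF entry: plain 'attr: value' lines only,
    no base64 ('::') values and no folded continuation lines."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def password_age_problems(entry, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Compare the Samba password-age attributes (seconds since the epoch)
    with the shadowAccount ones (days since the epoch) and return a list of
    inconsistencies; an empty list means the two views of the account agree."""
    last_set = int(entry["sambaPwdLastSet"][0])
    must_change = int(entry["sambaPwdMustChange"][0])
    shadow_last = int(entry["shadowLastChange"][0])
    shadow_max = int(entry["shadowMax"][0])
    problems = []
    if last_set // SECONDS_PER_DAY != shadow_last:
        problems.append(f"shadowLastChange {shadow_last} != sambaPwdLastSet day "
                        f"{last_set // SECONDS_PER_DAY}")
    if shadow_max != max_age_days:
        problems.append(f"shadowMax {shadow_max} != policy max age {max_age_days} days")
    if must_change != last_set + max_age_days * SECONDS_PER_DAY:
        problems.append(f"sambaPwdMustChange {must_change} != sambaPwdLastSet + "
                        f"{max_age_days} days")
    return problems


# Constructed sample entry: password set 2003-06-19 00:00 UTC
# (epoch second 1055980800, epoch day 12222), expiring 21 days later.
SAMPLE_ENTRY = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: shadowAccount
uid: jdoe
sambaPwdLastSet: 1055980800
sambaPwdMustChange: 1057795200
shadowLastChange: 12222
shadowMax: 21
"""

if __name__ == "__main__":
    for line in password_age_problems(parse_ldif_entry(SAMPLE_ENTRY)) or ["consistent"]:
        print(line)
```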