Making more use of LDAP
Andrew Bartlett
abartlet at samba.org
Thu Jun 19 08:35:05 GMT 2003
On Thu, 2003-06-19 at 14:17, Andrew Bartlett wrote:
> I've been thinking about what we need to do to *really* be able to
> deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
> fronts. Some are easy, some are hard - but all need to be dealt with:
>
> - We need to stop using secrets.tdb for anything that is not
> host-specific. In particular, these things need to be in LDAP, and
> synced from PDC to BDC:
>   - Trusted domain records (password, Domain SID etc)
>   - Our Domain SID
>
> - We need to use and store account policies in LDAP
>   - Currently we store the values in a tdb on each host
>     (account_policy.tdb), which can only be modified with a disgusting
>     pdbedit interface (yes, I added it, so I can call it that) or from NT
>     User Manager
>   - To make it worse, the current default value for 'max password age'
>     is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
>     2.2 do not.
>
> - We need to store *smb.conf* values in LDAP, where those values
> must be consistent across all hosts. Things like the 'idmap uid/gid'
> settings come to mind here.
>
> - We need to decide what to do about 'shadowAccount' attributes - we
> need a consistent policy regarding the use of these other attributes:
>   - I would argue that we should read, use and update all these
>     attributes, and the others used by pam_ldap, so that tools like
>     Directory Administrator 'just work'.
>
> I realize this is all talk and no action, but I hope that we can
> consider these items as we move to 3.0 release, and to future releases.
I would also propose further schema changes (after some off-list
discussion with Howard Chu <hyc at highlandsun.com>):
Seeing we are changing our schema completely anyway, why don't we change
our 'time' attributes to use generalizedTime?
From viewers like gq, and other such tools this is much easier to work
with than a unix time, and seems more in line with the 'LDAP way of
doing things'.
Otherwise, I would propose full-precision NTTIME, but there seems little
need for that at the moment.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
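The three time representations the message weighs against each other (the Unix-time integer Samba 3 stores in attributes such as sambaPwdLastSet, LDAP GeneralizedTime as in "20030619083505Z", and full-precision NTTIME in 100-nanosecond ticks since 1601-01-01) are easy to confuse, so the following added example (written for this page, not code from the mail or from Samba) converts between them and applies the 'max password age' policy arithmetic the quoted part of the message describes. The 21-day figure is the default the message quotes; the timestamp used as sample input is the message's own date and is chosen here only as a constructed example. The NT epoch offset constant and the 100 ns tick size are standard NTTIME facts. Note the caveat the conversion makes visible: the plain whole-second GeneralizedTime form drops the sub-second ticks that NTTIME carries, which is exactly the precision trade-off the author mentions.

```python
from datetime import datetime, timezone

# Ticks (100 ns each) between the NT epoch 1601-01-01 and the Unix epoch
# 1970-01-01: 11644473600 seconds * 10_000_000 ticks per second.
NT_EPOCH_OFFSET_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000

# Default 'max password age' quoted in the mail, in days (assumption: 21).
DEFAULT_MAX_PASSWORD_AGE_DAYS = 21


def unix_to_generalized_time(unix_secs: int) -> str:
    """Render a Unix timestamp as LDAP GeneralizedTime, UTC, whole seconds."""
    dt = datetime.fromtimestamp(unix_secs, tz=timezone.utc)
    return dt.strftime("%Y%m%d%H%M%SZ")


def generalized_time_to_unix(value: str) -> int:
    """Parse the YYYYMMDDHHMMSSZ form of GeneralizedTime back to Unix seconds.

    Only the UTC 'Z' form without fractional seconds or a numeric offset is
    accepted; anything else is rejected rather than silently misparsed.
    """
    if len(value) != 15 or not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"unsupported GeneralizedTime form: {value!r}")
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def unix_to_nttime(unix_secs: int) -> int:
    """Unix seconds -> NTTIME (100 ns ticks since 1601-01-01)."""
    return unix_secs * TICKS_PER_SECOND + NT_EPOCH_OFFSET_TICKS


def nttime_to_unix(nttime: int) -> int:
    """NTTIME -> Unix seconds. Integer division discards sub-second ticks."""
    return (nttime - NT_EPOCH_OFFSET_TICKS) // TICKS_PER_SECOND


def nttime_to_generalized_time(nttime: int) -> str:
    """NTTIME -> GeneralizedTime; sub-second precision is lost on the way."""
    return unix_to_generalized_time(nttime_to_unix(nttime))


def password_expired(pwd_last_set_unix: int, now_unix: int,
                     max_age_days: int = DEFAULT_MAX_PASSWORD_AGE_DAYS) -> bool:
    """True when the password is older than the policy's maximum age.

    Mirrors the arithmetic a pdb backend would do with sambaPwdLastSet and an
    account-policy value expressed in days (assumption: the policy value is a
    whole number of days).
    """
    return now_unix - pwd_last_set_unix > max_age_days * 86400


if __name__ == "__main__":
    # Constructed sample: the mail's own timestamp, 2003-06-19 08:35:05 UTC.
    sent = generalized_time_to_unix("20030619083505Z")
    print("unix      :", sent)
    print("nttime    :", unix_to_nttime(sent))
    print("gentime   :", unix_to_generalized_time(sent))
    # 22 days later the default policy would already have expired the password.
    print("expired?  :", password_expired(sent, sent + 22 * 86400))
```

The parser deliberately accepts only the canonical UTC form; a directory populated by other tools may contain fractional seconds or local offsets, so a production consumer would either canonicalise on write or parse the full RFC 4517 grammar.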