Making more use of LDAP

Andrew Bartlett abartlet at samba.org
Thu Jun 19 08:35:05 GMT 2003


On Thu, 2003-06-19 at 14:17, Andrew Bartlett wrote:
> I've been thinking about what we need to do to *really* be able to
> deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
> fronts.  Some are easy, some are hard - but all need to be dealt with:
> 
>  - We need to stop using secrets.tdb for anything that is not
> host-specific.  In particular, these things need to be in LDAP, and
> synced from PDC to BDC:
>    - Trusted domain records (password, Domain SID etc)
>    - Our Domain SID
> 
>  - We need to use and store account policies in LDAP
>    - Currently we store the values in a tdb on each host
> (account_policy.tdb), which can only be modified with a disgusting
> pdbedit interface (yes, I added it, so I can call it that) or from NT
> User Manager
>    - To make it worse, the current default value for 'max password age'
> is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
> 2.2 do not.
> 
>  - We need to store *smb.conf* values in LDAP, where those values
>    must be consistent across all hosts.  Things like the 'idmap uid/gid'
> settings come to mind here.
> 
>  - We need to decide what to do about 'shadowAccount' attributes - we
> need a consistent policy regarding the use of these other attributes:
>    - I would argue that we should read, use and update all these
> attributes, and the others used by pam_ldap, so that tools like
> Directory Administrator 'just work'.
> 
> I realize this is all talk and no action, but I hope that we can
> consider these items as we move to 3.0 release, and to future releases.

I would also propose further schema changes (after some off-list
discussion with Howard Chu <hyc at highlandsun.com>):

Seeing we are changing our schema completely anyway, why don't we change
our 'time' attributes to use generalizedTime?

From viewers like gq, and other such tools this is much easier to work
with than a unix time, and seems more in line with the 'LDAP way of
doing things'.

Otherwise, I would propose full-precision NTTIME, but there seems little
need for that at the moment.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
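As an added illustration (not code from this mail or from Samba), the three representations the proposal weighs for a password-last-set value: Unix seconds, LDAP GeneralizedTime (RFC 4517), and full-precision NTTIME (100-nanosecond ticks since 1601). The 21-day 'max password age' check mirrors the policy the mail says pdb_ldap enforces; the attribute layout is assumed, not taken from the schema.

```python
from datetime import datetime, timezone

# Seconds between the NT epoch (1601-01-01 UTC) and the Unix epoch (1970-01-01 UTC).
NT_EPOCH_OFFSET = 11644473600
# NTTIME counts 100-nanosecond intervals, i.e. 10 million ticks per second.
NT_TICKS_PER_SECOND = 10_000_000

def unix_to_generalized_time(unix_seconds: int) -> str:
    """Render a Unix timestamp as a UTC GeneralizedTime string, e.g. 20030619083505Z."""
    dt = datetime.fromtimestamp(unix_seconds, tz=timezone.utc)
    return dt.strftime("%Y%m%d%H%M%SZ")

def generalized_time_to_unix(value: str) -> int:
    """Parse a UTC GeneralizedTime value; an optional fractional second is accepted
    but truncated, which is the precision loss relative to NTTIME."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are handled here")
    body = value[:-1]
    if "." in body:
        body = body.split(".", 1)[0]  # drop the fraction, keep whole seconds
    dt = datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def unix_to_nttime(unix_seconds: int) -> int:
    """Unix seconds -> NTTIME ticks (exact, no rounding for whole seconds)."""
    return (unix_seconds + NT_EPOCH_OFFSET) * NT_TICKS_PER_SECOND

def nttime_to_unix(nttime: int) -> int:
    """NTTIME ticks -> Unix seconds; sub-second ticks are discarded."""
    return nttime // NT_TICKS_PER_SECOND - NT_EPOCH_OFFSET

def password_expired(pwd_last_set: str, max_age_days: int, now_unix: int) -> bool:
    """Apply a 'max password age' policy (in days) to a GeneralizedTime last-set value.
    Password is expired once strictly more than max_age_days have elapsed."""
    last_set = generalized_time_to_unix(pwd_last_set)
    return now_unix - last_set > max_age_days * 86400

if __name__ == "__main__":
    # Constructed sample: the timestamp of this mail, 2003-06-19 08:35:05 GMT.
    sent = 1056011705
    gt = unix_to_generalized_time(sent)
    print(gt, unix_to_nttime(sent))
    print("expired after 21 days + 1s:", password_expired(gt, 21, sent + 21 * 86400 + 1))
```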