Making more use of LDAP
abartlet at samba.org
Thu Jun 19 08:35:05 GMT 2003
On Thu, 2003-06-19 at 14:17, Andrew Bartlett wrote:
> I've been thinking about what we need to do to *really* be able to
> deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
> fronts. Some are easy, some are hard - but all need to be dealt with:
> - We need to stop using secrets.tdb for anything that is not
> host-specific. In particular, these things need to be in LDAP, and
> synced from PDC to BDC:
> - Trusted domain records (password, Domain SID etc)
> - Our Domain SID
> - We need to use and store account policies in LDAP
> - Currently we store the values in a tdb on each host
> (account_policy.tdb), which can only be modified with a disgusting
> pdbedit interface (yes, I added it, so I can call it that) or from NT
> User Manager
> - To make it worse, the current default value for 'max password age'
> is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
> 2.2 do not.
> - We need to store *smb.conf* values in LDAP, where those values
> must be consistent across all hosts. Things like the 'idmap uid/gid'
> settings come to mind here.
> - We need to decide what to do about 'shadowAccount' attributes - we
> need a consistent policy regarding the use of these other attributes:
> - I would argue that we should read, use and update all these
> attributes, and the others used by pam_ldap, so that tools like
> Directory Administrator 'just work'.
> I realize this is all talk and no action, but I hope that we can
> consider these items as we move to 3.0 release, and to future releases.
I would also propose further schema changes (after some off-list
discussion with Howard Chu <hyc at highlandsun.com>):
Seeing we are changing our schema completely anyway, why don't we change
our 'time' attributes to use generalizedTime?
From viewers like gq, and other such tools this is much easier to work
with than a unix time, and seems more in line with the 'LDAP way of
Otherwise, I would propose full-precision NTTIME, but there seems little
need for that at the moment.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
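The mail contrasts three ways of storing a time (Unix seconds, LDAP generalizedTime and NTTIME) and mentions pdb_ldap enforcing the 21-day 'max password age' default. The following Python helpers are an added example, not code from the mail or from Samba: they convert between the three representations and apply the 21-day check to a constructed generalizedTime value; the function names are hypothetical.

```python
from datetime import datetime, timezone

# LDAP generalizedTime (RFC 4517), UTC form: YYYYMMDDHHMMSSZ
GT_FORMAT = "%Y%m%d%H%M%SZ"
# NTTIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC;
# this is the number of seconds between that epoch and the Unix epoch.
NT_EPOCH_OFFSET = 11644473600
# The default 'max password age' the mail mentions, in days.
DEFAULT_MAX_PWD_AGE_DAYS = 21


def unix_to_generalized_time(unix_ts: int) -> str:
    """Render a Unix timestamp as an LDAP generalizedTime string."""
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc).strftime(GT_FORMAT)


def generalized_time_to_unix(value: str) -> int:
    """Parse a UTC generalizedTime string back into Unix seconds."""
    if not value.endswith("Z"):
        # Local-offset forms such as 20030619083505+1000 are valid RFC 4517
        # syntax but are rejected here so stored values stay unambiguous.
        raise ValueError("expected a UTC ('Z') generalizedTime value")
    dt = datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def unix_to_nttime(unix_ts: int) -> int:
    """Unix seconds -> NTTIME (100 ns ticks since 1601)."""
    return (unix_ts + NT_EPOCH_OFFSET) * 10_000_000


def nttime_to_unix(nttime: int) -> int:
    """NTTIME -> Unix seconds (sub-second precision is truncated)."""
    return nttime // 10_000_000 - NT_EPOCH_OFFSET


def password_expired(pwd_last_set: str, now_unix: int,
                     max_age_days: int = DEFAULT_MAX_PWD_AGE_DAYS) -> bool:
    """True if a password set at pwd_last_set (generalizedTime) is older
    than max_age_days at now_unix, i.e. the check the mail says pdb_ldap
    applies with its 21-day default."""
    age = now_unix - generalized_time_to_unix(pwd_last_set)
    return age > max_age_days * 86400


if __name__ == "__main__":
    # Constructed sample value: the timestamp of the mail itself.
    last_set = "20030619083505Z"
    ts = generalized_time_to_unix(last_set)
    print(ts, unix_to_generalized_time(ts), unix_to_nttime(ts))
    print(password_expired(last_set, ts + 22 * 86400))
```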