Making more use of LDAP

Andrew Bartlett abartlet at
Thu Jun 19 08:35:05 GMT 2003

On Thu, 2003-06-19 at 14:17, Andrew Bartlett wrote:
> I've been thinking about what we need to do to *really* be able to
> deploy an LDAP/Samba PDC/BDC, and we come up lacking on a number of
> fronts.  Some are easy, some are hard - but all need to be dealt with:
>  - We need to stop using secrets.tdb for anything that is not
> host-specific.  In particular, these things need to be in LDAP, and
> synced from PDC to BDC:
>    - Trusted domain records (password, Domain SID etc)
>    - Our Domain SID
>  - We need to use and store account policies in LDAP
>    - Currently we store the values in a tdb on each host
> (account_policy.tdb), which can only be modified with a disgusting
> pdbedit interface (yes, I added it, so I can call it that) or from NT
> User Manager
>    - To make it worse, the current default value for 'max password age'
> is 21 DAYS, and pdb_ldap now enforces this, where smbpasswd and Samba
> 2.2 do not.
>  - We need to store *smb.conf* values in LDAP, where those values
>    must be consistent across all hosts.  Things like the 'idmap uid/gid'
> settings come to mind here.
>  - We need to decide what to do about 'shadowAccount' attributes - we
> need a consistent policy regarding the use of these other attributes:
>    - I would argue that we should read, use and update all these
> attributes, and the others used by pam_ldap, so that tools like
> Directory Administrator 'just work'.
> I realize this is all talk and no action, but I hope that we can
> consider these items as we move to 3.0 release, and to future releases.

I would also propose further schema changes (after some off-list
discussion with Howard Chu <hyc at>):

Seeing we are changing our schema completely anyway, why don't we change
our 'time' attributes to use generalizedTime?

From viewers like gq, and other such tools this is much easier to work
with than a unix time, and seems more in line with the 'LDAP way of
doing things'.

Otherwise, I would propose full-precision NTTIME, but there seems little
need for that at the moment.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
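As an added example (not code from this post or from Samba), the three time representations the post weighs against each other, converted back and forth, with the 21-day maximum password age the post mentions applied to two generalizedTime attribute values. The sample timestamp is constructed from this message's Date header; strict parsing rejects generalizedTime variants the converter does not handle instead of misreading them.

```python
from datetime import datetime, timezone

# Seconds between the NTTIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
NTTIME_UNIX_OFFSET = 11644473600
# NTTIME counts 100-nanosecond intervals
NTTIME_PER_SECOND = 10_000_000
# Default 'max password age' the post describes pdb_ldap enforcing
DEFAULT_MAX_PASSWORD_AGE_DAYS = 21


def unix_to_generalized_time(ts: int) -> str:
    """Unix seconds -> LDAP generalizedTime in the YYYYMMDDHHMMSSZ form."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def generalized_time_to_unix(value: str) -> int:
    """LDAP generalizedTime -> Unix seconds.

    Accepts only the 15-character UTC form; fractional-second and
    local-offset variants are rejected rather than silently misparsed.
    """
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError(f"unsupported generalizedTime form: {value!r}")
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def unix_to_nttime(ts: int) -> int:
    """Unix seconds -> NTTIME (100 ns units since 1601-01-01)."""
    return (ts + NTTIME_UNIX_OFFSET) * NTTIME_PER_SECOND


def nttime_to_unix(nt: int) -> int:
    """NTTIME -> Unix seconds, truncating the sub-second part."""
    return nt // NTTIME_PER_SECOND - NTTIME_UNIX_OFFSET


def password_expired(pwd_last_set: str, now: str,
                     max_age_days: int = DEFAULT_MAX_PASSWORD_AGE_DAYS) -> bool:
    """Apply a max-password-age policy to two generalizedTime attribute values."""
    age = generalized_time_to_unix(now) - generalized_time_to_unix(pwd_last_set)
    return age > max_age_days * 86400


if __name__ == "__main__":
    # Constructed sample: the Unix time of this message's Date header
    sent = 1056011705
    gt = unix_to_generalized_time(sent)
    print(gt, unix_to_nttime(sent), password_expired("20030501000000Z", gt))
```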