Multiple domains in one ldap directory (patch)
bsmoke at bryantschools.org
Tue Feb 3 15:52:56 GMT 2004
We are very interested in this!
We are going to try your patch on a test server.
can you include your schema file?
and I would like to get your admin perl scripts as well...
we would also like to see this native in samba.
District Network Administrator
Bryant Public Schools
>we are trying to establish our Openldap server as central directory for
>all kinds of services.
>A lot of services are already using it, but the biggest missing part is NT
>We already know, that Samba 3 is able to take over that part. The only
>problem is that we would like to achieve a "one account/one password"
>solution. Supporting more than one NT domain is also mandatory for us.
>AFAIK the designed way to do that, is to create user entries for each
>domain in different branches in the directory
>(i.e. ou=people,ou=dom_a,dc=acme,dc=com /
>That, of course, means, that we have to multiply the account entries and
>to introduce synchronisation mechanisms to achieve
>the "one password" for our users. Also that would increase the amount of
>data in our directory unneccessarily.
>So we looked into the sources and wrote a little (quick and dirty) patch,
>to be able to use our existing user entries simultaneously
>for more than one domain. (patch for 3.0.1rc2 is attached)
>Of course the samba schema had to be changed also:
>sambaSID, sambaPrimaryGroupSID and sambaDomainName have to be multi-valued
>instead of single-valued.
>I also needed sambaSID to be not mandatory for sambaSamAccount (for our
>Our LDAP looks like that:
>user entries: ou=people,dc=acme,dc=com
>root user entries: uid=root,ou=dom_a,ou=itaccounts,dc=acme,dc=com /
>( we need different root users because there are different domain admins;
>root uidnumbers are != 0; we don't have an account "Administrator" )
>group entries: ou=dom_a,ou=posixgroups,dc=acme,dc=com /
>machine entries: ou=dom_a,ou=devices,dc=acme,dc=com /
>domain entries: sambadomainname=dom_a,dc=acme,dc=com /
>On each Samba pdc I configured the filters in /etc/ldap.conf:
>ldap suffix = dc=acme,dc=com
>ldap user suffix = ou=People
>ldap machine suffix = ou=dom_a[/b],ou=Devices
>ldap group suffix = ou=dom_a[/b],ou=posixgroups
>ldap filter = (&(uid=%u)(sambadomainname=dom_a[/b]))
>To add a user, which has already all sambaSamAccount attributes in his
>entry for dom_a,
>to dom_b, we simply add three attributes:
>sambaSID=userSID in dom_b
>sambaPrimaryGroupSID=prim. group SID in dom_b
>We now can use the same entry in two different domains.
>Of course disabling the account in one domain, by using the account flags,
>disables it in all domains.
>But we can live with that, because if you want to disable it in only one
>domain, simply remove the 3
>attributes for that domain.
>As already mentioned, our patch is quick and dirty and probably breaks
>smbpasswd and pdbedit (not really tested).
>For our needs this is not a real problem because I wrote a perl CGI-script
>as domain admin interface
>which works mainly directly in our directory.
>But apart of that, the patch seems to work very well. :-)
>At least, I did not notice anything until now, which does not work
>properly, including interdomain trusts.
>So our question is: Is there any chance, that this functionality can be
>included in one of the next releases ?
>Maybe by introducing a new config parameter like "ldap multidomain user
>entries = yes" and of course a
>few (?) changes to the samba sources.
>We believe, that this could be another advantage of Samba compared to MS
>OSes, especially when we think of
>larger environments with one central directory, like ours ;-)
>Of course, we can send you our admin script, if you are interested.
More information about the samba-technical