Fedora DS Support

Andrew Bartlett abartlet at samba.org
Wed Aug 26 22:31:30 MDT 2009


On Wed, 2009-08-26 at 23:52 -0400, Endi Sukma Dewata wrote:
> Hi Andrew,
> 
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > Thanks for getting back to me quickly, as it means I can help redirect
> > your efforts.  It seems I must have been unclear about the future of
> > those particular changes.  We must remove them - not re-add them.  
> 
> Thanks for your response. I understood what you meant, it's just I think
> I need to do it in multiple steps:
> 
> 1. I need to make sure the master branch tests run with the "temporary"
>    patch I submitted. This is to ensure that the code is good and I'm
>    not wasting time troubleshooting the test script while the problem
>    could lie somewhere else. Currently I'm having a problem compiling
>    the code, it's complaining about missing a header file. I need to
>    investigate whether this is a code or environment issue.

What errors do you get?  Sometimes an extra 'make' or 'make idl_full'
helps. 

> 2. Once #1 is done, I'll remove the "temporary" patch and fix the code
>    to make sure it's still running like before, producing the same test
>    results. When this is done, I'll submit the "real" patch.
> 
> You don't need to merge the "temporary" patch into the repository, I just
> submitted it in case you want to try it. Sorry I wasn't very clear about
> my intention.

No worries. 

> > Setting that ACI makes Fedora DS completely insecure - because it
> > changes the ACL on each partition to be 'anonymous may do anything'. It
> > was a great hack when we first started this, but it must not be
> > revived.
> 
> > The patch I need from you, against master, is best summed up as:
> > 'whatever is needed to make Fedora DS work as a backend, and pass as
> > much of make test as possible, using SASL authentication between Samba4
> > and Fedora DS'. 
> 
> > The background to this is that I reworked the OpenLDAP backend to use
> > secure SASL authentication and strict access control between Samba4 and
> > OpenLDAP many months ago, but did not upgrade Fedora DS to that same
> > level of support.  The Fedora DS backend needs to be upgraded to this
> > same level of maturity. 
> 
> Understood. I might need to do this in multiple steps too so you don't
> have to wait too long to see any progress, also I might have to switch
> back & forth with some other tasks as well. Here is my plan:
> 
> 3. In #2 above I might just move the system:anonymous and aci parameters
>    inside the code, so at least it's no longer visible during provisioning.

That may be easier.  Uncomment the 'aci' in setup/schema_samba4.ldif and
add the ACI manually to provision_basedn_add.ldif,
provision_configuration_add.ldif and provision_schema_add.ldif

>    In #3 I will add the SASL authentication. I might send another
>    patch here.

Good.  One particular task will be to figure out how to add a SASL user
into Fedora DS. (We add them to OpenLDAP using its LDIF backend and
manually constructed LDIF).

> 4. After that I will start fixing Fedora DS specific problems one-by-one
>    so it works as well as OpenLDAP. I might send one patch for each issue.
> 
> You don't need to merge each patch that I will submit right away. You could
> just wait until I complete step #3 or even #4 if you prefer. What do you
> think about this plan?

Sounds good to me.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
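The ACI hack discussed above (a rule on each partition that lets anonymous binds do anything) is easy to reintroduce by accident when editing the provision LDIF files. As an added example that is not part of this thread or of Samba's own provisioning code, the following script audits the `aci:` attributes in an LDIF file and reports any rule that grants write-capable rights to `ldap:///anyone` (which in Fedora DS / 389 DS matches unauthenticated binds) or to `ldap:///all` (any authenticated bind). The sample LDIF is constructed for the example, and the bind DN `cn=samba-admin,cn=samba` used for the restricted rule is an assumption, not the DN Samba actually provisions.

```python
import re

# Rights that let a bind principal change the directory.  "all" includes them.
WRITE_RIGHTS = {"all", "write", "add", "delete", "selfwrite", "moddn"}
ANONYMOUS = "ldap:///anyone"       # 389/Fedora DS: matches unauthenticated binds too
ANY_AUTHENTICATED = "ldap:///all"  # matches any authenticated bind

# One ACI body: ... acl "name"; allow|deny (rights) bind-rule; )
ACI_RE = re.compile(
    r'acl\s*"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>[^;]*);\s*\)\s*$',
    re.IGNORECASE)
USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample (not from Samba's provision_*_add.ldif): an over-permissive
# rule of the kind the thread describes, a rule restricted to one bind DN
# (the DN is an assumption), and a harmless anonymous read rule.
SAMPLE_LDIF = """\
dn: dc=samba,dc=example
objectClass: top
objectClass: domain
dc: samba
aci: (targetattr = "*")(version 3.0; acl "anonymous all";
  allow (all) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "samba4 backend";
  allow (all) userdn = "ldap:///cn=samba-admin,cn=samba";)
aci: (targetattr = "*")(version 3.0; acl "anonymous read";
  allow (read, search, compare) userdn = "ldap:///anyone";)
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def aci_values(text):
    """Return the value of every aci: attribute in the LDIF, unfolded."""
    return [line[4:].strip() for line in unfold_ldif(text)
            if line.lower().startswith("aci:")]


def parse_aci(value):
    """Extract name, allow/deny, rights set and userdn from one ACI value."""
    m = ACI_RE.search(value)
    if not m:
        return None
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    dn = USERDN_RE.search(m.group("bind"))
    return {"name": m.group("name"), "perm": m.group("perm").lower(),
            "rights": rights, "userdn": dn.group(1).strip() if dn else None}


def audit_aci(text):
    """List (finding, acl-name) pairs for ACIs that hand write rights to
    anonymous or to every authenticated user; unparsable ACIs are reported
    too so they get looked at by hand rather than silently passed."""
    findings = []
    for value in aci_values(text):
        aci = parse_aci(value)
        if aci is None:
            findings.append(("unparsed", value))
            continue
        if aci["perm"] != "allow" or not (aci["rights"] & WRITE_RIGHTS):
            continue
        if aci["userdn"] == ANONYMOUS:
            findings.append(("anonymous-write", aci["name"]))
        elif aci["userdn"] == ANY_AUTHENTICATED:
            findings.append(("any-authenticated-write", aci["name"]))
    return findings


if __name__ == "__main__":
    for kind, name in audit_aci(SAMPLE_LDIF):
        print(f"{kind}: acl {name!r}")
```

Run it over the provision LDIF files before committing a backend change; the only rule it should accept for full rights is one bound to the specific DN that Samba4 authenticates as over SASL, never `ldap:///anyone`.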