Fedora DS Support
Andrew Bartlett
abartlet at samba.org
Wed Aug 26 22:31:30 MDT 2009
On Wed, 2009-08-26 at 23:52 -0400, Endi Sukma Dewata wrote:
> Hi Andrew,
>
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
>
> > Thanks for getting back to me quickly, as it means I can help redirect
> > your efforts. It seems I must have been unclear about the future of
> > those particular changes. We must remove them - not re-add them.
>
> Thanks for your response. I understood what you meant, it's just I think
> I need to do it in multiple steps:
>
> 1. I need to make sure the master branch tests run with the "temporary"
> patch I submitted. This is to ensure that the code is good and I'm
> not wasting time troubleshooting the test script while the problem
> could lie somewhere else. Currently I'm having a problem compiling
> the code, it's complaining about missing a header file. I need to
> investigate whether this is a code or environment issue.
What errors do you get? Sometimes an extra 'make' or 'make idl_full'
helps.
> 2. Once #1 is done, I'll remove the "temporary" patch and fix the code
> to make sure it's still running like before, producing the same test
> results. When this is done, I'll submit the "real" patch.
>
> You don't need to merge the "temporary" patch into the repository, I just
> submitted it in case you want to try it. Sorry I wasn't very clear about
> my intention.
No worries.
> > Setting that ACI makes Fedora DS completely insecure - because it
> > changes the ACL on each partition to be 'anonymous may do anything'. It
> > was a great hack when we first started this, but it must not be
> > revived.
>
> > The patch I need from you, against master, is best summed up as:
> > 'whatever is needed to make Fedora DS work as a backend, and pass as
> > much of make test as possible, using SASL authentication between Samba4
> > and Fedora DS'.
>
> > The background to this is that I reworked the OpenLDAP backend to use
> > secure SASL authentication and strict access control between Samba4 and
> > OpenLDAP many months ago, but did not upgrade Fedora DS to that same
> > level of support. The Fedora DS backend needs to be upgraded to this
> > same level of maturity.
>
> Understood. I might need to do this in multiple steps too so you don't
> have to wait too long to see any progress, also I might have to switch
> back & forth with some other tasks as well. Here is my plan:
>
> 3. In #2 above I might just move the system:anonymous and aci parameters
> inside the code, so at least it's no longer visible during provisioning.
That may be easier. Uncomment the 'aci' in setup/schema_samba4.ldif and
add the ACI manually to provision_basedn_add.ldif,
provision_configuration_add.ldif and provision_schema_add.ldif.
> In #3 I will add the SASL authentication. I might send another
> patch here.
Good. One particular task will be to figure out how to add a SASL user
into Fedora DS. (We add them to OpenLDAP using its LDIF backend and
manually constructed LDIF.)
> 4. After that I will start fixing Fedora DS specific problems one-by-one
> so it works as well as OpenLDAP. I might send one patch for each issue.
>
> You don't need to merge each patch that I will submit right away. You could
> just wait until I complete step #3 or even #4 if you prefer. What do you
> think about this plan?
Sounds good to me.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
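An added check, not code from this thread or from Samba or Fedora DS, for the 'anonymous may do anything' ACI the mail warns about: it unfolds LDIF, pulls out the `aci:` values and flags any that grant write-class rights to `ldap:///anyone`. The sample LDIF, ACL names and bind DN are constructed for the example.

```python
import re

# Constructed sample LDIF (not from the thread): one ACI of the
# 'anonymous may do anything' kind, one that lets anonymous only read,
# and one that limits writes to a single (placeholder) bind DN.
SAMPLE_LDIF = """\
dn: dc=samba,dc=example
objectClass: domain
dc: samba
aci: (targetattr = "*")(version 3.0; acl "samba4 temp hack"; allow (all) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "anon read"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "samba4 bind"; allow (all) userdn = "ldap:///cn=samba-admin,cn=samba,cn=config";)
"""

# Rights that let the bound identity change directory content.
WRITE_RIGHTS = {"all", "write", "add", "delete", "selfwrite", "proxy"}
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)\s*(.*?);', re.IGNORECASE | re.DOTALL)
USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)
NAME_RE = re.compile(r'acl\s*"([^"]*)"', re.IGNORECASE)

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def aci_values(text):
    """Return the value part of every 'aci:' attribute in the LDIF."""
    return [l[len("aci:"):].strip() for l in unfold_ldif(text)
            if l.lower().startswith("aci:")]

def find_anonymous_write_acis(text):
    """List (acl name, write rights) for ACIs giving anonymous any write right."""
    findings = []
    for aci in aci_values(text):
        name_m = NAME_RE.search(aci)
        name = name_m.group(1) if name_m else "<unnamed>"
        for rights_s, bind_rule in ALLOW_RE.findall(aci):
            rights = {r.strip().lower() for r in rights_s.split(",")}
            dn_m = USERDN_RE.search(bind_rule)
            # 'anyone' is the anonymous bind rule; 'all' means authenticated users.
            if dn_m and dn_m.group(1).strip().lower() == "anyone" and rights & WRITE_RIGHTS:
                findings.append((name, sorted(rights & WRITE_RIGHTS)))
    return findings

if __name__ == "__main__":
    for name, rights in find_anonymous_write_acis(SAMPLE_LDIF):
        print(f"anonymous write access: acl {name!r} grants {rights}")
```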