Fedora DS Support
Andrew Bartlett
abartlet at samba.org
Mon Sep 7 05:45:53 MDT 2009
On Fri, 2009-09-04 at 17:26 -0400, Endi Sukma Dewata wrote:
> Andrew,
>
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
>
> > The best way might be to provision as directory manager, and bound over
> > LDAPI directly remove the SASL mappings before we start, also fix ACI
> > once we are done. We should still have pretty good control over the DS
> > (and not be exposed on TCP) at this point - I hope!
>
> Please have a look at the attached patch. It does the following:
>
> 1. During instance creation it will import the SASL mapping for
> samba-admin. It's done here because of the schema problem I mentioned
> previously preventing adding the mapping via ldapi.

Is there work being done to fix that? Even if ldif2db is the right
approach long term, we should have the schema right.

> 2. After that it will use ldif2db to import the cn=samba-admin.
>
> 3. Then it will start FDS and continue to do provisioning using DM with
> simple bind as before.
>
> 4. The SASL credentials will be stored in secrets.ldb, so when Samba
> server runs later it will use the SASL credentials.

Great.

> 5. The aci attribute has been removed from Samba schema. It no longer
> uses *_fds.ldif files. The ACL is hardcoded in provision.py.

Can you avoid using LDIF to add that? If you create an LdbMessageElement
(and then an LdbMessage to feed to ldb.modify()), and the """text
string""" syntax, then you should be able to avoid all the escape
madness in the current patch.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
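
The approach suggested in the reply above (a message element fed to ldb.modify() plus a triple-quoted string), sketched as an added example; it is not part of the original message or of the patch under review. The DNs, the ACI wording, and the function names `build_aci` and `set_aci` are assumptions made for illustration, and `set_aci` needs Samba's ldb Python bindings and an open connection.

```python
# Added example: apply a 389/Fedora DS ACI with an ldb modify, no LDIF text.
# DNs and the ACI wording below are constructed samples, not from the patch.
SAMPLE_SUFFIX_DN = "dc=samba,dc=example,dc=com"
SAMPLE_ADMIN_DN = "cn=samba-admin,cn=samba"

# Triple-quoted, so the ACI's own double quotes need no backslashes.
ACI_TEMPLATE = """(targetattr = "*")(version 3.0; acl "full access for samba-admin"; allow (all) userdn = "ldap:///%(admin_dn)s";)"""


def build_aci(admin_dn):
    """Return the ACI value that grants admin_dn full access."""
    # Conservative check (an assumption of this example): a double quote or
    # line break in the DN would end the quoted userdn string early and
    # change what the ACI grants, so such DNs are refused.
    if not admin_dn.strip() or any(c in admin_dn for c in '"\r\n'):
        raise ValueError("unsafe bind DN for ACI: %r" % (admin_dn,))
    return ACI_TEMPLATE % {"admin_dn": admin_dn}


def set_aci(db, target_dn, admin_dn):
    """Replace the aci attribute on target_dn through db.modify().

    db is an open ldb.Ldb connection to the directory server.
    """
    # Imported here so build_aci() can be used without the bindings.
    import ldb

    msg = ldb.Message()
    msg.dn = ldb.Dn(db, target_dn)
    # The value is passed as an attribute value, so no LDIF folding,
    # base64 or quoting rules apply to it.
    msg["aci"] = ldb.MessageElement(build_aci(admin_dn),
                                    ldb.FLAG_MOD_REPLACE, "aci")
    db.modify(msg)


if __name__ == "__main__":
    print(build_aci(SAMPLE_ADMIN_DN))
```

Using FLAG_MOD_REPLACE keeps the call idempotent if provisioning is run again against the same suffix.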