[PATCH] Provisioning external LDAP server

Endi Sukma Dewata edewata at redhat.com
Thu Feb 11 14:14:18 MST 2010


Hi Andrew,

I understand your concerns and am trying to address them. Please
let me know if this is better.

Instead of adding ldap-action, ldap-dir, and ldap-uri parameters,
we will just add ldap-external-uri parameter that points to the
external LDAP server.

So basically the responsibility to create an LDAP server with the
right configurations for Samba is left to the LDAP administrator.
We can provide step-by-step instructions, but they will be manual
steps. The provisioning tool will not do this.

The ldap-external-uri parameter indicates that the LDAP server
should not be created, and it should use the URI to set up Samba.

You'd still need to specify the ldap-backend-type because there
are some differences between the two backends:

1. DIT cleanup. Before loading Samba entries, the existing data
   in all partitions has to be removed. In OpenLDAP each partition
   has a different root user and only the root user can remove the base
   entry of that partition. So the tool needs to do a separate
   authentication for each partition. In FDS everything can be done
   by the Directory Manager.

2. ACL configuration. In OpenLDAP the ACL configuration is stored
   in the server configuration, which will not be modified. In FDS the
   ACL configuration is stored in the tree, which will be removed
   during DIT cleanup, so it has to be added again.

3. SID allocation. OpenLDAP relies on Samba to generate SIDs, but
   FDS relies on the DNA plugin. The DNA configuration contains the
   domain SID, so it needs to be updated.

Thanks.

--
Endi S. Dewata

----- "Andrew Bartlett" <abartlet at samba.org> wrote:

> On Wed, 2010-02-10 at 16:38 -0500, Endi Sukma Dewata wrote:
> > Hi,
> > 
> > Attached are some patches for supporting external LDAP server.
> > This topic was discussed briefly before, I have updated the
> > documentation:
> >
> > http://www.freeipa.org/page/Samba_4_Provisioning_External_LDAP_Server
> > 
> > Please let me know if you have any questions or feedback. Thanks.
> 
> I like some parts of this, but it worries me the idea of splitting the
> command in two again, even if optionally.  The more options we give our
> administrators, the more rope they will use to hang themselves.  (Samba
> administrators seem to assume they need to set every option at once,
> rather than use defaults).
> 
> I like the first patch, but I'm more cautious after that.  However, Red
> Hat's goals here are also important to me (and the patches look really
> nicely written, so it's hard to say no).
> 
> I had hoped the 'ldap backend type' parameter would have been enough
> (with the option of 'existing'), but clearly from the work you have put
> in here, the task is bigger than I thought.
> 
> In short, can we do this, but give less flexibility, and present fewer
> options to the user?
> 
> Thanks,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                               
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.

