[PATCH] Provisioning external LDAP server

Andrew Bartlett abartlet at samba.org
Thu Feb 11 15:53:45 MST 2010

On Thu, 2010-02-11 at 16:14 -0500, Endi Sukma Dewata wrote:
> Hi Andrew,
> I understand your concerns and am trying to address them. Please
> let me know if this is better.

Thanks, and don't throw out any code yet.  Even if we end up very close
to where you started, I just want to check it's the best approach. 

> Instead of adding ldap-action, ldap-dir, and ldap-uri parameters,
> we will just add ldap-external-uri parameter that points to the
> external LDAP server.

That sounds good.  

> So basically the responsibility to create an LDAP server with the
> right configurations for Samba is left to the LDAP administrator.
> We can provide step-by-step instructions, but they will be manual
> steps. The provisioning tool will not do this.

The problem is, I don't like manual steps either :-).  Where I guess I'm
going is that the public interface 'provision' needs to be kept very
simple - I'm much less worried about what is then inside it.  

Perhaps a better option would be to have separate scripts that do
exactly what you want, but are kept away from where our admins would
normally look.  

> The ldap-external-uri parameter indicates that the LDAP server
> should not be created, and it should use the URI to setup Samba.

I think that's a good thing. 

> You'd still need to specify the ldap-backend-type because there
> are some differences between the two backends:
> 1. DIT cleanup. Before loading Samba entries, the existing data
>    in all partitions has to be removed. In OpenLDAP each partition
>    has different root user and only root user can remove the base
>    entry of that partition. 

I'm pretty sure OpenLDAP allows a single overall root user - I probably
just copied an odd template when I started this (years ago). 

> So the tool needs to do a separate
>    authentication for each partition. In FDS everything can be done
>    by the Directory Manager.

I think this can be resolved. 

> 2. ACL configuration. In OpenLDAP the ACL configuration is stored
>    in server configuration which will not be modified. In FDS the
>    ACL configuration is stored in the tree which will be removed
>    during DIT cleanup, so it has to be added again.
> 3. SID allocation. OpenLDAP relies on Samba to generate SID, but
>    FDS relies on DNA plugin. The DNA configuration contains the
>    domain SID, so it needs to be updated.

I agree, and even if we were to resolve these differences, others would
pop up to replace them. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100212/7518eaa1/attachment.pgp>

More information about the samba-technical mailing list