[PATCH] Provisioning external LDAP server
Andrew Bartlett
abartlet at samba.org
Thu Feb 11 15:53:45 MST 2010
On Thu, 2010-02-11 at 16:14 -0500, Endi Sukma Dewata wrote:
> Hi Andrew,
>
> I understand your concerns and am trying to address them. Please
> let me know if this is better.
Thanks, and don't throw out any code yet. Even if we end up very close
to where you started, I just want to check it's the best approach.
> Instead of adding ldap-action, ldap-dir, and ldap-uri parameters,
> we will just add ldap-external-uri parameter that points to the
> external LDAP server.
That sounds good.
> So basically the responsibility to create an LDAP server with the
> right configurations for Samba is left to the LDAP administrator.
> We can provide step-by-step instructions, but they will be manual
> steps. The provisioning tool will not do this.
The problem is, I don't like manual steps either :-). Where I guess I'm
going is that the public interface 'provision' needs to be kept very
simple - I'm much less worried about what is then inside it.
Perhaps a better option would be to have separate scripts that do
exactly what you want, but are kept away from where our admins would
normally look.
> The ldap-external-uri parameter indicates that the LDAP server
> should not be created, and it should use the URI to set up Samba.
I think that's a good thing.
> You'd still need to specify the ldap-backend-type because there
> are some differences between the two backends:
>
> 1. DIT cleanup. Before loading Samba entries, the existing data
> in all partitions has to be removed. In OpenLDAP each partition
> has a different root user, and only that root user can remove the base
> entry of that partition.
I'm pretty sure OpenLDAP allows a single overall root user - I probably
just copied an odd template when I started this (years ago).
> So the tool needs to do a separate
> authentication for each partition. In FDS everything can be done
> by the Directory Manager.
I think this can be resolved.
> 2. ACL configuration. In OpenLDAP the ACL configuration is stored
> in the server configuration, which will not be modified. In FDS the
> ACL configuration is stored in the tree, which will be removed
> during DIT cleanup, so it has to be added again.
>
> 3. SID allocation. OpenLDAP relies on Samba to generate the SID, but
> FDS relies on the DNA plugin. The DNA configuration contains the
> domain SID, so it needs to be updated.
I agree, and even if we were to resolve these differences, others would
pop up to replace them.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.