[PATCH] Provisioning external LDAP server

Andrew Bartlett abartlet at samba.org
Thu Feb 11 18:29:26 MST 2010

On Thu, 2010-02-11 at 20:04 -0500, Endi Sukma Dewata wrote:
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> > > So basically the responsibility to create an LDAP server with the
> > > right configurations for Samba is left to the LDAP administrator.
> > > We can provide step-by-step instructions, but they will be manual
> > > steps. The provisioning tool will not do this.
> > The problem is, I don't like manual steps either :-).  Where I guess I'm
> > going is that the public interface 'provision' needs to be kept very
> > simple - I'm much less worried about what is then inside it.  
> > Perhaps a better option would be to have separate scripts that do
> > exactly what you want, but are kept away from where our admins would
> > normally look.  
> Ok, how about creating a script called create-backend and it takes
> parameters required to setup the LDAP server, for example:
> * Install directory
> * Admin DN
> * Admin password
> * Suffix
> * Server account
> * LDAP Port

That's good, as long as we have a way to communicate these to
'provision'.  The reason I merged provision and provision-backend was
that typos and mistakes between the two scripts caused hard to debug
errors. (Even when I printed 'use this exact command: ...'.  

> The list of parameters doesn't need to be extensive because the admin
> can further customize it if needed. But the list should be much simpler
> than the provisioning parameters. I hope we wouldn't need to specify the
> domain SID here.

Hmm - wouldn't the SID generation code need it?

> The provisioning tool itself will take the ldap-external-uri parameter
> as I described previously. If you don't specify this parameter, it
> will create the internal LDAP server like right now. What do you think?

Yeah, I like it, but perhaps rather than ldap-external-uri (or along
side it), we would have ldap-config:  This would point to an INI format
file, that create-backend writes, and provision reads.  That way, there
are less mistakes between the scripts. 

What do you think?

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100212/0cb49f8b/attachment.pgp>

More information about the samba-technical mailing list