[PATCH] Provisioning external LDAP server

Oliver Liebel oliver at itc.li
Fri Feb 12 01:26:16 MST 2010

Am 12.02.2010 02:29, schrieb Andrew Bartlett:
> On Thu, 2010-02-11 at 20:04 -0500, Endi Sukma Dewata wrote:
>> ----- "Andrew Bartlett"<abartlet at samba.org>  wrote:
>>>> So basically the responsibility to create an LDAP server with the
>>>> right configurations for Samba is left to the LDAP administrator.
>>>> We can provide step-by-step instructions, but they will be manual
>>>> steps. The provisioning tool will not do this.
>>> The problem is, I don't like manual steps either :-).  Where I guess I'm
>>> going is that the public interface 'provision' needs to be kept very
>>> simple - I'm much less worried about what is then inside it.
>>> Perhaps a better option would be to have separate scripts that do
>>> exactly what you want, but are kept away from where our admins would
>>> normally look.
>> Ok, how about creating a script called create-backend and it takes
>> parameters required to setup the LDAP server, for example:
>> * Install directory
>> * Admin DN
>> * Admin password
>> * Suffix
>> * Server account
>> * LDAP Port
> That's good, as long as we have a way to communicate these to
> 'provision'.  The reason I merged provision and provision-backend was
> that typos and mistakes between the two scripts caused hard to debug
> errors. (Even when I printed 'use this exact command: ...'.)
I fully agree with Andrew.
I have made the experience that even admins with long knowledge of both
Samba and OL had to fight with several
typo errors caused by too many steps during provisioning, especially
when setting up MMR.
>> The list of parameters doesn't need to be extensive because the admin
>> can further customize it if needed. But the list should be much simpler
>> than the provisioning parameters. I hope we wouldn't need to specify the
>> domain SID here.
The provision scripts have been made "relatively" easy through a long
development process, and any admin with enough
skills to manage an OL 2.4 server could (theoretically) customize some things
inside the OL server,
but I think that's not the problem at all at this time. One enhancement
could be
(see below) to put all provision settings in a conf or INI file that is
syntax-checked before applying the params.

BTW: identical SIDs have to be applied to the 2nd, 3rd etc. server when using MMR.
> Hmm - wouldn't the SID generation code need it?
>> The provisioning tool itself will take the ldap-external-uri parameter
>> as I described previously. If you don't specify this parameter, it
>> will create the internal LDAP server like right now. What do you think?
Note that in case of OL-MMR several external URIs have to be specified.
But as Andrew mentioned below, maybe a conf or INI file with the
provision/backend settings
is better to handle than the -sometimes really long/complex- provision

> Yeah, I like it, but perhaps rather than ldap-external-uri (or along
> side it), we would have ldap-config:  This would point to an INI format
> file, that create-backend writes, and provision reads.  That way, there
> are less mistakes between the scripts.

> What do you think?
> Andrew Bartlett
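The INI hand-off Andrew proposes (create-backend writes it, provision reads it), combined with the syntax check before applying that Oliver asks for, sketched as an added example. This is not code from the thread or from Samba; the section name, key names and sample values are assumptions.

```python
"""create-backend -> INI file -> provision, with validation up front (added example)."""
import configparser
import io
import re

SECTION = "backend"
# Parameter list from the thread; the key names are assumptions.
REQUIRED = ("install_dir", "admin_dn", "admin_password", "suffix",
            "server_account", "ldap_port")
# Loose RDN-sequence check: attr=value pairs separated by commas.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")


def write_backend_config(params):
    """What create-backend would write: returns the INI text."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp[SECTION] = {k: str(v) for k, v in params.items()}
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def validate_backend_config(text):
    """Parse the INI text and return a list of problems (empty if it is usable)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return ["missing [%s] section" % SECTION]
    sect = cp[SECTION]
    errors = ["missing key: %s" % k for k in REQUIRED if k not in sect]
    errors += ["unknown key: %s" % k for k in sect if k not in REQUIRED]
    if errors:
        return errors  # value checks below assume every key is present
    for key in ("admin_dn", "suffix"):
        if not DN_RE.match(sect[key]):
            errors.append("%s is not a DN: %r" % (key, sect[key]))
    port = sect["ldap_port"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append("ldap_port must be 1..65535: %r" % port)
    admin, suffix = sect["admin_dn"].lower(), sect["suffix"].lower()
    if not (admin == suffix or admin.endswith("," + suffix)):
        errors.append("admin_dn %r is not under suffix %r" % (admin, suffix))
    return errors


def load_backend_config(text):
    """What provision would do: refuse to start on any validation error."""
    errors = validate_backend_config(text)
    if errors:
        raise ValueError("; ".join(errors))
    sect = configparser.ConfigParser(interpolation=None)
    sect.read_string(text)
    return {k: sect[SECTION][k] for k in REQUIRED}


# Constructed sample values, not taken from any real deployment.
SAMPLE = dict(install_dir="/usr/local/samba", admin_dn="cn=Manager,dc=samba,dc=example",
              admin_password="s3cret%", suffix="dc=samba,dc=example",
              server_account="cn=samba-admin,dc=samba,dc=example", ldap_port=389)
```

A one-character typo in the suffix (the kind of mistake the thread complains about) is reported before provision touches the directory, instead of surfacing later as a hard-to-debug LDAP error.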

More information about the samba-technical mailing list