[PATCH] Provisioning external LDAP server

Endi Sukma Dewata edewata at redhat.com
Mon Feb 15 19:31:31 MST 2010

Hi, sorry for the delay, I was out of the office last Friday.

----- "Oliver Liebel" <oliver at itc.li> wrote:
> On 12.02.2010 02:29, Andrew Bartlett wrote:

> btw: identical SIDs have to be applied to the 2nd, 3rd etc. server when using mmr
> > Hmm - wouldn't the SID generation code need it?

I'm hoping that the SID would not be required when preparing the LDAP servers,
then when we provision Samba the script will put identical SID into all LDAP
servers. Right now the SID is needed to create the schema descriptor in the
Schema constructor (see scripting/python/samba/schema.py), but we probably
could put a dummy value then update it later with the correct one.

> note that in case of ol-mmr several external uris have to be specified.
> but as andrew mentioned below, maybe a conf or ini file with the 
> provision/backend settings
> is better to handle than the -sometimes really long/complex- provision strings

> > Yeah, I like it, but perhaps rather than ldap-external-uri (or along
> > side it), we would have ldap-config:  This would point to an INI format
> > file, that create-backend writes, and provision reads.  That way, there
> > are less mistakes between the scripts.

OK. Can we put the backend parameters in the same smb.conf?
So for an internal LDAP server you could create an smb.conf and optionally
include the backend parameters:

    type           = fedora-ds
    home           = /usr/local/samba/private/ldap
    admin dn       = cn=Manager,dc=samba,dc=example,dc=com
    admin password = secret
    suffix         = dc=samba,dc=example,dc=com
    user           = root
    ldap url       = ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

If the backend parameters aren't specified it will use the default values,
so it will work like the current script.

For an external LDAP server you can include the following backend parameters
in smb.conf:

    type           = external fedora-ds
    admin dn       = cn=Manager,dc=samba,dc=example,dc=com
    admin password = secret
    ldap url       = ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

When you provision Samba with these parameters, it will assume the LDAP servers
have been set up separately.

To set up the LDAP server itself, you could create a file that contains the
[backend] section just like the one for the internal LDAP server above, then pass
this file to the create-backend script.

What do you think? Thanks.

Endi S. Dewata
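The [backend] section proposed in the mail above, read the way a provision script would read it, as an added example that is not part of the original message or of Samba's own code. The key names, the sample values and the `external <type>` convention come from the mail; the defaults for an internal server (assumed to match the sample values), the helper names (`parse_backend`, `ldapi_socket_path`, `mode_is_private`) and the two smb.conf fragments are my own constructions. Since `admin password` is stored in the clear, the example also checks that the file is not readable by group or other.

```python
"""Added example, not Samba's code: read the proposed [backend] section
of an smb.conf, apply internal-server defaults when keys are missing,
classify the backend as internal or external, decode the ldapi socket
path, and check that the file holding the admin password is private."""
import configparser
import os
import stat
from urllib.parse import unquote, urlparse

# Constructed smb.conf fragments using the values shown in the mail.
INTERNAL_SAMPLE = """
[global]
    workgroup = SAMBA

[backend]
    type           = fedora-ds
    home           = /usr/local/samba/private/ldap
    admin dn       = cn=Manager,dc=samba,dc=example,dc=com
    admin password = secret
    suffix         = dc=samba,dc=example,dc=com
    user           = root
    ldap url       = ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
"""

EXTERNAL_SAMPLE = """
[backend]
    type           = external fedora-ds
    admin dn       = cn=Manager,dc=samba,dc=example,dc=com
    admin password = secret
    ldap url       = ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
"""

# Assumed defaults for an internal server (taken from the sample values in
# the mail; Samba's real defaults may differ). An absent [backend] section
# therefore yields the same configuration as the internal sample, minus the
# password, which the provision script would have to generate.
INTERNAL_DEFAULTS = {
    "type": "fedora-ds",
    "home": "/usr/local/samba/private/ldap",
    "admin dn": "cn=Manager,dc=samba,dc=example,dc=com",
    "suffix": "dc=samba,dc=example,dc=com",
    "user": "root",
    "ldap url": "ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi",
}

# An external server is set up separately, so only the connection data is
# required; nothing is defaulted for it.
REQUIRED_EXTERNAL = ("admin dn", "admin password", "ldap url")


def ldapi_socket_path(url):
    """Return the decoded Unix socket path of an ldapi:// URL, or None for
    ldap:// and ldaps://. Rejects other schemes and relative socket paths."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("unsupported ldap url scheme: %r" % parsed.scheme)
    if parsed.scheme != "ldapi":
        return None
    path = unquote(parsed.netloc)  # %2F -> /
    if not path.startswith("/"):
        raise ValueError("ldapi socket path must be absolute: %r" % path)
    return path


def parse_backend(text):
    """Parse smb.conf text and return the effective backend settings."""
    # interpolation=None: the %2F escapes in 'ldap url' must stay literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = dict(cp["backend"]) if cp.has_section("backend") else {}

    type_words = raw.get("type", INTERNAL_DEFAULTS["type"]).split()
    external = bool(type_words) and type_words[0].lower() == "external"
    if external:
        server_type = " ".join(type_words[1:])
        missing = [k for k in REQUIRED_EXTERNAL if k not in raw]
        if missing:
            raise ValueError("external backend is missing: " + ", ".join(missing))
        cfg = dict(raw)
    else:
        server_type = " ".join(type_words)
        cfg = dict(INTERNAL_DEFAULTS)
        cfg.update(raw)  # explicit keys override the defaults
    if not server_type:
        raise ValueError("backend type is empty")

    cfg["type"] = server_type
    cfg["external"] = external
    cfg["socket path"] = ldapi_socket_path(cfg["ldap url"])
    return cfg


def mode_is_private(mode):
    """True when a st_mode grants no group or other permission bits."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def config_file_is_private(path):
    """A file carrying 'admin password' should be mode 0600 or stricter."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, sample in (("internal", INTERNAL_SAMPLE), ("external", EXTERNAL_SAMPLE)):
        cfg = parse_backend(sample)
        shown = {k: ("***" if k == "admin password" else v) for k, v in cfg.items()}
        print(name, shown)
```

`parse_backend` raises on an external backend that lacks any of the three connection keys, so create-backend and provision fail early rather than silently falling back to the internal defaults; `config_file_is_private` is the check a provision script would run on the file before reading the admin password out of it.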

More information about the samba-technical mailing list