[PATCH] Provisioning external LDAP server

Andrew Bartlett abartlet at samba.org
Tue Feb 16 03:52:42 MST 2010

On Mon, 2010-02-15 at 21:31 -0500, Endi Sukma Dewata wrote:
> Hi, sorry for the delay, I was out of the office last Friday.
> ----- "Oliver Liebel" <oliver at itc.li> wrote:
> > On 12.02.2010 02:29, Andrew Bartlett wrote:
> > btw: identical sids have to be applied to 2nd, 3rd etc. server when using mmr
> > > Hmm - wouldn't the SID generation code need it?
> I'm hoping that the SID would not be required when preparing the LDAP servers,
> then when we provision Samba the script will put identical SID into all LDAP
> servers. Right now the SID is needed to create the schema descriptor in the
> Schema constructor (see scripting/python/samba/schema.py), but we probably
> could put a dummy value then update it later with the correct one.
> > note that in case of ol-mmr several external uris have to be specified.
> > but as andrew mentioned below, maybe a conf or ini file with the 
> > provision/backend settings
> > is better to handle than the -sometimes really long/complex- provision strings
> > > Yeah, I like it, but perhaps rather than ldap-external-uri (or along
> > > side it), we would have ldap-config:  This would point to an INI format
> > > file, that create-backend writes, and provision reads.  That way, there
> > > are less mistakes between the scripts.
> OK. Can we use the same smb.conf to put the backend parameters?
> So for internal LDAP server you could create an smb.conf and optionally
> include the backend parameters:
> [backend]
>     type           = fedora-ds
>     home           = /usr/local/samba/private/ldap
>     admin dn       = cn=Manager,dc=samba,dc=example,dc=com
>     admin password = secret
>     suffix         = dc=samba,dc=example,dc=com
>     user           = root
>     ldap url       = ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

> What do you think? Thanks.

No, I don't like it being in smb.conf.  Firstly, it puts passwords in
the config file, and it includes options that should strictly be
determined by the realm (suffix).  

Even for your external LDAP server case, is there actually a need for
the LDAPi socket to be in a different location?

Once you move the password out of the smb.conf, then the username should
move too.  We could leave the others in the smb.conf, but then it just
encourages users to set them (and that's dangerous - we don't want
variation here). 

I think we may need a bit longer to come to a solution.


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
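The thread contrasts putting the backend block (with its admin password) into smb.conf against Andrew's earlier suggestion of a separate INI file that create-backend writes and provision reads, with the suffix fixed by the realm rather than set by the user. The following is an added illustration of that second arrangement, written for this page; it is not Samba's provisioning code. It reuses the key names from the quoted [backend] block, but the file names, the realm `samba.example.com`, and the helper names (`suffix_from_realm`, `write_backend_config`, `read_backend_config`, `demo`) are assumptions for the example.

```python
import configparser
import os
import stat
import tempfile

# Added example, not Samba's own provisioning code. It sketches the alternative
# discussed in the thread: backend settings (including the admin password) live
# in a separate INI file that create-backend writes and provision reads, not in
# smb.conf, and the suffix is derived from the realm instead of being user-set.
# Key names follow the [backend] block quoted in the thread; file names, the
# realm and the helper names are constructed for this example.


def suffix_from_realm(realm):
    """Derive the base DN from the realm (samba.example.com -> dc=samba,dc=example,dc=com)."""
    return ",".join("dc=" + label for label in realm.lower().strip(".").split("."))


def write_backend_config(path, settings):
    """Write the backend INI with mode 0600 so the admin password is owner-readable only."""
    cfg = configparser.ConfigParser(interpolation=None)  # ldapi URLs contain '%2F'; keep them literal
    cfg["backend"] = settings
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # the O_CREAT mode is masked by umask; enforce it explicitly
    return path


def read_backend_config(path, realm):
    """Read the INI for provisioning; refuse loose permissions and a suffix that contradicts the realm."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is readable by group/other (mode %o)" % (path, mode))
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    backend = dict(cfg["backend"])
    expected = suffix_from_realm(realm)
    if backend.get("suffix", expected) != expected:
        raise ValueError("suffix %r does not match realm %s (expected %r)"
                         % (backend["suffix"], realm, expected))
    backend["suffix"] = expected  # always the realm-derived value, never the user's
    return backend


def demo():
    """Round-trip constructed settings through a temp file and report what provision would see."""
    settings = {  # constructed values, mirroring the quoted [backend] block
        "type": "fedora-ds",
        "home": "/usr/local/samba/private/ldap",
        "admin dn": "cn=Manager,dc=samba,dc=example,dc=com",
        "admin password": "secret",
        "user": "root",
        "ldap url": "ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = write_backend_config(os.path.join(tmp, "backend.ini"), settings)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        backend = read_backend_config(path, "samba.example.com")
        # a hand-edited suffix that disagrees with the realm must be rejected
        bad_path = write_backend_config(os.path.join(tmp, "bad.ini"),
                                        dict(settings, suffix="dc=other,dc=com"))
        try:
            read_backend_config(bad_path, "samba.example.com")
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = True
        # a world-readable copy must be refused before the password is even parsed
        os.chmod(path, 0o644)
        try:
            read_backend_config(path, "samba.example.com")
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
    return {"mode": mode, "backend": backend,
            "mismatch_rejected": mismatch_rejected, "loose_rejected": loose_rejected}


if __name__ == "__main__":
    print(demo())
```

The two checks in `read_backend_config` are the point: the file that carries the password is created and verified at 0600, and the suffix is never taken from the file when it disagrees with the realm, which is the variation the reply says we do not want.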
