errors with s4-git and ol-2.4.21 (mmr)

Oliver Liebel oliver at itc.li
Mon Mar 8 13:03:29 MST 2010


On 08.03.2010 17:39, Endi Sukma Dewata wrote:

> ----- "Andrew Bartlett"<abartlet at samba.org>  wrote:
>    
>> On Sun, 2010-03-07 at 12:56 +0100, Oliver Liebel wrote:
>>> i'll try to fix the following ol-mmr issues:
>>> - new rid range/start for mmr with ol-backend (any proposals?)
>>>        
>> Given the new limitations, I would go with 'anything that works'.
>>      
>>> - wrong built startup-string for slapd (slapd.d) when ol-mmr is
>>> chosen
>>> - split error in parsing --ol-mmr-urls (zero string when 2 or more
>>> urls split by space " ")
>> Make sure you work with Endi on this.  He is reworking the LDAP
>> backend parameters, to move from command line to a small config file.  (The
>> command line was unwieldy).
>>> - help message for starting up slapd with external urls for mmr
>>>        
>> Otherwise, this sounds good!
>>
>> Andrew Bartlett
>>
>> -- 
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>> Samba Developer, Cisco Inc.
>>      
> Hi Andrew & Oliver,
>
> Just FYI, I'm currently still investigating an FDS-specific bug in Samba
> and fixing FDS to work better with Samba. Sorry I'm not that familiar
> with the MMR on OL, the code was put into OpenLDAPBackend class but it
> wasn't modified from the original.
>
> --
> Endi S. Dewata
>
>    

no problem, and it really doesn't matter at the moment how this bug could get in,
the focus should be to get it off asap and have a working setup again.

so for now i will try to fix the above mentioned parts (new rid-range, error in slapd.d/ startup-string),
as these must be fixed anyway, and mmr-url-split error / new ol-mmr-helpline
to have it working asap for more testing purposes.
i will keep you up to date.



to pick up our talk, we three had a few weeks ago, about external conf/ini-files for use
with provision:

i think the main goal for future s4-releases should be to minimize the necessary interaction
during provision - means: no need to create a (complex) provision string, especially
with backend-params like ol-mmr.

from my point of view a good approach for an enhancement/simplification
could be to put _all_ provision-settings (not only backend) in a linux-conf-style file, that's
basically syntax/value-checked when starting provision (e.g.: provision -f provision.conf),
before the params are applied to the procedures inside provision.py/provisionbackend.py.

the admin has no need to handle a (complex) provision-string, instead he uses typical
linux-conf-file templates for the case he needs, e.g. like that:

## provision.conf - for use with built-in ldap-DB #
##  this file will be removed for security reasons after provisioning#
#
# enter your kerberos-realm here:
realm=
# enter your domain here:
domain=
....

------
##  provisionbackend.conf - for use with external ldap-backend #
##  this file will be removed for security reasons after provisioning#
#
# enter your krb-realm here:
realm=
# enter your domain here:
domain=
# enter your backend-type here (only openldap|fedora valid):
ldap-backend=
# enter all your openldap-server and ports here (hostname:port)
backend-server1=
backend-server2=
....

and so on.

the empty templates (one "normal" template for internal ldap-db, one for use with external ldap-backend
with the needed extra-params) could be copied during "make install" into ../private/[ldap].
as they would keep password values, the "used" templates (with values in it) had to be automatically removed
after successful setup (raise a message to admin to inform him about this), to risk no security breaches.


that's all just an idea, the pros and cons must be surely discussed.

thanks
oliver
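
[Added example, not part of the original message and not Samba code: a sketch of the "syntax/value-checked, then removed" flow proposed above. The key names come from the templates in the message; the function names, the owner-only permission check and the hostname:port rule are assumptions made for illustration.]

```python
import os
import re
import stat

VALID_BACKENDS = {"openldap", "fedora"}   # the two values the template allows
SERVER_KEY = re.compile(r"backend-server\d+")
HOST_PORT = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?:(?P<port>\d{1,5})")

def load_provision_conf(path):
    """Parse a key=value provision file; return (settings, errors)."""
    settings, errors = {}, []
    # The file holds password values, so reject it if group/other can touch it.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        errors.append("file must be accessible by its owner only (chmod 600)")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = (part.strip() for part in line.partition("="))
            if not sep or not key:
                errors.append(f"line {lineno}: expected key=value")
            elif key in settings:
                errors.append(f"line {lineno}: duplicate key {key!r}")
            else:
                settings[key] = value
    for key in ("realm", "domain"):
        if not settings.get(key):
            errors.append(f"{key} must be set")
    servers = {k: v for k, v in settings.items() if SERVER_KEY.fullmatch(k)}
    if "ldap-backend" in settings:
        if settings["ldap-backend"] not in VALID_BACKENDS:
            errors.append("ldap-backend must be openldap or fedora")
        if not servers:
            errors.append("ldap-backend needs at least one backend-serverN")
    for key, value in servers.items():
        m = HOST_PORT.fullmatch(value)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            errors.append(f"{key}: expected hostname:port, got {value!r}")
    return settings, errors

def provision_from_file(path, apply):
    """Validate, hand the settings to apply(), then delete the used file."""
    settings, errors = load_provision_conf(path)
    if errors:
        return errors              # nothing applied, file kept for correction
    apply(settings)                # hypothetical hook standing in for provision
    os.remove(path)                # the used template carried secrets; remove it
    return []
```

[os.remove() only unlinks the file; the values may still be recoverable from disk or backups, so the admin message mentioned above should say so.]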

More information about the samba-technical mailing list