Re-engaging the Samba4 LDAP backend

Oliver Liebel oliver at itc.li
Tue Mar 30 11:47:50 MDT 2010


Am 30.03.2010 03:53, schrieb Andrew Bartlett:
>   - Transaction support.  While most of the transaction-aware tasks in
> Samba have now been either pushed off as 'too hard on LDAP' or into
> modules that are now in the LDAP backend, we still do need transactions
> over LDAP.
>
>    
AFAIK protocol-based transaction support is on the roadmap for OL 2.5.

>   - A way to easily detect that we have OpenLDAP or Fedora DS installed
> on the system, and what it's version is.  Once we have that, we could
> start trying to run at least some of Samba4's tests against such a
> backend regularly (and stop breaking it so often).
>    
Just to focus on OL: the binary path will differ from distro to distro, e.g. debian: /usr/sbin/slapd, suse: /usr/lib/openldap/slapd, and a "regular" standalone build will be /usr/local/libexec/slapd.

To guess a setup type (and the corresponding path), a provision.conf file could be a start (see "ldap-distro=" below).

> To address a broader range of use cases, I'm looking forward to the work
> Endi has promised for a 'ldap backend config file' as input to
> provision.  Hopefully this will reduce the options we have to present to
> users on the provision command line.
>    
As I already mentioned a few weeks ago in another thread, one goal for future s4 releases should be to minimize the necessary interaction during provision, meaning: no need to create a (complex) provision string, especially with backend params like ol-mmr.

An enhancement/simplification could be to put _all_ provision settings (not only the backend params) in a "normal" Linux conf-style file that's basically syntax/value-checked when starting provision (e.g.: provision -f provision.conf), before the params are applied to the procedures inside provision.py/provisionbackend.py.

The admin has no need to handle a (complex) provision string; instead he uses typical Linux conf-file templates for the case he needs, e.g. like that:

## provision.conf - for use with built-in ldap-DB #
##  this file will be removed for security reasons after provisioning#
#
# enter your kerberos-realm here:
realm=
# enter your domain here:
domain=
....


##  provisionbackend.conf - for use with external ldap-backend #
##  this file will be removed for security reasons after provisioning#
#
# enter your krb-realm here:
realm=
# enter your domain here:
domain=
# enter your backend-type here:  (e.g.: openldap|fedora)
ldap-backend=
# ldap-distro: (e.g.: suse|debian|fedora|centos|standalone)
ldap-distro=
# enter all your openldap-server and ports here (hostname:port)
backend-server1=
backend-server2=
....

and so on.

The empty templates (one "normal" template for the internal ldap-db, one for use with an external ldap-backend with the needed extra params) could be copied during "make install" into ../private/[ldap].
As they would keep password values, the "used" templates (with values in them) would have to be automatically removed after successful setup (raise a message to the admin to inform him about this), to risk no security breaches.
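One way the syntax/value check proposed above could look, as an added example in Python (the language of provision.py); it is not code from Samba or from this mail. The backend names, distro names and the three slapd paths are the ones given above; the sample file, the host:port rule and leaving fedora/centos without a known path are assumptions.

```python
import re
# Constructed provisionbackend.conf in the style proposed in the mail.
SAMPLE_CONF = """\
# enter your krb-realm here:
realm=EXAMPLE.COM
domain=EXAMPLE
ldap-backend=openldap
ldap-distro=debian
backend-server1=ldap1.example.com:389
backend-server2=ldap2.example.com:636
"""
# slapd paths quoted in the mail; fedora/centos stay unmapped (not known here).
SLAPD_PATHS = {"debian": "/usr/sbin/slapd",
               "suse": "/usr/lib/openldap/slapd",
               "standalone": "/usr/local/libexec/slapd"}
BACKENDS = {"openldap", "fedora"}
DISTROS = {"suse", "debian", "fedora", "centos", "standalone"}
REQUIRED = ("realm", "domain", "ldap-backend", "ldap-distro")
SERVER_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")  # host:port (assumed)

def parse_conf(text):
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value" % lineno)
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def validate_conf(conf):
    """Fail before provisioning touches anything; return the slapd path (or None)."""
    missing = [k for k in REQUIRED if not conf.get(k)]
    if missing:
        raise ValueError("missing values for: " + ", ".join(missing))
    if conf["ldap-backend"] not in BACKENDS:
        raise ValueError("unknown ldap-backend %r" % conf["ldap-backend"])
    if conf["ldap-distro"] not in DISTROS:
        raise ValueError("unknown ldap-distro %r" % conf["ldap-distro"])
    servers = [v for k, v in conf.items() if k.startswith("backend-server")]
    if not servers:
        raise ValueError("at least one backend-serverN=host:port is required")
    for s in servers:
        m = SERVER_RE.match(s)
        if not m or not 0 < int(m.group(2)) < 65536:
            raise ValueError("bad backend-server %r, want host:port" % s)
    return SLAPD_PATHS.get(conf["ldap-distro"])
```

A filled-in file that passes validate_conf() still holds secrets, so the caller is expected to delete it once provisioning has finished, as the mail suggests.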


thanks
oliver
