[Samba] my samba3+ldap+SSO plan

tbsky at annsky.com tbsky at annsky.com
Wed Nov 12 08:53:07 GMT 2003


>>    I see. Thanks for the hint! So just configure each Samba
>>    as a PDC, right?
>
> Yep. There is a small hitch in the way the replication works, I'll have
> a patch in CVS fairly soon, so watch out for it and update before you
> deploy.  The issue is about 'ldap rebind sleep' (we need to wait for our
> local slave to catch up with the master, after we change the master).

    I see! Will this be included in 3.0.1?


>> >>    My concern is about machine accounts. I know the client machine and
>> >> server keep a shared secret, but I don't know whether this secret
>> >>    changes over time, or whether the secret stays static.
>> >
>> > It changes over time, and the client will not contact the PDC to make
>> > that change.  It will ask the local DC it is connected to.
>> >
>> >>    And although OpenLDAP has a replication feature, multi-master
>> >>    replication seems experimental and hard to maintain.
>> >>    We don't need real-time replication. Are there existing tools for
>> >>    syncing entries between two LDAP servers?
>> >
>> > You really should have one master LDAP server, and slaves for all the
>> > remote sites.  These slaves will only need to contact the master on
>> > machine account change, adding machines etc.
>>
>>     But since the machine account password changes over time, it
>> always needs to talk to the master LDAP, right? What happens if the
>> WAN link breaks?
>
> How often does this happen?
>
> In any case, it just fails, and the machine tries again later.
> Similarly if your users change their passwords or you do some admin
> changes they will just need to just try later.

   So I think the normal solution is to make every Samba a
PDC, make the HQ LDAP server the master, and make the branch LDAP servers
slaves, right?
   Our WAN link from HQ to the branch sites sometimes breaks, and it may
take several hours to fix :(
   Can clients keep working when the WAN link is broken? It's OK if
branch users cannot change passwords or add machines while the WAN link
is down, but I want to make sure that existing users can still work.
If existing users can still work, then I think this architecture
plus your "ldap rebind sleep" patch is a beautiful solution for
me!!
   And since all machine accounts change their passwords against the
master LDAP server and that is replicated to the branches, I think machines
can travel around the branch sites. Right?

  Thanks again for your information. I'm lucky to understand
these things before I deploy :)

Best Regards,
tbsky
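The branch-site setup that the plan above describes (a local Samba PDC reading from a local read-only LDAP slave, with every write referred to the HQ master), as an added configuration example that is not part of the original thread or of Samba's or OpenLDAP's own documentation. The workgroup, host names, DNs and credentials are assumptions. The smb.conf parameter is shown under the name it carries in Samba 3 releases, `ldap replication sleep`, assumed here to be the "ldap rebind sleep" patch the thread refers to; the slapd.conf directives are the slurpd-based replication of OpenLDAP 2.1/2.2 that was current when this thread was written.

```conf
# --- /etc/samba/smb.conf on the branch PDC (assumed host BRANCH1-PDC) ---
[global]
   workgroup = EXAMPLE
   netbios name = BRANCH1-PDC
   # Each site runs its own PDC, as recommended in the thread.
   domain logons = yes
   domain master = yes
   os level = 65

   # Read from the LOCAL slave so logons keep working while the WAN is down.
   # Writes (machine password changes, domain joins, password changes) are
   # answered by the slave with a referral to the HQ master; Samba chases it.
   passdb backend = ldapsam:ldap://ldap-branch1.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   # Bind DN for writes; its password is stored with: smbpasswd -w <secret>
   ldap admin dn = cn=samba,dc=example,dc=com
   ldap ssl = start tls

   # After a write has been referred to the master, wait (milliseconds) for
   # the change to replicate back to the local slave before reading it
   # again. Without this a domain join can read stale data from the slave.
   ldap replication sleep = 1000
   ldap timeout = 15

# --- /etc/openldap/slapd.conf on the branch SLAVE ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
# Only the master's slurpd may write here, using this identity.
updatedn        "cn=replicator,dc=example,dc=com"
# Every other write is answered with a referral to the HQ master.
# While the WAN link is down this referral is unreachable: writes fail
# and the client retries later, but reads (logons) still succeed locally.
updateref       ldap://ldap-hq.example.com
access to * by dn="cn=replicator,dc=example,dc=com" write
            by * read

# --- /etc/openldap/slapd.conf on the HQ MASTER ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
replogfile      /var/lib/ldap/replog
# One replica line per branch slave; slurpd pushes changes from the replog.
replica host=ldap-branch1.example.com:389
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple credentials=replicator-secret
```

The property the thread asks about follows from the split between the two directives: `passdb backend` points at the slave, so authentication of existing users and machines never crosses the WAN, while `updateref` is the only path for changes. Once the link returns, slurpd replays the replog to the slave, so a machine whose password was changed at one branch carries a secret the master already knows, and the next branch it visits will see it after replication.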
