[Samba] my samba3+ldap+SSO plan

Andrew Bartlett abartlet at samba.org
Wed Nov 12 08:59:25 GMT 2003


On Wed, 2003-11-12 at 19:53, tbsky at annsky.com wrote:
> >>    I see. Thanks for the hint!! So just configure each Samba
> >>    as PDC, right?
> >
> > Yep. There is a small hitch in the way the replication works, I'll have
> > a patch in CVS fairly soon, so watch out for it and update before you
> > deploy.  The issue is about 'ldap rebind sleep' (we need to wait for our
> > local slave to catch up with the master, after we change the master).
> 
>     I see! Will this be included in 3.0.1?

Assuming I get it tested up in time, it should be.

> 
> >> >>    my concern is about machine accounts. I know the client machine and
> >> >>    server keep a shared secret, but I don't know if this secret will
> >> >>    change over time, or whether the secret will stay static?
> >> >
> >> > It changes over time, and the client will not contact the PDC to make
> >> > that change.  It will ask the local DC it is connected to.
> >> >
> >> >>    and although openldap has replication feature, but multi-master
> >> >>    replication seems experimental and hard to maintain.
> >> >>    we don't need real time replication. are there existing tools for
> >> >>    syncing entries between two ldap servers?
> >> >
> >> > You really should have one master LDAP server, and slaves for all the
> >> > remote sites.  These slaves will only need to contact the master on
> >> > machine account change, adding machines etc.
> >>
> >>     But since the machine account password changes over time, it
> >> always needs to talk to the master LDAP, right? What happens if the
> >> WAN link breaks?
> >
> > How often does this happen?
> >
> > In any case, it just fails, and the machine tries again later.
> > Similarly if your users change their passwords or you do some admin
> > changes they will just need to just try later.
> 
>    So I think the normal solution is to make every Samba a
> PDC, make the HQ LDAP server the master, and make the branch LDAP servers
> slaves, right?

Correct.

>    Our WAN link from HQ to the branch site sometimes breaks, and it may
> take several hours to fix :(
>    Can clients keep working when the WAN link breaks? It's OK if
> branch users cannot change passwords or add machines when the WAN link
> breaks, but I want to make sure the existing users can still work.
> If existing users can still work, then I think this architecture
> plus your "ldap rebind sleep" patch is a beautiful solution for
> me!!

Yep - it would be pointless having a BDC that couldn't work without a
PDC around, and this should be fine :-)

>    And since all machine accounts change their password against the
> master LDAP server and replicate to the branch, I think machines
> can travel around the branch sites, right?

Exactly.

>   Thanks again for your information. I'm lucky to understand
> these before I deploy :)

Always well worth doing,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
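The setup agreed on in the thread (each site a PDC sharing one directory, HQ LDAP master, branch LDAP slaves that refer writes to the master) sketched as configuration; this is an added example, not part of the thread or of Samba's own documentation. Hostnames, DNs and the password placeholder are constructed, and the smb.conf parameter shown as `ldap replication sleep` is assumed to be the setting the thread calls 'ldap rebind sleep'.

```conf
# --- Branch-site Samba server: /etc/samba/smb.conf (relevant settings only) ---
[global]
    workgroup = EXAMPLE
    # Each site runs as a PDC, as the thread recommends; logons are served
    # from the local LDAP slave, so existing users keep working when the
    # WAN link to HQ is down.
    domain logons = yes
    domain master = yes
    # Read from the local slave first; the HQ URI is only a fallback.
    passdb backend = ldapsam:"ldap://ldap-branch.example.com ldap://ldap-hq.example.com"
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    # Bind password is stored with: smbpasswd -w <password>
    ldap admin dn = cn=samba,dc=example,dc=com
    # Protect the bind password and machine secrets on the wire.
    ldap ssl = start tls
    # Writes (machine password changes, new accounts) are referred to the
    # master; wait this many milliseconds for the slave to catch up before
    # reading the entry back (the 'ldap rebind sleep' issue in the thread).
    ldap replication sleep = 2000

# --- HQ master: /etc/openldap/slapd.conf (slurpd-style replication) ---
database        bdb
suffix          "dc=example,dc=com"
replogfile      /var/lib/ldap/replog
# One replica line per branch slave; slurpd pushes changes asynchronously,
# so a branch may lag the master for a while after a write.
replica         host=ldap-branch.example.com:389
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=<replicator-password>

# --- Branch slave: /etc/openldap/slapd.conf ---
database        bdb
suffix          "dc=example,dc=com"
# Only slurpd, bound as the replicator DN, may write to the slave.
updatedn        "cn=replicator,dc=example,dc=com"
# Any other write (e.g. Samba changing a machine password) is answered
# with a referral to the master, which Samba follows; when the WAN link
# is down that write simply fails and the client retries later.
updateref       ldap://ldap-hq.example.com
```

To confirm a branch is in sync after a machine password change, compare the account's `sambaPwdLastSet` on the master and the slave with `ldapsearch`; a persistent difference means replication, not Samba, is the problem.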