[Samba] LDAP Master/Slave

John H Terpstra jht at samba.org
Wed Aug 18 22:27:30 GMT 2004


On Wednesday 18 August 2004 16:11, rruegner wrote:
> thats right

I am not sure if I understand what is being said here. Samba should refer 
password changes to the PDC and it should apply the changes to the LDAP 
directory.

- John T.

> regards
>
> Jason C. Waters schrieb:
> > I don't think this is a solution.  If I understand what you were saying,
> > on the BDC I should have this as the passwd backend:
> >
> > passwd backend = ldapsam:"ldaps://ldap.server2 ldaps://ldap.server1"
> >
> > server2 - the BDC and ldap slave which is read only
> > server1 - is the PDC and has the ldap master which users can read/write,
> > so they could update their passwords.
> >
> > If I have it set up this way, the users that are on the other side will never
> > be able to update their passwords, at least on that leg of the VPN.  Or
> > maybe I'm just thinking about this the wrong way.
> >
> > Jason
> >
> > rruegner wrote:
> >> Hi,
> >> if you want your bdc to stay alive in cases
> >> when the vpn breaks, then on your bdc smb.conf
> >> your slave ldap should be the first entry in the passwd backend,
> >> so if the vpn breaks, the slave ldap operates with its last
> >> entries from the master and will give the win clients a chance
> >> to operate just like if the pdc is alive.
> >> If the vpn is up again the ldap should refresh the slave automatically.
> >> But note, a bdc is read only so changes can only be made to the master
> >> ldap on the pdc. So no changes can be made to the domain during the
> >> blackout period.
> >> If you want a fully functional bdc you should also set up user clients'
> >> homes and profiles in your outside ( vpn ) office hosted on the bdc.
> >> ( a separate dhcp server and a bind slave with long-time zone caching
> >> is very useful, too )
> >>
> >> Regards
> >>
> >> Jason C. Waters schrieb:
> >>> Is anyone using this?  My smb.conf file has this line in
> >>> server1(master)
> >>>
> >>> passwd backend = ldapsam:"ldaps://ldap.server1 ldaps://ldap.server2"
> >>>
> >>> and this is what server2(slave ldap, BDC) looks like:
> >>>
> >>> passwd backend = ldapsam:"ldaps://ldap.server1 ldap.server2"
> >>>
> >>> This is what happens.  When I take down server 1's ldap server,
> >>> server2 just starts using its local ldap server.  But if I take down
> >>> the VPN between the two and try the same test, pdbedit -L, it works
> >>> but it takes about 6 seconds for it to time out on server1.  Is this
> >>> normal or do I need to change some DNS setting?  Thanks for your help.
> >>>
> >>> Jason

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
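The thread above turns on two things: the order of the LDAP URIs in the backend string (Samba's libldap tries them left to right, so a dead first entry is paid for on every lookup), and how long a connect to an unreachable master takes to fail when the VPN is down. The following script is an added example, not code from the list posters or from the Samba project. It reads the "passdb backend" line (that is the parameter's spelling in smb.conf(5); the quoted mails write "passwd backend") and the "ldap timeout" value from an smb.conf fragment, then TCP-probes each replica in the listed order and reports whether it answered and how many seconds the attempt took, so an operator can see which entry should come first on a BDC and how long a lost VPN link stalls lookups. The host names in the embedded configuration are constructed placeholders, and the probe only checks TCP reachability, not an LDAP bind.

```python
import re
import socket
import time
from urllib.parse import urlsplit

# Constructed smb.conf fragment for a BDC, following the advice in the thread:
# the local read-only slave comes first so authentication keeps working while
# the VPN is down, and the master (needed for writes such as password changes)
# comes second. Host names are placeholders, not hosts from the original mail.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:"ldaps://ldap.bdc.example ldaps://ldap.pdc.example"
    ldap timeout = 5
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_passdb_uris(conf_text):
    """Return the LDAP URIs from a 'passdb backend = ldapsam:"..."' line, in order."""
    m = re.search(r'^\s*passdb\s+backend\s*=\s*ldapsam:"?([^"\n]*)"?',
                  conf_text, re.M | re.I)
    if not m:
        return []
    return m.group(1).split()


def parse_ldap_timeout(conf_text):
    """Return the 'ldap timeout' value in seconds; smb.conf(5) defaults it to 15."""
    m = re.search(r'^\s*ldap\s+timeout\s*=\s*(\d+)', conf_text, re.M | re.I)
    return int(m.group(1)) if m else 15


def uri_endpoint(uri):
    """Split an ldap:// or ldaps:// URI into (host, port), filling in the default port."""
    if "://" not in uri:
        # A bare host name (as in one line of the thread) is not a valid LDAP URI.
        raise ValueError("missing scheme: %s" % uri)
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported LDAP URI: %s" % uri)
    return parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def probe(host, port, timeout):
    """TCP-connect probe; returns (reachable, seconds_elapsed)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - start
    except OSError:
        # Covers DNS failure, connection refused and the connect timeout.
        return False, time.monotonic() - start


def check_failover_order(conf_text, timeout=None):
    """Probe the replicas in the order Samba would try them.

    Returns a list of dicts with the uri, a status of "up", "down" or
    "malformed", and the seconds the attempt took; the elapsed time on a
    "down" first entry is the delay every lookup will see while it is dead."""
    if timeout is None:
        timeout = parse_ldap_timeout(conf_text)
    results = []
    for uri in parse_passdb_uris(conf_text):
        try:
            host, port = uri_endpoint(uri)
        except ValueError:
            results.append({"uri": uri, "status": "malformed", "seconds": 0.0})
            continue
        ok, elapsed = probe(host, port, timeout)
        results.append({"uri": uri, "status": "up" if ok else "down",
                        "seconds": round(elapsed, 2)})
    return results


if __name__ == "__main__":
    for entry in check_failover_order(SAMPLE_SMB_CONF):
        print("%-40s %-9s %6.2fs" % (entry["uri"], entry["status"], entry["seconds"]))
```

Run it on the BDC with its real smb.conf text pasted into SAMPLE_SMB_CONF; if the first entry shows "down" with a multi-second delay, that entry is the remote master and the order should be swapped so the local slave is tried first.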

