[Samba] Re: Multiple DB / fragmented information

Jérôme Fenal jerome.fenal at logicacmg.com
Thu Mar 4 10:58:06 GMT 2004


Hi Lapin(c),

How have you been since our long discussion at Solutions Linux?

Lapin(c) wrote:

> I was exploring a local LDAP solution, as it's for a very large network (1000
> sites / 100000 users) we want a disjunction between local administration for
> machines and global administration for users.

What do you mean by disjunction between local administration and users?

Do you mean:
1. Separation between directory insertion (either user or machine) and 
local PC admin rights:
- class D people can insert machines, as well as users
- class T people can log in to machines as local admin

2. Separation between directory insertion (users inserted by some 
people, machines by others) and local PC admin rights:
- class M people (local support, I guess) can insert local machines, in 
the right ou=site,ou=Computers sub-ou
- class D people can insert users (centrally managed, I guess), and maybe 
  Computers
- class T people (see below).

I guess (read: I think, but not yet investigated further) that it could 
be done, maybe with the help of an LDAP management application and 
carefully crafted LDAP ACLs.
I think that, if using the IdealX scripts, and a different sub-ou 
configuration for these, you may be able to do what you intend to, directly 
using Samba and inserting machines directly from the Windows PC.

> I'll let the tdb solution down anyway

You'd better...

> 
> Thanks
> 
> I'll give feedback on large network architecture as soon as we have finished the
> deployment.
> 
> Andrew Bartlett <abartlet at samba.org>:
> 
> 
>>On Mon, 2004-03-01 at 23:01, Lapin(c) wrote:
>>
>>>Hi,
>>>
>>>I wonder if it's possible to have multiple backends in order to fragment SAM
>>>information. For example, I'd like to have a central LDAP directory for user
>>>authentication purposes but a local tdb format for machine accounts.

What is the size of the biggest site (I bet it is the Lyon one in 
Part-Dieu)? Or maybe the Paris ones.

I guess that machine password traffic (once per week) would not be that 
huge, even on 64 kb/s lines.

>>>
>>>I want to minimize network traffic but still keep a central user account
>>>DB.

Set up a central directory, replicated to each of the 6/10 central sites, or 
maybe to each of your 1000 local sites. This way, authentication would be 
local / not too far away, and machine account password changes will be referred 
to the central directory.

>>
>>>Has anybody tried this kind of config ?

Not yet, but on a much smaller site (600 people).

>>
>>This is a really bad idea.  The network traffic (LDAP lookups) for
>>machine accounts really are minimal.  If you want to reduce network read
>>traffic, you might set up a local LDAP slave.
>>
>>Get your system working, before you try to create a more complex system.

Agreed.

Regards,

Jérôme

-- 
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
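[Editor's added example, not part of Jérôme's message or of any Samba or IdealX script.] The "carefully crafted LDAP ACLs" mentioned above, for the class M / class D split, look roughly like this on the central OpenLDAP server. Everything here is assumed: the suffix dc=example,dc=com, a per-site layout ou=Computers,ou=paris,ou=Sites, the group names classM-paris and classD, the Samba DSA account cn=samba,ou=DSA and the replication account cn=replicator,ou=DSA. The syncprov overlay assumes OpenLDAP 2.3 or later (in 2004 the equivalent job was done by slurpd).

```conf
# Central (provider) slapd.conf  --  added example, all DNs are made up
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/samba.schema     # shipped with Samba 3 (examples/LDAP)

database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
directory  /var/lib/ldap

# Let the site replicas pull and follow this content (OpenLDAP 2.3+).
overlay    syncprov
syncprov-checkpoint 100 10

# --- Access control: the first matching "access to" clause wins, so order matters ---

# 1. Password hashes. The Samba DSA and the central admins (class D) may write
#    them, the replication account may read them (the replicas must be able to
#    authenticate users), everyone may bind with them, nobody else sees them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
  by group.exact="cn=classD,ou=Groups,dc=example,dc=com" write
  by dn.exact="cn=replicator,ou=DSA,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none

# 2. Class M (local support in Paris) may create machine accounts under that
#    site's ou=Computers only. Adding an entry needs write access on the
#    parent's "children" pseudo-attribute AND on the new entry's own subtree.
#    The Samba DSA gets the same rights so a domain join from a Windows PC works.
access to dn.exact="ou=Computers,ou=paris,ou=Sites,dc=example,dc=com" attrs=children
  by group.exact="cn=classM-paris,ou=Groups,dc=example,dc=com" write
  by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
  by * read

access to dn.children="ou=Computers,ou=paris,ou=Sites,dc=example,dc=com"
  by group.exact="cn=classM-paris,ou=Groups,dc=example,dc=com" write
  by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
  by * read
# (one such pair per site; with 1000 sites you will want to generate them)

# 3. Class D (central administration) manages user accounts everywhere.
access to dn.subtree="ou=Users,dc=example,dc=com"
  by group.exact="cn=classD,ou=Groups,dc=example,dc=com" write
  by * read

# 4. Everything else is read-only. Nobody can create computers outside their
#    own site because no earlier clause granted it.
access to *
  by * read
```

The check to run after editing: bind as a class M member of one site and try `ldapadd` of a computer entry under another site's ou=Computers; it must be refused with insufficientAccessRights. Also keep in mind that with this file class T ("local admin on the machine") is not an LDAP right at all; it is a Samba group mapping / local group membership question, so it does not appear in the ACLs.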


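[Editor's added example, not part of Jérôme's message.] For the "replicated to each site, machine account passwords referred to the central directory" setup described in the message, this is what one site replica's slapd.conf could look like. It assumes the same invented DNs as above, a provider host ldap-central.example.com, and syncrepl syntax from OpenLDAP 2.3 or later (the 2004-era tool was slurpd, with the same `updateref` idea).

```conf
# slapd.conf for one site replica (read-only consumer)  --  added example
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/samba.schema

database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
directory  /var/lib/ldap

# Pull the whole directory from the central server and keep following it.
syncrepl rid=001
  provider=ldap://ldap-central.example.com
  type=refreshAndPersist
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,ou=DSA,dc=example,dc=com"
  credentials=REPLACE_WITH_REPLICATOR_PASSWORD   # placeholder
  starttls=critical                               # hashes cross the WAN: do not send them in clear
  retry="60 10 300 +"                             # retry every 60 s ten times, then every 300 s forever

# Any write sent to this replica (e.g. Samba's weekly machine password change)
# is answered with a referral to the central server instead of being applied
# here, so the authoritative copy stays central and only reads are served locally.
updateref ldap://ldap-central.example.com

# Local reads: user lookups are answered here; hashes stay hidden here as well.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" read
  by anonymous auth
  by * none
access to *
  by * read
```

Samba 3 follows that referral on its own when it is pointed at the replica; the `ldap replication sleep` smb.conf parameter exists precisely so it waits for the change to come back from the master before re-reading it. Note that this design puts a copy of every user's NT/LM hash on 1000 site servers, so the physical security of each replica and the TLS on the replication link matter as much as the ACLs.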
