[Samba] Re: Multiple DB / fragmented information
Jérôme Fenal
jerome.fenal at logicacmg.com
Thu Mar 4 10:58:06 GMT 2004
Hi Lapin(c),
How have you been since our long discussion at Solutions Linux?
Lapin(c) wrote:
> I was exploring a local LDAP solution, as it's for a very large network (1000
> sites / 100000 users) we want a disjunction between local administration for
> machines and global administration for users.
What do you mean by disjunction between local administration and users?
Do you mean:
1. Separation between directory insertion (either user or machine) and
local PC admin rights:
- class D people can insert machines, as well as users
- class T people can login to machines as local admin
2. Separation between directory insertion (users inserted by some
people, machines by others) and local PC admin rights:
- class M people (local support I guess) can insert local machines, in
the right ou=site,ou=Computers sub-ou
- class D people can insert users (centrally managed I guess), and maybe
Computers
- class T people (see below).
I guess (read I think, but not yet investigated further) that it could
be done, maybe with the help of LDAP management application and
carefully crafted LDAP ACLs.
I think that, if using IdealX scripts, and a different sub-ou
configuration for these, you may be able to do what you intend to, directly
using Samba and inserting machines directly from the Windows PC.
> I'll let the tdb solution down anyway
You'd better...
>
> Thanks
>
> I'll give a feedback on large network architecture as soon as we have finish the
> deployment.
>
> Andrew Bartlett <abartlet at samba.org>:
>
>
>>On Mon, 2004-03-01 at 23:01, Lapin(c) wrote:
>>
>>>Hi,
>>>
>>>I wonder if it's possible to have multiple backend in order to fragment SAM
>>>information. For example, i'd like to have a central LDAP directory for user
>>>authentication purpose but a local tdb format for Machines accounts.
What is the size of the biggest site (I bet it is the Lyon one in
Part-Dieu)? Or maybe the Paris ones.
I guess that machine password traffic (once per week) would not be that
huge, even on 64kb/s lines.
>>>
>>>I want to minimize network traffic but still keep a central user account DB.
Set up a central directory, replicated to each of the 6/10 central sites, or
maybe to each of your 1000 local sites. This way, authentication would be
local or not too far away, and machine account passwords would be referred to
the central directory.
>>
>>>Has anybody tried this kind of config ?
Not yet, but on a much smaller site (600 people).
>>
>>This is a really bad idea. The network traffic (LDAP lookups) for
>>machine accounts really are minimal. If you want to reduce network read
>>traffic, you might set up a local LDAP slave.
>>
>>Get your system working, before you try to create a more complex system.
Agreed.
Regards,
Jérôme
--
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
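As an added illustration of the "carefully crafted LDAP ACLs" split discussed in this message (this fragment is not from the thread or from the IdealX tools), here is an OpenLDAP slapd.conf access section in which each site's support group (class M) may only add and change machine accounts below its own ou=<site>,ou=Computers branch, while a central group (class D) manages ou=Users and may reset passwords. The suffix dc=example,dc=com, the ou and group names, and the assumption that Samba's ldap admin dn is a member of cn=dir-admins are all constructed for the example.

```conf
# Assumed layout (constructed for this example, not from the thread):
#   ou=Users,dc=example,dc=com                  central user accounts (class D)
#   ou=<site>,ou=Computers,dc=example,dc=com    one machine sub-ou per site
#   cn=<site>-support,ou=Groups,dc=example,dc=com   class M, local support
#   cn=dir-admins,ou=Groups,dc=example,dc=com       class D, central admins;
#                                   Samba's "ldap admin dn" is assumed a member.
# slapd evaluates "access to" clauses in order, first match wins, so the
# password rule comes first and is never overridden by the dn-based rules.

# Password hashes: owner may change, central admins may reset, nobody else reads.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by group.exact="cn=dir-admins,ou=Groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Machine accounts: $2 is the site name captured from the entry DN, so
# cn=lyon-support can write only below ou=lyon,ou=Computers.  The optional
# leading "(cn=[^,]+,)?" lets the rule cover the ou=<site> entry itself.
access to dn.regex="^(cn=[^,]+,)?ou=([^,]+),ou=Computers,dc=example,dc=com$"
    by group.exact,expand="cn=$2-support,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=dir-admins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# User accounts: central directory admins only; everyone authenticated may read.
access to dn.subtree="ou=Users,dc=example,dc=com"
    by group.exact="cn=dir-admins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# Everything else (groups, site ous, idmap) is read-only for authenticated binds.
access to *
    by users read
    by * none
```

If the site sub-ous are served by a local replica, these rules belong on the master; the replica should refer writes back to it (updateref) so the ACL is enforced in one place.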