[Samba] Samba and LDAP backend - howto docs problems?
minfrin at sharp.fm
Wed Mar 10 18:33:39 GMT 2004
John H Terpstra wrote:
> We feel your learning curve pain with you. How can we solve this? What
> specifically should be done to eliminate the pain? Who should do this and
"Simplify simply simplify" - Henry David Thoreau.
> You are assuming that Samba only needs to work with OpenLDAP.
[root at dungeon root]# rpm -q -f /etc/ldap.conf
The config file to which I refer is part of nss_ldap, and has nothing to
do with OpenLDAP whatsoever.
> You are also
> assuming that ALL OpenLDAP configurations use the same directory
> structure. Too many assumptions. How can we implement a universal
> solution? What must we do to arrive at nirvana?
1) Eliminate the duplication through the use of sensible defaults.
A sensible default for most of the LDAP setup is to read it from
/etc/ldap.conf, or wherever else this file lives on other platforms.
If Samba has a dependancy on nss_ldap, it makes sense to use the
information in nss_ldap's config files.
2) Have sensible config files
None of the ldap config directives appear in the default smb.conf file
as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So
to set up LDAP, it's off to the HOWTO.
Much of the setup pain can be largely reduced if config directives lived
in the config file commented out, ready to be put into action if the
admin so wanted, along with some sensible comments exaplining what each
An example of such a config appears in the HOWTO, but it's incomplete,
as it excludes any mention of the "add * script" parameters. The first
time I heard they existed was when you asked if I had set them up on
>>And you are assuming they are different. Why should the system be any
>>more complex than it needs to be?
> That is an administrator decision that Samba can not impose.
Samba need not impose, but through a sensible default, it can suggest a
I find it very frustrating when I get to configure some software and it
tells me "so what would you like to do?". Being a new user of that
software, my most sensible answer is "what would you recommend I do?".
To which the software replies "anything at all, I can do anything at all".
Samba + LDAP is usually practically deployed with a third party LDAP
maintenance package. If a suggested layout for the LDAP server existed
that made it easier for the maintenance package and Samba to be looking
in the same place for things, it would save the administrator a lot of
time. Yes, I would like the rope to be able to change my mind, if I
didn't agree with the layout of the directory by default, however I want
at least a suggested default layout so I can start with something.
> And every constraint we put into Samba results in feedback that we just
> lost another user site because we have tightened the noose. This is open
> source software. We try NOT to limit the usability of Samba.
How many sites has Samba lost simply because the admin couldn't get
their head around the software in a reasonable amount of time? There are
other solutions available in the marketplace, with their own advantages
> Then suggest a better solution please.
1) Sensible defaults
2) Elimination of duplicated config where possible, with the option to
override this behaviour if the admin needs to
3) Elimination of hacks to add users, instead having a proper user
adding component built into Samba, that can be enabled if needed.
4) Be consistent. The default LDAP layoput for Samba in the HOWTO, and
the default layout for smbldap-tools do not seem to be the same (though
my perl is bad, so I'm not sure).
More information about the samba