[Samba] Samba and LDAP backend - howto docs problems?

Graham Leggett minfrin at sharp.fm
Wed Mar 10 18:33:39 GMT 2004

John H Terpstra wrote:

> We feel your learning curve pain with you. How can we solve this? What
> specifically should be done to eliminate the pain? Who should do this and
> how?

"Simplify simply simplify" - Henry David Thoreau.

> You are assuming that Samba only needs to work with OpenLDAP.

Not so:

[root@dungeon root]# rpm -q -f /etc/ldap.conf

The config file to which I refer is part of nss_ldap, and has nothing to 
do with OpenLDAP whatsoever.

> You are also
> assuming that ALL OpenLDAP configurations use the same directory
> structure. Too many assumptions. How can we implement a universal
> solution? What must we do to arrive at nirvana?

1) Eliminate the duplication through the use of sensible defaults.

A sensible default for most of the LDAP setup is to read it from 
/etc/ldap.conf, or wherever else this file lives on other platforms.

If Samba has a dependency on nss_ldap, it makes sense to use the 
information in nss_ldap's config files.

2) Have sensible config files

None of the ldap config directives appear in the default smb.conf file 
as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So 
to set up LDAP, it's off to the HOWTO.

Much of the setup pain can be largely reduced if config directives lived 
in the config file commented out, ready to be put into action if the 
admin so wanted, along with some sensible comments explaining what each 
one does.

An example of such a config appears in the HOWTO, but it's incomplete, 
as it excludes any mention of the "add * script" parameters. The first 
time I heard they existed was when you asked if I had set them up on 
this list.

>>And you are assuming they are different. Why should the system be any
>>more complex than it needs to be?

> That is an administrator decision that Samba can not impose.

Samba need not impose, but through a sensible default, it can suggest a 
recommended configuration.

I find it very frustrating when I get to configure some software and it 
tells me "so what would you like to do?". Being a new user of that 
software, my most sensible answer is "what would you recommend I do?". 
To which the software replies "anything at all, I can do anything at all".

Samba + LDAP is usually practically deployed with a third party LDAP 
maintenance package. If a suggested layout for the LDAP server existed 
that made it easier for the maintenance package and Samba to be looking 
in the same place for things, it would save the administrator a lot of 
time. Yes, I would like the rope to be able to change my mind, if I 
didn't agree with the layout of the directory by default, however I want 
at least a suggested default layout so I can start with something.

> And every constraint we put into Samba results in feedback that we just
> lost another user site because we have tightened the noose. This is open
> source software. We try NOT to limit the usability of Samba.

How many sites has Samba lost simply because the admin couldn't get 
their head around the software in a reasonable amount of time? There are 
other solutions available in the marketplace, with their own advantages 
and disadvantages.

> Then suggest a better solution please.

1) Sensible defaults
2) Elimination of duplicated config where possible, with the option to 
override this behaviour if the admin needs to
3) Elimination of hacks to add users, instead having a proper user 
adding component built into Samba, that can be enabled if needed.
4) Be consistent. The default LDAP layout for Samba in the HOWTO, and 
the default layout for smbldap-tools do not seem to be the same (though 
my perl is bad, so I'm not sure).

