[Samba] Samba and LDAP backend - howto docs problems?

Craig White craigwhite at azapple.com
Thu Mar 11 04:48:31 GMT 2004

On Wed, 2004-03-10 at 11:33, Graham Leggett wrote:
> John H Terpstra wrote:
> > We feel your learning curve pain with you. How can we solve this? What
> > specifically should be done to eliminate the pain? Who should do this and
> > how?
> "Simplify simply simplify" - Henry David Thoreau.
> > You are assuming that Samba only needs to work with OpenLDAP.
> Not so:
> [root at dungeon root]# rpm -q -f /etc/ldap.conf
> nss_ldap-207-5
> The config file to which I refer is part of nss_ldap, and has nothing to 
> do with OpenLDAP whatsoever.
> > You are also
> > assuming that ALL OpenLDAP configurations use the same directory
> > structure. Too many assumptions. How can we implement a universal
> > solution? What must we do to arrive at nirvana?
> 1) Eliminate the duplication through the use of sensible defaults.
> A sensible default for most of the LDAP setup is to read it from 
> /etc/ldap.conf, or wherever else this file lives on other platforms.
> If Samba has a dependency on nss_ldap, it makes sense to use the 
> information in nss_ldap's config files.
> 2) Have sensible config files
> None of the ldap config directives appear in the default smb.conf file 
> as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So 
> to set up LDAP, it's off to the HOWTO.
> Much of the setup pain can be largely reduced if config directives lived 
> in the config file commented out, ready to be put into action if the 
> admin so wanted, along with some sensible comments explaining what each 
> one does.
> An example of such a config appears in the HOWTO, but it's incomplete, 
> as it excludes any mention of the "add * script" parameters. The first 
> time I heard they existed was when you asked if I had set them up on 
> this list.
> >>And you are assuming they are different. Why should the system be any
> >>more complex than it needs to be?
> > That is an administrator decision that Samba can not impose.
> Samba need not impose, but through a sensible default, it can suggest a 
> recommended configuration.
> I find it very frustrating when I get to configure some software and it 
> tells me "so what would you like to do?". Being a new user of that 
> software, my most sensible answer is "what would you recommend I do?". 
> To which the software replies "anything at all, I can do anything at all".
> Samba + LDAP is usually practically deployed with a third party LDAP 
> maintenance package. If a suggested layout for the LDAP server existed 
> that made it easier for the maintenance package and Samba to be looking 
> in the same place for things, it would save the administrator a lot of 
> time. Yes, I would like the rope to be able to change my mind, if I 
> didn't agree with the layout of the directory by default, however I want 
> at least a suggested default layout so I can start with something.
> > And every constraint we put into Samba results in feedback that we just
> > lost another user site because we have tightened the noose. This is open
> > source software. We try NOT to limit the usability of Samba.
> How many sites has Samba lost simply because the admin couldn't get 
> their head around the software in a reasonable amount of time? There are 
> other solutions available in the marketplace, with their own advantages 
> and disadvantages.
> > Then suggest a better solution please.
> 1) Sensible defaults
> 2) Elimination of duplicated config where possible, with the option to 
> override this behaviour if the admin needs to
> 3) Elimination of hacks to add users, instead having a proper user 
> adding component built into Samba, that can be enabled if needed.
> 4) Be consistent. The default LDAP layout for Samba in the HOWTO, and 
> the default layout for smbldap-tools do not seem to be the same (though 
> my perl is bad, so I'm not sure).
I can tell by the volume of your messages that you feel that you have a
message worthy of delivery but I don't agree. You have bundled a lot of
your frustration with learning LDAP into Samba and Samba doesn't require
you to use LDAP at all.

If you used smbpasswd or tdb backend, you wouldn't be going through this
at all. I am amazed that I stupidly thought the same things that you
did...that I pretty much already knew samba 2.2x and that the changes in
3.0 would be minimal and all I needed was to get LDAP working with
samba. But LDAP is far more of a beast than I had ever dreamed and even
though it appears to be much of the same, samba 3 was a tremendous
upgrade to 2.2x - That meant all the things I assumed to be manageable
were not skills easily acquired at all. Finally, I took a week or so out
to learn LDAP and get that set up and authenticating before I worried
about integrating with Samba. I can't imagine many people having much
success trying to get both up and running simultaneously. I am presuming
that you are suffering from your own realistic expectations as I had to
suffer mine.

LDAP is an incredibly flexible, powerful and potent tool but it is not
easily mastered - not with openldap, not with SunOne, not with Windows.
The expectation in all things LDAP is that the system administrator will
take great pains to have a working system, a reasonably good
understanding of ACLs for security, a plan for maintaining
interactivity with the underlying authentication systems and the
wherewithal to stitch LDAP together with other software that may
require sips from the LDAP fountain. If you want easy, if you want total
consistency so someone without knowledge can follow your footsteps 6
months from now, you should be implementing Windows.

smbldap tools isn't part of the samba software package, I believe you
know this now so your criticism of the lack of documentation in the
samba package was off base. A system administrator with knowledge of
LDAP would understand that and most will write their own scripts because
if there's one thing that's certain about LDAP implementations, there
isn't much that is standard.

Had you had a working knowledge of LDAP, your criticisms might be of
some value but in light of the fact that you really want to vent about
LDAP and how it integrates, its meaning is lost on this samba message
base. You don't need to use LDAP to use Samba, in fact, the other
backends (omitting sql for this discussion), will be much simpler and
probably more to your liking.

Your last bit of frustration about the consistency (or lack thereof)
between smbldap-tools, smb.conf, ldap.conf is really more about your
distro (RH AS 3) as they have configured the defaults (or failed to
consider is probably more likely the explanation). I understand this
because I am using it too - and while this was part of my early
confusion, once I understood how all these things worked, it really
didn't matter. So in the end, the problem was the amount I was trying to
accomplish with my limited understanding of LDAP - I solved that problem
and you can too.

Some people light a candle and some curse the darkness.
