[Samba] Samba and LDAP backend - howto docs problems?
John H Terpstra
jht at samba.org
Thu Mar 11 06:02:15 GMT 2004
Thanks for your well thought out illumination on this. Your comments are
I must confess that I was out to draw out from our users what their
experience and frustrations are. As you know, I encourage feedback.
Feedback demonstrates how users approach the problem of digging themselves
out of a dark hole.
While we are in a hole, there is no light and all logic escapes us.
Because we do not understand the right terms yet, we cannot find anything
that we might be looking for. Disparate software applications that are
completely unrelated and do not work the way we want appear to violate
our sense of justice. In the end we want to get even with the foolhardy
critters that wrote the software.
One user wrote to me claiming that Samba is the first open source
application that forces its users to use LDAP. Well, you know that is not
true. LDAP seems like the right thing to replace MS Active Directory so
that proves that you need LDAP - so the thinking goes.
So in wrapping up, here is what I have learned from the feedback:
1. There is a need for two types of information:
- Purely informative about HOW something works
- Purely example of how to implement a solution
2. Example implementation information needs to be painfully clear and
3. Just sending configuration files can actually aggravate someone's
problem. Example configuration files must be sent with clear "Do this,
then this, then this ..." type guidance.
4. One of the most important aspects of a book is the Index at the rear of
I hope that "Samba-3 by Example" will meet with more positive approval as
a result of implementing the lessons learned from feedback.
Now so far as changes to how Samba works goes, the forums for making any
points for adoption in Samba are:
a) The Samba-Technical mailing list (samba-technical at samba.org)
b) The #samba-technical IRC channel
c) Bug reports to https://bugzilla.samba.org
Oh, before I forget: If you absolutely want someone to seriously consider
your recommendations/bug report/complaints - Bugzilla is your vehicle.
Craig, again thanks for crystallizing the issues.
On Wed, 10 Mar 2004, Craig White wrote:
> I can tell by the volume of your messages that you feel that you have a
> message worthy of delivery but I don't agree. You have bundled a lot of
> your frustration with learning LDAP into Samba and Samba doesn't require
> you to use LDAP at all.
> If you used smbpasswd or tdb backend, you wouldn't be going through this
> at all. I am amazed that I stupidly thought the same things that you
> did...that I pretty much already knew samba 2.2x and that the changes in
> 3.0 would be minimal and all I needed was to get LDAP working with
> samba. But LDAP is far more of a beast than I had ever dreamed and even
> though it appears to be much of the same, samba 3 was a tremendous
> upgrade to 2.2x - That meant all the things I assumed to be manageable
> were not skills easily acquired at all. Finally, I took a week or so out
> to learn LDAP and get that set up and authenticating before I worried
> about integrating with Samba. I can't imagine many people having much
> success trying to get both up and running simultaneously. I am presuming
> that you are suffering from your own realistic expectations as I had to
> suffer mine.
> LDAP is an incredibly flexible, powerful and potent tool but it is not
> easily mastered - not with openldap, not with SunOne, not with Windows.
> The expectation in all things LDAP is that the system administrator will
> take great pains to have a working system, a reasonably good
> understanding of ACLs for security, a plan for maintaining
> interactivity with the underlying authentication systems and the
> wherewithal to stitch LDAP together with other software that may
> require sips from the LDAP fountain. If you want easy, if you want total
> consistency so someone without knowledge can follow your footsteps 6
> months from now, you should be implementing Windows.
> smbldap tools isn't part of the samba software package, I believe you
> know this now so your criticism of the lack of documentation in the
> samba package was off base. A system administrator with knowledge of
> LDAP would understand that and most will write their own scripts because
> if there's one thing that's certain about LDAP implementations, there
> isn't much that is standard.
> Had you had a working knowledge of LDAP, your criticisms might be of
> some value but in light of the fact that you really want to vent about
> LDAP and how it integrates, its meaning is lost on this samba message
> base. You don't need to use LDAP to use Samba, in fact, the other
> backends (omitting sql for this discussion), will be much simpler and
> probably more to your liking.
> Your last bit of frustration about the consistency (or lack thereof)
> between smbldap-tools, smb.conf, ldap.conf is really more about your
> distro (RH AS 3) as they have configured the defaults (or failed to
> consider is probably more likely the explanation). I understand this
> because I am using it too - and while this was part of my early
> confusion, once I understood how all these things worked, it really
> didn't matter. So in the end, the problem was the amount I was trying to
> accomplish with my limited understanding of LDAP - I solved that problem
> and you can too.
> Some people light a candle and some curse the darkness.
John H Terpstra
Email: jht at samba.org