[Samba] Scaleable LDAP Backends for Samba;
Domain Controllers group access
Jim C.
jcllings at javahop.com
Sun Oct 3 19:41:31 GMT 2004
OK, just went through the research on how to set up scalable LDAP
backends. By scaleable I mean without having Samba use the root dn to
access ldap. This way, if you are going through the logs, you will be
able to tell which domain controller is doing what.
As far as I know, it *HAS* to be done this way because the posixGroup
schema is way out of date (it won't take a dn as a member). This info
according to the gurus on the OpenLDAP list. In effect we have to keep a
duplicate set of group records for those that will have access to the
database. For example, if you want to give group based access to a group
like "Domain Controllers", you would have to keep a duplicate record
using a different objectClass.
Oh, yes and if you know a better way, I am always looking for better
ways to get things done. :-)
How I did it was like this:
1. I set up a new OU called "Access Groups".
2. I created a new groupOfNames object in that OU called "Domain
Controllers". For the "member" attribute, use the dn of the host record
for your primary DC.
3. Using gq, I added simpleSecurityObject to the host record so that it
would have a password. Note: Probably can't use the machine account
instead due to some rather complex password issues.
4. I set the password by pasting the results of the following command
into the userPassword attribute:
[root at massive openldap]$ read -sp "Enter password to be used:"
pw;echo;slappasswd -s $pw;unset pw
Enter password to be used:
{SSHA}4FMerwu0qcafPYXwxlpTxuRcdtTTvZN6
[root at massive openldap]$
5. I verified that I had a proper set of ACLs by using "slapd -t" to
test them. That way you don't have to restart to find out if they are
bad. You also need a line like the following to each Access clause:
by group="cn=Domain Controllers,ou=Access Groups,$2" write
6. Group access can now be had by placing the dn of the controller's
host record (which must have a simpleSecurityObject) in the member
attribute of the new groupOfNames group called "Domain Controllers".
To add more controllers, just create a new host record, add
simpleSecurityObject to it, and add the dn of that host record as a
member of the groupOfNames group called "Domain Controllers".
More details at:
http://mandrake.vmlinuz.ca/bin/view/Main/SambaThreeDomainController#OpenLDAP_Structural_Adjustments
Jim C.
--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings at hotmail.com AIM: WyteLi0n ICQ: 123291844 |
|---------------------------------------------------------------|
| Y!: j_c_llings Jabber: jcllings at njs.netlab.cz |
-----------------------------------------------------------------
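The structure Jim describes in steps 1-6, written out as an added example that is not part of the original post: the LDIF for the "Access Groups" OU, the groupOfNames entry and the simpleSecurityObject/userPassword additions to the PDC host record, a slapd.conf access fragment carrying the "by group" line, and a small lint that checks every access clause has that line before you run "slapd -t". It assumes the suffix dc=example,dc=com and a host record cn=pdc1,ou=Hosts,dc=example,dc=com; the {SSHA} value is whatever slappasswd -s printed in step 4.

```shell
# Added example, not from the original post. Assumes suffix dc=example,dc=com and
# PDC host record cn=pdc1,ou=Hosts,... ; load with: ldapmodify -a -x -D <rootdn> -W -f access.ldif
set -eu
SUFFIX="dc=example,dc=com"
PDC_DN="cn=pdc1,ou=Hosts,$SUFFIX"
GROUP_DN="cn=Domain Controllers,ou=Access Groups,$SUFFIX"
# Steps 1-4: OU, groupOfNames with the PDC host record as member, and
# simpleSecurityObject + userPassword (an {SSHA} hash from slappasswd -s) on that record.
write_access_ldif() {
    out=$1; pwhash=$2
    cat > "$out" <<EOF
dn: ou=Access Groups,$SUFFIX
objectClass: organizationalUnit
ou: Access Groups

dn: $GROUP_DN
objectClass: groupOfNames
cn: Domain Controllers
member: $PDC_DN

dn: $PDC_DN
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: $pwhash
EOF
}
# Step 5: slapd.conf fragment. Every access clause carries the "by group" line;
# the post's "$2" is a regex capture of the suffix, a literal suffix is used here.
write_acl_fragment() {
    cat > "$1" <<EOF
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by group="$GROUP_DN" write
    by self write
    by anonymous auth
    by * none
access to *
    by group="$GROUP_DN" write
    by * read
EOF
}
# Lint before "slapd -t": fail if any access clause lacks the group grant.
acl_clauses_have_group() {
    clauses=$(grep -c '^access to' "$1" || true)
    grants=$(grep -c "by group=\"$GROUP_DN\" write" "$1" || true)
    [ "$clauses" -gt 0 ] && [ "$clauses" -eq "$grants" ]
}
```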