Deryck Hodge wrote:
> Gerald (Jerry) Carter wrote:
>>>Should we create a list of LDAP management tools that support
>>>the Samba schema?  For example, LAM & phpLdapAdmin.
> Sounds like a fine idea to me.  I probably need to do a bit of website
> reorganization so that tools, i.e. GUIs, LDAP management, etc., are easier
> to find.  I'll think through the best way to handle this.

One idea: it would be nice to have a site where information about
"LDAP account database best practice" could be collected.

There are so many books (Jerry: I like your "LDAP System Administration"
very much ;-), HOWTOs, tips, emails etc. out there but I always have the
impression that the "least common denominator" about several significant
decisions is very low. Not to mention that many tips and HOWTOs even
contradict each other or are outdated (It's a fast developing area!)

An (incomplete) list of those "best practice" topics might include:

* overall layout of LDAP tree
  Deep or shallow? What ou should be there?
* how to store passwords
  cleartext? crypt? SSHA? MD5? What are the pros and cons?
* where to store machine trust accounts?
  Should you sub-structure your accounts ou or not?
* use DSA for NSS, PAM, Samba, Radius, replication, etc.?
  pros? cons? Impact on ACL?
* Where to store the sambaDomainName entry?
  (directly at the tree root or use your own ou?)
* best way on how to configure your ACL
* Which tools should one use to change user passwords?
  smbldap tools? Web GUI? PAM with pam_ldap?


Decisions on all of these topics have impact on the way
each subsystem has to be configured and on how they all
work together.

Of course over the years I have developed a structure I
like best, but this is not to say it _is_ the best (under
any metrics you might imagine).

One should also take into account that different LDAP
administration tools might more or less enforce a specific
way of how to set up your LDAP database, which is the link
I see between the list of LDAP system admin tools and a
"LDAP account database best practice" info site.

> Meanwhile, can others chime in with their favorite LDAP tools?
I use GOSA on several installations and I like it!


