[Samba] Re: LDAP account management tools?

Craig White craigwhite at azapple.com
Wed Dec 14 19:17:10 GMT 2005


On Wed, 2005-12-14 at 18:29 +0100, Andreas Haumer wrote:
> Hi!
> 
> Deryck Hodge wrote:
> > Gerald (Jerry) Carter wrote:
> > 
> >>>Deryck,
> >>>
> >>>Should we create a list of LDAP management tools that support
> >>>the Samba schema?  For example, LAM & phpLdapAdmin.
> >>>
> >>>http://lam.sf.net/
> >>>http://phpldapadmin.sf.net/
> >>>
> > 
> > 
> > Sounds like a fine idea to me.  I probably need to do a bit of website
> > reorganization so that tools, i.e. GUIs, LDAP management, etc., are easier
> > to find.  I'll think through the best way to handle this.
> > 
> 
> One idea: it would be nice to have a site where infos about
> "LDAP account database best practice" could be collected.
> 
> There are so many books (Jerry: I like your "LDAP System Administration"
> very much ;-), HOWTOs, tips, emails etc. out there but I always have the
> impression that the "least common denominator" about several significant
> decisions is very low. Not to mention that many tips and HOWTOs even
> contradict each other or are outdated (It's a fast developing area!)
> 
> An (incomplete) list of those "best practice" topics might include:
> 
> * overall layout of LDAP tree
>   Deep or shallow? What ou should be there?
----
not really a samba issue
----
> * how to store passwords
>   cleartext? crypt? SSHA? MD5? What are the pros and cons?
----
not really a samba issue
----
> * where to store machine trust accounts?
>   Should you sub-structure your accounts ou or not?
> * use DSA for NSS, PAM, Samba, Radius, replication, etc.?
>   pros? cons? Impact on ACL?
> * Where to store the sambaDomainName entry?
>   (directly at the tree root or use your own ou?)
> * best way on how to configure your ACL
> * Which tools should one use to change user passwords?
>   smbldap tools? Web GUI? PAM with pam_ldap?
----
Methinks that the future samba wiki might be a good place for this
----
> 
> etc.
> 
> Decisions on all of these topics have impact on the way
> each subsystem has to be configured and on how they all
> work together.
> 
> Of course over the years I have developed a structure I
> like best, but this is not to say it _is_ the best (under
> any metrics you might imagine).
> 
> One should also take into account that different LDAP
> administration tools might more or less enforce a specific
> way of how to set up your LDAP database, which is the link
> I see between the list of LDAP system admin tools and a
> "LDAP account database best practice" info site.
> 
> > Meanwhile, can others chime in with their favorite LDAP tools?
> > 
> I use GOSA on several installations and I like it!
> <http://oss.gonicus.de/gosa/index.php/Main_Page>
> 
----
Thanks

Craig


