[Samba] Re: LDAP account management tools?
craigwhite at azapple.com
Wed Dec 14 19:17:10 GMT 2005
On Wed, 2005-12-14 at 18:29 +0100, Andreas Haumer wrote:
> Deryck Hodge wrote:
> > Gerald (Jerry) Carter wrote:
> >>>Should we create a list of LDAP management tools that support
> >>>the Samba schema? For example, LAM & phpLdapAdmin.
> > Sounds like a fine idea to me. I probably need to do a bit of website
> > reorganization so that tools, i.e. GUIs, LDAP management, etc., are easier
> > to find. I'll think through the best way to handle this.
> One idea: it would be nice to have a site where information about
> "LDAP account database best practice" could be collected.
> There are so many books (Jerry: I like your "LDAP System Administration"
> very much ;-), HOWTOs, tips, emails etc. out there but I always have the
> impression that the "least common denominator" about several significant
> decisions is very low. Not to mention that many tips and HOWTOs even
> contradict each other or are outdated (It's a fast developing area!)
> An (incomplete) list of those "best practice" topics might include:
> * overall layout of LDAP tree
> Deep or shallow? What ou should be there?
not really a samba issue
> * how to store passwords
> cleartext? crypt? SSHA? MD5? What are the pros and cons?
not really a samba issue
> * where to store machine trust accounts?
> Should you sub-structure your accounts ou or not?
> * use DSA for NSS, PAM, Samba, Radius, replication, etc.?
> pros? cons? Impact on ACL?
> * Where to store the sambaDomainName entry?
> (directly at the tree root or use your own ou?)
> * best way on how to configure your ACL
> * Which tools should one use to change user passwords?
> smbldap tools? Web GUI? PAM with pam_ldap?
Methinks that the future samba wiki might be a good place for this
> Decisions on all of these topics have impact on the way
> each subsystem has to be configured and on how they all
> work together.
> Of course over the years I have developed a structure I
> like best, but this is not to say it _is_ the best (under
> any metrics you might imagine).
> One should also take into account that different LDAP
> administration tools might more or less enforce a specific
> way of how to set up your LDAP database, which is the link
> I see between the list of LDAP system admin tools and a
> "LDAP account database best practice" info site.
> > Meanwhile, can others chime in with their favorite LDAP tools?
> I use GOSA on several installations and I like it!