[Samba] Re: LDAP account management tools?

Craig White craigwhite at azapple.com
Thu Dec 15 01:54:39 GMT 2005


On Wed, 2005-12-14 at 21:52 +0100, Andreas Haumer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi!
> 
> Craig White schrieb:
> > On Wed, 2005-12-14 at 18:29 +0100, Andreas Haumer wrote:
> > 
> [...]
> >>
> >>An (incomplete) list of those "best practice" topics might include:
> >>
> >>* overall layout of LDAP tree
> >>  Deep or shallow? What ou should be there?
> > 
> > ----
> > not really a samba issue
> > ----
> > 
> >>* how to store passwords
> >>  cleartext? crypt? SSHA? MD5? What are the pros and cons?
> > 
> > ----
> > not really a samba issue
> > ----
> > 
> 
> Agreed, but still these decisions have to be made if a
> LDAP database is to be set up and used as system
> account database, with or without Samba.
> 
> And for me (and I'm sure for many others, too) Samba
> (read: the release of Samba3 with much improved LDAP
> support) was the main reason to dive into the universe
> of LDAP directories and account databases.
----
don't stop there - LDAP offers much more than just account management
for posixAccounts and sambaSamAccounts.
----
> 
> >>* where to store machine trust accounts?
> >>  Should you sub-structure your accounts ou or not?
> >>* use DSA for NSS, PAM, Samba, Radius, replication, etc.?
> >>  pros? cons? Impact on ACL?
> >>* Where to store the sambaDomainName entry?
> >>  (directly at the tree root or use your own ou?)
> >>* best way on how to configure your ACL
> >>* Which tools should one use to change user passwords?
> >>  smbldap tools? Web GUI? PAM with pam_ldap?
> > 
> > ----
> > Methinks that the future samba wiki might be a good place for this
> > ----
> > 
> I agree.
> 
> This even might be sort of a "standardisation driving force"
> for LDAP system account database structure. Currently there
> doesn't seem to exist such standard (apart from very basic
> things)
----
The problem with this is that, right from the base, everybody's structure
is going to be different. What works for a small company isn't going to
work for a medium-size company, which isn't even going to slightly
resemble what the DIT would look like for a big company.

LDAP is by nature not designed to have a specific shape or style
(standardization as you put it) and if you are constrained into thinking
that the structure is to be dictated by Samba (as proxy for Microsoft),
then you probably ought to just use Microsoft AD as they have already
configured the parts they are interested in. For the record, Microsoft
didn't create LDAP. I am continually finding more uses for LDAP and
those have nothing to do with Samba at all. 

Craig
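Of the "best practice" items quoted above, the one about how to store passwords (cleartext? crypt? SSHA? MD5?) is the one worth seeing concretely. The following is an added example written for this page, not code from the thread, from Samba or from OpenLDAP. It builds and verifies userPassword values in the {SHA}, {SSHA}, {MD5} and {SMD5} encodings OpenLDAP uses (base64 of the digest followed by the salt), and shows the property that settles the question: the unsalted schemes produce the identical string for every user who picks the same password. The 8-byte salt length, the sample password and the function names are my assumptions; {CRYPT} is left to crypt(3) and not handled.

```python
import base64
import hashlib
import hmac
import os

# userPassword schemes handled here: digest algorithm and whether a salt is
# appended.  OpenLDAP encodes them as '{SCHEME}base64(digest || salt)'.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def make_hash(password, scheme="SSHA", salt=None):
    """Build a userPassword value.  Salted schemes get a random 8-byte salt
    unless one is given (8 is an assumed size; the format allows any length).
    Unsalted schemes ignore the salt argument."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_stored(stored):
    """Split a stored value into (scheme, digest, salt); None if the value is
    not one of the hashed schemes above (e.g. cleartext or {CRYPT}) or is
    malformed."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return None
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return None
    return scheme, digest, salt


def check_password(password, stored):
    """Verify a candidate password against a stored userPassword value.
    A value with no scheme prefix is taken as cleartext, which OpenLDAP
    permits but which hands every password to anyone who can read the
    attribute.  Comparison is constant-time in both branches."""
    parsed = parse_stored(stored)
    if parsed is None:
        if stored.startswith("{"):
            return False  # unsupported or malformed scheme
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, digest, salt = parsed
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def repeats_for_same_password(password, scheme):
    """True when two independent hashes of the same password are identical:
    the scheme is unsalted, so one precomputed table cracks every user and
    equal hashes reveal which accounts share a password."""
    return make_hash(password, scheme) == make_hash(password, scheme)


if __name__ == "__main__":
    pw = "s3cret"  # constructed sample password
    for name in SCHEMES:
        print(name, make_hash(pw, name), "repeats:", repeats_for_same_password(pw, name))
```

Run it and the two unsalted schemes print "repeats: True" while {SSHA} and {SMD5} print a different string each time. Whatever is picked for userPassword, note that a sambaSamAccount also carries sambaNTPassword, which is an unsalted NT hash and is password-equivalent for NTLM authentication; so the "Impact on ACL" item above has a concrete answer: the ACL has to deny read of userPassword, sambaNTPassword and sambaLMPassword to everyone except the account itself and the DN Samba binds as.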