[Samba] Re: LDAP account management tools?
andreas at xss.co.at
Thu Dec 15 11:32:09 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Craig White schrieb:
> On Wed, 2005-12-14 at 21:52 +0100, Andreas Haumer wrote:
>>And for me (and I'm sure for many others, too) Samba
>>(read: the release of Samba3 with much improved LDAP
>>support) was the main reason to deep into the universe
>>of LDAP directories and account databases.
> don't stop there - LDAP offers much more than just account management
> for posixAccounts and sambaSamAccounts.
True. I did never claim the opposite :-)
>>This even might be sort of a "standardisation driving force"
>>for LDAP system account database structure. Currently there
>>doesn't seem to exist such standard (apart from very basic
> The problem with this is right from the base, everybody's structure is
> going to be different. What works for a small company isn't going to
> work for a medium size company which isn't even going to slightly
> resemble what the DIT would look like for a big company.
I don't agree here, or at least I don't agree with the
implications this statement has.
a) If everybody's structure really is different, IMHO we have
something fundamentally wrong. It would also be a nightmare
for maintainers of LDAP client software like Samba and others.
It is also not true even now: There _are_ similar concepts used
in all HOWTOs, books etc. about LDAP , but at a (IMHO) low level
and there is much room for improvement.
b) From my experience (I have set up dozends of Linux File/Printer/
Mail/VPN/etc. servers using LDAP account databases for small and
medium sized companies) a standardized LDAP database structure
_does_ fit systems from a few to, let's say, several hundert users,
from the typical single-server-small-office-network to the larger
network with dozends of servers and many services distributed over
several locations and several departments. It took me quite some
time to put together the LDAP database structure, all the tools
needed and tweak them to work together seamlessly, though.
> LDAP is by nature not designed to have a specific shape or style
> (standardization as you put it) and if you are constrained into thinking
> that the structure is to be dictated by Samba (as proxy for Microsoft),
> then you probably ought to just use Microsoft AD as they have already
> configured the parts they are interested in. For the record, Microsoft
I read this statement several times now and I can't help but
thinking that you must be kidding.
> didn't create LDAP. I am continually finding more uses for LDAP and
> those have nothing to do with Samba at all.
Of course I don't say Samba has to "dictate" something here
(it can't, anyway), but I think Samba plays an important role
in this game which puts it into a special position.
I currently use LDAP databases for PAM, NSS, Samba, RADIUS,
Mail, Adressbook, User-Preferences, User authentication in
various applications and other purposes and it works fine.
But it's hard work to have everything work together in the
beginning as many components have their own idea of how LDAP
is to be used. It's the lack of standardization what makes
Read the various books written by most prominent members of the
Samba community. They talk about all this. But IMHO we have to
do the next step and reduce entropy a little bit more.
I think we are currently at the beginning of what might be _the_
standard way to set up Unix/Linux networks in maybe 5 years from
now. I really would like to see this happen!
Just my 2 €-cent... :-)
- - andreas
PS: Jerry: maybe this all means that you have to write
"LDAP System Administration, 2nd edition", soon :-)
Andreas Haumer | mailto:andreas at xss.co.at
*x Software + Systeme | http://www.xss.co.at/
Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
A-1100 Vienna, Austria | Fax: +43-1-6060114-71
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba