[Samba] samba failed to authenticate to openLDAP
Tony Earnshaw
tonye at billy.demon.nl
Thu Mar 3 10:58:07 GMT 2005
Paul Gienger:
>> 2: doing that nearly fscked up my already existent DIT for always;
>
> I'd be very interested in hearing how this happened and what almost got
> borked. I can't for the life of me think of anything that the
> smbldap-tools package should have done above just adding random attributes
> and entries in a lot of places if badly configured. The worst (again,
> that I can imagine) that you would have had to do would be clean with a
> fine tooth scrub brush.
>
> I haven't delved deep into the code, so I don't doubt that things could
> be pretty powerful, just that I haven't seen how they could go far enough
> to completely bork up a whole LDAP database.
The smbldap-tools allow for only one group suffix, only one user suffix.
At a site, I already have a DIT with 1150+ users:
rootdn
| ou=directors
|   cn=director1
|   cn=director2
| ou=teachers
|   cn=teacher1
|   cn=teacher2
| ou=staff
|   cn=member1
|   cn=member2
| ou=pupils
|   cn=pupil1
|   cn=pupil2
| ou=system
| ou=pykota
| ou=smb
etc.
Even worse, at my test site I have:
rootdn
| ou=groups
| cn=people (Posix group)
|   cn=person1
|   cn=person2
| ou=smb
etc.
The tools can't cope. What's more, LAM can't cope with my test site,
either (wants an ou for a container, won't accept a cn). Neither you nor
anyone else can tell me that my architecture is wrong ;)
I've written my own awk script for adding basic Posix users to groups
(from lists of first-middle-last names) and my own (disjointed) shell
scripts for adding Samba users to Posix users (using ldapsearch).
Best,
--Tonni
--
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
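The "ldapsearch plus shell script" approach described in the post, as an added example that is not Tonni's own script: it turns ldapsearch LDIF output for posixAccount entries living under any container (ou= or cn=) into an ldapmodify LDIF that adds sambaSamAccount. Assumptions not taken from the post: a placeholder domain SID, the smbldap-tools RID convention (2 * uidNumber + 1000), and the constructed sample entries below.

```shell
#!/bin/sh
# DOMAIN_SID is a placeholder; substitute the output of "net getlocalsid".
DOMAIN_SID="${DOMAIN_SID:-S-1-5-21-0-0-0}"

# Constructed sample of "ldapsearch -x -LLL" output: two users in two
# different containers, exactly the layout smbldap-tools cannot handle.
SAMPLE_LDIF='dn: cn=teacher1,ou=teachers,dc=example,dc=org
objectClass: posixAccount
uid: teacher1
uidNumber: 1001

dn: cn=pupil1,ou=pupils,dc=example,dc=org
objectClass: posixAccount
uid: pupil1
uidNumber: 2002

'

# Reads ldapsearch LDIF on stdin, writes ldapmodify LDIF on stdout.
# One "changetype: modify" record per entry that has a dn and a uidNumber.
samba_ldif() {
  awk -v sid="$DOMAIN_SID" '
    function flush() {
      if (dn != "" && uidn != "") {
        print "dn: " dn
        print "changetype: modify"
        print "add: objectClass"
        print "objectClass: sambaSamAccount"
        print "-"
        print "add: sambaSID"
        print "sambaSID: " sid "-" (2 * uidn + 1000)   # smbldap-tools RID rule
        print "-"
        print "add: sambaAcctFlags"
        print "sambaAcctFlags: [U          ]"          # normal user account
        print ""
      }
      dn = ""; uidn = ""
    }
    /^dn: /        { flush(); dn = substr($0, 5) }
    /^uidNumber: / { uidn = $2 }
    /^$/           { flush() }
    END            { flush() }
  '
}

# Against a live directory, only entries that are not yet Samba accounts:
#   ldapsearch -x -LLL -b dc=example,dc=org \
#     "(&(objectClass=posixAccount)(!(objectClass=sambaSamAccount)))" uidNumber \
#     | samba_ldif | ldapmodify -x -D cn=admin,dc=example,dc=org -W
printf '%s' "$SAMPLE_LDIF" | samba_ldif
```

Review the generated LDIF before piping it into ldapmodify; the account gets no sambaNTPassword here, so the user still has to set a Samba password afterwards (for instance with smbpasswd).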