[Samba] Request to update slapd.conf and OpenLDAP info for Samba-Guide/happy.html

Tony Earnshaw tonye at billy.demon.nl
Thu Mar 3 10:18:23 GMT 2005


John H Terpstra:

> The book "Samba-3 by Example" was written at the time Samba-3.0.2 was
> just released. At that time (February 2004) the version of OpenLDAP that
> was shipping on SuSE Linux Enterprise Server and on Red Hat Enterprise
> Linux used ldbm.
>
> I agree entirely that this needs to be updated, in fact, it is necessary
> also to update all references to the smbldap-tools as well as many other
> subtle factors that have changed in Samba between Samba-3.0.2 and 3.0.12
> (the soon to be released version)

Going through the entire documentation for Samba 3.0.11 takes a long time;
I had a successful site running long before I could accomplish that. I
finally found Appendix A in the Official Samba Guide, namely: Alternative
LDAP Database Initialization. The steps detailed cover exactly what I
found out for myself by trial and error, after finding out that the
smbldap-tools would ruin my existing DIT. If I had gone to this
Appendix first, before attempting to configure my ldapsam backend, I'd
never have griped ;) I just didn't know what to look for.

> I will update the entire book at the first opportunity I get. If you wish
> to submit patches I would be most appreciative.

The thing about the tools is that they are not flexible. Apart from
anything else, they assume that the user is starting out with a blank DIT,
whereas I had an existing DIT with 1150+ users, divided into different
groups at different points in the tree.

The actual 3.0.11 smb-utility code and ldapsam backend are enormously
flexible and can easily cope with this, if used correctly. Even scripts
using these utilities can be written (I use ordinary shell scripts) to
take full advantage of this flexibility.

I'd be pleased to send examples of what I've done (very beginner-like and
could be far better, but they only have to do specific things for my
sites) and why. Writing a HOWTO at this stage is impossible, since I only
have a couple of sites to refer to and both architecture and implementation
are highly specific.

With regard to the choice of which OpenLDAP version to use, there's no
doubt in my mind. Not just me, but most enterprise-size admins
contributing to the OpenLDAP mailing list agree that the latest 2.2
versions are a plus. I use source code for the following components and
configure them myself:

Sleepycat BDB 4.2.52, with 2 mandatory patches
Cyrus SASL 2.1.20 (necessary for Postfix 2.1 auxprop SASL smtp auth)
Openssl 0.9.7e
Openldap 2.2.17 through 2.2.23.

I haven't found any combined sets of Red Hat rpms (I use RHAS/RHEL3) that
are satisfactory, and the above sources contain no spec files, so I just
have to attempt as best as possible to keep compiled utilities separate
from Red Hat's own.

With regard to configuring BDB 4.2.52 (using DB_CONFIG) correctly, this is
covered fully in the Sleepycat docs that come with the source code.
However, it's not for beginners. Quanah Gibson-Mount has put a large
amount of useful info on Stanford University's ICT department web pages,
with many examples.

Perhaps you'd let me know if you think I can help, and specifically how.

Best,

--Tonni

--
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
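The point Tonni makes above is that the smbldap-tools assume an empty DIT, whereas the ldapsam backend itself only needs the Samba attributes to be present on the existing entries. The script below is an added example written for this page (it is not one of Tonni's scripts and not part of the Samba documentation): it reads an LDIF dump of existing posixAccount entries and emits an ldapmodify LDIF that only adds objectClass sambaSamAccount, sambaSID, sambaPrimaryGroupSID and sambaAcctFlags, skipping entries that already carry them. It assumes samba.schema (Samba 3) is loaded in slapd, uses Samba's algorithmic RID mapping (user RID = 2*uid + algorithmic rid base, group RID = 2*gid + base + 1, base 1000 by default), and the domain SID and the sample entries are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: add Samba attributes to an EXISTING DIT via ldapmodify,
# instead of letting a tool recreate the tree.  Not the poster's code.
# Assumed placeholder; take the real value from `net getlocalsid`.
DOMAIN_SID="${DOMAIN_SID:-S-1-5-21-1111111111-2222222222-3333333333}"
RID_BASE="${RID_BASE:-1000}"   # Samba's default "algorithmic rid base"

# Samba's algorithmic mapping: user RID = 2*uid + base, group RID = 2*gid + base + 1
uid_to_rid() { echo $(( $1 * 2 + RID_BASE )); }
gid_to_rid() { echo $(( $1 * 2 + RID_BASE + 1 )); }

# stdin: LDIF (entries separated by blank lines).  stdout: one
# "changetype: modify" record per posixAccount that lacks sambaSamAccount.
ldif_add_samba_attrs() {
  awk -v sid="$DOMAIN_SID" -v base="$RID_BASE" '
    function flush() {
      if (dn != "" && uidn != "" && gidn != "" && !has_samba) {
        printf "dn: %s\nchangetype: modify\n", dn
        printf "add: objectClass\nobjectClass: sambaSamAccount\n-\n"
        printf "add: sambaSID\nsambaSID: %s-%d\n-\n", sid, uidn * 2 + base
        printf "add: sambaPrimaryGroupSID\nsambaPrimaryGroupSID: %s-%d\n-\n", sid, gidn * 2 + base + 1
        printf "add: sambaAcctFlags\nsambaAcctFlags: [U          ]\n-\n\n"
      }
      dn = ""; uidn = ""; gidn = ""; has_samba = 0
    }
    /^dn: /                          { dn = substr($0, 5) }
    /^uidNumber: /                   { uidn = $2 }
    /^gidNumber: /                   { gidn = $2 }
    /^objectClass: sambaSamAccount$/ { has_samba = 1 }
    /^$/                             { flush() }
    END                              { flush() }
  '
}

# Constructed sample: two plain posixAccount users in different OUs, plus one
# (carol) that already has Samba attributes and must be left alone.
SAMPLE_LDIF='dn: uid=alice,ou=Staff,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100

dn: uid=bob,ou=Students,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 200

dn: uid=carol,ou=Staff,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
uidNumber: 1003
gidNumber: 100
'

# Dry run: print the modify LDIF.  Against a live server you would pipe it
# into e.g.  ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W
if [ "${1:-}" = "--demo" ]; then
  printf '%s' "$SAMPLE_LDIF" | ldif_add_samba_attrs
fi
```

Run the output through a dry run and diff it against `ldapsearch` before feeding it to `ldapmodify`; because the records are pure `add:` modifications, a mistake fails on the entries that already have the attribute instead of silently overwriting anything, and the rest of the DIT (groups, OUs, non-Samba attributes) is never touched.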
