[Samba] Request to update slapd.conf and OpenLDAP info for
John H Terpstra
jht at samba.org
Thu Mar 3 15:34:41 GMT 2005
Thanks for this posting. We can now better appreciate the pain barriers you
have been through. For the newcomer, LDAP is a difficult technology to master
largely because the right questions that need to be answered are not obvious.
The best OpenLDAP documentation I have seen so far was written by Jerry
Carter; "OpenLDap System Administration" (publisher is O'Reilly). Now that I
understand LDAP much better I am amazed at how much he was able to pack into
that book, but while I was finding my way I shared the frustrations you had.
The appendix information I added to "Samba-3 by Example" was put there so that
the information would not be lost, and so that others could use it to expand
the technique to suit more complex environments.
Unfortunately, the complexity barriers of Samba plus LDAP are proving a lot
more than some sites are willing to endure. The discussions we have had on
this mailing list regarding LDAP configuration problems as well as the
importance of getting the UID=0 situation right are of benefit to many and a
turn-off to a few people also. In many ways, for us and for them, it is
probably better that they get turned off sooner, rather than create something
that might be more negative later on. For those of us who have found the
right solution Samba is liberating.
I look forward to your notes and/or updates on the HOWTO and will do my best
to integrate them into the text.
Thanks for persisting in this.
- John T.
On Thursday 03 March 2005 03:18, Tony Earnshaw wrote:
> John H Terpstra:
> > The book "Samba-3 by Example" was written at the time Samba-3.0.2 was
> > just released. At that time (February 2004) the versions of OpenLDAP that
> > were shipping on SuSE Linux Enterprise Server and on Red Hat Enterprise
> > Linux used ldbm.
> > I agree entirely that this needs to be updated, in fact, it is necessary
> > also to update all references to the smbldap-tools as well as many other
> > subtle factors that have changed in Samba between Samba-3.0.2 and 3.0.12
> > (the soon to be released version)
> Going through the entire documentation for Samba 3.0.11 takes a long time;
> I had a successful site running long before I could accomplish that. I
> finally found Appendix A in the Official Samba Guide, namely: Alternative
> LDAP Database Initialization. The steps detailed cover exactly what I
> found out for myself by trial and error, after finding out that the
> smbldap-tools would ruin my existing DIT. If I'd have gone to this
> Appendix first, before attempting to configure my ldapsam backend, I'd
> never have griped ;) I just didn't know what to look for.
> > I will update the entire book at the first opportunity I get. If you wish
> > to submit patches I would be most appreciative.
> The thing about the tools is, that they are not flexible. Apart from
> anything else, they assume that the user is starting out with a blank DIT,
> whereas I had an existing DIT with 1150+ users, divided into different
> groups at different points in the tree.
> The actual 3.0.11 smb-utility code and ldapsam backend are enormously
> flexible and can easily cope with this, if used correctly. Even scripts
> using these utilities can be written (I use ordinary shell scripts) to
> take full advantage of this flexibility.
> I'd be pleased to send examples of what I've done (very beginner-like and
> could be far better, but they only have to do specific things for my
> sites) and why. Writing a HOWTO at this stage is impossible, since I only
> have a couple of sites to refer to and both architecture and implementation
> are highly specific.
> With regard to the choice of which OpenLDAP version to use, there's no
> doubt in my mind. Not just me, but most enterprise-size admins
> contributing to the OpenLDAP mailing list agree that the latest 2.2
> versions are a pre. I use source code, for the following components and
> configure them myself:
> Sleepycat BDB 4.2.52, with 2 mandatory patches
> Cyrus SASL 2.1.20 (necessary for Postfix 2.1 auxprop SASL smtp auth)
> Openssl 0.9.7e
> Openldap 2.2.17 through 2.2.23.
> I haven't found any combined sets of Red Hat rpms (I use RHAS/RHEL3) that
> are satisfactory, and the above sources contain no spec files, so I just
> have to attempt as best as possible to keep compiled utilities separate
> from Red Hat's own.
> With regard to configuring BDB 4.2.52 (using DB_CONFIG) correctly, this is
> covered fully in the Sleepycat docs that come with the source code.
> However, it's not for beginners. Quanah Gibson-Mount has put a large
> amount of useful info on Stanford University's ICT department web pages,
> with many examples.
> Perhaps you'd let me know if you think I can help, and specifically how.
> mail: tonye at billy.demon.nl
John H Terpstra
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.