[Samba] structuralObjectClass and smbldap-tools

Tony Earnshaw tonye at billy.demon.nl
Wed May 11 15:58:42 GMT 2005

ons, 11.05.2005 kl. 15.27 skrev Leonard Tulipan:

> Sorry, if this has been dealt with before, but I couldn't find it.

Hei Leonard!

> I tried installing openldap 2.2 + samba 3. Currently I only have one 
> install of openldap 2.0 and samba 2.2 running.
> Now, it all looks quite good, but the smbldap-tools do not add the 
> necessary structuralobjectClass entries, so using the tools fails.
> I was able to manually change the first populate - which could be 
> exported as an ldif.
> I had a quick look inside the perl scripts, but it looks like one 
> probably needs to touch ALL of them.

Maybe one does.

I have vented umpteen spews against the smbldap tools on this list. The
basis has always been, the scripts' naivety. They cater for a gang of
kiddies with no knowledge of LDAP and kid them along that they've done a
good job when things work the Samba way, but make it impossible for the
kiddies thenceforth to develop their LDAP database structure into what
the LDAP architects had envisaged.

> Has anybody done this. Should I revert back to an older openldap version 
> which doesn't enforce ldap v3 structuralobjectClass?

No way revert! Older OpenLDAP versions (i.e. anything before 2.1, which
itself is at present  lying on its deathbed, because it's useless for
loaded production systems) are to be regarded as cadavers. Those
administering them as deadibones.

> any tips and pointers are greatly appreciated

Basically, learn OpenLDAP *LONG* before you learn Samba. Or Postfix, or
Courier, or Pykota or whatever. OpenLDAP is the holy grail within Unix,
as far as authentication and authorization is concerned. It is the only
sustainable way of realizing SSO (Single Sign On). Learning and adapting
LDAP long before you begin with Samba will teach you exactly what
weaknesses the Samba LDAP model introduces.

(Open)LDAP confers a completely open method of establishing an
authentication model. There is no such strict regime such as the smbldap
tools infer and implement.

For those with the racism laws stuck up their derriers,  the smbldap
tools confer a kind of racism. "You can't be anything other than
white".  "Oh, why not?" "Because we say so".

In my - disjointed - (Open)LDAP model a group may be in any container I
choose. E.g., maybe I have a base dn of dc=example,dc=edu. Under that,
maybe, (which I do), I have Posix groups cn=teachers, cn=pupils,
cn=staff, cn=directors, whatever.

Under cn=teachers etc. I have all my Posix account teachers.

My system can cope with them all, since I write my own (disjointed)
scripts to make them all. And consequently execute them all. The secret
is the Samba 3 binary utilities that knit the whole together. 

Who said that the smbldap scripts are in any way capable of initiating a
Postfix account, a Courier account, a Pykota account? Of course they're
bleeding well not. They're utterly useless at doing anything other than
racist things, entirely confined to Samba.

So what tools are one supposed to use to make LDAP records for each user
comprising Samba, Postfix, Courier, Pykota and GDM, ssh, etc.?

Answer: learn ksh, bash, shell, awk, the Samba binary utilities, and use
them to write your tools. Try to make them work together, as far as

Sheesh ...


Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...

More information about the samba mailing list