[Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

Carlos Eduardo Pedroza Santiviago carlos at santiviago.com
Thu Jun 19 13:02:15 GMT 2008


On Wed, Jun 18, 2008 at 2:16 PM, Charlie <medievalist at gmail.com> wrote:
> At each site, we have a separate domain, a samba PDC/WINS server, a
> print server, multiple samba file servers, and multiple ethernet
> segments.  If four or five WAN links go down simultaneously it's
> possible that people at one site will not be able to change their
> passwords until connectivity is restored, but everything will still
> work fine (including network browsing).  If there was some reason
> connectivity could not be restored within 24 hours, the on-site staff
> would promote a local LDAP replica (the "site master") and I would
> manually merge any changes after the connectivity was restored with a
> little shell scripting.

Sure... since you have multiple domains, that's a different story,
multiple pdcs/dmbs, etc. I'm interested in experiences with only one
domain, across multiple offices, using samba dcs/openldap multimaster,
to see if it's a reliable solution.

> All our POSIX hosts and samba servers implement LDAP failover, so that
> I can take LDAP replicas in and out of service temporarily without
> worrying about breaking anything.  The giant HP-UX monsters use HP's
> ldap-ux, the linux systems use PADL's nss_ldap and pam_ldap.  Samba is
> compiled to use the OpenLDAP libraries (we use Red Hat packages as
> much as possible, and I build custom RPMs when Red Hat's packages are
> insufficient).  I have no kerberos but we have LDAP-integrated RADIUS
> in our switches and routers.

Sure, I also have 10 slaves.

> We have a lot of WAN links, to our own remote sites, and also to more
> than 50 other organizations that we serve.  Our LDAP infrastructure
> has been fully functional for a long time (since before syncrepl was
> invented) and is pretty mature.  Now that syncrepl seems to be stable
> technology, I am thinking about multi-mastering again, but I am not in
> a hurry to re-architect everything.  I will probably have to set up
> kerberos eventually and I guess I will revisit all aspects of
> infrastructure design at that time.
> A well-integrated LDAP directory can provide single sign-on to
> hundreds of applications at more than 50 sites with HIPAA-compliant
> audit traces and access controls.  Samba expands what you can do with
> LDAP even more, because samba allows arbitrarily defined actions to be
> triggered by network logon and file access events.

Yeah... we all love LDAP! :-)

Carlos Eduardo Pedroza Santiviago - <carlos at santiviago.com>
http://softwarelivre.net | Step by step towards freedom!
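The "LDAP failover" Charlie describes above (clients and Samba servers configured with several replicas so one can be taken out of service without breaking logons) is, in practice, a matter of listing more than one LDAP URI on each consumer. The fragments below are an added illustration, not configuration from either poster's site: host names, suffix and bind DN are made-up placeholders, and the second file uses PADL nss_ldap/pam_ldap syntax as mentioned in the thread.

```ini
# /etc/samba/smb.conf (Samba 3 PDC) -- illustrative excerpt, not from the thread
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   domain master = yes
   # ldapsam accepts a space-separated list of URIs inside the quotes;
   # Samba tries them in order and moves to the next one when a server fails.
   passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com
   # require TLS so the admin DN password (stored with 'smbpasswd -w') is never sent in clear
   ldap ssl = start tls
   # do not hang a logon forever while a dead replica times out
   ldap timeout = 15

# /etc/ldap.conf (PADL nss_ldap / pam_ldap on the Linux members) -- illustrative excerpt
# Multiple URIs give the same failover behaviour for NSS and PAM lookups.
uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/example-ca.pem
# 'soft' returns an error instead of retrying forever when every replica is down,
# so a host can still boot and local accounts still work during a WAN outage.
bind_policy soft
bind_timelimit 10
timelimit 15
```

Two operational points follow from this layout. Password changes still need a writable master (the situation Charlie describes during a WAN outage), so read-only replicas keep logons and lookups working but `smbpasswd`/`passwd` will fail until the master is reachable again; and the admin DN must bind with the same credential on every replica listed, otherwise failover succeeds at the TCP level but the bind fails on the second server.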
