[Samba] Samba AD DC: Keeping LDAP content in VCS

Lorenz Schori lo at znerol.ch
Sun Jul 25 13:59:46 UTC 2021


On Sun, 25 Jul 2021 13:59:29 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 2021-07-25 at 14:25 +0200, Lorenz Schori wrote:
> [...]
> You can do what you like with OUs and you can create groups, but you
> cannot change the schema and it is inadvisable to delete the standard
> groups, e.g. Domain Users

Correct. Not at all what I'm.

> > If there is a better interface for directory
> > management than ldif,
> AD uses ldifs to add users, groups etc., so I do not know of any other
> interface to use

Ok, good to know.

> > then I'd sure like to have some pointers on that as
> > well. Also note, this is not really about the LDAP schema.
> No, it sounds like it is really about changing where the users, groups
> and computers are stored in AD and I cannot see where the versioning
> comes in.

Nope, it is really not about changing the default content of the
directory tree. The approach outlined in my initial mail (also look at
the linked Wikipedia text) is about keeping a record of machine
readable/interpretable changes over time. This approach is also
comparable with the practice of Infrastructure as Code[1].

The big advantage of maintaining changes to infrastructure or database
schemas or (what I am after) ou/group entries is that every change is
versioned and commit messages can be linked to tickets in an issue
tracker. Also changes can be tested - and rolled back if the tool
permits it.

I'm not looking for help on how to run Samba AD DC or how to structure
the directory. I'm looking for pointers to tools which support my
preferred workflow. My preferred workflow is keeping stuff in git and
using automation tools.


[1] https://en.wikipedia.org/wiki/Infrastructure_as_code
