[Samba] Samba AD DC: Keeping LDAP content in VCS

Rowland Penny rpenny at samba.org
Sun Jul 25 14:33:15 UTC 2021

On Sun, 2021-07-25 at 15:59 +0200, Lorenz Schori wrote:
> > > then I sure like to have some pointers on that as
> > > well. Also note, this is not really about the LDAP schema. 

You mentioned the schema first :-)

> > >  
> > 
> > No, it sounds like it's really about changing where the users, groups
> > and computers are stored in AD and I cannot see where the versioning
> > comes in.
> Nope, it is really not about changing the default content of the
> directory tree. The approach outlined in my initial mail (also look at
> the linked wikipedia text) is about keeping a record of machine
> readable/interpretable changes over time.

With AD, this is likely to get extremely large. The AD schema is fairly
immutable and the objects can change without human intervention; for
instance, a user can mistype their password enough times to lock their
account, and there are many other changes that happen automatically.

> This approach is also comparable with the practice of Infrastructure
> as Code[1].

I am not saying that you cannot or should not do this, I am saying it
is going to be difficult to do (not impossible) and the resultant
database is going to be extremely large. It all sort of defeats the
idea behind using AD, for AD is the database.
Most people set up the basic AD structure once, from then on it's
adding users, groups, etc, or the modification of existing AD

> The big advantage of maintaining changes to infrastructure or database
> schemas or (what I am after) ou/group entries is that every change is
> versioned and commit messages can be linked to tickets in an issue
> tracker. Also changes can be tested - and rolled back if the tool
> permits it.

If you wish to do this, then you will probably have to write your own
tools, I cannot think of any tools that will do what you want out of
the box, unless someone knows better (highly possible).

> I'm not looking for help on how to run Samba AD DC or how to structure

I never thought you were.

> the directory. I'm looking for pointers to tools which support my
> preferred workflow. My preferred workflow is keeping stuff in git and
> use automation tools.

Your workflow methods are your decision, but I don't know of any tools
that will do what you want to do, probably because, as I said, once the
AD structure is set up, it usually doesn't change much.
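The kind of home-grown tool the reply says you would have to write, as an added example that is not code from this thread or from the Samba project: a reconciler that takes the OU/group definitions kept in git, compares them with a snapshot of what the directory currently holds, and emits LDIF for the difference. It compares only the attributes the repository owns, so the attributes AD rewrites on its own (lockout counters, uSNChanged, whenChanged and the like, the very thing the reply warns would bloat a versioned copy) never show up as drift. The base DN, the dict layout of the two states, and the sample entries are all constructed for the example; in practice the current state would come from an ldbsearch or ldapsearch dump and the output would be fed to ldbmodify or ldapmodify.

```python
"""Reconcile git-tracked OU/group definitions against an AD DC snapshot.

Added example, not code from the thread or from Samba.  `desired` is the
dict you would keep in the repository (JSON/YAML), `current` is built from
an ldbsearch/ldapsearch dump; both are constructed inline here so the
script runs offline.  Output is LDIF for ldbmodify/ldapmodify.
"""
import base64

BASE_DN = "DC=example,DC=com"  # assumed domain, not from the thread

# Attributes the repository owns, per object class.  Everything else on an
# object (whenChanged, uSNChanged, lastLogon, badPwdCount, lockoutTime ...)
# is ignored: AD rewrites those without a human commit, and diffing them
# would turn every snapshot into a change.
MANAGED = {
    "organizationalUnit": ("description",),
    "group": ("description", "groupType", "member"),
}


def _values(entry, attr):
    vals = entry.get(attr, [])
    return {vals} if isinstance(vals, str) else set(vals)


def _depth(dn):
    return (dn.count(","), dn)


def plan(desired, current):
    """Ordered operations that move `current` to `desired`.

    Both map a DN to {"objectClass": cls, attr: value-or-list}.  Returns
    ("add", dn, entry), ("modify", dn, [(op, attr, values), ...]) and
    ("delete", dn) tuples; op is add/delete/replace as in LDIF.
    """
    ops = []
    for dn in sorted(desired.keys() - current.keys(), key=_depth):  # parents first
        ops.append(("add", dn, desired[dn]))
    for dn in sorted(desired.keys() & current.keys()):
        cls = desired[dn]["objectClass"]
        if cls != current[dn]["objectClass"]:
            raise ValueError(f"{dn}: objectClass differs; delete and re-add it")
        changes = []
        for attr in MANAGED[cls]:
            want, have = _values(desired[dn], attr), _values(current[dn], attr)
            if attr == "member":
                # Per-value add/delete, so a membership edit made between the
                # snapshot and the apply is not silently overwritten.
                if want - have:
                    changes.append(("add", attr, sorted(want - have)))
                if have - want:
                    changes.append(("delete", attr, sorted(have - want)))
            elif want != have:
                changes.append(("replace", attr, sorted(want)) if want
                               else ("delete", attr, []))
        if changes:
            ops.append(("modify", dn, changes))
    for dn in sorted(current.keys() - desired.keys(), key=_depth, reverse=True):
        ops.append(("delete", dn))  # children before parents
    return ops


def _ldif_line(attr, value):
    """RFC 2849: base64-encode anything that is not a SAFE-STRING."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(ops):
    blocks = []
    for op in ops:
        kind, dn = op[0], op[1]
        lines = [_ldif_line("dn", dn), f"changetype: {kind}"]
        if kind == "add":
            entry = op[2]
            lines.append(_ldif_line("objectClass", entry["objectClass"]))
            for attr in entry:
                if attr != "objectClass":
                    lines += [_ldif_line(attr, v) for v in sorted(_values(entry, attr))]
        elif kind == "modify":
            for mod, attr, vals in op[2]:
                lines.append(f"{mod}: {attr}")
                lines += [_ldif_line(attr, v) for v in vals]
                lines.append("-")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed sample states.  DESIRED is what the repository says; CURRENT
# is a snapshot that also carries attributes AD changed on its own.
USERS = f"CN=Users,{BASE_DN}"
DESIRED = {
    f"OU=Teams,{BASE_DN}": {"objectClass": "organizationalUnit",
                            "description": "Team groups (managed in git)"},
    f"CN=sec-ops,OU=Teams,{BASE_DN}": {"objectClass": "group", "sAMAccountName": "sec-ops",
                                       "groupType": "-2147483646",
                                       "member": [f"CN=alice,{USERS}", f"CN=bob,{USERS}"]},
    f"CN=platform,OU=Teams,{BASE_DN}": {"objectClass": "group", "sAMAccountName": "platform",
                                        "groupType": "-2147483646",
                                        "member": [f"CN=carol,{USERS}"]},
}
CURRENT = {
    f"OU=Teams,{BASE_DN}": {"objectClass": "organizationalUnit", "description": "Team groups",
                            "whenChanged": "20210725143315.0Z", "uSNChanged": "4711"},
    f"CN=sec-ops,OU=Teams,{BASE_DN}": {"objectClass": "group", "sAMAccountName": "sec-ops",
                                       "groupType": "-2147483646",
                                       "member": [f"CN=alice,{USERS}", f"CN=dave,{USERS}"],
                                       "uSNChanged": "4720"},
    f"CN=legacy,OU=Teams,{BASE_DN}": {"objectClass": "group", "sAMAccountName": "legacy",
                                      "groupType": "-2147483646", "uSNChanged": "4702"},
}

if __name__ == "__main__":
    print(to_ldif(plan(DESIRED, CURRENT)), end="")
```

Run in CI on each commit, `plan(DESIRED, CURRENT)` is the reviewable change set (print it as LDIF into the merge request), and `plan(DESIRED, DESIRED)` being empty is the idempotence check. Rolling back is then just reverting the commit and re-running, because the plan is computed from the repository, not replayed from a change log; what it does not give you is a record of the automatic changes, which is deliberate.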
