[PATCH] Provisioning external LDAP server
Andrew Bartlett
abartlet at samba.org
Tue Feb 16 23:44:58 MST 2010
On Tue, 2010-02-16 at 22:07 -0500, Endi Sukma Dewata wrote:
> Andrew,
>
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
>
> > No, I don't like it being in smb.conf. Firstly, it puts passwords in
> > the config file, and it includes options that should strictly be
> > determined by the realm (suffix).
>
> There are many instances where applications store passwords in the
> configuration file. OpenLDAP has "rootpw" in slapd.conf. FDS has
> "nsslapd-rootpw" in dse.ldif. Samba has "secret" in secrets.ldb.
> I think as long as it's well protected it should be ok.
>
> But that issue aside, let's not put it in smb.conf. For creating the
> backend let's use a separate config file, for example fedora-ds.conf.
> You would use it with the create-backend tool:
>
> % setup/create-backend --config-file fedora-ds.conf
>
> The file would contain the following parameters:
>
> [backend]
> type = fedora-ds
> home = /var/lib/dirsrv/samba4
>
> [fedora-ds]
> admin dn = cn=Manager,dc=samba,dc=example,dc=com
> admin password = secret
> suffix = dc=samba,dc=example,dc=com
> user = root
> ldap url = ldapi://%2Fvar%2Flib%2Fdirsrv%2Fsamba4%2Fldapi
>
> After the backend is created, this file can be removed for security.
>
> The suffix needs to be specified because in this file we want to put
> backend-specific parameters. I think realm belongs to smb.conf and I
> don't think we want to specify it twice. This tool is not intended to
> be used by most people, so I think it would be reasonable to expect
> that people who create this file someone must know what they are
> doing.
I'm not so sure that's a safe assumption, but I like your proposal.
> > Even for your external LDAP server case, is there actually a need for
> > the LDAPi socket to be in a different location?
>
> Not really, but if you run the backend on a separate machine you might
> want to use LDAP or LDAPS instead of LDAPI, for example:
>
> ldap url = ldap://ldap.example.com
>
> If you don't specify the ldap url it can default to ldapi://${home}/ldapi.
Sure. But do you need that for what you are doing? I'm trying to avoid
adding that option until someone gives me a reason why it's needed.
> > Once you move the password out of the smb.conf, then the username should
> > move too. We could leave the others in the smb.conf, but then it just
> > encourages users to set them (and that's dangerous - we don't want
> > variation here).
>
> To setup Samba frontend we will use another file, for example backend.conf.
> You would use it with the provision tool:
>
> % setup/provision <provision parameters> --backend-config backend.conf
>
> The file would contain the following parameters:
>
> [backend]
> type = external fedora-ds
>
> [fedora-ds]
> admin dn = cn=Manager,dc=samba,dc=example,dc=com
> admin password = secret
> ldap url = ldapi://%2Fvar%2Flib%2Fdirsrv%2Fsamba4%2Fldapi
>
> The provision tool will figure out the suffix from the realm. Once it's
> done you can remove this file for security. Samba will still have the
> password in the secrets.ldb.
>
> Since the fedora-ds.conf and backend.conf contain password, it is suggested
> above that we remove the files afterward. But wouldn't this defeat the
> purpose of creating the files in the first place?
The purpose of creating the files is to avoid typos on command lines,
and putting passwords on the command lines.
This looks like a reasonable proposal.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100217/e7c080a9/attachment.pgp>
More information about the samba-technical
mailing list