Re: Heimdal/OpenLDAP/Samba howto and bugreport



Hi,
> > Here's the patch, this time with some content. As I said, it adds a
> > search base to the config params and searches for both account and
> > inetOrgPerson instead of just account. If you like the patch, I'll
> > modify it so that the search will also search for structural_object if
> > that differs from account.
> 
> I don't mind the patch, but I'm not sure how much of this configuration should
> be in code and how much should be in the configuration file.

Well, it's my first C patch, so I didn't want to do anything advanced. :-)

I think a good principle for getting this to work is that all
configuration options should have sensible defaults.

> There are several possible ways to configure this. I think the things that
> need to be tweakable are:
> heimdal add base
> samba add base
Q: How should the KDC know when it's supposed to add a Samba user and when a
Heimdal user?

Q2: Are there any good reasons for having to add a Samba user via the
KDC code? Isn't this done more easily and better via other channels?

> structural object name
IMHO, this should be like today: use account as the base and do not bother
much with modifying it. Let the Samba code search for sambaSamAccount
instead of the account objectClass.

If someone can point me to some sample code for schema detection, I'll try
to hack together something that may check whether it is the old Samba 2.x
LDAP schema or the new one (and also check whether the Kerberos schema exists).

> search base
Yes, this should be the most important configuration attribute, IMHO.

> search filter, with two parameters, long principal name and optional short
>    search filter is both samba and heimdal search filters
> All these should be configurable per ldap database (not for the whole
> backend).
I'm not sure what you're going after here, but I'm thinking that the
database definition could be something like this:

[kdc]
database {
	dbname = ldap:<searchbase>
	ldap-kerberos-add-base = ou=Kerberos,<searchbase>
	# this defines the search filter:
	#  0: plain search filter
	#  1: the search filter also searches for uid and the
	#     sambaSamAccount objectClass
	ldap-use-samba = 0|1
	# optional, if you want to exclude some objects from your
	# domain
	ldap-samba-userbase = ou=People,<searchbase>
	# optional Samba domain, if you have multiple domains you want to
	# map differently. Also adds to the search string.
	ldap-samba-domain = MYDOMAIN
}

This makes it possible to set up a Kerberos domain with only

database {
	dbname = ldap:<searchbase>
	ldap-use-samba = 1
}

and be done, if you have a fairly standard setup.

Anyhow, just my 0.02c :-)

Tarjei


> 
> Or is this too complicated? I feel I need feedback from LDAP-literate
> people because I'm not.
> 
> Love
>
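An added example, not code from this thread, from Heimdal's hdb-ldap backend or from Samba: the Python sketch below models the database options proposed in Tarjei's mail (search base, ldap-use-samba, ldap-samba-userbase, ldap-samba-domain) to show which LDAP searches the KDC would issue for a principal, why the principal name has to be escaped before it goes into the filter, and how the Samba 2.x / Samba 3 / Kerberos schema detection he asks about could be done from the server's cn=Subschema entry. The objectClass and attribute names are assumptions (account and inetOrgPerson from the thread, krb5PrincipalName and krb5KDCEntry from Heimdal's hdb.schema, sambaSamAccount and sambaDomainName from the Samba 3 schema, sambaAccount from Samba 2.x), the "short name = uid" mapping is an assumption, and the subschema sample is constructed.

```python
"""
Added example: models the [kdc] database {} options from the mail in
Python. Not Heimdal or Samba code; attribute/objectClass names are
assumptions and the subschema sample at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 rules).

    Without this, a principal such as '*' or 'a)(uid=admin' pasted into
    the filter would widen or rewrite the search (LDAP filter injection).
    """
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)


@dataclass
class LdapDb:
    # Mirrors the proposed options; the option names are assumptions.
    search_base: str                      # dbname = ldap:<searchbase>
    use_samba: bool = False               # ldap-use-samba = 0|1
    samba_userbase: Optional[str] = None  # ldap-samba-userbase
    samba_domain: Optional[str] = None    # ldap-samba-domain


def split_principal(principal: str):
    """Return (long name, short name).

    Assumption: the short name is the bare name of a single-component
    principal (what a uid attribute holds); service principals such as
    host/kdc.example.com@REALM have no short name.
    """
    name, _, _realm = principal.partition('@')
    short = name if '/' not in name else None
    return principal, short


def kerberos_filter(principal: str) -> str:
    """Filter for the plain Kerberos entry (account or inetOrgPerson)."""
    long_name, _ = split_principal(principal)
    return ('(&(|(objectClass=account)(objectClass=inetOrgPerson))'
            '(krb5PrincipalName=%s))' % ldap_escape(long_name))


def samba_filter(principal: str, db: LdapDb) -> Optional[str]:
    """Filter for the matching sambaSamAccount, or None for service
    principals, which are never Samba users."""
    _, short = split_principal(principal)
    if short is None:
        return None
    terms = ['(objectClass=sambaSamAccount)', '(uid=%s)' % ldap_escape(short)]
    if db.samba_domain:
        # sambaDomainName is an optional sambaSamAccount attribute in the
        # Samba 3 schema; used here to map multiple domains (assumption).
        terms.append('(sambaDomainName=%s)' % ldap_escape(db.samba_domain))
    return '(&%s)' % ''.join(terms)


def searches(principal: str, db: LdapDb):
    """Return the (base, filter) pairs the KDC would issue, in order."""
    out = [(db.search_base, kerberos_filter(principal))]
    if db.use_samba:
        flt = samba_filter(principal, db)
        if flt:
            out.append((db.samba_userbase or db.search_base, flt))
    return out


# --- schema detection from the objectClasses attribute of cn=Subschema ---
_NAME = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*'([^']+)')")


def objectclass_names(objectclasses):
    """Collect the primary NAME of every objectClasses description."""
    names = set()
    for desc in objectclasses:
        m = _NAME.search(desc)
        if m:
            names.add(m.group(1) or m.group(2))
    return names


def detect_schema(objectclasses):
    """Classify what the directory advertises: Kerberos entries present?
    Samba 3 (sambaSamAccount), Samba 2.x (sambaAccount) or neither."""
    names = objectclass_names(objectclasses)
    samba = ('samba3' if 'sambaSamAccount' in names
             else 'samba2' if 'sambaAccount' in names else None)
    return {'kerberos': 'krb5KDCEntry' in names, 'samba': samba}


# Constructed sample of two objectClasses values; OIDs are illustrative,
# read your own server's cn=Subschema entry instead.
SAMPLE_SUBSCHEMA = [
    "( 1.3.6.1.4.1.5322.10.2.2 NAME 'krb5KDCEntry' SUP top AUXILIARY "
    "MUST ( krb5KeyVersionNumber ) MAY ( krb5Key ) )",
    "( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY "
    "MUST ( uid $ sambaSID ) MAY ( sambaDomainName ) )",
]

if __name__ == '__main__':
    db = LdapDb('dc=example,dc=com', use_samba=True, samba_domain='MYDOMAIN')
    for base, flt in searches('tarjei@EXAMPLE.COM', db):
        print(base, flt)
    print(detect_schema(SAMPLE_SUBSCHEMA))
```

The two points worth taking from this: the KDC only ever sends the escaped principal into the filter, so a client-chosen name cannot turn `(uid=...)` into a wildcard or an extra clause, and the Samba branch is skipped entirely for multi-component (service) principals instead of trying to guess a uid for them.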