[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal/OpenLDAP/Samba howto and bugreport

On Sun, 2004-05-30 at 01:29, Tarjei Huse wrote:
> Hi,
> > > Here's the patch, this time with some content. As I said, it adds a
> > > searchbase to the configparams and searches for both account and
> > > interorgperson instead of just account. If you like the patch, I'll
> > > modify it so that the search will also search for structural_object if
> > > that differs from account. 
> > 
> > I don't mind the patch, but I'm not sure but of this configuration should
> > be in code and how much should be in configaration file.
> Well it's my first C-patch so I didn't want to do anything advanced. :-)
> I think a good principle for getting this to work is that all
> configuration options should have sensible defaults.
> > There are several possible ways to configure this, I think the things that
> > needs to able to be tweeked are:
> > heimdal add base
> > samba add base
> Q: How should the kdc know when it's supposed to add a sambauser and a
> heimdaluser?

It can't add a Samba user.  There is other 'Samba' user information that
it doesn't know.  

> Q.2: Are there any good reasons for having to add a sambauser via the
> KDC-code? Isn't this done easier and better via other channels?

This is best handled by Samba.

> > structural object name
> IMHO, this should be like today: use account as base and do not bother
> much with modifying it. Let the sambacode search for sambaSAMAccount
> instead of the account objectclass.

We should search for both - so that we can find the 'account' to put a
new heimdal entry on, if there is only the posixAccount.  

> If someone can point me to some sample code for schemadetection I'll try
> to hack together something that may check if it is the old Samba2.x
> ldapschema or the new one (and also to check if the krb schema exist).

There is no point looking for Samba 2.2 - production sites should be
running 3.0.  (And certainly anybody playing with kerberos and other
development things should certainly be).

> > search base
> Yes this should be the most important configuration attribute IMHO. 
> > search filter, with two parameters, long principal name and optional short
> >    search filter is both samba and heimdal search filters
> > All these should be configurable per ldap database (not for the whole
> > backend).
> I'm not sure what you're going after here, but I'm thinking that the
> databasedefinition could be something like this:
> [kdc]
> database {
> 	dbname  = ldap:<searchbase>
> 	ldap-kerberos-add-base = ou=Kerberos,<searchbase>
> 	# this defines the searchfilter, 
> 	# 0 : searchfilter
> 	# 1: searchfilter also searches for uid and sambasamaccount
> objectclass.
> 	ldap-use-samba = 0|1 
> 	# optional, if you want to exclude some objects from your
> 	# domain
>         ldap-samba-userbase = ou=People,<searchbase>

If we are not adding Samba accounts, how does this help?

> 	# optional sambadomain, if you have multiple domains you want to 	#map
> differently. Also adds to the searchstring.
> 	ldap-samba-domain = MYDOMAIN 

I don't think we need this.

> }
> This makes it possible to set up a kerberos domain with only
> database {
> 	dbname = ldap:<searchbase>
>  	ldap-use-samba = 1
> }
> And be done if you got a fairly standard setup. 
> Anyhow, just my 0.02c :-)

Thanks for taking such an interest in all this!

Andrew Bartlett

Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

This is a digitally signed message part