
Re: Heimdal/OpenLDAP/Samba howto and bugreport



Hi,
<(snip)> 

> > > structural object name
> > IMHO, this should be like today: use account as base and do not bother
> > much with modifying it. Let the sambacode search for sambaSAMAccount
> > instead of the account objectclass.
> We should search for both - so that we can find the 'account' to put a
> new heimdal entry on, if there is only the posixAccount.  
Is this handled in the code today?

> > If someone can point me to some sample code for schemadetection I'll try
> > to hack together something that may check if it is the old Samba2.x
> > ldapschema or the new one (and also to check if the krb schema exist).
> There is no point looking for Samba 2.2 - production sites should be
> running 3.0.  (And certainly anybody playing with kerberos and other
> development things should certainly be).
Ok. You don't happen to know some code?

<snip some more>
> > I'm not sure what you're going after here, but I'm thinking that the
> > databasedefinition could be something like this:

> > [kdc]
> > database {
> > 	dbname  = ldap:<searchbase>
> > 	ldap-kerberos-add-base = ou=Kerberos,<searchbase>
> > 	# this defines the searchfilter, 
> > 	# 0 : searchfilter
> > 	# 1: searchfilter also searches for uid and sambasamaccount
> > 	# objectclass.
> > 	ldap-use-samba = 0|1 
> > 	# optional, if you want to exclude some objects from your
> > 	# domain
> >         ldap-samba-userbase = ou=People,<searchbase>
> If we are not adding Samba accounts, how does this help?
If you've got a large ldaptree, having a narrow searchbase is a good idea (IMHO).
> > 	# optional sambadomain, if you have multiple domains you want to
> > 	# map differently. Also adds to the searchstring.
> > 	ldap-samba-domain = MYDOMAIN 
> I don't think we need this.
Ok, I'll drop it for now.




Tarjei
> 
> > }
> > 
> > This makes it possible to set up a kerberos domain with only
> > database {
> > 	dbname = ldap:<searchbase>
> >  	ldap-use-samba = 1
> > }
> > And be done if you got a fairly standard setup. 
> > 
> > Anyhow, just my 0.02c :-)
> 
> Thanks for taking such an interest in all this!
> 
> Andrew Bartlett