Vincent Danen wrote:
> On Thu Jan 30, 2003 at 12:39:25PM +0200, Buchan Milne wrote:
>
>> We're completing our LDAP setup now, in conjunction with the samba-ldap
>> packages, and it is really starting to work well (except for the small
>> niggles such as with ssh/ssl etc).
>>
>> So, I am trying to make setting up an LDAP server easier, and I would
>> also appreciate feedback on the samba-ldap stuff from others who are
>> using it (or just LDAP, but might want better tools).
I had a response already; the biggest issue with it was the need to
currently have the password for the LDAP DN used by Samba in clear text in
/etc/samba/smbldap_conf.pm. Unfortunately there is no way around this if
you want to allow domain admins to join Windows machines to the domain.
It would be possible to have the domain admins know the password, and
hack smbldaptools to take a password prompt, but you don't win that much
(someone could still just slapcat the LDAP DB anyway ...).

BTW, in the current samba packages, /usr/share/samba/scripts/smbldap* are
rwxr-x--- root adm, and /etc/samba/smbldap_conf.pm is rw-r----- root adm,
to allow any members of adm to join machines to the domain. User ldap is
a member of adm by default on Mandrake, so if the ldap user were
compromised, so would the password and DN used by Samba, if people set it
up for easy domain joining. But if the ldap user were compromised, they
could get 'slapcat' and brute-force anyway.

>> I don't know if it's appropriate for this list, and may be too
>> high-volume for [EMAIL PROTECTED], so if you're interested in
>> working on these issues, mail me off-list (unless significant numbers
>> think it should stay on-list) and I will cc everyone tomorrow to get going.
>
> I think you should either keep it here or on discuss@ (probably
> discuss@ would be better considering all the noise on this list).

OK, moving to discuss ...

> The reason I suggest it is so that there can be an archive of all that
> happens, so others can benefit from it.

Cool.
For cookers:
http://ranger.dnsalias.com/mandrake/cooker/drakwizard-ldap-0.0.20030130.tar.gz

For those on 9.0:
http://ranger.dnsalias.com/mandrake/mandrake9.0/drakwizard-ldap-mdk9-0.0.20030130.tar.gz

To use it:

# urpmi drakwizard
# cd /usr/share/wizards
# tar -xzvf /path/to/drakwizard-ldap*.tar.gz
# drakwizard /usr/share/wizards/ldap_wizard/ldap.wiz

I need some help with the perl functions that need to be run as 'func'
entries on some of the pages; I will get away with bash for the
fillscripts, I think. I am thinking of something like:

# ldapsearch -x -h master -D "$rootdn" -w "$rootpw" | \
    su ldap - -c "slapadd; slapindex"

for creating an LDAP master.

BTW, does anyone know what the "DSA IT Control" is? It might be useful
here if we knew what it did ...

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering        http://www.cae.co.za
GPG Key                 http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
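Added example, not from Buchan's mail and not from the samba or smbldap-tools packages: a small POSIX shell audit of the situation described above, a file holding the Samba bind DN password that is readable by owner and group only, and a group (adm here) whose membership decides who else can read it. The file paths, the group file and the file contents are all constructed for the demo, so it runs with no Samba or LDAP installed; on a real system you would point it at /etc/samba/smbldap_conf.pm and /etc/group.

```shell
#!/bin/sh
# Added example (not part of the original mail): audit who can read a
# file that holds a cleartext bind password, the smbldap_conf.pm case.
# All paths, the group file and the config contents are demo assumptions.

# Print the 10-character mode string of a file, e.g. "-rw-r-----".
# (ls is used instead of stat so the check is portable across GNU/BSD.)
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) only when "other" has no permission bits at all,
# i.e. the file is reachable through owner or group membership alone.
# A sticky/setuid letter in the "other" slot is treated as access.
no_other_access() {
    case "$(file_mode "$1")" in
        *---) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the comma-separated members of GROUP from a group(5)-format file.
# Usage: group_members GROUP GROUPFILE
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Print "yes" if USER is listed as a member of GROUP in GROUPFILE, else "no".
# Usage: user_in_group USER GROUP GROUPFILE
user_in_group() {
    group_members "$2" "$3" | tr ',' '\n' | grep -qxF "$1" && echo yes || echo no
}

# Audit FILE: report its mode, whether "other" is locked out, and which
# accounts reach it through GROUP (as listed in GROUPFILE).
# The last line printed is "ok" or "WORLD-READABLE" for easy scripting.
# Usage: audit_secret_file FILE GROUP GROUPFILE
audit_secret_file() {
    af=$1; ag=$2; agf=$3
    echo "$af: mode $(file_mode "$af")"
    if no_other_access "$af"; then
        echo "  other: no access"
        echo "  readable via group $ag by: $(group_members "$ag" "$agf")"
        echo ok
    else
        echo "  other: has access"
        echo WORLD-READABLE
    fi
}

# Demo on constructed data: a group file in which user ldap sits in adm
# (as the mail says Mandrake does by default) and a fake config file.
demo() {
    tmpd=$(mktemp -d)
    cfg="$tmpd/smbldap_conf.pm"
    gf="$tmpd/group"
    printf 'root:x:0:\nadm:x:4:root,ldap\nldap:x:55:\n' > "$gf"
    printf '$slaveDN="cn=Manager,dc=example,dc=com";\n$slavePw="changeme";\n' > "$cfg"

    chmod 640 "$cfg"     # rw-r----- as shipped in the packages
    audit_secret_file "$cfg" adm "$gf"
    echo "ldap in adm: $(user_in_group ldap adm "$gf")"

    chmod 644 "$cfg"     # a common slip after editing the file by hand
    audit_secret_file "$cfg" adm "$gf"
    rm -rf "$tmpd"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh audit.sh demo` to see both outcomes. The point the audit makes visible is the one in the mail: a 640 root:adm file is only as private as the adm group is small, so the membership list it prints is the real access list for the bind password.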
