How are things since our long chat at Solutions Linux?
Lapin(c) wrote:
I was exploring a local LDAP solution; as it's for a very large network (1000 sites / 100000 users), we want a disjunction between local administration for machines and global administration for users.
What do you mean by a disjunction between local administration and users?
Do you mean:
1. Separation between directory insertion (either user or machine) and local PC admin rights:
- class D people can insert machines, as well as users
- class T people can log in to machines as local admin
2. Separation between directory insertion (users inserted by some people, machines by others) and local PC admin rights:
- class M people (local support, I guess) can insert local machines in the right ou=site,ou=Computers sub-OU
- class D people can insert users (centrally managed, I guess), and maybe computers
- class T people (see below).
I guess (read: I think, but have not yet investigated further) that it could be done, maybe with the help of an LDAP management application and carefully crafted LDAP ACLs.
I think that, using the IdealX scripts and a different sub-OU configuration for each, you may be able to do what you intend to, directly using Samba and inserting machines directly from the Windows PC.
I'll drop the tdb solution anyway.
You'd better...
Thanks
I'll give feedback on large network architecture as soon as we have finished the deployment.
Andrew Bartlett <[EMAIL PROTECTED]>:
On Mon, 2004-03-01 at 23:01, Lapin(c) wrote:
Hi,
I wonder if it's possible to have multiple backends in order to fragment SAM information. For example, I'd like to have a central LDAP directory for user authentication purposes but a local tdb format for machine accounts.
What is the size of the biggest site (I bet it is the Lyon one in Part-Dieu)? Or maybe the Paris ones.
I guess that machine password traffic (once per week) would not be that huge, even on 64 kb/s lines.
I want to minimize network traffic but still keep a central user account DB.
Set up a central directory, replicated to each of the 6/10 central sites, or maybe to each of your 1000 local sites. This way, authentication would be local/not too far away, and machine account passwords would be referred to the central directory.
Has anybody tried this kind of config?
Not yet, but on a much smaller site (600 people).
Agreed.
This is a really bad idea. The network traffic (LDAP lookups) for machine accounts really is minimal. If you want to reduce network read traffic, you might set up a local LDAP slave.
Get your system working, before you try to create a more complex system.
Regards,
Jérôme
-- Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre Groupe Expert & Managed Services - LogicaCMG France http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
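The "carefully crafted LDAP ACLs" for option 2 above, written as OpenLDAP slapd.conf access rules; this is an added illustration, not anything posted in the thread, and the suffix dc=example,dc=com, the ou=Groups container, the group names and the per-site OU naming are assumed placeholders. It generalises the one-site case to every ou=<site>,ou=Computers sub-OU with a single regex rule; class T (local admin logon) is a Windows group-mapping matter and is not expressible as a directory ACL.

```conf
# Added illustration (OpenLDAP slapd.conf syntax), not from the thread.
# Assumed placeholders: dc=example,dc=com, ou=Groups, cn=samba (Samba's admin dn),
# group names cn=central-admins and cn=site-<site>-support.
# Rules are matched top-down on the target; the first matching "access to" wins,
# so the most specific targets come first.

# Password material: owner and Samba's admin dn may write, clients may only bind.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by dn.exact="cn=samba,dc=example,dc=com" write
    by group.exact="cn=central-admins,ou=Groups,dc=example,dc=com" write
    by anonymous auth
    by * none

# Class M (site support): may create machine entries only beneath their own site.
# Adding an entry needs write on the parent's "children" pseudo-attribute ...
access to dn.regex="^ou=([^,]+),ou=Computers,dc=example,dc=com$" attrs=children
    by group.expand="cn=site-$1-support,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=central-admins,ou=Groups,dc=example,dc=com" write
    by * read

# ... and write on the new entry itself (direct children of the site OU only).
access to dn.regex="^[^,]+,ou=([^,]+),ou=Computers,dc=example,dc=com$"
    by group.expand="cn=site-$1-support,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=central-admins,ou=Groups,dc=example,dc=com" write
    by * read

# Class D (central team): may create and modify user entries anywhere under ou=Users.
access to dn.subtree="ou=Users,dc=example,dc=com"
    by group.exact="cn=central-admins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# Everything else: central team writes, authenticated users read, nobody else.
access to *
    by group.exact="cn=central-admins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none
```

Because the site name captured by the regex is expanded into the group DN, a new site needs only its OU and its support group, not a new ACL stanza.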
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
