John H Terpstra wrote:
On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
Are the IDEALX tools necessary for "complete" integration with LDAP? Or
is the built-in support sufficiently advanced now?
Daniel
Daniel,

What function do you believe the IDEALX tools serve? Why do you think these
scripts are needed? What makes you think that "built-in support" might be
the right (or best) solution?

Have you read the Samba documentation? Specifically, is there anything in the
Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there
is any attempt to supersede the necessity for the IDEALX tools (or an
alternative set of scripts that is external to Samba itself)?

What does "complete" integration with LDAP mean to you?

You are not the first person to ask questions like these. It would help me to
write more useful documentation if I could better understand what is behind
the questions.

In case you do not know of the books "Samba3-HOWTO" and "Samba3-ByExample",
they can be obtained from:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
http://www.samba.org/samba/docs/Samba3-ByExample.pdf

The IDEALX tools are a means of creating and managing UNIX user and group
accounts in the LDAP directory. Samba can then create and manage the Windows
(SambaSAM) account information that is necessary to support Windows network
activities.

As a network administrator, I want total control over how UNIX accounts are
managed in my LDAP directory and I would not want this done by Samba -
particularly if that removes my ability to control how this is done. Your
mileage may vary, but I suspect most UNIX administrators who manage Samba
would not want to lose control of the UNIX part of the directory.

For example, if Samba had total control over all Windows networking (Samba)
accounts, and the Windows network administrator deletes a user account, but
the user also has vital UNIX files, how should the deletion of the UNIX
account information be handled?

By keeping the LDAP administration scripts that impact the UNIX account
management separate from the Windows (Samba) account part, the administrator
can exercise greater control over. - Just my $0.02 worth.

Cheers,
John T.

By "built-in support", I am referring to the ldapsam:trusted and
ldapsam:editposix extensions - documented at:
http://wiki.samba.org/index.php/Ldapsam_Editposix

Because using these extensions appeared to simplify my configuration,
and I inferred that they were "optimized", I thought this was the future
of Samba+LDAP and the IDEALX scripts were a holdover from the past.
Since I have had difficulty in getting this configuration to work
solidly - I'm still questioning whether or not these extensions are what
I should be using.

"Complete" integration to me means after setting the appropriate
smb.conf parameters - and having a configured LDAP backend - no
information is stored external to the LDAP server and standard tools for
Samba account manipulation perform all needed functions without the need
for manipulating the LDAP database directly. Such account manipulation
should be exclusive to Samba - if the UNIX accounts are also LDAP based
then obviously the UNIX accounts MAY be impacted by such Samba
configuration - but it should not be a requirement for any Samba
accounts to map to UNIX - unless the administrator wants that.

How to handle account deletion is a matter of individual preference -
both for Samba and for UNIX. In any case, the option to either leave
the user files intact, move them to a repository, or delete upon account
deletion should be a simple configuration setting.

I'm still learning how all these components interconnect - I have yet to
have a fully-functional Samba PDC, that has no errors/warnings in the
logs, and communicates with the compatible Windows NT tools for domain
manipulation. I had thought that if the IDEALX tools had been
superseded by the ldapsam:trusted extensions, that was one less item I
had to worry about.

Daniel