Possible to use 2 LDAP-Servers for different purposes?


Possible to use 2 LDAP-Servers for different purposes?

Oliver Heering
Hi,

Is it possible to realize the following scenario? And if yes, how? ;)

The current setup is as follows:
We have a Samba 3 server on a linux machine as PDC and an OpenLDAP
server as passdb backend (on the same host). All users and groups were
inserted via the SMBLDAP tools by IDEALX. So far, so good. Everything
runs fine.

Now our plan is to use another, external LDAP server for pure
authentication. This means the external LDAP server should _NOT_
contain (most of) the Samba schema attributes for the users.

The idea behind this is that we will soon have one single
user database for all campus users (students and employees) at our
campus, and if a user is registered there he should gain access to our
Samba domain as well. But as there might be several other Samba
domains on our campus, we cannot store those Samba schema attributes in
the "master LDAP" (for example, the user's profile is at a different
location in another domain).

The only way out I can think of (other proposals are welcome!) is that
Samba accesses two different LDAP servers. The first one only for
authentication (does the user exist at all? and did he provide the
correct password?) and the second one for the storage of all his
domain-specific attributes like "where is my home drive?", "where is my
profile located?" and so on. If the user was authenticated successfully
but doesn't exist in the local LDAP server, the "add user script" will
add him.

Perhaps the "password server" configuration directive could be the
solution, but as I read the manpage some questions arise:
1. How exactly does Samba authenticate a user if an LDAP server was
   entered? What attributes are checked?
2. Specifying the "password server" option only works with
   security = [ads|domain|server]. Is it still possible that Samba works
   as a primary domain controller afterwards?

I believe this is a very complex problem and I will be very happy if
anyone has anything to say about it. :-)

If there are any questions, feel free to ask! Maybe I wasn't exact
enough. :)

Best regards,
Oliver Heering
Medienzentrum der Universität Dortmund
http://www.medienzentrum.uni-dortmund.de

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: Possible to use 2 LDAP-Servers for different purposes?

Alejandro Escanero Blanco
Oliver Heering wrote:
>
> Now our plan is to use another, external LDAP server for pure
> authentication. This means the external LDAP server should _NOT_
> contain (most of) the Samba schema attributes for the users.
>
> The idea behind this is that we will soon have one single
> user database for all campus users (students and employees) at our
> campus, and if a user is registered there he should gain access to our
> Samba domain as well. But as there might be several other Samba
> domains on our campus, we cannot store those Samba schema attributes in
> the "master LDAP" (for example, the user's profile is at a different
> location in another domain).
>
> The only way out I can think of (other proposals are welcome!) is that
> Samba accesses two different LDAP servers. The first one only for
> authentication (does the user exist at all? and did he provide the
> correct password?) and the second one for the storage of all his
> domain-specific attributes like "where is my home drive?", "where is my
> profile located?" and so on. If the user was authenticated successfully
> but doesn't exist in the local LDAP server, the "add user script" will
> add him.

Do you really need two servers? Any Samba user in the LDAP master server has a sambaDomainName;
it can be used in smb.conf to let this user get access in his domain.

The standard solutions are:
- Slave LDAP servers: you can use one for each Samba server; you only need to get a copy of
the things you need, and each server has its own access.

- A Kerberos server: well, it is better, it is complex, it is... ####. You can try it if you want; a lot
of people are using it. Remember, Kerberos is usable for passwords and Samba for the other
stuff. For example, I'm using Heimdal Kerberos over LDAP, and I create the Samba users and
the Heimdal user at the same time.

--
Alejandro Escanero Blanco
Administrador Sistemas
Centro Europeo De Congresos
Tel. +34 952058050
e-mail: [hidden email]


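Added example, not from either post: a slapd.conf fragment for the per-domain slave LDAP server the reply suggests, following its statement that users in the master carry a sambaDomainName. It assumes OpenLDAP syncrepl, a hypothetical master ldap-master.example.edu, the placeholder suffix dc=example,dc=edu and placeholder domain name MZDOM; the replica copies only that domain's entries and the attributes Samba needs, and its ACLs keep the Samba password hashes readable by Samba's own bind DN alone.

```conf
# slapd.conf for a per-domain replica (added example with hypothetical
# names; neither post contains this configuration).  Assumes the master
# holds the Samba attributes and each user carries a sambaDomainName, as
# the reply states.  The replica pulls only the entries tagged with its
# own domain name (here the placeholder MZDOM), plus the POSIX groups,
# and only the attributes Samba and the smbldap tools consume.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samba.schema

database        bdb
suffix          "dc=example,dc=edu"
rootdn          "cn=admin,dc=example,dc=edu"
directory       /var/lib/ldap

# Consumer side of syncrepl; ldap-master.example.edu and the bind DN are
# placeholders.  schemachecking=off because attribute-filtered entries
# may lack attributes their object classes otherwise require.
syncrepl rid=001
        provider=ldap://ldap-master.example.edu
        type=refreshAndPersist
        searchbase="dc=example,dc=edu"
        filter="(|(sambaDomainName=MZDOM)(objectClass=posixGroup))"
        attrs="objectClass,uid,uidNumber,gidNumber,cn,sn,homeDirectory,loginShell,memberUid,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdLastSet,sambaNTPassword,sambaHomePath,sambaHomeDrive,sambaProfilePath,sambaLogonScript,userPassword"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replica-mzdom,dc=example,dc=edu"
        credentials=REPLACE_WITH_REPLICA_PASSWORD
# Writes (Samba's own passdb updates) are referred back to the master.
updateref       ldap://ldap-master.example.edu

# The NT hash is password-equivalent on the SMB side: only Samba's own
# bind DN may read it.  userPassword stays usable for binds (auth) but
# is never readable by anyone else.
access to attrs=sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba,dc=example,dc=edu" write
        by * none
access to attrs=userPassword
        by dn.exact="cn=samba,dc=example,dc=edu" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=samba,dc=example,dc=edu" write
        by * read
```

Samba's ldapsam writes (password changes, bad-password counters) must reach the master rather than the replica; smb.conf's `ldap replication sleep` option exists to cover the lag before such a change is visible on the replica.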