On Sun, 2004-05-30 at 01:29, Tarjei Huse wrote:
> Hi,
> > > Here's the patch, this time with some content. As I said, it adds a
> > > searchbase to the configparams and searches for both account and
> > > inetOrgPerson instead of just account. If you like the patch, I'll
> > > modify it so that the search will also search for structural_object if
> > > that differs from account.
> >
> > I don't mind the patch, but I'm not sure how much of this configuration should
> > be in code and how much should be in the configuration file.
>
> Well it's my first C-patch so I didn't want to do anything advanced. :-)
>
> I think a good principle for getting this to work is that all
> configuration options should have sensible defaults.
>
> > There are several possible ways to configure this; I think the things that
> > need to be tweakable are:
> > heimdal add base
> > samba add base
> Q: How should the kdc know when it's supposed to add a sambauser and a
> heimdaluser?
It can't add a Samba user. There is other 'Samba' user information that
it doesn't know.
> Q.2: Are there any good reasons for having to add a sambauser via the
> KDC-code? Isn't this done easier and better via other channels?
This is best handled by Samba.
> > structural object name
> IMHO, this should be like today: use account as base and do not bother
> much with modifying it. Let the sambacode search for sambaSAMAccount
> instead of the account objectclass.
We should search for both - so that we can find the 'account' to put a
new heimdal entry on, if there is only the posixAccount.
> If someone can point me to some sample code for schema detection I'll try
> to hack together something that may check if it is the old Samba 2.x
> LDAP schema or the new one (and also to check if the krb schema exists).
There is no point looking for Samba 2.2 - production sites should be
running 3.0. (And anybody playing with Kerberos and other development
things certainly should be.)
> > search base
> Yes this should be the most important configuration attribute IMHO.
>
> > search filter, with two parameters, long principal name and optional short
> > search filter is both samba and heimdal search filters
> > All these should be configurable per ldap database (not for the whole
> > backend).
> I'm not sure what you're going after here, but I'm thinking that the
> database definition could be something like this:
>
> [kdc]
> database {
> dbname = ldap:<searchbase>
> ldap-kerberos-add-base = ou=Kerberos,<searchbase>
> # this defines the searchfilter,
> # 0 : searchfilter
> # 1 : searchfilter also searches for uid and sambasamaccount objectclass.
> ldap-use-samba = 0|1
> # optional, if you want to exclude some objects from your
> # domain
> ldap-samba-userbase = ou=People,<searchbase>
If we are not adding Samba accounts, how does this help?
> # optional sambadomain, if you have multiple domains you want to
> # map differently. Also adds to the searchstring.
> ldap-samba-domain = MYDOMAIN
I don't think we need this.
> }
>
> This makes it possible to set up a kerberos domain with only
> database {
> dbname = ldap:<searchbase>
> ldap-use-samba = 1
> }
> and be done if you have a fairly standard setup.
>
> Anyhow, just my 0.02c :-)
Thanks for taking such an interest in all this!
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
This is a digitally signed message part
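The configuration block and search behaviour discussed in the thread, as an added worked example (this is not code from the thread, Heimdal or Samba). It fills in defaults for the proposed `database { ... }` keys from `dbname = ldap:<searchbase>` alone, and builds the KDC's LDAP search filter for both `account` and `inetOrgPerson` (plus `sambaSamAccount` and `uid` when `ldap-use-samba = 1`), escaping the principal name per RFC 4515 so a name containing `*` or parentheses cannot widen the filter. The attribute name `krb5PrincipalName` is assumed from the Heimdal hdb LDAP schema and is not mentioned on the page.

```python
"""Added example (not from the thread, Heimdal or Samba): derive the KDC's
LDAP settings from the proposed 'database { ... }' block with sensible
defaults, and build an injection-safe search filter for principal lookup."""

# Assumptions: krb5PrincipalName is the Heimdal hdb LDAP schema attribute,
# sambaSamAccount is the Samba 3.0 object class. Neither is named on the page.
PRINCIPAL_ATTR = "krb5PrincipalName"
BASE_CLASSES = ("account", "inetOrgPerson")
SAMBA_CLASS = "sambaSamAccount"


def escape_filter_value(value):
    """Escape a value for an LDAP filter (RFC 4515) so that '*', '(' , ')',
    '\\' and NUL in a principal name are matched literally, not as syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def resolve_config(database):
    """Apply defaults to the keys proposed in the thread. Only
    'dbname = ldap:<searchbase>' is required; the add base defaults to
    ou=Kerberos,<searchbase>, Samba lookups are off, and the Samba user base
    defaults to the search base itself."""
    dbname = database["dbname"]
    if not dbname.startswith("ldap:"):
        raise ValueError("not an LDAP database: %r" % dbname)
    searchbase = dbname[len("ldap:"):]
    return {
        "searchbase": searchbase,
        "ldap-kerberos-add-base": database.get(
            "ldap-kerberos-add-base", "ou=Kerberos," + searchbase),
        "ldap-use-samba": int(database.get("ldap-use-samba", 0)),
        "ldap-samba-userbase": database.get("ldap-samba-userbase", searchbase),
    }


def build_search_filter(principal, use_samba=False):
    """Filter with the two parameters the thread mentions: the long principal
    name (user@REALM) and, when Samba lookups are enabled, the short name
    (user) matched against uid."""
    classes = list(BASE_CLASSES) + ([SAMBA_CLASS] if use_samba else [])
    class_clause = "(|" + "".join("(objectClass=%s)" % c for c in classes) + ")"
    long_name = escape_filter_value(principal)
    name_clause = "(%s=%s)" % (PRINCIPAL_ATTR, long_name)
    if use_samba:
        short_name = escape_filter_value(principal.split("@", 1)[0])
        name_clause = "(|%s(uid=%s))" % (name_clause, short_name)
    return "(&%s%s)" % (class_clause, name_clause)


if __name__ == "__main__":
    # Constructed minimal configuration, mirroring the two-line block above.
    cfg = resolve_config({"dbname": "ldap:dc=example,dc=org",
                          "ldap-use-samba": 1})
    print(cfg)
    print(build_search_filter("alice@EXAMPLE.ORG",
                              use_samba=bool(cfg["ldap-use-samba"])))
```

With the two-line configuration from the thread, `resolve_config` yields the search base `dc=example,dc=org` and an add base of `ou=Kerberos,dc=example,dc=org`, and the filter for `alice@EXAMPLE.ORG` searches the three object classes by either the full principal or `uid=alice`.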