Hi,
a couple of weeks ago I started to learn ldap and set up some test servers with the latest openldap for centos 5.4. I learned about schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge about the technical fundamentals.
The primary goal is to have the login information for our mail and fileserver system in one place.
Right now we do use sendmail, dovecot and samba.
After testing some of the migration tools for migrating posix and sambaSam accounts, I was asking myself: what is the best way to start the migration? Right now the directory is completely empty, so I can start from scratch.
Both types of accounts do have different attributes and furthermore I'd like to use some inetOrgPerson/organizationalPerson attributes.
So should I first run the smbldaptool or first fill the directory with the migrate_....sh script?
Thanks for any suggestion or comment or pointing me to any how to/doc.
Best regards,
Götz
On Thursday, 25 March 2010 14:12:40 Götz Reinicke - IT-Koordinator wrote:
> Hi,
> a couple of weeks ago I started to learn ldap and set up some test servers with the latest openldap for centos 5.4. I learned about schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge about the technical fundamentals.
> The primary goal is to have the login information for our mail and fileserver system in one place.
> Right now we do use sendmail, dovecot and samba.
> After testing some of the migration tools for migrating posix and sambaSam accounts, I was asking myself: what is the best way to start the migration? Right now the directory is completely empty, so I can start from scratch.
> Both types of accounts do have different attributes and furthermore I'd like to use some inetOrgPerson/organizationalPerson attributes.
The only thing to worry about here is which structural objectclass to use, it is usually a choice between 'account' and 'inetOrgPerson'. There is no issue with posixAccount or sambaSamAccount, they are both auxiliary. For the rfc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so you should go with rfc2307 (using memberUid for denoting members of groups, holding the username, not the DN).
> So should I first run the smbldaptool or first fill the directory with the migrate_....sh script?
You may have to do some preparation of the directory, for example, if you are going to use smbldap-tools in your final system, you could use smbldap-populate for the initial setup (ensure you set the SIDs correctly in the configuration file).
Once you have samba and smbldap-tools configured correctly, you can migrate your samba accounts to LDAP using pdbedit, which should use the 'add user script' and 'add machine script' commands and/or the direct LDAP write support in samba to do the migration of the accounts for you.
If you have a test system available, I would definitely test first, especially if you are running samba as a DC.
Regards, Buchan
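The schema conventions Buchan lays out (one structural class, account or inetOrgPerson, with posixAccount/sambaSamAccount only as auxiliaries, and rfc2307 groups holding usernames rather than DNs in memberUid) can be checked mechanically before migration output is loaded into the directory. The following Python checker is an added example, not code from this thread, from smbldap-tools or from the migration scripts; the LDIF sample is constructed, and the check is a convention lint, not a full schema validation.

```python
# Schema decisions from the thread: exactly one structural class (account or inetOrgPerson)
# per user entry, posixAccount/sambaSamAccount only as auxiliaries, usernames in memberUid.
STRUCTURAL_CHOICES = {"account", "inetorgperson"}
AUXILIARY = {"posixaccount", "sambasamaccount"}

# Constructed sample LDIF (not from any real directory): two good entries, two bad ones.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: jdoe

dn: uid=svc,ou=People,dc=example,dc=com
objectClass: posixAccount

dn: cn=bisgroup,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: uid=jdoe,ou=People,dc=example,dc=com
member: uid=jdoe,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    # Minimal LDIF reader (no line folding, no base64): one dict per entry, attribute names lower-cased.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_ldif(text):
    # One message per violation of the conventions above; an empty list means the LDIF is clean.
    problems = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if classes & AUXILIARY and len(classes & STRUCTURAL_CHOICES) != 1:
            problems.append(f"{dn}: needs exactly one of account/inetOrgPerson")
        if "posixgroup" in classes:
            if "member" in entry or "uniquemember" in entry:
                problems.append(f"{dn}: rfc2307bis-style member attribute on a posixGroup")
            for uid in entry.get("memberuid", []):
                if "=" in uid:
                    problems.append(f"{dn}: memberUid {uid!r} is a DN, not a username")
    return problems
```

Running `check_ldif(SAMPLE_LDIF)` reports the service account with no structural class and the group that mixes rfc2307bis-style membership into a posixGroup, while the inetOrgPerson user and the memberUid-based group pass.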
Buchan Milne wrote:
> On Thursday, 25 March 2010 14:12:40 Götz Reinicke - IT-Koordinator wrote:
> > Hi,
> > a couple of weeks ago I started to learn ldap and set up some test servers with the latest openldap for centos 5.4. I learned about schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge about the technical fundamentals.
> > The primary goal is to have the login information for our mail and fileserver system in one place.
> > Right now we do use sendmail, dovecot and samba.
> > After testing some of the migration tools for migrating posix and sambaSam accounts, I was asking myself: what is the best way to start the migration? Right now the directory is completely empty, so I can start from scratch.
> > Both types of accounts do have different attributes and furthermore I'd like to use some inetOrgPerson/organizationalPerson attributes.
> The only thing to worry about here is which structural objectclass to use, it is usually a choice between 'account' and 'inetOrgPerson'. There is no issue with posixAccount or sambaSamAccount, they are both auxiliary. For the rfc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so you should go with rfc2307 (using memberUid for denoting members of groups, holding the username, not the DN).
From what I've read so far, I'd go with the 'inetOrgPerson' class, as it provides more attributes and sooner or later we will use a lot of them.
Concerning rfc2307 vs rfc2307bis, I'm not yet that familiar with the differences and handling. But from http://www.devshed.com/c/a/Administration/Handling-User-Accounts-in-Samba/
it seems that it is possible to enable RFC2307bis for nss_ldap:
"The nss_ldap library from PADL software (http://www.padl.com) supports this by enabling the library’s RFC2307bis extensions (pass the --enable-rfc2307bis option to the nss_ldap configure script when compiling) ..."
And http://www.padl.com/OSS/nss_ldap.html also mentions support for RFC 2307/RFC 2307bis.
Or do I get something wrong?
> > So should I first run the smbldaptool or first fill the directory with the migrate_....sh script?
> You may have to do some preparation of the directory, for example, if you are going to use smbldap-tools in your final system, you could use smbldap-populate for the initial setup (ensure you set the SIDs correctly in the configuration file).
> Once you have samba and smbldap-tools configured correctly, you can migrate your samba accounts to LDAP using pdbedit, which should use the 'add user script' and 'add machine script' commands and/or the direct LDAP write support in samba to do the migration of the accounts for you.
> If you have a test system available, I would definitely test first, especially if you are running samba as a DC.
Thanks for your comment and best regards,
Götz
On Friday, 26 March 2010 11:27:28 Götz Reinicke - IT-Koordinator wrote:
> Buchan Milne wrote:
> > For the rfc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so you should go with rfc2307 (using memberUid for denoting members of groups, holding the username, not the DN).
> "The nss_ldap library from PADL software (http://www.padl.com) supports this by enabling the library’s RFC2307bis extensions (pass the --enable-rfc2307bis option to the nss_ldap configure script when compiling) ..."
> And http://www.padl.com/OSS/nss_ldap.html also mentions support for RFC 2307/RFC 2307bis.
> Or do I get something wrong?
nss_ldap supports rfc2307bis, but samba does not (AFAIK). If you are using Samba as a Domain Controller, the groups visible on windows clients (for local ACLs on windows computers, rights etc.) will not align with your unix groups if you use rfc2307bis.
Regards, Buchan
On Friday, 26 March 2010 14:29:04 Buchan Milne wrote:
> On Friday, 26 March 2010 11:27:28 Götz Reinicke - IT-Koordinator wrote:
> > Buchan Milne wrote:
> > > For the rfc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so you should go with rfc2307 (using memberUid for denoting members of groups, holding the username, not the DN).
> > "The nss_ldap library from PADL software (http://www.padl.com) supports this by enabling the library’s RFC2307bis extensions (pass the --enable-rfc2307bis option to the nss_ldap configure script when compiling) ..."
> > And http://www.padl.com/OSS/nss_ldap.html also mentions support for RFC 2307/RFC 2307bis.
> > Or do I get something wrong?
> nss_ldap supports rfc2307bis, but samba does not (AFAIK). If you are using Samba as a Domain Controller, the groups visible on windows clients (for local ACLs on windows computers, rights etc.) will not align with your unix groups
IIRC that depends on the samba configuration. I.e. if you have ldapsam:trusted=yes in smb.conf your statement is true. But the default for ldapsam:trusted is "no" (at least according to the smb.conf man-page) and then samba will use the NSS Subsystem (and through that nss_ldap, if configured) to access user and group information. So unless you use ldapsam:trusted=yes, the rfc2307bis is usable with Samba as well.
openldap-technical@openldap.org