Re: [Samba] Possible to use 2 LDAP-Servers for different purposes? (Samba mailing list, Networking and Network Related category)
Oliver Heering wrote:
> Now our plan is to use another, external LDAP server for pure
> authentication. This means the external LDAP server should _NOT_
> contain (most of) the Samba schema attributes for the users.
>
> The idea behind this is that we will soon have one single
> user database for all campus users (students and employees) at our
> campus, and if a user is registered there he should gain access to our
> samba domain as well. But as there might be several other samba
> domains on our campus, we cannot store those samba schema attributes in
> the "master LDAP" (for example the user's profile is at a different
> location in another domain).
>
> The only way out I can think of (other proposals are welcome!) is that
> Samba accesses two different LDAP servers. The first one only for
> authentication (does the user exist at all? and did he provide the
> correct password?) and the second one for the storage of all his
> domain-specific attributes like "where is my home drive?", "where is my
> profile located?" and so on. If the user was authenticated successfully
> but doesn't exist in the local LDAP server, the "add user script" will
> add him.

Do you really need two servers? Any samba user in the LDAP master server has a sambaDomainName; it can be used in smb.conf to let this user get usage in his domain.

The standard solutions are:

- Slave LDAP servers: you can use them for each samba server; you only need to get a copy of the things you need, and each server has its own access.
- Kerberos server: well, it is better, it is complex, it is... ####. You can try it if you want; a lot of people are using it. Remember, Kerberos is usable for passwords and samba for the other stuff. For example, I'm using Heimdal Kerberos over LDAP, and I create the samba users and the Heimdal user at the same time.
--
Alejandro Escanero Blanco
Systems Administrator
Centro Europeo De Congresos
Tel. +34 952058050
e-mail: alejandro.escanero@chlgrupo.com
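As an added example (not code from this thread, from Samba or from either poster), the script below illustrates Alejandro's point that the sambaDomainName attribute already scopes accounts to a domain: it parses a constructed LDIF export of sambaSamAccount entries, groups the accounts by sambaDomainName, and lists which accounts of a given domain still lack the per-domain attributes (home drive, home path, profile path) that the original poster wanted to keep out of the campus master LDAP, which is exactly what a domain's "add user script" would have to fill in. The DNs, user names, SIDs, paths and the base64-encoded value are all made up for the example; the attribute names are the standard Samba 3 schema names.

```python
"""Group Samba LDAP accounts by sambaDomainName and check per-domain attributes.

Added example, not part of the mailing-list thread. Uses only the standard
library so it runs offline against the constructed LDIF sample below.
"""
import base64

# Constructed sample export (slapcat style). Every value is invented.
# Raw string so the Windows-style paths keep their backslashes literally;
# carol's profile path is base64-encoded ('::' syntax) as slapcat does for
# values it considers unsafe to print.
SAMPLE_LDIF = r"""dn: uid=alice,ou=People,dc=campus,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1000-2000-3000-1000
sambaDomainName: LABDOM
sambaHomeDrive: H:
sambaHomePath: \\fs1\alice
sambaProfilePath: \\fs1\profiles\alice

dn: uid=bob,ou=People,dc=campus,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1000-2000-3000-1002
sambaDomainName: LABDOM

dn: uid=carol,ou=People,dc=campus,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-4000-5000-6000-1000
sambaDomainName: LIBDOM
sambaHomeDrive: H:
sambaHomePath: \\fs2\carol
sambaProfilePath:: XFxmczJccHJvZmlsZXNcY2Fyb2w=

dn: uid=dave,ou=People,dc=campus,dc=example
objectClass: posixAccount
uid: dave
"""

# Attributes Samba reads per domain when a user logs on; the ones the
# original poster did not want in the shared master directory.
REQUIRED_DOMAIN_ATTRS = ("sambaHomeDrive", "sambaHomePath", "sambaProfilePath")


def parse_ldif(text):
    """Parse an LDIF export into a list of {attribute: [values]} dicts.

    Handles 'attr: value', base64 'attr:: value', folded continuation lines
    (leading space) and '#' comments. Entries are separated by blank lines.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join a folded line to its predecessor
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name, []).append(value)
    return entries


def samba_users(entries):
    """Only entries carrying the sambaSamAccount object class are Samba users."""
    return [e for e in entries if "sambaSamAccount" in e.get("objectClass", [])]


def users_in_domain(entries, domain):
    """uids of Samba accounts whose sambaDomainName matches the given domain."""
    return sorted(e["uid"][0] for e in samba_users(entries)
                  if domain in e.get("sambaDomainName", []))


def missing_domain_attrs(entries, domain):
    """Map uid -> per-domain attributes absent from that domain's accounts."""
    report = {}
    for e in samba_users(entries):
        if domain not in e.get("sambaDomainName", []):
            continue
        missing = [a for a in REQUIRED_DOMAIN_ATTRS if a not in e]
        if missing:
            report[e["uid"][0]] = missing
    return report


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for domain in ("LABDOM", "LIBDOM"):
        print(domain, "users:", users_in_domain(entries, domain))
        print(domain, "incomplete:", missing_domain_attrs(entries, domain))
```

Running it shows that bob is tagged for LABDOM but has none of the per-domain attributes yet, while dave, who has no sambaSamAccount class at all, is simply not a Samba user in any domain; the base64-encoded profile path for carol is decoded transparently by the parser.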