[K12OSN] Samba/LDAP how-to in OO format

David Trask dtrask at vcs.u52.k12.me.us
Wed Jun 16 23:00:37 UTC 2004


You are all right....TLS should be used....etc....etc....etc.  BUT...much
of that stuff is difficult to get working.  If you can follow the how-to
from idealx.org they outline how to do all of that (I tried..without
success)...with the exception of the bdb....they too use ldbm.  I will be
working with Chris Johnson to try and make this a much more complete
document.  In my situation, a k-8 school, security isn't much of a
concern.  This is what I've been running for over a year...and so have
many other schools in the area.  This is not to say it's the best way, but
it works.  We are looking for folks who might like to help us write
scripts and package things up.  The security piece definitely needs to be
addressed...I agree.  The whole Samba/LDAP thing needs to be rolled up and
made easier for newbies and tech admins alike.  Unfortunately it'll be
nearly impossible to roll it up for all distros, so we should concentrate
on one that we know will work seamlessly with K12LTSP such as FC2 (please
let's not have the whole WBEL, RHEL, Gentoo...etc. debate)  It'd be nice
for someone to be able to launch an installer....answer some questions and
have the whole thing just work.  It's time...this is IMHO the wave of the
future of authentication...etc.


"Support list for opensource software in schools." <k12osn at redhat.com>
writes:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Wednesday 16 Jun 2004 21:22, Christopher K. Johnson wrote:
>> Gavin Henry wrote:
>> >-----BEGIN PGP SIGNED MESSAGE-----
>> >Hash: SHA1
>> >
>> >On Wednesday 16 Jun 2004 03:28, David Trask wrote:
>> >>http://web.vcs.u52.k12.me.us/linux/Samba-LDAP.sxw
>> >>
>> >>here's the Samba LDAP how-to in OO format
>> >
>> >I have 3 points and one request:
>> >
>> >1. The backend ldap should be bdb not ldbm (discussed very in depth on the
>> >OpenLDAP lists).
>> >
>> >2. You should really have access controls on the LDAP database, as anyone
>> > can then read your hashed password over the wire, unless, which I didn't
>> > notice, you only have the LDAP server listening on localhost?
>> >
>> >3. You should be using TLS.
>> >
>> >4. Could you do a wee conclusion, rounding everything off.
>> >
>> >
>> >Would you mind if some of us add the 3 points above in?
>> >
>> >Lastly, this is a great document and must have taken you ages. All it needs is
>> >someone to start this off, then others can help.
>> >
>> >Do you mind if I forward this to the fedora-docs list as they can do all
>> > this for us?
>>
>> All good suggestions, some of which David and I have already discussed.
>> He expressed to me that he wanted to first get it working, and then go
>> back and work to incorporate better security such as you have
>> indicated.  Thanks for working to move this along with other doc folks
>> in implementing them.
>
>No, you are right, It is the right way to do it, and then progress to the 
>other ways. 
>
>No problems with the docs. By the way, I have seen the HTML version on his
>site, is David's mostly original? Does he have the OO version of it?
>
>It's just it has all the references and conclusion/intro etc, to make it a
>complete document.
>
>>
>> Comments:
>> Re 1. In that case why is bdb not the default in slapd.conf as provided
>> by the FC2 openldap-servers rpm?  I suspect that David simply used what
>> was there, not changing the backend.  I'm not trying to disagree - just
>> to point out that if this is now the standing recommendation then in
>> addition to changing the how-to it should be changed in the slapd.conf
>> provided by the rpm.
>
>I totally agree and will start voicing this in the fedora-devel list.
>
>>
>> Re 2. Definitely, although the issue is actually whether ldap directory
>> users have query or update access to other users' hashed passwords.  The
>> over the wire comment relates to the TLS recommendation.
>
>Agreed, but with no access controls whatsoever, then anyone can query them,
>not just the rootdn.
>
>>
>> Re 3. Definitely.
>
>:-)
>
>>
>> Other points:
>> 5. The smbldap-tools provided by the FC2 samba rpm under
>> /usr/share/samba-n.n.n/LDAP/smbldap-tools are out of date.  They should
>> either be brought current, or removed and placed in a separate
>> smbldap-tools rpm _included_ in FC2 distro with a pre-requisite of the
>> perl-LDAP rpm, which in turn requires other perl- rpms.  I believe this
>> change would avoid the need for any of the CPAN steps, and allow
>> installing the smbldap-tools from the FC2 distro.
>
>Agreed, I think this is due for a massive upgrade.
>
>>
>> 6. The how-to should include using slappasswd to create a good password
>> hash for inclusion within slapd.conf in lieu of the default password.
>
>Definitely.
>
>>
>> 7. Yum would work just as well as apt.  Perhaps alternative commands for
>> updating and installing rpms either way would make the how-to equally as
>> friendly to people who prefer yum.
>
>Good point.
>
>>
>> I hope the community does remedy all those points to give this very
>> useful document a more robust treatment of security, and make FC2 a
>> little less complex to implement samba/ldap on.
>>
>
>It is complicated, but shouldn't be as RPMs are used, if that makes any sense
>to a Gentoo user say ;-)



David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask at vcs.u52.k12.me.us
(207)923-3100
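
The slapd.conf points raised in this thread (ldbm backend, no access control on userPassword, no TLS, default rootpw instead of a slappasswd hash) can be checked mechanically. The following is an added example, not part of the original messages or the how-to; the finding codes, the dc=example,dc=org names, the certificate paths and both sample files are constructed for illustration.

```python
import re

# Constructed sample: a slapd.conf in the state the thread criticises.
WEAK = """\
database   ldbm
rootdn     "cn=Manager,dc=example,dc=org"
rootpw     secret
"""

# Constructed sample: the same file with the reviewers' points applied.
HARDENED = """\
TLSCertificateFile     /etc/openldap/server.crt
TLSCertificateKeyFile  /etc/openldap/server.key
database   bdb
rootdn     "cn=Manager,dc=example,dc=org"
rootpw     {SSHA}PLACEHOLDER-paste-slappasswd-output
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

def audit_slapd_conf(text):
    """Return the sorted finding codes (hypothetical names) for one slapd.conf."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and directives:  # leading whitespace continues a directive
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    conf = "\n".join(directives)
    found = set()
    if re.search(r"^database\s+ldbm\b", conf, re.I | re.M):
        found.add("ldbm-backend")            # point 1
    pw_acls = re.findall(r"^access\s+to\s+.*attrs?=\S*userPassword.*$", conf, re.I | re.M)
    if not pw_acls:
        found.add("no-userPassword-acl")     # point 2: hashes readable by any client
    elif any(re.search(r"by\s+(\*|users|anonymous)\s+(read|write)", a, re.I) for a in pw_acls):
        found.add("userPassword-readable")   # rule exists but still exposes the hash
    if not (re.search(r"^TLSCertificateFile\s", conf, re.I | re.M)
            and re.search(r"^TLSCertificateKeyFile\s", conf, re.I | re.M)):
        found.add("no-tls-material")         # point 3: checks cert/key only, not enforcement
    if re.search(r"^rootpw\s+(?!\{)\S", conf, re.I | re.M):
        found.add("cleartext-rootpw")        # point 6: no {SCHEME} prefix on the value
    return sorted(found)
```

slapd applies the first access directive whose target matches, so the userPassword rule has to appear before `access to *` for it to take effect.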




