You should be able to have separate OUs in LDAP for each domain. From the point of view of Samba, each Samba PDC would only know about its own section of the LDAP tree, and in effect that would be the same as separate LDAP servers.

You would want to make sure that the underlying Unix authentication on that server also only uses the domain-specific section of LDAP for user authentication.


You would still want to use idmap. Do you need all domains trusting each other, or is it a series of trusts between each remote office and the central office? A full mesh could get really messy, although I haven't tried this yet. If you have six domains, potentially each domain OU could contain five OUs for idmap entries. I think you could have one enterprise-wide idmap LDAP section, with an OU underneath for each domain. You might even want to make them read-only for most domains so that the entries stay consistent.

By default, winbind allocates uids and gids from a dynamic range that does NOT overlap the uid and gid ranges for "local" users. I personally would either modify entries as they are created, or actually prepopulate entries, so that the uid/gid entries in the idmap are the same as the real uid/gid values for the actual Unix account. I used to do this when using idmap with member servers within the domain to make sure that when a Windows user created or modified a file on an NFS share, a consistent Unix uid was used between Windows and NFS on all servers.


So your LDAP structure would be similar to
    ou=DomainA
        ou=people,ou=DomainA
    ou=DomainB
        ou=people,ou=DomainB
...
    ou=DomainF
        ou=people,ou=DomainF
    ...
    ou=IDMAP
        ou=DomainA,ou=IDMAP
        ou=DomainB,ou=IDMAP
...
        ou=DomainF,ou=IDMAP

I don't know if OpenLDAP handles multi-master replication (I am using Sun Directory Server). Assuming it did, each site could have its own LDAP server but in the same LDAP tree.


The other approach would be to have a separate LDAP server and structure for each site BUT configure referrals between each LDAP server (i.e., on ServerA, ou=DomainB points to ou=DomainB on ServerB) to create the appearance of a single LDAP tree.

On 02/01/10 04:02, Thibault Vançon wrote:
Thanks Gaiseric for your answer,


I know these things about trust relationships even if I still don't
have one set up, but we need to have only one LDAP backend, to allow
other applications to authenticate users with LDAP. We can't specify
more than one backend in our application.

I've thought that I could create a different OU for each domain, and
configure smbldap-tools and PAM to work with this OU, with a base like
dc=DOMAIN,dc=company,dc=com, and replicate this LDAP on the other
site.

But is it possible to use a trust relationship with this kind of LDAP
structure? Will I need IDMAP?

Thanks,


Thibault

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

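As an added example (not code from this thread or from the Samba project), the script below emits LDIF for the per-domain OU layout sketched in the reply above and prepopulates ou=IDMAP the way the reply suggests: one sambaIdmapEntry per SID whose uidNumber/gidNumber is the real value from the matching posixAccount/posixGroup, plus a sambaUnixIdPool per domain whose next-free counters sit above every preloaded id. It also runs the consistency check a practitioner would want before loading: no preloaded id in the local range, none outside the winbind range for that domain, and no id mapped to two SIDs (which is what breaks uid consistency across Windows and NFS). The suffix dc=company,dc=com, the domain SIDs, the id ranges, the accounts and the groups are all constructed, and the RID arithmetic assumes the smbldap-tools convention (2*uid+1000 for users, 2*gid+1001 for groups); the object classes sambaIdmapEntry, sambaSidEntry and sambaUnixIdPool are the ones from samba.schema.

```python
"""Emit LDIF for the per-domain OU layout above and prepopulate ou=IDMAP so
every SID maps to the *real* uidNumber/gidNumber of its posixAccount/posixGroup.
Added example, not code from the thread; suffix, SIDs, ranges and accounts
are all constructed."""

BASE_DN = "dc=company,dc=com"        # assumed suffix
LOCAL_ID_RANGE = (0, 9999)           # assumed: ids owned by local system accounts
IDMAP_RANGE = (20000, 29999)         # assumed range handed to winbind for these domains

# Assumed domain SIDs; real ones come from `net getlocalsid` on each PDC.
DOMAINS = {
    "DomainA": "S-1-5-21-1111111111-2222222222-3333333333",
    "DomainB": "S-1-5-21-4444444444-5555555555-6666666666",
}
USERS = [   # (domain, uid, uidNumber, gidNumber): constructed posixAccounts
    ("DomainA", "alice", 20001, 20500),
    ("DomainA", "bob",   20002, 20500),
    ("DomainB", "carol", 21001, 21500),
]
GROUPS = [  # (domain, cn, gidNumber): constructed posixGroups
    ("DomainA", "staff-a", 20500),
    ("DomainB", "staff-b", 21500),
]
MAPPING_CLASSES = ["sambaIdmapEntry", "sambaSidEntry"]   # from samba.schema


def rid_for_uid(uid_number):
    """smbldap-tools' algorithmic user RID (assumed to be what set sambaSID)."""
    return 2 * uid_number + 1000


def rid_for_gid(gid_number):
    """smbldap-tools' algorithmic group RID (same assumption)."""
    return 2 * gid_number + 1001


def idmap_base(domain):
    """Per-domain idmap OU: ou=DomainX,ou=IDMAP,<suffix>."""
    return f"ou={domain},ou=IDMAP,{BASE_DN}"


def ou(dn, name):
    return {"dn": dn, "objectClass": ["organizationalUnit"], "ou": name}


def skeleton_entries():
    """The OUs from the layout above; the idmap OUs come from pool_entry()."""
    entries = [ou(f"ou=IDMAP,{BASE_DN}", "IDMAP")]
    for domain in DOMAINS:
        entries.append(ou(f"ou={domain},{BASE_DN}", domain))
        entries.append(ou(f"ou=people,ou={domain},{BASE_DN}", "people"))
    return entries


def build_idmap_entries():
    """One sambaIdmapEntry per user and group, under its own domain's idmap OU."""
    entries = []
    for domain, _uid, uid_number, _gid in USERS:
        sid = f"{DOMAINS[domain]}-{rid_for_uid(uid_number)}"
        entries.append({"dn": f"sambaSID={sid},{idmap_base(domain)}",
                        "objectClass": MAPPING_CLASSES, "sambaSID": sid,
                        "uidNumber": uid_number})
    for domain, _cn, gid_number in GROUPS:
        sid = f"{DOMAINS[domain]}-{rid_for_gid(gid_number)}"
        entries.append({"dn": f"sambaSID={sid},{idmap_base(domain)}",
                        "objectClass": MAPPING_CLASSES, "sambaSID": sid,
                        "gidNumber": gid_number})
    return entries


def pool_entry(domain, entries, idmap_range=IDMAP_RANGE):
    """The domain's idmap OU doubling as sambaUnixIdPool, with next-free
    counters above every preloaded id so winbind's own allocations cannot
    collide with the prepopulated ones."""
    mine = [e for e in entries if e["dn"].endswith("," + idmap_base(domain))]
    floor = idmap_range[0] - 1
    e = ou(idmap_base(domain), domain)
    e["objectClass"] = ["organizationalUnit", "sambaUnixIdPool"]
    e["uidNumber"] = max([x["uidNumber"] for x in mine if "uidNumber" in x] + [floor]) + 1
    e["gidNumber"] = max([x["gidNumber"] for x in mine if "gidNumber" in x] + [floor]) + 1
    return e


def check_idmap(entries, local_range=LOCAL_ID_RANGE, idmap_range=IDMAP_RANGE):
    """Problems that would break uid/gid consistency between Windows and NFS."""
    problems, seen_uid, seen_gid = [], {}, {}
    for e in entries:
        for attr, seen in (("uidNumber", seen_uid), ("gidNumber", seen_gid)):
            n = e.get(attr)
            if n is None:
                continue
            if local_range[0] <= n <= local_range[1]:
                problems.append(f"{e['sambaSID']}: {attr} {n} collides with local range")
            if not idmap_range[0] <= n <= idmap_range[1]:
                problems.append(f"{e['sambaSID']}: {attr} {n} outside idmap range")
            if n in seen and seen[n] != e["sambaSID"]:
                problems.append(f"{attr} {n} mapped to both {seen[n]} and {e['sambaSID']}")
            seen.setdefault(n, e["sambaSID"])
    return problems


def to_ldif(entries):
    """Serialise entries as LDIF suitable for ldapadd."""
    lines = []
    for e in entries:
        lines.append(f"dn: {e['dn']}")
        for attr, value in e.items():
            if attr != "dn":
                for v in (value if isinstance(value, list) else [value]):
                    lines.append(f"{attr}: {v}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    mappings = build_idmap_entries()
    problems = check_idmap(mappings)
    if problems:
        raise SystemExit("\n".join(problems))
    pools = [pool_entry(d, mappings) for d in DOMAINS]
    print(to_ldif(skeleton_entries() + pools + mappings))
```

Pipe the output into ldapadd against the master. If, as the reply suggests, winbind's bind DN is read-only for most domains, winbind can no longer allocate ids on its own, so every SID that will ever touch a file must already be preloaded; the check_idmap() pass is what keeps that preload from silently reusing a local uid or handing one uid to two SIDs.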