On Wed, 2004-03-10 at 11:33, Graham Leggett wrote:
> John H Terpstra wrote:
>
> > We feel your learning curve pain with you. How can we solve this? What
> > specifically should be done to eliminate the pain? Who should do this and
> > how?
>
> "Simplify simply simplify" - Henry David Thoreau.
>
> > You are assuming that Samba only needs to work with OpenLDAP.
>
> Not so:
>
> [EMAIL PROTECTED] root]# rpm -q -f /etc/ldap.conf
> nss_ldap-207-5
>
> The config file to which I refer is part of nss_ldap, and has nothing to
> do with OpenLDAP whatsoever.
>
> > You are also
> > assuming that ALL OpenLDAP configurations use the same directory
> > structure. Too many assumptions. How can we implement a universal
> > solution? What must we do to arrive at nirvana?
>
> 1) Eliminate the duplication through the use of sensible defaults.
>
> A sensible default for most of the LDAP setup is to read it from
> /etc/ldap.conf, or wherever else this file lives on other platforms.
>
> If Samba has a dependency on nss_ldap, it makes sense to use the
> information in nss_ldap's config files.
>
> 2) Have sensible config files
>
> None of the ldap config directives appear in the default smb.conf file
> as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So
> to set up LDAP, it's off to the HOWTO.
>
> Much of the setup pain can be largely reduced if config directives lived
> in the config file commented out, ready to be put into action if the
> admin so wanted, along with some sensible comments explaining what each
> one does.
>
> An example of such a config appears in the HOWTO, but it's incomplete,
> as it excludes any mention of the "add * script" parameters. The first
> time I heard they existed was when you asked if I had set them up on
> this list.
>
> >>And you are assuming they are different. Why should the system be any
> >>more complex than it needs to be?
>
> > That is an administrator decision that Samba can not impose.
>
> Samba need not impose, but through a sensible default, it can suggest a
> recommended configuration.
>
> I find it very frustrating when I get to configure some software and it
> tells me "so what would you like to do?". Being a new user of that
> software, my most sensible answer is "what would you recommend I do?".
> To which the software replies "anything at all, I can do anything at all".
>
> Samba + LDAP is usually practically deployed with a third party LDAP
> maintenance package. If a suggested layout for the LDAP server existed
> that made it easier for the maintenance package and Samba to be looking
> in the same place for things, it would save the administrator a lot of
> time. Yes, I would like the rope to be able to change my mind, if I
> didn't agree with the layout of the directory by default, however I want
> at least a suggested default layout so I can start with something.
>
> > And every constraint we put into Samba results in feedback that we just
> > lost another user site because we have tightened the noose. This is open
> > source software. We try NOT to limit the usability of Samba.
>
> How many sites has Samba lost simply because the admin couldn't get
> their head around the software in a reasonable amount of time? There are
> other solutions available in the marketplace, with their own advantages
> and disadvantages.
>
> > Then suggest a better solution please.
>
> 1) Sensible defaults
> 2) Elimination of duplicated config where possible, with the option to
> override this behaviour if the admin needs to
> 3) Elimination of hacks to add users, instead having a proper user
> adding component built into Samba, that can be enabled if needed.
> 4) Be consistent. The default LDAP layout for Samba in the HOWTO, and
> the default layout for smbldap-tools do not seem to be the same (though
> my perl is bad, so I'm not sure).
----

I can tell by the volume of your messages that you feel that you have a message worthy of delivery but I don't agree. You have bundled a lot of your frustration with learning LDAP into Samba and Samba doesn't require you to use LDAP at all. If you used smbpasswd or tdb backend, you wouldn't be going through this at all.

I am amazed that I stupidly thought the same things that you did...that I pretty much already knew samba 2.2x and that the changes in 3.0 would be minimal and all I needed was to get LDAP working with samba. But LDAP is far more of a beast than I had ever dreamed and even though it appears to be much of the same, samba 3 was a tremendous upgrade to 2.2x - That meant all the things I assumed to be manageable were not skills easily acquired at all. Finally, I took a week or so out to learn LDAP and get that set up and authenticating before I worried about integrating with Samba. I can't imagine many people having much success trying to get both up and running simultaneously.

I am presuming that you are suffering from your own realistic expectations as I had to suffer mine. LDAP is an incredibly flexible, powerful and potent tool but it is not easily mastered - not with openldap, not with SunOne, not with Windows. The expectation in all things LDAP is that the system administrator will take great pains to have a working system, a reasonably good understanding of ACLs for security, a plan for maintaining interactivity with the underlying authentication systems and the wherewithal to stitch LDAP together with other software that may require sips from the LDAP fountain.

If you want easy, if you want total consistency so someone without knowledge can follow your footsteps 6 months from now, you should be implementing Windows.

smbldap tools isn't part of the samba software package, I believe you know this now so your criticism of the lack of documentation in the samba package was off base. A system administrator with knowledge of LDAP would understand that and most will write their own scripts because if there's one thing that's certain about LDAP implementations, there isn't much that is standard.

Had you had a working knowledge of LDAP, your criticisms might be of some value but in light of the fact that you really want to vent about LDAP and how it integrates, its meaning is lost on this samba message base. You don't need to use LDAP to use Samba, in fact, the other backends (omitting sql for this discussion), will be much simpler and probably more to your liking.

Your last bit of frustration about the consistency (or lack thereof) between smbldap-tools, smb.conf, ldap.conf is really more about your distro (RH AS 3) as they have configured the defaults (or failed to consider is probably more likely the explanation). I understand this because I am using it too - and while this was part of my early confusion, once I understood how all these things worked, it really didn't matter.

So in the end, the problem was the amount I was trying to accomplish with my limited understanding of LDAP - I solved that problem and you can too.

Some people light a candle and some curse the darkness.

Craig