johnh@primebuchholz.com
2009-Jun-22 13:21 UTC
[Samba] Copy *just* user accounts from LDAP?
Greetings All,

I have a Samba-controlled domain, with everything in LDAP.

I also have an off-site server that I rsync all our files to every couple hours.

What I'd like to do is set up a new Samba domain on the off-site server so users can log into it for disaster recovery purposes - and I'd like to keep the user account information synchronized with the main server so users' passwords are the same, etc. - while leaving behind workstation accounts, etc.

Does anyone have any ideas on how best to approach this? I guess what I'm asking is, I'm OK with slapcat/slapadd'ing periodically from the main server to the off-site server, but does anyone have ideas for how to filter just the user accounts into the LDIF?

Thanks in advance,

-John

--
Please consider the environment before printing this e-mail.

This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee, or agent responsible for delivering the message to the intended recipient, is strictly prohibited. All contents are the copyright property of the sender. If you are not the intended recipient, you are nevertheless bound to respect the sender's worldwide legal rights. We require that unintended recipients delete the e-mail and destroy all electronic copies in their system, retaining no copies in any media. If you have received this e-mail in error, please immediately notify us by calling our Help Desk at (603) 433-1143, or e-mail to it@primebuchholz.com. We appreciate your cooperation.
johnh@primebuchholz.com wrote:
> What I'd like to do is set up a new Samba domain on the off-site server so
> users can log into it for disaster recovery purposes - and I'd like to
> keep the user account information synchronized with the main server so
> users' passwords are the same, etc. - while leaving behind workstation
> accounts, etc.

Why don't you want to sync the machine accounts? The workstations wouldn't be allowed to log on to the domain if the machine account password differs. And don't you require the LDAP groups too for managing access?

> Does anyone have any ideas on how best to approach this? I guess what I'm
> asking is, I'm OK with slapcat/slapadd'ing periodically from the main
> server to the off-site server, but does anyone have ideas for how to
> filter just the user accounts into the LDIF?

Instead of export/transfer/delete-ldap/import, I would use the OpenLDAP replication functions. If you really don't want to have access to the groups/machine account OUs, you can define an ACL on your slave server that denies access to those branches.
ldapsearch -v -x -h roark.mdah.state.ms.us -D "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxx -b "ou=People,dc=mdah,dc=state,dc=ms,dc=us" > somefile

scp somefile over. Load it with slapadd or ldapadd.

johnh@primebuchholz.com wrote:
> Greetings All,
>
> I have a Samba-controlled domain, with everything in LDAP.
>
> I also have an off-site server that I rsync all our files to every couple
> hours.
>
> What I'd like to do is set up a new Samba domain on the off-site server so
> users can log into it for disaster recovery purposes - and I'd like to
> keep the user account information synchronized with the main server so
> users' passwords are the same, etc. - while leaving behind workstation
> accounts, etc.
>
> Does anyone have any ideas on how best to approach this? I guess what I'm
> asking is, I'm OK with slapcat/slapadd'ing periodically from the main
> server to the off-site server, but does anyone have ideas for how to
> filter just the user accounts into the LDIF?
>
> Thanks in advance,
>
> -John
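One way to do the filtering John asks about, as an added example that is not code from any poster in this thread: a Python script that reads the LDIF produced by slapcat (or ldapsearch) on stdin, keeps only sambaSamAccount entries whose uid does not end in "$" (the naming Samba uses for machine accounts), drops the operational attributes slapcat writes (entryUUID, entryCSN, timestamps and so on) so that the result loads with ldapadd, and writes the filtered LDIF to stdout. The DNs, SIDs, uid/gid numbers and the {SSHA}placeholder hash in SAMPLE_LDIF are constructed for the example and are not from the thread.

```python
"""Filter an LDIF dump (slapcat or ldapsearch output) down to user accounts.

Added example, not code from the thread.  Assumptions: accounts are Samba
sambaSamAccount entries; machine accounts carry a uid ending in '$' as
Samba creates them; the result is meant for ldapadd on the off-site server,
so operational attributes that slapcat emits are dropped.
"""
import base64
import re

# Operational attributes written by slapcat that ldapadd will not accept.
OPERATIONAL = {
    "structuralobjectclass", "entryuuid", "entrycsn", "creatorsname",
    "createtimestamp", "modifiersname", "modifytimestamp", "entrydn",
    "subschemasubentry", "hassubordinates", "contextcsn",
}

# attr: value   or   attr:: base64value
_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

# Constructed sample dump: an OU, one user, one workstation account, one group.
# DNs, SIDs, numbers and the {SSHA}placeholder hash are made up for this example.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: 00000000-0000-0000-0000-000000000001

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
cn: John Doe
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/jdoe
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
sambaSID: S-1-5-21-1-2-3-3002
sambaAcctFlags: [U          ]
description: disaster-recovery test acc
 ount
entryCSN: 20090622132100.000000Z#000000#000#000000
modifyTimestamp: 20090622132100Z

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
cn: ws01$
uidNumber: 2001
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-1-2-3-5002
sambaAcctFlags: [W          ]

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-513
"""


def parse_ldif(text):
    """Split LDIF into entries, each a list of unfolded 'attr: value' lines.

    A line starting with a space continues the previous line (LDIF folding),
    a blank line ends an entry, and '#' lines are comments.
    """
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(raw)
    return entries


def attr_values(entry, name):
    """Decoded string values of attribute `name` (case-insensitive match)."""
    values = []
    for line in entry:
        m = _ATTR_RE.match(line)
        if not m or m.group(1).lower() != name.lower():
            continue
        value = m.group(3)
        if m.group(2) == "::":          # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        values.append(value)
    return values


def is_user_account(entry):
    """True for Samba user accounts, False for machine accounts and anything else."""
    classes = {c.lower() for c in attr_values(entry, "objectClass")}
    if "sambasamaccount" not in classes:
        return False
    uids = attr_values(entry, "uid")
    return bool(uids) and not any(u.endswith("$") for u in uids)


def filter_users(text):
    """Return LDIF containing only user entries, stripped of operational attrs."""
    kept = []
    for entry in parse_ldif(text):
        if not is_user_account(entry):
            continue
        lines = [l for l in entry
                 if l.split(":", 1)[0].lower() not in OPERATIONAL]
        kept.append("\n".join(lines))
    return "\n\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    import sys
    # Usage: slapcat | python3 filter_users.py > users.ldif
    sys.stdout.write(filter_users(sys.stdin.read()))
```

Run it as `slapcat -b "ou=People,dc=example,dc=com" | python3 filter_users.py > users.ldif`, copy `users.ldif` to the off-site server and load it with `ldapadd -x -D "cn=Manager,..." -y /path/to/passfile -f users.ldif` (the `-y` file keeps the bind password out of the process list, unlike `-w`). Plain ldapsearch output without `-LLL` ends in a `search:`/`result:` block that has no dn and no objectClass, so the filter drops it as well. Two things the thread's second reply points at still apply: the filtered file carries userPassword and sambaNTPassword hashes, so it needs the same protection in transit and at rest as the directory itself, and the groups referenced by gidNumber and sambaSID must already exist on the recovery server or logons there will not resolve group membership.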