Now with the files attached :-)
On Fri, 2004-07-23 at 10:52, Tarjei Huse wrote:
> Hi,
>
> Having set up a few Samba-ldap installations, I always end up with the
> feeling that OpenLDAP ACLs are what took time. The following patches /
> scripts might help someone else.
>
> I would appreciate some input on the access.conf.pl file so that it is
> even better tuned.
>
> Mr Tournier and the sambateam: Please include the files you find
> useful.
>
> The attached files are:
>
> slapd.conf.pl :
> A simple utility to generate a basic slapd.conf file. Usage:
> ./slapd.conf.pl <basedn> <hostname> [tls] > slapd.conf.
> Note: This one is not that important.
>
> access.conf.pl:
> This is a simple utility to generate a working set of ACLs for a basic
> samba-ldap installation.
>
> Usage:
> ./access.conf.pl <basedn> <hostname> > access.conf
>
> access.conf must then be added as an include at the end of slapd.conf.
>
> smbldap-populate.patch:
> This is a patch to add an extra ou=Services to the ldaptree and add a
> simpleSecurityObject samba to that ou. Use this as the "sambauser". The
> only thing samba needs is access to the ldap-tree, not to be a complete
> Unix/Windows user.
>
> The patch is written so that if you run configure.pl in smbldaptools
> first, it will use the password you have set for the master ldapserver,
> thus you save a bit of work there :-)
>
> Please comment and commit ;-)
>
> Tarjei
-------------- next part --------------
--- smbldap-tools-0.8.2/smbldap-populate.pl 2003-11-28 16:21:35.000000000 +0100
+++ smbldap-tools-0.8.2.p/smbldap-populate.pl 2003-12-08 19:35:31.000000000
+0100
@@ -94,18 +94,19 @@
die "can't extract first attr and value from suffix $suffix";
}
#print "$attr=$val\n";
+ my $org;
my ($organisation,$ext) = ($suffix =~ m/dc=(.*),dc=(.*)$/);
-
+ if ($organisation ne '') {
+ $org = "\nobjectclass: organization\no: $organisation";
+ }
#my $FILE="|cat";
my $FILE=$tmp_ldif_file;
open (FILE, ">$FILE") || die "Can't open file $FILE:
$!\n";
print FILE <<EOF;
dn: $suffix
-objectClass: $objcl
-objectclass: organization
+objectClass: $objcl$org
$attr: $val
-o: $organisation
dn: $usersdn
objectClass: organizationalUnit
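Review bot: `$org` is declared with `my $org;` and only assigned inside the new `if`, so when the suffix does not match `dc=(.*),dc=(.*)$` the heredoc line `objectClass: $objcl$org` interpolates an undefined value, and the `$organisation ne ''` test itself compares against undef. Initialise it with `my $org = '';` and guard the test with `defined $organisation && $organisation ne ''`. While this code is being touched, note that the greedy `(.*)` in the unchanged regex line captures everything up to the last `,dc=`, so a suffix with three or more dc components would put a string containing commas into `o:`; a tighter pattern such as `[^,]*` for the first group would avoid that.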
@@ -309,7 +310,6 @@
} else {
$tmp_ldif_file=$_ldifName;
}
-
my $ldap_master=connect_ldap_master();
my $ldif = Net::LDAP::LDIF->new($tmp_ldif_file, "r", onerror =>
'undef' );
while( not $ldif->eof() ) {
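Review bot: the blank line removed before `my $ldap_master=connect_ldap_master();` is a whitespace-only change unrelated to the conditional `organization` objectclass in the first hunk; drop it so the patch carries only functional changes. The visible hunks also contain none of the ou=Services or simpleSecurityObject additions the covering message describes, so check that the attachment is complete before it is applied.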