Jim C.
2004-Oct-03 19:42 UTC
[Samba] Scaleable LDAP Backends for Samba; Domain Controllers group access
OK, just went through the research on how to set up scalable LDAP backends. By scalable I mean without having Samba use the root dn to access ldap. This way, if you are going through the logs, you will be able to tell which domain controller is doing what.

As far as I know, it *HAS* to be done this way because the posixGroup schema is way out of date (it won't take a dn as a member). This info according to the gurus on the OpenLDAP list. In effect we have to keep a duplicate set of group records for those that will have access to the database. For example, if you want to give group based access to a group like "Domain Controllers", you would have to keep a duplicate record using a different objectClass.

Oh, yes, and if you know a better way, I am always looking for better ways to get things done. :-)

How I did it was like this:

1. I set up a new OU called "Access Groups".

2. I created a new groupOfNames object in that OU called "Domain Controllers". For the "member" attribute, use the dn of the host record for your primary DC.

3. Using gq, I added simpleSecurityObject to the host record so that it would have a password.
   Note: Probably can't use the machine account instead due to some rather complex password issues.

4. I set the password by pasting the results of the following command into the userPassword attribute:

   [root@massive openldap]$ read -sp "Enter password to be used:" pw;echo;slappasswd -s $pw;unset pw
   Enter password to be used:
   {SSHA}4FMerwu0qcafPYXwxlpTxuRcdtTTvZN6
   [root@massive openldap]$

5. I verified that I had a proper set of ACLs by using "slapd -t" to test them. That way you don't have to restart to find out if they are bad. You also need to add a line like the following to each access clause:

   by group="cn=Domain Controllers,ou=Access Groups,$2" write

6. Group access can now be had by placing the dn of the controller's host record (which must have a simpleSecurityObject) in the member attribute of the new groupOfNames group called "Domain Controllers".
To add more controllers, just create a new host record, add simpleSecurityObject to it, and add the dn of that host record as a member of the groupOfNames group called "Domain Controllers".

More details at: http://mandrake.vmlinuz.ca/bin/view/Main/SambaThreeDomainController#OpenLDAP_Structural_Adjustments

Jim C.

-- 
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844    |
|---------------------------------------------------------------|
| Y!: j_c_llings  Jabber: jcllings@njs.netlab.cz                |
-----------------------------------------------------------------
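The procedure above, steps 2 through 6, carried through in code as an added example (this is not Jim's code and not part of the Samba or OpenLDAP projects). It reproduces what `slappasswd -s` does for a `{SSHA}` hash (base64 of SHA-1 over password plus a 4-byte salt, salt appended), adds a verifier so a stored `userPassword` can be checked without slapd, and renders the LDIF for the host record modification and the groupOfNames group. The base DN `dc=example,dc=com` and the `ou=Hosts` container are assumptions; the post does not name them, and its ACL used a regex backreference (`$2`) in place of a literal suffix.

```python
"""Build the {SSHA} password and the LDIF entries described in the post.

Added example; the base DN, the ou=Hosts container and the hostnames used
below are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

BASE_DN = "dc=example,dc=com"                          # assumption
GROUP_DN = f"cn=Domain Controllers,ou=Access Groups,{BASE_DN}"
SHA1_LEN = 20                                          # SHA-1 digest size in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt), as slappasswd emits."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:          # must carry a digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def host_dn(hostname: str) -> str:
    """DN of a DC's host record (container name is an assumption)."""
    return f"cn={hostname},ou=Hosts,{BASE_DN}"


def add_password_ldif(hostname: str, password: str, salt: Optional[bytes] = None) -> str:
    """Step 3/4: modify the existing host record to carry simpleSecurityObject
    and a userPassword, so the DC can bind as its own host entry."""
    return "\n".join([
        f"dn: {host_dn(hostname)}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: simpleSecurityObject",
        "-",
        "add: userPassword",
        f"userPassword: {ssha_hash(password, salt)}",
        "",
    ])


def group_ldif(member_dns: List[str]) -> str:
    """Step 2/6: the groupOfNames whose members are the DC host records.
    groupOfNames requires at least one member, so an empty group is rejected here
    rather than by slapd at add time."""
    if not member_dns:
        raise ValueError("groupOfNames needs at least one member")
    lines = [f"dn: {GROUP_DN}", "objectClass: groupOfNames", "cn: Domain Controllers"]
    lines += [f"member: {dn}" for dn in member_dns]
    return "\n".join(lines) + "\n"


def acl_clause() -> str:
    """Step 5: the 'by' clause granting the group write access, with a literal
    suffix in place of the post's regex backreference."""
    return f'by group="{GROUP_DN}" write'


if __name__ == "__main__":
    print(add_password_ldif("massive", "correct horse"))
    print(group_ldif([host_dn("massive"), host_dn("dc2")]))
    print(acl_clause())
```

Pipe the two LDIF documents into `ldapmodify`/`ldapadd` as the rootdn, then check with `slapd -t` before restarting, as in the post; afterwards the DC binds as `cn=massive,ou=Hosts,…` and every write it makes is logged under that DN rather than the rootdn.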
Adam Tauno WIlliams
2004-Oct-04 17:54 UTC
[Samba] Scaleable LDAP Backends for Samba; Domain Controllers group access
> As far as I know, it *HAS* to be done this way because the posixGroup
> schema is way out of date (it wont take a dn as a member).

That is true, well the "out of date" part. It doesn't have to be done this way.

> This info
> according to the gurus on the OpenLDAP list. In effect we have to keep a
> duplicate set of group records for those that will have access to the
> database.

No. Duplicate is bad, only a matter of time till someone screws it up, and debugging the ensuing weirdness will be a real headache.

> For example, if you want to give group based access to a group
> like "Domain Controllers", you would have to keep a duplicate record
> using a different objectClass.

Recent versions of NSS LDAP support RFC2307BIS, where groups can contain "member" attributes rather than "memberuid" attributes. So OS groups can be objectclass "groupOfNames" rather than posixAccount. The schema is busted however, since posixGroup is structural. So load -

objectclass ( 1.3.6.1.4.1.6921.1.18 NAME 'nssBisGroup'
    DESC 'Adds POSIX Attributes To A GroupOfNames'
    SUP top AUXILIARY
    MUST ( cn, gidNumber )
    MAY ( userPassword, description ) )

Since groupOfNames already requires cn, you just add a gidNumber and the objectclass to groups that you want to be OS groups. And set the NSS configuration to:

nss_map_objectclass posixGroup nssBisGroup
pam_member_attribute member
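To make the difference between the two schemas concrete, here is an added example (not Adam's code and not nss_ldap itself) of the client-side resolution a `getgrnam()` has to do: an RFC 2307 posixGroup lists login names in `memberUid`, while an RFC 2307bis groupOfNames carrying the `nssBisGroup` auxiliary class lists DNs in `member`, which must be dereferenced to the target entry's `uid`. It also shows why the auxiliary class is needed: `posixGroup` and `groupOfNames` are both structural, and an entry may belong to only one structural class chain. The directory contents, DNs and gid numbers are constructed for the example; the base DN `dc=example,dc=com` is an assumption.

```python
"""Resolve POSIX group membership under RFC 2307 (memberUid) and
RFC 2307bis (member DN) schemas, mirroring nss_ldap's
'nss_map_objectclass posixGroup nssBisGroup' and 'pam_member_attribute member'.

Added example with a constructed in-memory directory; not nss_ldap code.
"""
from typing import Dict, List, Optional, Tuple

BASE_DN = "dc=example,dc=com"   # assumption

Entry = Dict[str, List[str]]

# Constructed sample directory: two users, one host record, and two groups.
DIRECTORY: Dict[str, Entry] = {
    f"uid=alice,ou=People,{BASE_DN}": {
        "objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["1000"]},
    f"uid=bob,ou=People,{BASE_DN}": {
        "objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["1001"]},
    f"cn=massive,ou=Hosts,{BASE_DN}": {
        "objectClass": ["device", "ipHost"], "cn": ["massive"]},
    # classic RFC 2307 group: members are login names
    f"cn=admins,ou=Groups,{BASE_DN}": {
        "objectClass": ["posixGroup"], "cn": ["admins"], "gidNumber": ["500"],
        "memberUid": ["alice", "bob"]},
    # RFC 2307bis group: groupOfNames + nssBisGroup, members are DNs
    f"cn=dcs,ou=Groups,{BASE_DN}": {
        "objectClass": ["groupOfNames", "nssBisGroup"], "cn": ["dcs"],
        "gidNumber": ["501"],
        "member": [f"uid=alice,ou=People,{BASE_DN}", f"cn=massive,ou=Hosts,{BASE_DN}"]},
    # groupOfNames without gidNumber/nssBisGroup: an LDAP group, not an OS group
    f"cn=staff,ou=Groups,{BASE_DN}": {
        "objectClass": ["groupOfNames"], "cn": ["staff"],
        "member": [f"uid=bob,ou=People,{BASE_DN}"]},
}

STRUCTURAL_GROUP_CLASSES = {"posixGroup", "groupOfNames"}
GROUP_CLASSES = ("posixGroup", "nssBisGroup")   # nss_map_objectclass posixGroup nssBisGroup
MEMBER_ATTRIBUTE = "member"                      # pam_member_attribute member


def structural_conflict(entry: Entry) -> bool:
    """True if the entry mixes two unrelated structural classes, which the
    schema forbids; this is why nssBisGroup is declared AUXILIARY."""
    return len(STRUCTURAL_GROUP_CLASSES & set(entry["objectClass"])) > 1


def is_posix_group(entry: Entry) -> bool:
    """Either mapped class qualifies, but only if gidNumber is present."""
    return any(oc in entry["objectClass"] for oc in GROUP_CLASSES) and "gidNumber" in entry


def group_members(entry: Entry, directory: Dict[str, Entry]) -> List[str]:
    """Login names of a group's members.  memberUid values are names already;
    member values are DNs and are resolved to the target's uid.  A DN that is
    not a posixAccount (e.g. a host record) has no login name and is skipped."""
    names = set(entry.get("memberUid", []))
    for dn in entry.get(MEMBER_ATTRIBUTE, []):
        target = directory.get(dn)
        if target is not None and "posixAccount" in target["objectClass"]:
            names.update(target["uid"])
    return sorted(names)


def getgrnam(name: str, directory: Dict[str, Entry]) -> Optional[Tuple[str, int, List[str]]]:
    """Return (gr_name, gr_gid, gr_mem) for a group, or None if it is not an OS group."""
    for entry in directory.values():
        if is_posix_group(entry) and name in entry["cn"]:
            return (name, int(entry["gidNumber"][0]), group_members(entry, directory))
    return None


if __name__ == "__main__":
    for g in ("admins", "dcs", "staff"):
        print(g, "->", getgrnam(g, DIRECTORY))
```

The same `cn=dcs` entry that `nss_ldap` maps to a POSIX group is also a plain `groupOfNames`, so slapd's `by group="cn=dcs,…" write` clause evaluates its `member` DNs directly; one record serves both consumers, which is the point of Adam's objection to keeping duplicates.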