On Sun, 2021-07-25 at 14:25 +0200, Lorenz Schori wrote:
> Hi,
>
> On Sun, 25 Jul 2021 13:09:32 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Sun, 2021-07-25 at 13:10 +0200, Lorenz Schori via samba wrote:
> > [...]
> > If Samba is involved, then I probably should mention that apart
> > from a Samba AD DC (where once something is added to the schema,
> > it cannot be removed), Samba only really uses ldap for NT4-style
> > domains and they
> > [...]
>
> I'd like to manage the structure (i.e., organization units and
> groups) of a Samba AD DC that way.

You can do what you like with OUs and you can create groups, but you cannot change the schema and it is inadvisable to delete the standard groups, e.g. Domain Users.

> If there is a better interface for directory
> management than ldif,

AD uses ldifs to add users, groups etc., so I do not know of any other interface to use.

> then I sure like to have some pointers on that as
> well. Also note, this is not really about the LDAP schema.

No, it sounds like it is really about changing where the users, groups and computers are stored in AD, and I cannot see where the versioning comes in.

Rowland

Hi,

On Sun, 25 Jul 2021 13:59:29 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 2021-07-25 at 14:25 +0200, Lorenz Schori wrote:
> [...]
> You can do what you like with OU's and you can create groups, but you
> cannot change the schema and it is inadvisable to delete the standard
> groups e.g. Domain Users

Correct. Not at all what I'm.

> > If there is a better interface for directory
> > management than ldif,
>
> AD uses ldifs to add users, groups etc , so I do not know of any other
> interface to use

Ok, good to know.

> > then I sure like to have some pointers on that as
> > well. Also note, this is not really about the LDAP schema.
>
> No, it sounds like it really about changing where the users, groups
> and computers are stored in AD and I cannot see where the versioning
> comes in.

Nope, it is really not about changing the default content of the directory tree. The approach outlined in my initial mail (also look at the linked Wikipedia text) is about keeping a record of machine readable/interpretable changes over time. This approach is also comparable with the practice of Infrastructure as Code[1].

The big advantage of maintaining changes to infrastructure or database schemas or (what I am after) ou/group entries is that every change is versioned and commit messages can be linked to tickets in an issue tracker. Also changes can be tested - and rolled back if the tool permits it.

I'm not looking for help on how to run Samba AD DC or how to structure the directory. I'm looking for pointers to tools which support my preferred workflow. My preferred workflow is keeping stuff in git and using automation tools.

Cheers,
Lorenz

1) https://en.wikipedia.org/wiki/Infrastructure_as_code