The 'perfect' LDAP+Krb5+glue setup (was: Re: Current ideas on kerberos requirements for Samba4)

Andrew Bartlett abartlet at
Tue May 24 21:42:25 EDT 2005

On Tue, 2005-05-24 at 07:32 -0700, Howard Chu wrote:
> Andrew Tridgell wrote:
> > I think that Samba3 is far too hard to install and configure. I want
> > to make Samba4 much easier, and my fear is that it will in fact become
> > much harder as we start to become dependent on more external tools.
> You can create a nicely integrated package from multiple components 
> without needing to reimplement all of the components. Symas has done it 
> with our CDS packages (OpenLDAP+BerkeleyDB+Cyrus SASL+Heimdal+OpenSSL), 
> and PADL has done it with XAD. You get far more mileage out of your own 
> time and resources by leveraging what already exists. When you run into 
> rough edges, you beat them into submission and move on...  ;)

(now where did that send button jump out from...)

Just picking up this point for a moment:  Aside from your fine
commercial products, is there any public document that describes how to
do this?  

As you know, I've been working to make Samba3 play nicer in such a
setup, in the hope that I might one day get the time to deploy it at
Hawker (I deploy parts of this mix, to mixed success).  Entirely aside
from my Samba4 work I would love to be able to point admins,
particularly of Unix-oriented sites, to a known working description of
how to do this.  

As you said before, it should be just 'make install', and we shouldn't
be so easily misled by those 'self-proclaimed LDAP experts'.

I would love to be able to brow-beat the vendors we are still on
speaking terms with into actually shipping this combination *configured
correctly*, and I would love to see vendors taking advantage of the
'just add water' Heimdal KDC (0.7pre) when using the Samba3 LDAP schema
(removing the 're-enter the password' battle that scares off most first-
time Kerberos admins).

Are there vendors other than Symas (I'm thinking Operating System/Linux
Distribution vendors in particular), who get this right, out of the box?

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College