LinuxQuestions.org

Linux - Server: Multiple domains in LDAP and 1 samba server for all domains, what to do? (http://www.linuxquestions.org/questions/linux-server-73/multiple-domains-in-ldap-and-1-samba-server-for-all-domains-what-to-do-683041/)

xnomad 11-13-2008 12:41 AM

Multiple domains in LDAP and 1 samba server for all domains, what to do?
 
Are there any LDAP admins who can help me with this?

We are a group of 3 companies, all belonging to the same owner, so we share office space and IT infrastructure. Each company has its own domain name, e.g.

red.com
blue.com.au
green.com.au

We want to centralize logins for shell, email and file server accounts (samba/CIFS) using OpenLDAP.

I'm completely new to LDAP and have set up a test LDAP server on 1 machine.

I have created a directory database for each company in the /etc/openldap/slapd.conf

So far this is all in the design phase so nothing has really been populated yet.

There are two problems I see in the future:

1.

We want one samba server handling the file server and the logins handled by ldap.

In the samba.conf I would have

ldap admin dn = "cn=smbadmin,ou=people,dc=red,dc=com"

This will allow me to add users to the samba system and authenticate them via LDAP but probably only for the domain red.com.
Question is how can I allow the ldap admin DN login to the other domains on LDAP and create or authenticate users there? I'm starting to think that we'll need three samba daemons or servers.


2.

The second problem, how can users from one domain authenticate and search the directory of another domain? I'm flirting with the idea that I should just create one fake domain name and have everyone in that, but I'm sure that's going to cause problems in the future.

irishbitte 11-14-2008 10:12 AM

Why not have one 'fake' domain name, and then create users in groups within subdomains within one LDAP db? This really shouldn't pose a problem, since you can configure individual machines to only allow a subset of users.

It does take a lot of work, but I would bet that one database in LDAP is a lot easier to implement than three, and it is easily replicated onto other servers if that is required.
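One way to lay out the single-database design suggested in this reply, as an added example that is not from either poster: one suffix, one subtree per company, one Samba admin DN, and ACLs so that a company's users can only see their own subtree and nobody can read password hashes. The suffix dc=corp,dc=local, the ou names and the cn=smbadmin account are assumptions.

```conf
### slapd.conf (OpenLDAP): one suffix, one subtree per company
suffix          "dc=corp,dc=local"
rootdn          "cn=Manager,dc=corp,dc=local"
# rootpw: paste the output of `slappasswd` here, never a plaintext value

# Password hashes: Samba's admin DN and the account owner may write them,
# everyone else may only bind (auth) against them and can never read them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=smbadmin,dc=corp,dc=local" write
    by self write
    by anonymous auth
    by * none

# Each company's subtree: smbadmin writes (Samba has to create accounts),
# members of that company read it, nobody else sees it at all.
# slapd uses the first "access to" clause that matches, so these come
# before the catch-all below.
access to dn.subtree="ou=red,dc=corp,dc=local"
    by dn.exact="cn=smbadmin,dc=corp,dc=local" write
    by dn.subtree="ou=red,dc=corp,dc=local" read
    by * none
# ... repeat the same rule for ou=blue and ou=green ...

# Catch-all for the rest of the tree: authenticated users may read.
access to *
    by dn.exact="cn=smbadmin,dc=corp,dc=local" write
    by users read
    by * none

### smb.conf (Samba): one file server, one admin DN for the whole tree
[global]
    passdb backend  = ldapsam:ldap://127.0.0.1
    ldap suffix     = dc=corp,dc=local
    ldap admin dn   = "cn=smbadmin,dc=corp,dc=local"
    # store the admin DN's password with: smbpasswd -w <password>
    # lookups search the whole suffix, so users may live under any ou=*;
    # the user/group suffixes only decide where new accounts are created
    ldap user suffix  = ou=people,ou=red
    ldap group suffix = ou=groups,ou=red

### /etc/ldap.conf (pam_ldap): let a host accept only a subset of users
base dc=corp,dc=local
# Only accounts whose "host" attribute names this machine may log in.
pam_check_host_attr yes
```

The ACL order matters: a bind as a user from ou=blue hits the ou=red rule first and gets `by * none`, so a search of another company's subtree returns nothing rather than a permission error.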

