Make everything dynamic with LDAP
This page just lists a few things I have in mind to make SME Server better. LDAP authentication is nearly ready (there are still a few little things to fix, but I've been running with LDAP auth enabled on my own personal server for 3 years now without issue). What I'd like now is to make more use of LDAP.
The goal
The goal I have is to have more things in LDAP. Ultimately, adding users and groups shouldn't require anything but adding the user or the group in LDAP: no templates to expand, no service to restart. This means, for example, that all the mail stuff (qpsmtpd, qmail) should read LDAP to get the required info; no more flat files, no more static configuration.
In which way this can be useful
A first bonus we would have with this is that adding, removing and modifying groups and users becomes much faster, but that would just be a side effect. The real benefit is that SME could then use another LDAP directory. You can manage all your users and groups elsewhere, in any LDAP server you want, and then connect your SME box (or several SME servers) to it. Your master LDAP server could of course be another SME, but that should not be required, as long as you use a compatible LDAP schema.
What needs to be done to get there
Switch to LDAP auth
The first step (of course) is to enable LDAP as the main source of authentication on SME. Most of the work is already done; we just need some testers, bug reports, etc.
Here's a list of bugs which need to be fixed:
- Configure a valid binddn and bindpw for nss_ldap (http://bugs.contribs.org/show_bug.cgi?id=6445)
Modify a few things in LDAP
Here's a list of a few things which can be enhanced in LDAP
Switch to rfc2307bis?
The main difference between rfc2307 (currently used) and rfc2307bis is the way groups are handled. The biggest advantage of rfc2307bis is the possibility of enabling the memberOf overlay.
Add smbk5pwd
smbk5pwd is an overlay which makes sure Unix and Samba passwords stay in sync (as long as you use the LDAP password modify exop to change the password).
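As an added illustration of the two previous items (not configuration from the SME Server project), here is a slapd.conf fragment that loads the memberOf and smbk5pwd overlays on a database using rfc2307bis-style groups; the schema and module paths and the suffix are assumptions, not SME's real values.

```conf
# memberOf relies on groups stored as groupOfNames/member (rfc2307bis style),
# not posixGroup/memberUid (rfc2307), which is why the schema switch comes first.
include         /etc/openldap/schema/rfc2307bis.schema   # assumed path
include         /etc/openldap/schema/samba.schema        # assumed path

modulepath      /usr/lib/openldap                         # assumed path
moduleload      memberof.la
moduleload      smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"                       # placeholder suffix
# ... rootdn, directory, indexes and ACLs go here ...

# Maintain memberOf on user entries from the group's member attribute.
# Overlays are applied in reverse order of declaration; both are independent here.
overlay         memberof
memberof-group-oc    groupOfNames
memberof-member-ad   member
memberof-memberof-ad memberOf
memberof-refint      TRUE    # drop member values when a user entry is deleted

# Keep the Samba password hashes in step with userPassword.
# This only fires on the Password Modify extended operation (ldappasswd and
# friends); a plain modify of userPassword leaves sambaNTPassword stale,
# so every password-changing tool must use the exop.
overlay         smbk5pwd
smbk5pwd-enable samba
```

memberOf is only computed for entries written after the overlay is active, so existing groups have to be re-added (for example by re-importing them from an LDIF); check the result with an ldapsearch for memberOf on a user entry before relying on it in ACLs or applications.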
Add pseudonyms as mailAlternateAddress attributes
- Add all the virtual domains / pseudonyms combinations
Automatically create the home dir on first connection
- Enable pam_mkhomedir
- Create a script to create it as a root preexec script (so that connecting to the personal samba share creates the dir)
Switch to qmail-ldap (or another LDAP aware MTA, like postfix)
- Add required schema to LDAP
- Switch to qmail-ldap
Modify qpsmtpd to use LDAP
- Replace goodrcptto with an LDAP equivalent (rcpt_ldap?)
Modify esmith::AccountsDB to read LDAP
- Read operations should first try to read LDAP directly
- Write/read fallback to standard flat file DB
Configure OpenLDAP as a proxy
Disable user/group management
- Make it possible to disable user and group management