[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

José Ildefonso Camargo Tolosa icamargo at merkurio.com.ve
Tue Jul 20 15:20:58 GMT 2004


Craig White wrote:

>On Mon, 2004-07-19 at 19:34, José Ildefonso Camargo Tolosa wrote:
>
>>>http://samba.idealx.org/smbldap-howto.fr.html as you
>>>recommended. I have one big question, which one do I
>>>put in '/etc/ldap.conf'
>>>
>>>nss_base_passwd dc=wbcoll,dc=edu?one
>>>nss_base_shadow dc=wbcoll,dc=edu?one
>>>nss_base_group  ou=Groups,dc=wbcoll,dc=edu?one
>>>
>>>or
>>>
>>>nss_base_passwd        ou=Users,dc=wbcoll,dc=edu?one
>>>nss_base_shadow        ou=Users,dc=wbcoll,dc=edu?one
>>>nss_base_group         ou=Groups,dc=wbcoll,dc=edu?one
>>>
>>Neither, use this:
>>
>>nss_base_passwd dc=wbcoll,dc=edu?sub
>>nss_base_shadow dc=wbcoll,dc=edu?sub
>>nss_base_group  ou=Groups,dc=wbcoll,dc=edu?one
>>
>>Look at the sub, it tells the system to descend to all the sub-objects it may have.
>>
>---
>It is pertinent to consider that this suggestion waives any efficiency
>for ease of use as it will tell all user lookups to search the entire
>LDAP tree.
In fact, you should do something like this (that's what I did, if you 
read the thread):

nss_base_passwd ou=Accounts,dc=wbcoll,dc=edu?sub
nss_base_shadow ou=Accounts,dc=wbcoll,dc=edu?sub
nss_base_group  ou=Groups,dc=wbcoll,dc=edu?one

And under ou=Accounts,dc=wbcoll,dc=edu, you create another ou:

ou=People,ou=Accounts,dc=wbcoll,dc=edu  here you place user accounts, 
and put this in the smb.conf for users
ou=Computers,ou=Accounts,dc=wbcoll,dc=edu  and here you place computer 
accounts.

Of course, you can call Accounts whatever you want to call it: samba, 
domains, I don't know.

>I already told him to use his second choice as that is most efficient. I
>recognize that your option would permit the option of trying to use a
>separate organizational unit for Computers but this guy is endlessly
>confused, and simple is clearly better for his purposes, without
>considering the impact of excessive searching of the LDAP db.
If you only have the ldap for samba, there will not be any problem.

It will also allow you to create other OUs to further organize your users 
(you can't ask someone to have, let's say, 900 users in just one OU).  
This would also allow you to delegate the administration of a group of 
users to another person, without giving him access to the whole directory.

I was endlessly confused myself when I started with this, I read many 
different howtos, all of them saying different things.  And I have been 
a samba user for more than two years, I just started to use it with ldap 
about five months ago.

>Craig
>
Ildefonso Camargo
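The whole thread turns on what the `?one` and `?sub` suffixes on the nss_base_* lines mean for a lookup. The following is an added example, not code from anyone in this thread: it parses nss_ldap-style `base?scope` lines and checks whether a search with that base and scope would reach a given entry DN, using the two configurations quoted above as constructed sample input. It assumes the nss_ldap `base?scope?filter` syntax with scope one of base/one/sub, and treats a missing scope as `sub`.

```python
import re

# Constructed sample input: the two nss_ldap configurations from the thread.
SUB_CONFIG = """
nss_base_passwd ou=Accounts,dc=wbcoll,dc=edu?sub
nss_base_shadow ou=Accounts,dc=wbcoll,dc=edu?sub
nss_base_group  ou=Groups,dc=wbcoll,dc=edu?one
"""

ONE_CONFIG = """
nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
nss_base_group  ou=Groups,dc=wbcoll,dc=edu?one
"""


def parse_nss_bases(text):
    """Return {map_name: (base_dn, scope)} for each nss_base_* line."""
    bases = {}
    for line in text.splitlines():
        m = re.match(r"^\s*nss_base_(\w+)\s+(\S+)", line)
        if not m:
            continue
        parts = m.group(2).split("?")          # base?scope?filter
        base = parts[0]
        # Assumption: no explicit scope falls back to a subtree search.
        scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
        bases[m.group(1)] = (base.lower(), scope.lower())
    return bases


def rdns(dn):
    """Split a DN into its comma-separated RDN components, normalised."""
    return [c.strip().lower() for c in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Would an LDAP search rooted at base_dn with this scope reach entry_dn?"""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                 # entry lies outside the base subtree
    depth = len(entry) - len(base)   # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1            # nested OUs are invisible with ?one
    return True                      # sub: the base and every descendant


def lookup_reaches(config_text, map_name, entry_dn):
    """True if the given NSS map (passwd/shadow/group) would find entry_dn."""
    base, scope = parse_nss_bases(config_text)[map_name]
    return in_scope(entry_dn, base, scope)
```

With `?one`, an account placed in a nested OU such as ou=Staff,ou=Users is never found by the passwd lookup, which is exactly the trade-off between the two configurations in the thread.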
