[Samba] Re: Samba/LDAP/PDC Questions

Buchan Milne bgmilne at obsidian.co.za
Fri Jul 23 12:06:00 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Gienger wrote:
|
|> |         1. In what situation do I need People group as the group for
|> | machines?
|>
|> In the case where you use:
|> nss_base_passwd        ou=Users,dc=ab,dc=com?one
|>
|> If you use:
|> nss_base_passwd        dc=ab,dc=com?sub
|
|
|
| Would people please stop suggesting this without explaining the
| ramifications?

When people stop giving the other reply (that it is impossible).

|  If you do this, you are going to (theoretically)(1)
| severely harm the performance on your server.

Yes, for only the LDAP clients which are samba servers.

|  Setting the nss library
| to do a search on the 'entire' directory every time it needs to look up
| user information is asinine to put it in a word.

That really depends on the structure of your LDAP server.

And, you are also ignoring the fact that nss_ldap will use a search
filter for the specific user - and doing a search for
"(&(objectclass=posixAccount)(uid=xxxx))" isn't going to be much slower
for most small implementations. Then of course, there's always nscd ...

If you've tuned your LDAP server, it should be getting most of the
entries out of cache anyway.

|  It's like doing this
| in DNS terms... rather than looking for a machine named
| 'something.else.com' in the dns servers for else.com you go ask .com who
| then goes in and asks else.com by proxy.  Doing the first example (the
| one searching with ?one) you are restricting searches to a respectable
| scope, doing the second you are searching all OUs which may be numerous
| and deep (in our LDAP tree we have 10 OUs, two of which are at least 3
| levels deep).

If your OUs are so deep, you should be able to have a deeper search
filter. I suggested reducing the depth of the search by one level and
increasing the scope. If there was already a huge and complex DIT, that
still would not have made a big impact.

| You would be better served by defining ou=Computers and ou=People under
| something like ou=Accounts (which would give you DNs of
| ou=Computers,ou=Accounts,dc=ab,dc=com and
| ou=People,ou=Accounts,dc=ab,dc=com)
|

Sure, but the user *first* wanted to get something working ... he didn't
ask on the generic LDAP list how to structure his directory for
efficient searching (the samba list is the wrong place to ask these
questions anyway).

| and then set:
| nss_base_passwd        ou=Accounts,dc=ab,dc=com?sub
|
|
| Note that I'm not saying that doing a sub search is necessarily bad,
| just when you are searching your entire ldap DIT, especially for
| something that happens as often as passwd lookups.

If your LDAP server is tuned and indexed well enough, queries that
happen so often should cost nothing.


| (1) I say theoretically because I've never tried it, it's a Bad Idea(C)
| from the word go.   There are a lot of other things that I haven't tried
| that are bad ideas but I can safely say they are also dangerous, such as
| sticking forks in my eyes and jumping off cliffs.

Regards,
Buchan

- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBAP8orJK6UGDSBKcRAvOlAJwOXIGWe5YzmtVIO+AFJg5Vn37idQCgrDTG
KqZ1ZXGDjLyPeN49b8CY2fw=
=qvFj
-----END PGP SIGNATURE-----
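The three `nss_base_passwd` settings discussed in this thread differ only in base DN and search scope, and the argument is about what each one can find and how many entries it puts in play. The script below is an added example, not code from the thread, from Samba or from nss_ldap: it parses nss_ldap's `base?scope?filter` spec syntax and evaluates a passwd lookup (the `(&(objectClass=posixAccount)(uid=...))` filter nss_ldap sends) against a small constructed directory containing a user under `ou=Users`, a user and a machine account under `ou=Accounts`, and a group. The DIT, the account names and the simplified DN handling (no RDN escaping, case-insensitive comparison) are assumptions of the example.

```python
"""Evaluate nss_ldap-style nss_base_passwd specs against a small in-memory DIT.

Added example, not from the samba list thread or from nss_ldap itself.
The tree and accounts are constructed; DN handling is simplified
(no escaping, case-insensitive comparison of whole RDNs).
"""

# Constructed sample DIT: DN -> attributes (values are lists, as in LDAP).
DIT = {
    "dc=ab,dc=com": {"objectClass": ["dcObject", "organization"]},
    "ou=Users,dc=ab,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=bob,ou=Users,dc=ab,dc=com": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "ou=Groups,dc=ab,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=staff,ou=Groups,dc=ab,dc=com": {"objectClass": ["posixGroup"], "cn": ["staff"]},
    "ou=Accounts,dc=ab,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=People,ou=Accounts,dc=ab,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=People,ou=Accounts,dc=ab,dc=com": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "ou=Computers,ou=Accounts,dc=ab,dc=com": {"objectClass": ["organizationalUnit"]},
    # Samba machine trust account: a posixAccount whose uid ends in '$'.
    "uid=ws01$,ou=Computers,ou=Accounts,dc=ab,dc=com": {"objectClass": ["posixAccount"], "uid": ["ws01$"]},
}


def norm_dn(dn):
    """Lower-case the DN and strip whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    """Return the DN one level up, or '' for a DN with a single RDN."""
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(dn, base, scope):
    """Apply an LDAP search scope (base/one/sub) to a normalised DN."""
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent_dn(dn) == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unknown scope: {scope}")


def parse_spec(spec):
    """Parse an nss_ldap 'base?scope?filter' spec; scope defaults to sub."""
    parts = spec.split("?")
    base = norm_dn(parts[0])
    scope = parts[1].strip() if len(parts) > 1 and parts[1].strip() else "sub"
    extra = parts[2].strip() if len(parts) > 2 else ""
    return base, scope, extra


def match_eq(attrs, assertion):
    """Match one '(attr=value)' equality assertion, case-insensitively."""
    body = assertion.strip()
    if not (body.startswith("(") and body.endswith(")") and "=" in body):
        raise ValueError(f"only simple (attr=value) filters are supported: {assertion}")
    attr, value = body[1:-1].split("=", 1)
    values = [v.lower() for k, vs in attrs.items()
              if k.lower() == attr.strip().lower() for v in vs]
    return value.strip().lower() in values


def lookup_passwd(spec, uid, dit=DIT):
    """Resolve one passwd lookup the way nss_ldap frames it: search `base`
    with `scope` for (&(objectClass=posixAccount)(uid=<uid>)[extra]).
    Returns (matching DNs, number of entries the scope admits); the second
    value is the candidate set a server without a uid index would examine."""
    base, scope, extra = parse_spec(spec)
    candidates = [(dn, attrs) for dn, attrs in dit.items()
                  if in_scope(norm_dn(dn), base, scope)]
    hits = [dn for dn, attrs in candidates
            if match_eq(attrs, "(objectClass=posixAccount)")
            and match_eq(attrs, f"(uid={uid})")
            and (not extra or match_eq(attrs, extra))]
    return hits, len(candidates)


if __name__ == "__main__":
    specs = ["ou=Users,dc=ab,dc=com?one",
             "dc=ab,dc=com?sub",
             "ou=Accounts,dc=ab,dc=com?sub"]
    for spec in specs:
        for uid in ("bob", "ws01$"):
            hits, examined = lookup_passwd(spec, uid)
            print(f"{spec:36} uid={uid:6} hits={hits} entries_in_scope={examined}")
```

Running it shows the trade-off the two posters are arguing about: the `?one` search under `ou=Users` never sees the machine account, the `?sub` search from the suffix finds it but admits every entry in the tree, and the `ou=Accounts ... ?sub` layout finds both kinds of account while excluding groups and everything else above it. The entry counts are only the unindexed worst case; with an equality index on `uid` the server narrows the candidate set before the scope is applied, which is the point made above about a well-indexed server.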

