Proposal to add ldap flexability in DIT layout

Michael Cunningham archive at
Tue Jan 15 10:56:11 GMT 2002

> > > One thing I have noticed is that I can only specify         
> > > one suffix for the base of the DIT tree.                    
> > > ldap suffix = "dc=xpedite, dc=com"                          
> > > This means that both computer accounts and people           
> > > accounts end up in uid=something, dc=xpedite, dc=com        

> > not mandatory.                                                

It is mandatory when using smbpasswd to create machine 
accounts in ldap on the fly. Smbpasswd puts the machine 
account in "uid=something, ldap suffix from smb.conf"
without exception. 

If ldap suffix = "dc=xpedite, dc=com" then adding a machine account 
with smbpasswd results in "uid=desktop$, dc=xpedite, dc=com"

I dont want to keep machine accounts at this level in my DIT. 
I would like to keep them in 

uid=something, ou=computers, dc=xpedite, dc=com

Lets say I change the ldap suffix to ou=computers, dc=xpedite, dc=com
adding a machine account now with smbpasswd results in 
"uid=desktop$, ou=computers, dc=xpedite, dc=com"

This is good so far... Howerver.. "ldap suffix" is also used as a search 
base for user and machine account searches. 

I keep all our samba(windows)/unix user accounts in 
ou=people, dc=xpedite, dc=com

This way everything stays neat.. user accounts are in one location 
and machine accounts are in another. This makes writing web clients 
easy to manage this whole DIT and makes searching more efficient. 

This means that when samba now goes to look up a user it ends up 
searching only ou=computers, dc=xpedite, dc=com branch of the DIT 
and never finds the user accounts in ou=people, dc=xpedite, dc=com. 

So I am stuck in a catch22.. 

Adding something like below to the smb.conf file would solve this 
issue for me and others, keep the old functionality if they were 
set to the same thing, allow total flexibility when designing your DIT,
and improve ldap search speed on large ldap/samba installiations. 

ldap machine suffix = place to put (via smbpasswd)  
                      and search for machine accounts in ldap.

ldap user suffix = place to put (future?) and search for 
                   user accounts in ldap. 

It should be a pretty easy change in the code.. Basically 
when searching for a user account, use "ldap user suffix" 
as the search base. 

When creating/searching for a machine account.. use 
"ldap machine suffix" as the search/insertion base

Thanks for any assistance you can offer,


More information about the samba-technical mailing list