Proposal to add ldap flexibility in DIT layout
Michael Cunningham
archive at xpedite.com
Tue Jan 15 10:56:11 GMT 2002
> > > One thing I have noticed is that I can only specify
> > > one suffix for the base of the DIT tree.
> > > ldap suffix = "dc=xpedite, dc=com"
> > > This means that both computer accounts and people
> > > accounts end up in uid=something, dc=xpedite, dc=com
> > not mandatory.
It is mandatory when using smbpasswd to create machine
accounts in ldap on the fly. Smbpasswd puts the machine
account in "uid=something, ldap suffix from smb.conf"
without exception.
If ldap suffix = "dc=xpedite, dc=com" then adding a machine account
with smbpasswd results in "uid=desktop$, dc=xpedite, dc=com"
I don't want to keep machine accounts at this level in my DIT.
I would like to keep them in
uid=something, ou=computers, dc=xpedite, dc=com
Let's say I change the ldap suffix to ou=computers, dc=xpedite, dc=com
adding a machine account now with smbpasswd results in
"uid=desktop$, ou=computers, dc=xpedite, dc=com"
This is good so far... However, "ldap suffix" is also used as a search
base for user and machine account searches.
I keep all our samba(windows)/unix user accounts in
ou=people, dc=xpedite, dc=com
This way everything stays neat.. user accounts are in one location
and machine accounts are in another. This makes writing web clients
easy to manage this whole DIT and makes searching more efficient.
This means that when samba now goes to look up a user it ends up
searching only ou=computers, dc=xpedite, dc=com branch of the DIT
and never finds the user accounts in ou=people, dc=xpedite, dc=com.
So I am stuck in a catch-22.
Adding something like below to the smb.conf file would solve this
issue for me and others, keep the old functionality if they were
set to the same thing, allow total flexibility when designing your DIT,
and improve ldap search speed on large ldap/samba installations.
ldap machine suffix = place to put (via smbpasswd)
and search for machine accounts in ldap.
ldap user suffix = place to put (future?) and search for
user accounts in ldap.
It should be a pretty easy change in the code.. Basically
when searching for a user account, use "ldap user suffix"
as the search base.
When creating/searching for a machine account.. use
"ldap machine suffix" as the search/insertion base
Thanks for any assistance you can offer,
Mike
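An added example, not part of the original post or of Samba's code, that models the search-base problem described above: a constructed DIT with the layout from the post, a subtree search with the base chosen the way the post says smb.conf drives it, and the "uid=<name>, <suffix>" placement smbpasswd is described as using. The config keys "ldap user suffix" and "ldap machine suffix" are the proposed parameters; all DNs and entries are constructed sample data.

```python
# Constructed example: models how a single `ldap suffix` makes user and
# machine lookups share one search base, and how split suffixes resolve it.

def normalize_dn(dn):
    """Canonicalise a DN: lowercase, no whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def subtree_search(entries, base, uid):
    """Return the DNs under `base` (subtree scope) whose RDN is uid=<uid>."""
    base = normalize_dn(base)
    hits = []
    for dn in entries:
        ndn = normalize_dn(dn)
        rdn = ndn.partition(",")[0]
        in_scope = ndn == base or ndn.endswith("," + base)
        if in_scope and rdn == "uid=" + uid.lower():
            hits.append(dn)
    return hits

# Constructed DIT matching the layout described in the post.
DIT = [
    "dc=xpedite, dc=com",
    "ou=people, dc=xpedite, dc=com",
    "ou=computers, dc=xpedite, dc=com",
    "uid=mike, ou=people, dc=xpedite, dc=com",
    "uid=desktop$, ou=computers, dc=xpedite, dc=com",
]

def search_base(config, kind):
    """Choose the base: proposed per-kind suffix if set, else `ldap suffix`."""
    if "ldap user suffix" in config and "ldap machine suffix" in config:
        return config["ldap machine suffix" if kind == "machine"
                      else "ldap user suffix"]
    return config["ldap suffix"]

def lookup(config, kind, uid):
    """Look up a user or machine account the way the post says Samba does."""
    return subtree_search(DIT, search_base(config, kind), uid)

def machine_account_dn(config, name):
    """Where smbpasswd would place a new machine account: uid=<name>, <base>."""
    return "uid=" + name + ", " + search_base(config, "machine")

# Today's single-suffix configuration, as changed in the post, and the proposal.
SINGLE = {"ldap suffix": "ou=computers, dc=xpedite, dc=com"}
SPLIT = {"ldap user suffix": "ou=people, dc=xpedite, dc=com",
         "ldap machine suffix": "ou=computers, dc=xpedite, dc=com"}
```

With SINGLE, lookup(SINGLE, "user", "mike") returns nothing because the search never leaves the ou=computers branch; with SPLIT, both the user and the machine account are found and machine accounts still land under ou=computers.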