preliminary account separation pseudo-patch

Michael Cunningham m.cunningham at xpedite.com
Tue Jan 15 22:35:03 GMT 2002


> this doesn't handle the fact that it would only conceivably 
> work if 'ldap machine suffix' and 'ldap user suffix' are 
> branches of the 'ldap suffix'  (and that's the only 
> reasonable way I see to do it, otherwise we can run into a 
> number of situations where we have to search both machine and 
> user trees, which would be non-optimal, but possible).
> 
> Well, now that I've thought about this a little bit more 
> (namely in typing this email) the same could be accomplished 
> through actually searching both trees, however that's just 
> icky.  Then, the only time the "right" base would even need 
> to be known is at insert time, when we do actually know the 
> account type . . . hmm. Thoughts?
> 

Searching the whole tree every time would be fine by me, I just need the 
insertion feature for machine accounts. 

Perhaps we can do a combination of the old and new way... 

ldap machine suffix = "ou=computer, dc=xpedite, dc=com"
ldap suffix = "dc=xpedite, dc=com" 

ldap suffix is used for searching for anything ldap related, just like
it is now. 
ldap machine suffix is only used for inserting machine accounts into a
specific location. 
I can then put my user accounts anywhere as long as they are under "ldap
suffix".

I am not sure if the samba team plans on supporting some sort of
adding/removing user accounts in ldap some day but perhaps a "ldap user
suffix" would also be useful to declare an insertion point. shrug.. just
a thought. 

Now a total search separation would be ideal for search speed on large
ldap systems but with a limited DIT and good caching/indexing on the
server, it wouldn't be so bad searching everything.

What attributes does samba use very often in the sambaAccount schema 
that I should index for in OpenLDAP?

Any ideas how to make the modification to the insertion code to add in
ldap machine suffix?  I'm not much of a C coder :( I could send a pizza :)


Thanks for any assistance you can offer.. 
Mike
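
The split proposed in this message (search everything from "ldap suffix", insert machine accounts under "ldap machine suffix") can be sketched as below. This is an added example, not code from the mail or from Samba; the function names and the `uid=` naming attribute are assumptions, as is treating a trailing `$` as the machine-account marker. It refuses the insert when the machine suffix is not a branch of the search suffix, since searches would then never find the new entry.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define DN_MAX 256

/* Lowercase and drop spaces around commas; escaped commas are not handled (simplification). */
static int normalize_dn(const char *dn, char *out)
{
    size_t j = 0;
    if (dn == NULL || strlen(dn) >= DN_MAX) return -1;
    for (size_t i = 0; dn[i] != '\0'; i++) {
        if (dn[i] == ' ' && (j == 0 || out[j - 1] == ',')) continue; /* space after comma */
        if (dn[i] == ',') while (j > 0 && out[j - 1] == ' ') j--;    /* space before comma */
        out[j++] = (char)tolower((unsigned char)dn[i]);
    }
    out[j] = '\0';
    return 0;
}

/* 1 if `branch` equals `suffix` or sits below it in the tree, else 0. */
static int is_under(const char *branch, const char *suffix)
{
    char b[DN_MAX], s[DN_MAX];
    if (normalize_dn(branch, b) != 0 || normalize_dn(suffix, s) != 0) return 0;
    size_t lb = strlen(b), ls = strlen(s);
    if (ls == 0 || lb < ls || strcmp(b + lb - ls, s) != 0) return 0;
    return lb == ls || b[lb - ls - 1] == ',';   /* match must start at an RDN boundary */
}

/* Build the DN for a new account entry. Returns 0 on success, -1 if refused. */
static int build_insert_dn(const char *account, const char *ldap_suffix,
                           const char *machine_suffix, char *out, size_t n)
{
    size_t len = account ? strlen(account) : 0;
    /* Refuse names containing DN metacharacters instead of trying to escape them. */
    if (len == 0 || ldap_suffix == NULL || strpbrk(account, ",+\"\\<>;=#")) return -1;
    int machine = account[len - 1] == '$';      /* trailing '$' marks a machine account */
    if (machine && !is_under(machine_suffix, ldap_suffix)) return -1;
    int w = snprintf(out, n, "uid=%s,%s", account, machine ? machine_suffix : ldap_suffix);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    char dn[DN_MAX];   /* suffix values are the ones quoted in the mail; WKS01$ is constructed */
    return build_insert_dn("WKS01$", "dc=xpedite, dc=com",
                           "ou=computer, dc=xpedite, dc=com", dn, sizeof dn) || puts(dn) < 0;
}
```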
