[PATCH] ldap account separation patch
Gerald Carter
jerry at samba.org
Thu Jan 17 08:18:14 GMT 2002
On 16 Jan 2002, Shahms E. King wrote:
> This patch adds two new parameters:
> ldap machine suffix
> ldap user suffix
>
> These are only used when creating new accounts, and if not set they
> default to "ldap suffix". They are also required to be sub-trees of "ldap
> suffix"; if they are not, it won't work, as the code currently sets them
> to be if they aren't.
>
> (oh, yeah, it's against HEAD, but applies cleanly to SAMBA_2_2)
>
> --Shahms
Shahms,

I'm a little reluctant to apply this patch because it adds
another smb.conf parameter that I really don't think is necessary.
In my thinking, you can simply design your namespace such that

    ou=accounts,....           <- top level for all user/machine accounts
    ou=people,ou=accounts      <- users
    ou=computer,ou=accounts    <- machine accounts

Now specify

    ldap suffix = "ou=accounts,..."

in smb.conf.

Create the posixAccount entries for machines first in ou=computer,... and
then the sambaAccount information for each machine simply gets added to
the current entry (either using smbpasswd or from smbd).

Can you comment? I just really don't see the need to enforce this
type of policy directly in smbd.

chau, jerry
---------------------------------------------------------------------
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
-- http://www.plainjoe.org
"Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawke in Gattaca--