[PATCH] ldap account separation patch

Gerald Carter jerry at samba.org
Thu Jan 17 08:18:14 GMT 2002


On 16 Jan 2002, Shahms E. King wrote:

> This patch adds two new parameters:
> ldap machine suffix
> ldap user suffix
>
> These are only used when creating new accounts, and if not set they
> default to "ldap suffix". They are also required to be sub-trees of "ldap
> suffix". If they are not, it won't work, as the code currently sets them
> to be if they aren't.
>
> (oh, yeah, it's against HEAD, but applies cleanly to SAMBA_2_2)
>
> --Shahms

Shahms,

I'm a little reluctant to apply this patch because it adds
another smb.conf parameter that I really don't think is necessary.
In my thinking, you can simply design your namespace such that

ou=accounts,....	<- top level for all user/machine accounts
ou=people,ou=accounts	<- users
ou=computer,ou=accounts	<- machine accounts

Now specify

	ldap suffix = "ou=accounts,..."

in smb.conf.

Create the posixAccount entries for machines first in ou=computer,... and
then the sambaAccount information for each machine simply gets added to
the current entry (either using smbpasswd or from smbd).

Can you comment?  I just really don't see the need to enforce this
type of policy directly in smbd.

chau, jerry
 ---------------------------------------------------------------------
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawke in Gattaca--