[PATCH] ldap account separation patch

Andrew Morgan morgan at orst.edu
Thu Jan 17 09:39:19 GMT 2002


On Thu, 17 Jan 2002, Gerald Carter wrote:

> On 16 Jan 2002, Shahms E. King wrote:
>
> > This patch adds two new parameters:
> > ldap machine suffix
> > ldap user suffix
> >
> > These are only used when creating new accounts, and if not set they
> > default to "ldap suffix". They are also required to be sub-trees of "ldap
> > suffix"; if they are not, it won't work, as the code currently sets them
> > to be if they aren't.
> >
> > (oh, yeah, it's against HEAD, but applies cleanly to SAMBA_2_2)
> >
> > --Shahms
>
> Shahms,
>
> I'm a little reluctant to apply this patch because it adds
> another smb.conf parameter that I really don't think is necessary.
> In my thinking, you can simply design your namespace such that
>
> ou=accounts,....	<- top level for all user/machine accounts
> ou=people,ou=accounts	<- users
> ou=computer,ou=accounts	<- machine accounts
>
> Now specify
>
> 	ldap suffix = "ou=account,..."
>
> in smb.conf.
>
> Create the posixAccount entries for machine first in ou=computer,... and
> then the sambaAccount information for each machine simply gets added to
> the current entry (either using smbpasswd or from smbd).
>
> Can you comment?  I just really don't see the need to enforce this
> type of policy directly in smbd.

Just to be clear, this means you are hard-coding the subtree names in
Samba to "ou=people" and "ou=computer", right?  I don't think this will be
too much trouble, but it should be clear in the docs that you are required
to set up your directory in this fashion.  Actually, if you hard-code these
values in place, then Samba still could create the machine account...

	Andy
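The directory layout Gerald proposes, written out as LDIF. This is an added example, not something posted in the thread or shipped with Samba: the base DN dc=example,dc=com, the account names, and the uid/gid numbers are constructed placeholders, and only posixAccount attributes are shown because the thread says the sambaAccount data is added to these entries later (by smbpasswd or smbd).

```ldif
# Constructed example (not from the thread): one "accounts" container with
# separate subtrees for users and machine accounts, plus one sample entry
# of each kind. dc=example,dc=com is a placeholder base DN.
dn: ou=accounts,dc=example,dc=com
objectClass: organizationalUnit
ou: accounts

dn: ou=people,ou=accounts,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=computer,ou=accounts,dc=example,dc=com
objectClass: organizationalUnit
ou: computer

# An ordinary user under ou=people (sample values).
dn: uid=alice,ou=people,ou=accounts,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: alice
cn: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/sh

# A workstation account under ou=computer, created first as a plain
# posixAccount as the thread describes. The trailing "$" is the NT/Samba
# machine-account naming convention; the shell and home directory deny
# any interactive login for this entry.
dn: uid=ws01$,ou=computer,ou=accounts,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: ws01$
cn: ws01$
uidNumber: 20001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
```

With this loaded (for example `ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f accounts.ldif`, admin DN being a placeholder), smb.conf only needs `ldap suffix = "ou=accounts,dc=example,dc=com"`, and Samba finds both kinds of account by searching below that one suffix. Keeping machine accounts in their own subtree also lets the directory ACLs for ou=computer be written separately from those for ou=people, which is the practical reason to separate them whether or not smbd enforces the split.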




