[PATCH] ldap account separation patch

Michael Cunningham m.cunningham at xpedite.com
Thu Jan 17 10:54:22 GMT 2002


> Sahms,
> 
> I'm a little reluctant to apply this patch because it adds 
> another smb.conf parameter that I really don't think is 
> necessary. In my thinking, you can simply design your 
> namespace such that
> 
> ou=accounts,....	<- top level for all user/machine accounts
> ou=people,ou=accounts	<- users
> ou=computer,ou=accounts	<- machine accounts
> 
> Now specify
> 
> 	ldap suffix = "ou=account,..."
> 
> in smb.conf.
> 
> Create the posixAccount entries for machines first in 
> ou=computer,... and then the sambaAccount information for 
> each machine simply gets added to the current entry (either 
> using smbpasswd or from smbd).
> 
> Can you comment?  I just really don't see the need to enforce 
> this type of policy directly in smbd.

Once I have samba up and running as a pdc (in production) 
it is going to become essential that the system be able to
automatically create and setup machine accounts on its own (over 1k machines here, 
it would be a nightmare without it). Now it is wonderful that smbpasswd 
provides this functionality but it is too restrictive in where it
inserts things in the ldap DIT. It needs more flexibility. 

Smbpasswd provides a method to automatically add machine 
accounts using "uid=machinename$, ldap suffix"

example: ldap suffix = "dc=xpedite, dc=com"
insertion point would then be.. uid=machinename$, dc=xpedite, dc=com

I want to keep user accounts and machine accounts separate
in the ldap DIT which keeps things nice and neat. 

Keeping users in uid=someone, ou=people, dc=xpedite, dc=com
Keeping machine accounts in uid=someone, ou=computers, dc=xpedite,
dc=com

I can't do this with how you have it set up.. with just one ldap suffix. 

if I set ldap suffix to ou=computers, dc=xpedite, dc=com
the smbpasswd insertion goes in 
uid=someone, ou=computers, dc=xpedite, dc=com
which looks good so far... 

But.. when the samba system now tries to look for a user account,
which is in uid=someone, ou=people, dc=xpedite, dc=com,
it can't find them because it is searching the ldap suffix branch of the 
DIT. 

Basically this patch adds a LOT of flexibility into the ldap setup.
If the variables are not set.. then they default to what ldap suffix is 
set to so those who need this feature can use it.. and those who 
don't can ignore it. 

Thanks.. Mike
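The search-scope problem Mike describes, modelled as an added example (this is not code from the thread or from Samba): a subtree search rooted at the "ldap suffix" only sees entries beneath that DN, so a suffix pointing at ou=computers hides ou=people, while a suffix at the common parent sees both branches. The DNs, entries and the `is_under` / `visible_entries` helpers are constructed for illustration and assume DNs without escaped commas.

```python
# Added example, not part of the mailing-list message: models how the base DN
# of an LDAP subtree search determines which entries are visible, using the
# DIT layout discussed in the thread. All entries below are constructed.

def normalize_dn(dn):
    """Split a DN into its RDN components, trimming whitespace and lowercasing,
    since attribute types and these values compare case-insensitively."""
    return tuple(part.strip().lower() for part in dn.split(","))


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it in the DIT,
    i.e. a subtree-scoped search rooted at base_dn would return it."""
    entry = normalize_dn(entry_dn)
    base = normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def machine_account_dn(machine_name, ldap_suffix):
    """DN where smbpasswd inserts a machine account, per the thread:
    uid=<machinename>$, <ldap suffix>."""
    return "uid=%s$, %s" % (machine_name, ldap_suffix)


# Constructed sample DIT mirroring the layout in the message: users under
# ou=people, machine accounts under ou=computers.
DIT = [
    "uid=alice, ou=people, dc=xpedite, dc=com",
    "uid=bob, ou=people, dc=xpedite, dc=com",
    "uid=ws01$, ou=computers, dc=xpedite, dc=com",
]


def visible_entries(base_dn, entries=DIT):
    """Entries a subtree search rooted at base_dn would return."""
    return [dn for dn in entries if is_under(dn, base_dn)]


def demo():
    """Compare a suffix set to the machine branch with one set to the parent."""
    # Suffix pointing at ou=computers: smbpasswd inserts machines there,
    # but the user entries under ou=people are invisible to the search.
    narrow = visible_entries("ou=computers, dc=xpedite, dc=com")
    # Suffix at the common parent: both branches are visible.
    wide = visible_entries("dc=xpedite, dc=com")
    return narrow, wide


if __name__ == "__main__":
    narrow, wide = demo()
    print("suffix = ou=computers,... sees:", narrow)
    print("suffix = dc=xpedite,dc=com sees:", wide)
    print("smbpasswd would add:", machine_account_dn("ws02", "dc=xpedite, dc=com"))
```

The trade-off the thread turns on shows up directly: a single suffix wide enough to find users puts smbpasswd's insertions at the top of that subtree, while a suffix narrow enough to place machine accounts under ou=computers hides the user branch from lookups.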