option ldap filter remove in 3.0.20

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Sep 20 05:57:58 GMT 2005

On Tue, Sep 20, 2005 at 07:28:51AM +0200, Ingo Steuwer wrote:

> In an example: Three locations A, B and C have each its own PDC (no common
> wins-server) based on the same ldap. Location A has no ldap filter, B has
> filter (&(uid=%u) (location=B)) and C has filter (&(uid=%u)(location=C)). I
> can decide per user on which location he may work (he can always login at
> A), while I've got the complete address-book and other LDAP-stuff at each
> location.

I'd say that this is asking for heavy trouble. As Andrew already pointed out,
these users are not correctly separated. What happens for example to groups?
They are all in the same sid space. What happens if you ever wanted to
install a trust relationship between those domains? On the other hand, having
several PDCs for the same domain is a thing that I would call just broken.

If I look at the nss_base_passwd option of nss_ldap, it provides

nss_base_passwd base?scope?filter

so you don't even need an auth module, simply configure nss_ldap with a

Hope that helps,

