ldap filter gone and sambadomainnname not checked

Pierre Filippone pierre.filippone at retail-sc.com
Fri Mar 10 09:52:12 GMT 2006

Volker Lendecke <vlendec at sernet.de> wrote on 08.03.2006 16:09:10:

> On Wed, Mar 08, 2006 at 10:00:35AM -0500, simo wrote:
> > Only, I am not sure we want to follow this path.
> Jerry just almost killed me over the phone :-)

Oh, I did not want anyone to get hurt...
> My very strong vote is to not put this in again. There are
> just too many good and correct ways next to this to fix this
> problem. Different suffixes, good ACLs for different ldap
> admin dn settings, and so on.

Last try, then I shut up.

An application that uses LDAP, should be able to adapt to the structure of 
as many directories as possible.
And a natural (thank you Olaf) and correct way to do this, is by allowing 
customizable searchfilters.
The alternatives you mention adapt the directory to the application. You 
can only configure different suffixes, if you have entries under that 
different suffix or you have to move entries around, and if you do this it 
will have implications on other applications, that use these entries. IMHO 
ACLs should be used to restrict access to entries or attributes only for 
security reasons, because they are not very easy to manage. Samba is just 
one (though an excellent one) application of ~50 plus tools and utilities 
that use our directory. 

I understand, that you probably expect support nightmares, if every user 
is able to create her/his own filters.
And its probably also true, that most users will not need these options. 
But if you think of larger enterprises that heavily use opensource 
applications and that already have a large directory, for those this would 
be really, really useful options. How about developer options with a 
comment like "Every support request caused by false usage of these options 
will cost you a pizza scampi delivered to each team member".

<End of pleading "Free the searchfilters"> ;-)

Of course one alternative is to move samba to its own tree, database or 
own direcory server and write some synchronisation scripts. But until 
today, we are quite happy with the integration of all applications in a 
central directory.

Thank you for listening again.

More information about the samba-technical mailing list