ldap filter gone and sambadomainnname not checked

Pierre Filippone pierre.filippone at retail-sc.com
Fri Mar 10 09:52:12 GMT 2006


Volker Lendecke <vlendec at sernet.de> wrote on 08.03.2006 16:09:10:

> On Wed, Mar 08, 2006 at 10:00:35AM -0500, simo wrote:
> > Only, I am not sure we want to follow this path.
> 
> Jerry just almost killed me over the phone :-)

Oh, I did not want anyone to get hurt...
 
> My very strong vote is to not put this in again. There are
> just too many good and correct ways next to this to fix this
> problem. Different suffixes, good ACLs for different ldap
> admin dn settings, and so on.

Last try, then I shut up.

An application that uses LDAP should be able to adapt to the structure of 
as many directories as possible.
And a natural (thank you Olaf) and correct way to do this is by allowing 
customizable searchfilters.
The alternatives you mention adapt the directory to the application. You 
can only configure different suffixes if you have entries under that 
different suffix, or you have to move entries around, and if you do this it 
will have implications for other applications that use these entries. IMHO 
ACLs should be used to restrict access to entries or attributes only for 
security reasons, because they are not very easy to manage. Samba is just 
one (though an excellent one) application of ~50 plus tools and utilities 
that use our directory. 

I understand that you probably expect support nightmares if every user 
is able to create her/his own filters.
And it's probably also true that most users will not need these options. 
But if you think of larger enterprises that heavily use open source 
applications and that already have a large directory, for those these would 
be really, really useful options. How about developer options with a 
comment like "Every support request caused by false usage of these options 
will cost you a pizza scampi delivered to each team member".

<End of pleading "Free the searchfilters"> ;-)

Of course one alternative is to move samba to its own tree, database or 
own directory server and write some synchronisation scripts. But until 
today, we are quite happy with the integration of all applications in a 
central directory.

Thank you for listening again.
 
Pierre


More information about the samba-technical mailing list