ldap user/machine suffix

simo idra at samba.org
Mon Jun 23 20:28:30 GMT 2008

On Mon, 2008-06-23 at 22:18 +0200, Volker Lendecke wrote:
> Hi!
> Jeremy sent me the attached patch for review. He has a
> large site that needs it to work. Essentially, the patch
> introduces the ldap machine and user suffixes to searches
> into LDAP. From my (and some of my customers') point of view
> this would break setups.
> We have two kinds of setups that are "special" in their own
> respect: Jeremy's setup is special in the sense that DC's
> for multiple domains share a common LDAP tree with for
> example multiple machine accounts sharing a name. Thus the
> need for separating in multiple subtrees. "My" setup is
> special in the sense that I have sites that move around
> objects and which depend on objects being created in a
> subtree (i.e. under "ldap machine suffix"), but which can be
> moved later according to organizational needs. They will be
> found later because searches will always do a full
> subtree search on the "ldap suffix" tree.
> These two kinds of "specialness" can not be satisfied with a
> common set of code, one or the other will not be happy. I
> would argue that sharing LDAP objects and names between
> domains is just too confusing, others might argue that the
> ability to move around objects in LDAP is too confusing,
> this flexibility is not needed.
> So, if I was asked, this patch should not go in, but let the
> battle begin :-)

I think both cases make sense, and we can easily support both by adding
a new parameter called something like "machines search suffix", if set
this would activate a path similar to Jeremy's patch, otherwise the
current behavior would be maintained.

I wouldn't like to break the current behavior by default if possible.


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
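The trade-off the two messages describe, as an added toy model that is not Samba's code: a hand-built dictionary stands in for the LDAP tree, the DNs and suffixes are constructed values, and the optional "machines search suffix" parameter models the switch Simo proposes (restricted search when set, whole-tree search otherwise).

```python
# Toy model of the two LDAP search behaviours discussed in the thread.
# Not Samba code: the directory is a dict of DN -> attributes, and all
# DNs and suffixes are constructed sample values.

def dn_components(dn):
    """Split a DN into its RDNs, most specific first (no escaping handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_under(dn, base):
    """True if dn equals base or lies anywhere beneath it (subtree scope)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def subtree_search(directory, base, attr, value):
    """Return DNs under base whose attribute matches (sorted for stability)."""
    return sorted(dn for dn, attrs in directory.items()
                  if is_under(dn, base) and attrs.get(attr) == value)

def find_machine(directory, ldap_suffix, name, machines_search_suffix=None):
    """Current behaviour: subtree search over the whole 'ldap suffix' tree.
    With a 'machines search suffix' set (hypothetical parameter modelling
    Simo's proposal), restrict the search to that subtree as the patch would."""
    base = machines_search_suffix or ldap_suffix
    return subtree_search(directory, base, "uid", name + "$")

# Constructed sample tree: two domains share one LDAP tree and a machine
# name (Jeremy's case), and one account was moved out of its OU (Volker's).
SUFFIX = "dc=example,dc=com"
DOMA_MACHINES = "ou=Computers,dc=domA,dc=example,dc=com"
DIRECTORY = {
    "uid=ws01$,ou=Computers,dc=domA,dc=example,dc=com": {"uid": "ws01$"},
    "uid=ws01$,ou=Computers,dc=domB,dc=example,dc=com": {"uid": "ws01$"},
    "uid=ws02$,ou=Sales,ou=Moved,dc=domA,dc=example,dc=com": {"uid": "ws02$"},
}

if __name__ == "__main__":
    # Whole-tree search: finds the moved ws02$, but returns both domains'
    # ws01$ entries, which is the ambiguity Jeremy's site runs into.
    print(find_machine(DIRECTORY, SUFFIX, "ws01"))
    print(find_machine(DIRECTORY, SUFFIX, "ws02"))
    # Restricted search: ws01$ is unambiguous, but the moved ws02$ is lost.
    print(find_machine(DIRECTORY, SUFFIX, "ws01", DOMA_MACHINES))
    print(find_machine(DIRECTORY, SUFFIX, "ws02", DOMA_MACHINES))
```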
