[Samba] LDAP Q: What for use Containers

Adam Tauno Williams adam at morrison-ind.com
Tue Apr 20 15:12:54 GMT 2004

> well, on NDS and Netware you could give file system access rights to a 
> container and then all users in that container would inherit these rights. 
> BTW, Windows and AD also cannot do this.

This just doesn't conceptually exist in a windows domain;  but you might be 
able to use dynamic groups in OpenLDAP to fake it.  Dynamic groups are 
assembled by the DSA based on a variety of criteria, which could I suppose, 
include being the leaf of a given container.

> Basically it is a way to not use groups but assign information to objects 
> based on their position in the LDAP tree. I can imagine many more uses, 
> e.g. default servers, logon servers, share access rights, ...
> The point is, is there any use of the hierarchical structure of the LDAP 
> directory for Samba ? Or does Samba use the LDAP dir only like flat file 
> or SQL DB ?

Samba uses LDAP via a password database, so in many ways it treats them all the 
same.  But you can do alot in the DSA to streamline things.

> AFAIK there is not yet much or maybe any support for such settings, but I 
> want to discuss why not and wether others find it a useful thing to have.

I'd suggest digging into dynamic groups, overlays, etc... in very recent 
version of OpenLDAP and see if you can achieve what you want.

More information about the samba mailing list