[Samba] Winxp / LDAP No account in domain

Paul Gienger pgienger at ae-solutions.com
Mon Aug 16 16:24:51 GMT 2004



Andrew Reilly wrote:

>>Maybe so, but this also incurs the extra overhead of searching the
>>entire DIT for account information.  While it is true that you can most
>>likely tune your directory server to guard against performance issues,
>>widening your search scope is a Bad Thing (TM), especially if you store
>>much else than posix account information.
>
>Would be interested if you have any metrics regarding
>load differences on LDAP directories for the two types
>of searches.  Particularly if they also include the
>size of the directory and the number of searches per
>second.
Nope I sure don't, but that still doesn't make it a good idea.  In our 
setup at present, I'm pretty sure that our servers are way overmatched 
(too much horsepower) for what they are doing, and our DIT isn't 
anywhere big enough to cause painful searches. I can see where it would 
very easily get out of hand with a growing environment that is designed 
badly from the start and then you just can't find a way to migrate it 
back to sanity without major pain.  Or a sloppy admin could put a uid in 
a bad location and really start to make things messy. For these reasons 
it is preferable to do it right the first time, as painful as it may 
seem on the front end.

I'm going to be testing (in the next couple days hopefully) a method of 
aliasing the People and Computers OUs into one to see if that works 
better than overly broadening the base search.  Since we'll have a few 
things that check against the users tree, we don't like having the 
computer accounts in there either, but it would be easy enough to script 
out that if the last char is $ it should be excluded from any search.

>Haven't done any hard performance testing myself, but we
>have not noticed a marked performance difference between
>the two configurations to date.  We reasoned that this
>change only needs to be done for unix servers running
>samba, rather than all unix servers on the network. As a
>result a small sub set of searches are larger, but the
>majority of servers work with a reduced number of objects
>in the People OU and we have negated the possibility of
>those accounts being used for nefarious purposes on the
>vast majority of our unix server that do not use samba
>but do use NSS LDAP.
>
>cheers,
>andrew

-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
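An added example, not code from either poster, modelling the two configurations the thread compares: a one-level search under ou=People versus a subtree search from the suffix, plus the "exclude uids ending in $" rule Paul mentions scripting, which is what keeps Samba machine trust accounts out of NSS lookups (Andrew's point about those accounts being usable on non-Samba hosts). The DIT, DNs and uids are constructed, and the nss_ldap config line format is assumed from memory of ldap.conf(5).

```python
# Added example (not from the thread).  In-memory model of the DIT and of
# how search base, scope and a "(!(uid=*$))" filter change what an
# NSS-style passwd lookup sees.  All entries below are constructed.

# Posix users under ou=People; Samba machine trust accounts (uid ending in
# "$") under ou=Computers; one misplaced machine account under ou=People to
# show why the filter matters even with a narrow base.
DIT = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": "alice"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": "bob"},
    {"dn": "uid=ws01$,ou=Computers,dc=example,dc=com", "uid": "ws01$"},
    {"dn": "uid=ws02$,ou=Computers,dc=example,dc=com", "uid": "ws02$"},
    {"dn": "uid=svc$,ou=People,dc=example,dc=com", "uid": "svc$"},  # misplaced
]


def in_scope(dn, base, scope):
    """True if dn lies under base for LDAP scope 'one' or 'sub' (case-insensitive)."""
    dn_l, base_l = dn.lower(), base.lower()
    if not dn_l.endswith("," + base_l):
        return False
    rel = dn_l[: -len(base_l) - 1]          # RDNs between the entry and the base
    return scope == "sub" or "," not in rel  # 'one' = exactly one RDN below base


def search(base, scope, exclude_machine=False):
    """Return the uids a lookup with this base/scope would return.

    exclude_machine models adding the filter (!(uid=*$)) so that machine
    trust accounts never resolve to unix users, wherever they live in the DIT.
    """
    hits = []
    for entry in DIT:
        if not in_scope(entry["dn"], base, scope):
            continue
        if exclude_machine and entry["uid"].endswith("$"):
            continue
        hits.append(entry["uid"])
    return hits


def nss_base_passwd_line(base, scope, exclude_machine=False):
    """Build an nss_ldap 'nss_base_passwd base?scope?filter' line.

    Assumption: this base?scope?filter syntax is taken from memory of the
    PADL nss_ldap ldap.conf(5) manual; verify against your installed version.
    """
    flt = "(!(uid=*$))" if exclude_machine else ""
    return f"nss_base_passwd {base}?{scope}?{flt}"
```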