[Samba] ldap machine suffix fixed?

Adam Tauno Williams awilliam at whitemice.org
Thu Dec 16 11:18:24 GMT 2004


> >>> Did ldap machine suffix ever get fixed so that it can be in a separate
> >>> container from ldap user suffix?
> >> Is there any problem to be fix on samba side? I've been using separate 
> >> container for machine without any problem ( almost 8 months now)
> > Yes, there was a problem, and maybe still is.
> > You are using separate containers for users and machines, because you 
> > probably search for them in the whole LDAP tree.
> Yes. I did not specify filter on pam/nss_ldap. However the limitation is 
> coming from nss_ldap not samba.

Ah, I can see that.  We met this limitation a long time ago (NSS only
supports a single search base per object type, which actually seems
reasonable).  We simply structured the DIT in a different way -

dc..
dc..,ou=SAM
dc..,ou=SAM,ou=Groups
dc..,ou=SAM,ou=Entities
dc..,ou=SAM,ou=Entities,ou=People
dc..,ou=SAM,ou=Entities,ou=System Accounts
dc..,ou=SAM,ou=ipServices
etc...

NSS's account search base can be set to "dc..,ou=SAM,ou=Entities" for
account objects and will see both;  applications like Samba can be
split.  There is no need to search the 'whole LDAP tree', as that would
be bad since it also contains things like -

dc..,ou=Customers
dc..,ou=Access Control
etc...

- and may be huge.

If you insist on having a traditional dc..,ou=People that is simple
enough with a subordinate back-ldap backend that rewrites
ou=SAM,ou=Entities,ou=People to ou=People DNs.
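The layout above written out as an added example (not code from the post or from Samba/nss_ldap), using standard leaf-first DN syntax and an assumed base of `dc=example,dc=com`; the entry names and object classes are constructed. It models LDAP search scope so you can see that a single `nss_base_passwd` of `ou=Entities,ou=SAM,...?sub` returns both people and system accounts, while Samba 3's `ldap user suffix` / `ldap machine suffix` (partial DNs prepended to `ldap suffix`) still keep the two containers apart, and a search rooted at `ou=Entities` never reaches `ou=Customers`.

```python
# Added example: models the DIT layout from the post with standard (leaf-first)
# DNs and shows how one NSS search base covers both account containers while
# Samba keeps users and machines in separate suffixes. The base DN
# "dc=example,dc=com" and the sample entries below are constructed.

BASE = "dc=example,dc=com"
SAM = "ou=SAM," + BASE
ENTITIES = "ou=Entities," + SAM
PEOPLE = "ou=People," + ENTITIES
SYSTEM_ACCOUNTS = "ou=System Accounts," + ENTITIES
GROUPS = "ou=Groups," + SAM
CUSTOMERS = "ou=Customers," + BASE


def split_dn(dn):
    """Split a DN into normalised RDNs, leaf first. Handles only the simple
    unescaped form used in this layout (no escaped commas in values)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn would be returned by a search rooted at base_dn with
    scope 'base' (the base entry only), 'one' (direct children) or 'sub'
    (the base and everything beneath it)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %s" % scope)


# Constructed sample entries, one per container in the post's layout.
ENTRIES = {
    "uid=alice,%s" % PEOPLE: "posixAccount",
    "uid=ws01$,%s" % SYSTEM_ACCOUNTS: "posixAccount",
    "cn=staff,%s" % GROUPS: "posixGroup",
    "cn=acme,%s" % CUSTOMERS: "organization",
}


def nss_passwd_view(base_dn, scope):
    """Account entries nss_ldap would see for passwd lookups with
    nss_base_passwd = <base_dn>?<scope> (assumed setting, not read from a file)."""
    return sorted(dn for dn, oc in ENTRIES.items()
                  if oc == "posixAccount" and in_scope(dn, base_dn, scope))


def samba_suffixes():
    """smb.conf values: Samba 3's 'ldap user/machine/group suffix' parameters
    are partial DNs that Samba prepends to 'ldap suffix', so they are
    expressed relative to BASE here."""
    def relative(dn):
        return dn[: -len("," + BASE)]
    return {
        "ldap suffix": BASE,
        "ldap user suffix": relative(PEOPLE),
        "ldap machine suffix": relative(SYSTEM_ACCOUNTS),
        "ldap group suffix": relative(GROUPS),
    }


if __name__ == "__main__":
    # One subtree base for NSS sees people and machine accounts alike ...
    print("nss_base_passwd %s?sub ->" % ENTITIES, nss_passwd_view(ENTITIES, "sub"))
    # ... whereas a one-level search under ou=People alone misses the machines.
    print("nss_base_passwd %s?one ->" % PEOPLE, nss_passwd_view(PEOPLE, "one"))
    for key, value in samba_suffixes().items():
        print("%s = %s" % (key, value))
```

The `?sub` / `?one` suffix on `nss_base_passwd` is the scope syntax nss_ldap's `ldap.conf` uses; the point of the subtree base is that it stops at `ou=Entities`, so a large sibling container such as `ou=Customers` is never walked during account lookups.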
