[Samba] ldap machine suffix fixed?
Adam Tauno Williams
awilliam at whitemice.org
Thu Dec 16 11:18:24 GMT 2004
> >>> Did ldap machine suffix ever get fixed so that it can be in a separate
> >>> container from ldap user suffix?
> >> Is there any problem to be fixed on samba side? I've been using a separate
> >> container for machines without any problem (almost 8 months now)
> > Yes, there was a problem, and maybe still is.
> > You are using separate containers for users and machines, because you
> > probably search for them in the whole LDAP tree.
> Yes. I did not specify a filter on pam/nss_ldap. However the limitation is
> coming from nss_ldap, not samba.
Ah, I can see that. We met this limitation a long time ago (NSS only
supports a single search base per object type, which actually seems
reasonable). We simply structured the DIT in a different way -
dc..
dc..,ou=SAM
dc..,ou=SAM,ou=Groups
dc..,ou=SAM,ou=Entities
dc..,ou=SAM,ou=Entities,ou=People
dc..,ou=SAM,ou=Entities,ou=System Accounts
dc..,ou=SAM,ou=ipServices
etc...
NSS's account search base can be set to "dc..,ou=SAM,ou=Entities" for
account objects and will see both; applications like Samba can be
split. There is no need to search the 'whole LDAP tree', as that would
be bad since it also contains things like -
dc..,ou=Customers
dc..,ou=Access Control
etc...
- and may be huge.
If you insist on having a traditional dc..,ou=People, that is simple
enough with a subordinate back-ldap backend that rewrites
ou=SAM,ou=Entities,ou=People to ou=People DNs.
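An added example, not part of the post above, modelling the two points it makes: a single NSS search base placed at ou=Entities covers both ou=People and ou=System Accounts (but only with subtree scope, which is the check a practitioner wants to confirm in the nss_ldap setup), and a suffix rewrite of the kind the post attributes to back-ldap presents the same entries under a traditional ou=People. The post writes its paths root-first (dc.. first); the code uses the standard leaf-first DN order. The suffix dc=example,dc=org, the entry names, and the small DN helpers are all constructed for this example and are not Samba or OpenLDAP code.

```python
# Added example: how one NSS search base covers both account containers
# in the DIT described in the post, and how a suffix rewrite maps them
# back to a traditional ou=People. Suffix and entries are constructed.

SUFFIX = "dc=example,dc=org"  # assumption: the post only writes "dc.."

# Constructed entries, laid out as the post describes (leaf-first DNs).
ENTRIES = [
    "uid=alice,ou=People,ou=Entities,ou=SAM," + SUFFIX,
    "uid=ws01$,ou=System Accounts,ou=Entities,ou=SAM," + SUFFIX,
    "cn=staff,ou=Groups,ou=SAM," + SUFFIX,
    "cn=acme,ou=Customers," + SUFFIX,          # must NOT be seen by NSS
]

# The single account search base nss_ldap gets, per the post.
NSS_BASE = "ou=Entities,ou=SAM," + SUFFIX

# The rewrite the post suggests: present the real People subtree
# under a virtual ou=People directly beneath the suffix.
REAL_PEOPLE = "ou=People,ou=Entities,ou=SAM," + SUFFIX
VIRTUAL_PEOPLE = "ou=People," + SUFFIX


def split_dn(dn):
    """Split a DN into RDN strings, leaf first.
    Simplified: no escaped commas, no multi-valued RDNs."""
    return [rdn.strip() for rdn in dn.split(",")]


def _norm(parts):
    # DN comparison is case-insensitive for attribute types and these values.
    return [p.lower() for p in parts]


def is_under(dn, base, scope="sub"):
    """True if `dn` would be returned by a search rooted at `base` with the
    given scope ("base", "one" or "sub"), evaluated the way a server does."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or _norm(d[len(d) - len(b):]) != _norm(b):
        return False
    depth = len(d) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return True


def visible_to_nss(entries=ENTRIES, base=NSS_BASE, scope="sub"):
    """Entries an nss_ldap configured with this base and scope would see."""
    return [e for e in entries if is_under(e, base, scope)]


def massage(dn, virtual=VIRTUAL_PEOPLE, real=REAL_PEOPLE):
    """Rewrite the `real` suffix of `dn` to `virtual`; DNs outside the real
    subtree are returned unchanged. This is the suffix rewrite the post
    describes for the subordinate back-ldap database."""
    d, r = split_dn(dn), split_dn(real)
    if len(d) < len(r) or _norm(d[len(d) - len(r):]) != _norm(r):
        return dn
    return ",".join(d[:len(d) - len(r)] + split_dn(virtual))


if __name__ == "__main__":
    print("NSS (sub):", visible_to_nss())
    print("NSS (one):", visible_to_nss(scope="one"))   # empty: wrong scope
    for e in ENTRIES:
        print(massage(e))
```

With subtree scope the base at ou=Entities returns both the user and the machine account while leaving ou=Customers and ou=Groups untouched; with one-level scope it returns nothing, which is the usual misconfiguration to rule out first. The rewrite only touches DNs that actually sit under the real People container, so machine accounts keep their own DNs.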