[Samba] Re: Groupmap problem

Paul Gienger pgienger at ae-solutions.com
Mon Dec 27 18:58:23 GMT 2004


>>It appears that
>>you have users stored in one OU and Computers stored in another OU.  I
>>don't believe this is supported right now.  (I believe this is because 
>>PAM will only search one OU for a UNIX user instead of multiples.)
>>    
>>
>
>NSS will only search one OU for account type objects; and both machines
>and user are accounts.
>
While quite correct in most instances, it somewhat confuses the issue to 
state this.  NSS will search one SCOPE for whatever it is you're looking 
for.  More often than anything, you point your ldap configuration to 
search an OU, such as OU=People,dc=etc?one.  Notice the ?one at the 
end.  That tells the search that it is to not dive down into the tree 
farther than the first level.  An often suggested workaround for this 
OU=Computers situation is to set your passwd search to dc=etc.?sub which 
will take you to a full directory search for the needed accounts.  I'll 
leave the performance issues as an excersize for the readers' search 
tool as it has been brought up here before.  A less suggested 
alternative is to configure your accounts in a common tree and then 
split people and computers below that.  Something like 
ou=Accounts,dc=etc and then making ou=People,ou=Accounts,dc=etc and such.


What is often dreamed of by people would be something like specifying 
multiple scopes in the ldap configuration, something like follows:
passwd   ou=People,dc=etc?one
passwd   ou=Computers,dc=etc?one

-- 
--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com




More information about the samba mailing list