[Samba] Re: Groupmap problem

Adam Tauno Williams adam at morrison-ind.com
Mon Dec 27 19:51:01 GMT 2004

> >>It appears that
> >>you have users stored in one OU and Computers stored in another OU.  I
> >>don't believe this is supported right now.  (I believe this is because 
> >>PAM will only search one OU for a UNIX user instead of multiples.)
> >NSS will only search one OU for account type objects; and both machines
> >and users are accounts.
> While quite correct in most instances, it somewhat confuses the issue to 
> state this.  
> NSS will search one SCOPE for whatever it is you're looking 

The term "scope" in LDAP refers only to the depth of the search
performed: base, one, or sub.   A search has four components: root,
filter, scope, and context (the security credentials of the users, their
source IP address, etc...).  It is entirely correct to refer to the,
albeit subordinate, contents of an OU as contents of that OU.

> for.  More often than anything, you point your ldap configuration to 
> search an OU, such as OU=People,dc=etc?one.  Notice the ?one at the 
> end.  That tells the search that it is to not dive down into the tree 
> farther than the first level.  An often suggested workaround for this 
> OU=Computers situation is to set your passwd search to dc=etc.?sub which 
> will take you to a full directory search for the needed accounts.  

The problem arises from a common, but bad, DIT design.  It is entirely
possible to perform sub searches from roots not 'the root'.  All
searches that require a root of 'the root' indicate poor DIT design.
The person(s) who merrily accept whatever MigrationTools (or other
scripts) generated is in for trouble in many respects.  But DIT design
is a topic for another list - ldap at umich.edu

> I'll 
> leave the performance issues as an exercise for the readers' search 
> tool as it has been brought up here before.  A less suggested 
> alternative is to configure your accounts in a common tree and then 
> split people and computers below that.  Something like 
> ou=Accounts,dc=etc and then making ou=People,ou=Accounts,dc=etc and such.


> What is often dreamed of by people would be something like specifying 
> multiple scopes in the ldap configuration, something like follows:
> passwd   ou=People,dc=etc?one
> passwd   ou=Computers,dc=etc?one

Which would serve no purpose;  the DIT should be correctly designed to
take into account that these are all account objects and will need to be
commonly searched as one unit.
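The base/one/sub distinction and the DIT layouts discussed in this thread, as an added worked example that is not part of the original mail or of Samba/nss_ldap. It parses `base?scope` specifications of the form the thread quotes (`ou=People,dc=etc?one`), applies the three LDAP scopes to a constructed set of entry DNs, and shows why a `?one` search of ou=People misses machine accounts in ou=Computers, why `dc=etc?sub` finds them only by sweeping the whole tree, and why a common ou=Accounts container with a sub search needs neither. The `dc=example,dc=com` tree, the entry DNs and the function names are all assumptions made for the example.

```python
import re

# Search depths as LDAP URLs and nss_ldap's nss_base_passwd lines spell them.
SCOPES = ("base", "one", "sub")


def normalize_dn(dn):
    """Split a DN into its RDNs, leftmost (deepest) component first.

    Attribute types are lower-cased and whitespace around commas trimmed so
    that 'OU=People, DC=example' and 'ou=People,dc=example' compare equal.
    Simplification for the example: escaped commas (\\,) are respected, but
    other RFC 4514 escaping and multi-valued RDNs are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return rdns


def parse_search_spec(spec):
    """Parse 'base?scope' (for example 'ou=People,dc=example,dc=com?one').

    A spec with no '?scope' suffix defaults to sub, as an LDAP URL would.
    Returns (normalized base RDN list, scope).
    """
    base, sep, scope = spec.partition("?")
    scope = scope.strip().lower() if sep else "sub"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}; expected one of {SCOPES}")
    return normalize_dn(base), scope


def dn_in_scope(entry_dn, base_rdns, scope):
    """Return True if entry_dn would be returned by a search at base+scope."""
    entry = normalize_dn(entry_dn)
    # The entry must sit at or below the base: its trailing RDNs equal the base.
    if len(entry) < len(base_rdns) or entry[len(entry) - len(base_rdns):] != base_rdns:
        return False
    depth = len(entry) - len(base_rdns)   # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1                 # immediate children only
    return True                           # sub: base and everything beneath


def find_accounts(spec, entry_dns):
    """Simulate one NSS passwd lookup base: every entry the search would reach."""
    base, scope = parse_search_spec(spec)
    return [dn for dn in entry_dns if dn_in_scope(dn, base, scope)]


# Constructed sample directory 1: People and Computers as sibling OUs under
# the root, the layout the original poster appears to have.
FLAT_DIT = [
    "ou=People,dc=example,dc=com",
    "uid=alice,ou=People,dc=example,dc=com",
    r"cn=Smith\, John,ou=People,dc=example,dc=com",   # escaped comma in an RDN
    "uid=ws01$,ou=Computers,dc=example,dc=com",       # machine account
    "cn=printer1,ou=Hardware,dc=example,dc=com",      # not an account at all
]

# Constructed sample directory 2: a common ou=Accounts container with People
# and Computers split beneath it, the layout recommended in the thread.
ACCOUNTS_DIT = [
    "uid=alice,ou=People,ou=Accounts,dc=example,dc=com",
    "uid=ws01$,ou=Computers,ou=Accounts,dc=example,dc=com",
    "cn=printer1,ou=Hardware,dc=example,dc=com",
]


if __name__ == "__main__":
    # ?one under ou=People never reaches ou=Computers: the machine account is missed.
    print(find_accounts("ou=People,dc=example,dc=com?one", FLAT_DIT))
    # The common workaround: a sub search from the root finds the machine
    # account, but also sweeps every other entry in the directory.
    print(find_accounts("dc=example,dc=com?sub", FLAT_DIT))
    # A sub search rooted at a dedicated accounts container finds exactly the
    # account objects without searching from 'the root'.
    print(find_accounts("ou=Accounts,dc=example,dc=com?sub", ACCOUNTS_DIT))
```

The `find_accounts` results for the three calls in the `__main__` block are, in order, the two People entries only, all five entries of the flat tree, and the two account entries of the ou=Accounts tree; the hardware entry is reached only by the root-level sub search.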
