[Samba] Re: Groupmap problem
Adam Tauno Williams
adam at morrison-ind.com
Mon Dec 27 20:31:41 GMT 2004
> >>>>It appears that
> >>>>you have users stored in one OU and Computers stored in another OU. I
> >>>>don't believe this is supported right now. (I believe this is because
> >>>>PAM will only search one OU for a UNIX user instead of multiples.)
> >>>NSS will only search one OU for account type objects; and both machines
> >>>and user are accounts.
> >>While quite correct in most instances, it somewhat confuses the issue to
> >>state this.
> >>NSS will search one SCOPE for whatever it is you're looking
> >The term "scope" in LDAP refers only to the depth of the search
> >performed: base, one, or sub. A search has four components: root,
> >filter, scope, and context (the security credentials of the users, their
> >source IP address, etc...). It is entirely correct to refer to the,
> >albeit subordinate, contents of an OU as contents of that OU.
> Ok, I'll accept bashing on that one... I was searching for a generalized
> term to apply. AFAIK, there's no reason you have to limit your search to
> an OU object class, unless the documentation is hiding that fact
> somewhere that I've not run across.
Assuming you mean: do containers have to be "organizationalUnit"
objects? No. In fact, many times it seems wrong, but it is a very well
entrenched standard practice.
You may use any objectclass as a container so long as your local content
rules/policies (if any) permit it.
The proper general term you're looking for is "container", but most
newbies won't know what you mean. A "container" is 'a non-leaf object
within a Dit', where a "leaf" object is 'an object within a Dit which
has no subordinates'. Delightfully recursive!
> That's the crux of what I was
> getting at, saying that the terminology "OU" is unnecessarily
> restrictive. Feel free to point me towards enlightenment if I'm wrong.
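
The search semantics discussed in this thread, as an added example that is not part of the original messages: a toy in-memory DIT showing how the search root and scope (base, one, sub) decide which account entries a lookup sees, and that a container need not be an organizationalUnit. The DNs, the `l=lab` container and all function names are constructed for illustration.

```python
# Constructed sample DIT (not from the thread): DN -> objectClass values.
# Assumption: no RDN value contains an escaped comma, so "," separates RDNs.
BASE = "dc=example,dc=org"
DIT = {
    BASE: ["domain"],
    "ou=People," + BASE: ["organizationalUnit"],
    "uid=alice,ou=People," + BASE: ["posixAccount"],
    "ou=Computers," + BASE: ["organizationalUnit"],
    "uid=ws1$,ou=Computers," + BASE: ["posixAccount"],
    "l=lab,ou=Computers," + BASE: ["locality"],  # a container that is not an OU
    "uid=ws2$,l=lab,ou=Computers," + BASE: ["posixAccount"],
}

def depth_below(root, dn):
    """Number of RDN levels dn sits below root, or None if outside its subtree."""
    if dn == root:
        return 0
    if not dn.endswith("," + root):
        return None
    return dn[: -len(root) - 1].count(",") + 1

def search(root, scope, object_class):
    """Return DNs under root matching the scope and an objectClass equality filter."""
    in_scope = {
        "base": lambda d: d == 0,   # the root entry only
        "one": lambda d: d == 1,    # immediate subordinates only
        "sub": lambda d: True,      # root and everything beneath it
    }[scope]
    hits = []
    for dn, classes in DIT.items():
        d = depth_below(root, dn)
        if d is not None and in_scope(d) and object_class in classes:
            hits.append(dn)
    return sorted(hits)

def is_container(dn):
    """A container is a non-leaf entry: at least one entry names it as parent."""
    return any(other.partition(",")[2] == dn for other in DIT)

if __name__ == "__main__":
    # Rooted at ou=People, the machine accounts are invisible to the lookup.
    print(search("ou=People," + BASE, "sub", "posixAccount"))
    # Rooted at the common ancestor with sub scope, users and machines are found.
    print(search(BASE, "sub", "posixAccount"))
    # Scope "one" stops at the first level, so ws2$ under l=lab is missed.
    print(search("ou=Computers," + BASE, "one", "posixAccount"))
```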