[Samba] Re: Groupmap problem

Adam Tauno Williams adam at morrison-ind.com
Mon Dec 27 20:31:41 GMT 2004


> >>>>It appears that
> >>>>you have users stored in one OU and Computers stored in another OU.  I
> >>>>don't believe this is supported right now.  (I believe this is because 
> >>>>PAM will only search one OU for a UNIX user instead of multiples.)
> >>>NSS will only search one OU for account type objects; and both machines
> >>>and user are accounts.
> >>While quite correct in most instances, it somewhat confuses the issue to 
> >>state this.  
> >>NSS will search one SCOPE for whatever it is you're looking 
> >The term "scope" in LDAP refers only to the depth of the search
> >performed: base, one, or sub.   A search has four components: root,
> >filter, scope, and context (the security credentials of the users, their
> >source IP address, etc...).  It is entirely correct to refer to the,
> >albeit subordinate, contents of an OU as contents of that OU.
> Ok, I'll accept bashing on that one... I was searching for a generalized 
> term to apply. AFAIK, there's no reason you have to limit your search to 
> an OU object class, unless the documentation is hiding that fact 
> somewhere that I've not run across.  

Assuming you mean: do containers have to be "organizationalUnit"
objects?  No.  In fact, many times it seems wrong, but it is a very well
entrenched standard practice.

You may use any objectclass as a container so long as your local content
rules/policies (if any) permit it.

The proper general term you're looking for is "container", but most
newbies won't know what you mean.  A "container" is 'a non-leaf object
within a Dit', where a "leaf" object is 'an object within a Dit which
has no subordinates'.  Delightfully recursive!

> That's the crux of what I was 
> getting at, saying that the terminology "OU" is unnecessarily  
> restrictive.  Feel free to point me towards enlightenment if I'm wrong.
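
An added illustration, not part of the original message or of Samba/nss_ldap code: a small in-memory model of the terms used in this thread, showing how the search root and the scope (base, one, sub) select entries, why a search rooted at one OU never returns accounts under a sibling OU, and that a "container" is simply any non-leaf entry. The DNs are constructed sample data, and the DN splitting assumes no escaped commas.

```python
# Constructed sample DIT (hypothetical DNs, not taken from the thread).
DIT = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=alice,ou=People,dc=example,dc=com",
    "ou=Computers,dc=example,dc=com",
    "uid=ws01$,ou=Computers,dc=example,dc=com",
    "cn=lab,ou=Computers,dc=example,dc=com",
    "uid=ws02$,cn=lab,ou=Computers,dc=example,dc=com",
]


def rdns(dn):
    """Split a DN into normalized RDNs (assumption: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def depth_below(dn, base):
    """Number of levels dn sits below base, or None if not at/under base."""
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)


def search(dit, base, scope):
    """Return the entries an LDAP scope selects: 'base', 'one' or 'sub'."""
    wanted = {
        "base": lambda n: n == 0,   # only the search root itself
        "one": lambda n: n == 1,    # immediate subordinates only
        "sub": lambda n: n >= 0,    # the root and everything beneath it
    }[scope]
    return [dn for dn in dit
            if (n := depth_below(dn, base)) is not None and wanted(n)]


def is_container(dit, dn):
    """A container is a non-leaf entry: it has at least one subordinate."""
    return len(search(dit, dn, "one")) > 0


if __name__ == "__main__":
    people = "ou=People,dc=example,dc=com"
    # Rooted at ou=People, even a sub-scope search misses machine accounts.
    print(search(DIT, people, "sub"))
    # Rooted at the suffix, a sub-scope search sees both account types.
    print([dn for dn in search(DIT, "dc=example,dc=com", "sub")
           if dn.startswith("uid=")])
    # cn=lab is a container without being an organizationalUnit-style RDN.
    print(is_container(DIT, "cn=lab,ou=Computers,dc=example,dc=com"))
```
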


