[Samba] Re: ldap filter and man page

Andrew Bartlett abartlet at samba.org
Fri Jan 23 07:02:41 GMT 2004

On Fri, 2004-01-23 at 15:27, Beast wrote:
> * "Gerald (Jerry) Carter" <jerry at samba.org> nulis:
> > Hash: SHA1
> > 
> > Andrew Bartlett wrote:
> > 
> > > Naturally, this just means you need to give nss_ldap the same ldap base
> > > DN to search under as samba is using.  Naturally, if nss_ldap only looks
> > > under ou=people, then it's not going to work, but I set my base dn to
> > > just 'dc=hawkerc,dc=net', and carry the minor cost of a possible search
> > > against other ou's that might not contain accounts.
> > 
> > Right.  And my only point is that for large directories this
> > cost can be non-zero.  So IMO we need to redisgn the LDAP suffix and 
> > searches in Samba altogether to be more localized and efficient.
> Thats correct, even I did not implement samba yet, but under high traffic 
> on my email system, it can easily killing my openldap.

This sounds like you are missing indexes, as much as any fatal flaw

> IMO nss_ldap ldap queries is unefficient, so I'm bypassing any pam call 
> whenever possible (not possible with samba I think).

posix is a beast, but the calls are easily indexed.  How large is your
site that is is causing problems?
> But putting machine account under same container as user account is 
> also umm..., not elegant :-)

Naturally, you have the option to say 'ou=people,ou=accounts... and
ou=computers,ou=accounts' if the rest of your tree is particularly
large, and you don't think the objectclass search restrictions will

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040123/7d82b71c/attachment.bin

More information about the samba mailing list