[Samba] Re: ldap filter and man page
Andrew Bartlett
abartlet at samba.org
Fri Jan 23 07:02:41 GMT 2004
On Fri, 2004-01-23 at 15:27, Beast wrote:
> * "Gerald (Jerry) Carter" <jerry at samba.org> wrote:
>
> > Andrew Bartlett wrote:
> >
> > > Naturally, this just means you need to give nss_ldap the same ldap base
> > > DN to search under as samba is using. Naturally, if nss_ldap only looks
> > > under ou=people, then it's not going to work, but I set my base dn to
> > > just 'dc=hawkerc,dc=net', and carry the minor cost of a possible search
> > > against other ou's that might not contain accounts.
> >
> > Right. And my only point is that for large directories this
> > cost can be non-zero. So IMO we need to redesign the LDAP suffix and
> > searches in Samba altogether to be more localized and efficient.
>
>
> That's correct, even though I did not implement samba yet, but under high traffic
> on my email system, it can easily kill my openldap.

This sounds like you are missing indexes, as much as any fatal flaw
elsewhere.

> IMO nss_ldap ldap queries are inefficient, so I'm bypassing any pam call
> whenever possible (not possible with samba I think).

POSIX is a beast, but the calls are easily indexed. How large is your
site that it is causing problems?

> But putting machine account under same container as user account is
> also umm..., not elegant :-)

Naturally, you have the option to say 'ou=people,ou=accounts... and
ou=computers,ou=accounts' if the rest of your tree is particularly
large, and you don't think the objectclass search restrictions will
help.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net