[Samba] LDAP suffix question

Adam Tauno Williams adam at morrison-ind.com
Thu Nov 11 20:04:17 GMT 2004

> I would like to have a DIT similar to this for my Samba server :
> ou=People,dc=domain,dc=com: users accounts
> ou=Group,dc=Domain,dc=com: groups
> ou=Hosts,dc=domain,dc=com: machine accounts
> ou=Samba,dc=domain,dc=com: Samba specific stuff, such as sambaDomain, 
> sambaUnixIdPool, etc
> My understanding is that "ldap [user|group|machine] suffix" is relative 
> to "ldap suffix".  Example :
> ldap suffix = dc=domain,dc=com
> ldap user suffix = ou=People
> Thus, the effective "ldap user suffix" would be ou=People,dc=domain,dc=com.
> This does not match the DIT I would like to achieve, as I would need to 
> specify "lateral" suffix for user, group, machine.  I tried :
> ldap suffix = ou=Samba,dc=domain,dc=com
> ldap user suffix = ou=People,dc=domain,dc=com
> ...
> But it does not work. Any idea how to achieve that ?
> The reason I would like to design my DIT in such a way is strictly 
> cosmetic, as I would prefer not to clutter the root with sambaDomain and 
> sambaUnixIdPool entry.

I'd recommend creating something like 


And keep everything Samba (or NSS) uses under the ou=SAM.  This totally
avoids (a) having to do root level sub searches, which are always bad,
especially as your DIT grows to contain other stuff, (b) lets you
partition the PDC stuff off from the rest of your DIT, good if you want
it to have its own server or Samba decides to implement their own LDAP
server, you can just place it in your DIT without having to refactor
anything and (c) makes it easier to delegate the permissions peculiar to
PDC operations.

If you really want an ou=People at the root that is still possible, you
simply use a subordinate proxy to place the contents of
ou=People,ou=SAM,... at ou=People,dc=domain,...  then mail clients can
query what they expect to find and you can also drop out all the
attributes and objectclasses they don't need to see.
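As an added illustration, not part of either poster's message, here is how the ou=SAM layout from the reply maps onto the smb.conf suffix parameters, given that the user/group/machine suffixes are appended to "ldap suffix". The dc=domain,dc=com and ou=SAM names follow the thread; the LDAP host, the admin bind DN and the ou=Idmap container name are assumptions.

```ini
# smb.conf fragment (constructed example for this thread, not the poster's config).
#
# Samba forms each effective DN as "<sub suffix>,<ldap suffix>", so the lateral
# layout attempted in the question cannot be expressed this way:
#   ldap suffix      = ou=Samba,dc=domain,dc=com
#   ldap user suffix = ou=People,dc=domain,dc=com
# would make Samba look for users under
#   ou=People,dc=domain,dc=com,ou=Samba,dc=domain,dc=com
# which is not a DN that exists in that tree.

[global]
    # LDAP server and bind identity: hostname and DN are assumed values.
    passdb backend = ldapsam:ldap://ldap.domain.com
    ldap admin dn = cn=samba,ou=SAM,dc=domain,dc=com

    # Everything Samba touches lives below one container, as the reply recommends.
    # Searches are then scoped to ou=SAM rather than to the root of the DIT, and
    # directory ACLs for the admin DN above can be limited to this subtree.
    ldap suffix = ou=SAM,dc=domain,dc=com

    # Effective DN: ou=People,ou=SAM,dc=domain,dc=com
    ldap user suffix = ou=People

    # Effective DN: ou=Group,ou=SAM,dc=domain,dc=com
    ldap group suffix = ou=Group

    # Effective DN: ou=Hosts,ou=SAM,dc=domain,dc=com
    ldap machine suffix = ou=Hosts

    # Where sambaUnixIdPool lives; effective DN: ou=Idmap,ou=SAM,dc=domain,dc=com
    # (container name assumed).
    ldap idmap suffix = ou=Idmap
```

With this layout the sambaDomain and sambaUnixIdPool entries sit under ou=SAM rather than at dc=domain,dc=com, which addresses the cosmetic concern in the question.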
