[Samba] One User, One Ldap, Multiple Domains

Andrew Bartlett abartlet at samba.org
Sun May 29 21:24:17 GMT 2005


On Sun, 2005-05-29 at 16:52 +0100, David Barker wrote:
> Andrew Bartlett wrote:
> 
> > On Mon, 2005-05-23 at 16:23 +0100, David Barker wrote:
> > 
> > 
> >> Looking through the ldapsam stuff, it looks like in samba 3 a user
> >> can only be a member of one domain at a time in an ldap tree.
> >> 
> >> attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC
> >> 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX
> >> 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
> >> 
> >> Does anyone know if it's safe to drop SINGLE-VALUE from sambaSID,
> >> to allow one user to be in two domains at once?
> >> 
> >> 
> > 
> > The idea was (it didn't really work out as well as I would have
> > liked) to have sambaSID be the unique identifier for objects in the
> > ldap tree (for finding them when clients ask 'what is this sid'
> > questions).
> > 
> > 
> ahha :-)
> 
> > Why do you think you need multiple domains on one LDAP tree?
> > 
> > 
> 
> 	For what we currently use samba for, we don't need multiple domains. We 
> have created one domain using samba 2.2.x for the 22,000+ registered 
> users in the central LDAP, all of which are able to log in to various 
> public PCs in places like our main library.
> 
> 	Departments & schools in the university would like to provide desktop 
> authentication, printing and shared filespace for windows desktops in 
> their areas. The traditional way of doing this would be trusted domains, 
> but our single big domain is too unwieldy for this - the PDC is simply 
> too slow at listing all users to a windows desktop for the purpose of 
> building up ACLs, etc.

> b) We are going to be missing out on fun things like 
> "ldapsam:trusted=yes" by staying with ldapsam_compat

I would suggest looking into speed improvements (such as the continuing
work on this) before breaking your LDAP into tiny pieces.  One domain
really should be the way to do this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
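The thread turns on two properties of sambaSID: the schema declares it SINGLE-VALUE, and Samba relies on it as the unique key when a client asks "what is this SID". The following script is an added illustration, not Samba code or anything from the list, that audits an LDIF dump for exactly those two properties and shows what a SID lookup returns once either is violated. The LDIF, DNs and domain SIDs in it are constructed; a real check would read the dump from `ldapsearch -LLL` output instead of a string.

```python
"""Audit sambaSID usage in an LDIF dump (added example, not Samba code).

Flags entries that carry more than one sambaSID (what dropping SINGLE-VALUE
would permit), entries with no sambaSID, malformed values, and SIDs shared by
more than one entry.  lookup_by_sid() emulates the 'what is this SID' query
and returns every DN that matches; a healthy tree yields at most one.
"""

import re
from collections import defaultdict

# Constructed sample data: the DNs and domain SIDs below are fictitious.
# 'bob' has two SIDs from two domains; 'carol' reuses alice's SID; 'dave'
# has none at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=ac,dc=uk
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-111-222-333-1000

dn: uid=bob,ou=People,dc=example,dc=ac,dc=uk
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-111-222-333-1002
sambaSID: S-1-5-21-444-555-666-1002

dn: uid=carol,ou=People,dc=example,dc=ac,dc=uk
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-111-222-333-1000

dn: uid=dave,ou=People,dc=example,dc=ac,dc=uk
objectClass: sambaSamAccount
uid: dave
"""

# Domain-style SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}).

    Only the plain 'attr: value' form is handled (no base64 '::' values or
    line continuations), which is all the constructed sample needs.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn = None
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def domain_of(sid):
    """Domain SID = everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]


def check_sids(entries):
    """Return (kind, subject) problem tuples for the sambaSID invariants."""
    problems = []
    owners = defaultdict(list)
    for dn, attrs in entries:
        sids = attrs.get("sambaSID", [])
        if not sids:
            problems.append(("missing", dn))
        elif len(sids) > 1:
            problems.append(("multi-valued", dn))
        for sid in sids:
            if not SID_RE.match(sid):
                problems.append(("malformed", dn))
            owners[sid].append(dn)
    for sid, dns in owners.items():
        if len(dns) > 1:
            problems.append(("duplicate", sid))
    return problems


def domains_in_tree(entries):
    """Set of domain SIDs referenced anywhere in the tree."""
    return {domain_of(s) for _, a in entries for s in a.get("sambaSID", [])}


def lookup_by_sid(entries, sid):
    """Emulate the SID-to-object lookup: every DN carrying this SID."""
    return [dn for dn, attrs in entries if sid in attrs.get("sambaSID", [])]


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for kind, subject in check_sids(tree):
        print(f"{kind:12s} {subject}")
    print("domains present:", sorted(domains_in_tree(tree)))
```

Run against a real dump, the interesting output is the `duplicate` and `multi-valued` lines: each one is a SID for which Samba's lookup can no longer name a single object, which is the failure Andrew's reply is pointing at.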