[Samba] Copy *just* user accounts from LDAP?

Marc Muehlfeld Marc.Muehlfeld at medizinische-genetik.de
Mon Jun 22 13:32:25 GMT 2009

johnh at primebuchholz.com wrote:
> What I'd like to do is set up a new Samba domain on the off-site server so 
> users can log into it for disaster recovery purposes - and I'd like to 
> keep the user account information synchronized with the main server so 
> users' passwords are the same, etc. - while leaving behind workstation 
> accounts, etc.

Why don't you want to sync the machine accounts? The workstations wouldn't be 
allowed to log on to the domain if the machine account password differs. And 
don't you require the LDAP groups too for managing access?

> Does anyone have any ideas on how best to approach this?  I guess what I'm 
> asking is, I'm OK with slapcat/slapadd'ing periodically from the main 
> server to the off-site server, but does anyone have ideas for how to 
> filter just the user accounts into the LDIF?

Instead of export/transfer/delete-ldap/import, I would use the OpenLDAP 
replication functions. If you really don't want to have access to the 
groups/machine account OUs, you can define an ACL on your slave server that 
denies access to those branches.
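
The setup suggested in this reply, sketched as an added example that is not part of the original post: an off-site consumer that replicates the whole tree with syncrepl and then denies client access to the machine and group branches. The suffix, OU names, DNs, host name, directory path and credentials are assumed placeholders.

```conf
# slapd.conf fragment for the off-site consumer (added example).
# Assumes the core, cosine, nis, inetorgperson and samba schema
# includes appear earlier in the file. All names are placeholders.
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# syncrepl applies replicated changes with rootdn rights, so the
# ACLs below restrict clients but do not block replication itself.
rootdn          "cn=Manager,dc=example,dc=com"

# Pull the complete tree from the main server over TLS.
# The bind DN needs read access to the password attributes
# on the provider, otherwise the hashes never arrive here.
syncrepl rid=001
        provider=ldaps://main.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_ME

# ACLs are evaluated top-down and the first matching rule wins,
# so the branch denials must come before the general rules.
access to dn.subtree="ou=Computers,dc=example,dc=com"
        by * none
access to dn.subtree="ou=Groups,dc=example,dc=com"
        by * none

# The replica stores the same password hashes as the main server.
# Only the Samba service account may read them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba,dc=example,dc=com" read
        by anonymous auth
        by * none

access to *
        by * read
```

The denied entries still exist in the replica's database files and in any slapcat dump of it, so the off-site host and its backups need the same protection as the main directory server.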

