[Samba] Questions about ldap organizational units

Christ Schlacta lists at aarcane.org
Thu Dec 30 02:10:06 MST 2010

I'm kinda new to this too, but I'll share what knowledge I've acquired 

On 12/29/2010 23:01, Taso Hatzi wrote:
> Environment is Samba as a PDC, OpenLDAP backend, with
> smbldap-tools providing the scripts to manipulate the data.
> What are the recommended/mandated organizational units (OU=)
> for user, computer, group info.
Whatever suits your needs
> I'm pretty sure that groups go in ou=Groups, but I am confused
> about where user and computer data goes.
Groups go wherever you need them
> I have seen ou=People, ou=Computers, and ou=Users in various places.
> Which is it and why?
You can have 0 or more OUs to store data.  you can put everything 
directly in your root dn, or you can use "Organizational Units" to 
organize them.  for example, you can store users, groups, etc. by 
department instead of by users, groups, machines.  but the smbldaptools 
use users, groups, machines (or similarly named OUs) to place these 
objects in.  If you wanted, you could have users stored by department, 
or by zip code, or any arbitrary scheme you like (ou=PeopleILike,dc=.., 
ou=PeopleIDontLike,dc=.., etc..).  for ldap in general there's no real 
rhyme or reason to where they need to be.  Samba seems to like them 
sorted into users, groups, machines, and idmaps in one branch of your 
directory.  the thinking seems to be each organizational unit of your 
organization should represent a domain with it's own users, groups, 
idmaps, etc.  I believe it's possible to configure samba to handle 
whatever you need, but I can't find any entries in the smb.conf manpage 
about ldap search depth.

the long and short of it is call them whatever you want, but keep 'em 
together and remember what you called them

More information about the samba mailing list