[Samba] Setting up LDAP Authentication - Tree design/search scope
Adam Tauno Williams
awilliam at whitemice.org
Tue Mar 9 16:18:01 MST 2010
On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> smb.conf will list where samba searches in ldap.
> ldap suffix=o=abc.com
> ldap user suffix=ou=employees,ou=people
> ldap group suffix = ou=groups
> ldap machine suffix=ou=machines,ou=people
> I think the main challenge will be configuring access control lists.
> If you have a server you only want accessed by employees, you would set
> the "ldap user suffix" parameter in smb.conf appropriately.
We've parented all of Samba related 'stuff' under ou=SAM,$BASE, so we have

  ou=SAM,$BASE
  ou=Entities,ou=SAM,$BASE
  ou=People,ou=Entities,ou=SAM,$BASE
  ou=System Account,ou=Entities,ou=SAM,$BASE
  ou=Groups,ou=SAM,$BASE

because very different ACLs typically apply to these three types of
objects (users, system accounts, and groups).
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,..." vs "ou=students". You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.
True; or all non-related entries can simply be hidden from the clients.
Or, the simplest solution is to use a virtual root to 'glob' any
objects [and just the specific attributes] that an addressbook consumer
would want to see. OpenLDAP provides excellent support for
partitioning, federating, and creating virtual (remapped) partitions.
Aside: Although in the end I think you'll find LDAP makes a very crappy
addressbook solution.
> I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.
Yep; you'll find most sites (in my experience) to have severely
neglected the configuration of their DSA once they reach got-it-working
status.
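For the per-branch ACL separation described above, and the point that attributes are rarely restricted beyond the defaults, here is an added example of OpenLDAP slapd.conf access directives; it is not from the thread. It assumes $BASE is dc=example,dc=org and that Samba binds as cn=samba,ou=System Account,ou=Entities,ou=SAM,$BASE; both are placeholders.

```conf
# Added example, not from the thread. $BASE is assumed to be
# dc=example,dc=org and the Samba bind DN is an assumed placeholder.
#
# Weak (the default when slapd.conf has no "access to" lines at all):
#   access to * by * read
# Every attribute of every entry, password hashes included, is readable
# by any client that can connect.
#
# slapd evaluates "access to" clauses in order and uses the first one
# whose target matches; within a clause the first matching "by" wins.

# 1. Password hashes: writable by the owner and the Samba account only,
#    usable for binding by anyone, readable by nobody.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# 2. People: address-book clients (authenticated users) may read;
#    only the Samba account may write.
access to dn.subtree="ou=People,ou=Entities,ou=SAM,dc=example,dc=org"
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=org" write
    by users read
    by * none

# 3. System accounts: invisible to ordinary users entirely.
access to dn.subtree="ou=System Account,ou=Entities,ou=SAM,dc=example,dc=org"
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=org" write
    by * none

# 4. Groups: same policy as People.
access to dn.subtree="ou=Groups,ou=SAM,dc=example,dc=org"
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=org" write
    by users read
    by * none

# 5. Everything else (the container entries clients must traverse):
#    authenticated read, no anonymous access.
access to *
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=org" write
    by users read
    by * none
```

Clause 1 must precede the subtree clauses, otherwise a People entry would match clause 2 first and its sambaNTPassword would be readable by every authenticated user.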