[Samba] Setting up LDAP Authentification - Tree design/search scope

Adam Tauno Williams awilliam at whitemice.org
Wed Mar 10 05:11:02 MST 2010


On Wed, 2010-03-10 at 08:38 +0100, Götz Reinicke - IT-Koordinator wrote:
> Adam Tauno Williams schrieb:
> > On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> >> But in terms of an address book, if someone has an LDAP address book 
> >> client (e.g. thunderbird) you can't prevent them from trying to 
> >> recursively query "ou=people,...." vs "ou=students."    You can advise 
> >> end users whether they should set up two LDAP address books (students 
> >> vs employees) rather than one top level "people" one.    From the end 
> >> user perspective, a single LDAP directory will probably be simpler.
> > True;  or all non-related entries can simply be hidden from the clients.
> > Or, the simplest solution, is to use a virtual root to 'glob' any
> > objects [and just the specific attributes] that an addressbook consumer
> > would want to see.  OpenLDAP provides excellent support for
> > partitioning, federating, and creating virtual (remapped) partitions.
> So I may have one branch with the DNs of users with their IDs,
> passwords, ... and one partition for the phonebook entries:
> dn: ou=People,dc=example,dc=com

I'd recommend sub-rooting everything Samba needs to see; and not using
the [dreadful IMO] ou=People,$ROOT, ou=Groups,$ROOT design.

> dn: ou=Phonebook,dc=example,dc=com

You certainly can do that.

> > Aside: Although in the end I think you'll find LDAP makes a very crappy
> > addressbook solution.
> Why that? For us e.g the purpose of the addressbook is to have name and
> e-mail-address available; postal Address, phonenumber etc should not be
> in our directory.

(a) No client but Evolution supports write access.   This shortly equals
unhappy users.
(b) Clients blithely ignore schema rules [for example "mail" is
multi-valued]
(c) How clients map attributes to fields varies widely [and who ever
wrote the Mozilla addressbook's LDAP support was using hard-drugs at the
time]

If you really want nothing more than to expose e-mail addresses it works
reasonably well.  It is pretty terrible once you go beyond that.
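As an added example (not from the thread or from Samba itself), here is the layout the reply recommends, with everything Samba needs under one sub-root, the phonebook as a separate branch, and OpenLDAP ACLs that let authenticated address-book clients read only name and mail attributes of the phonebook while hiding the Samba branch and password hashes. The OU names, the cn=samba bind DN and the {1}mdb database entry are assumptions; dc=example,dc=com comes from the thread.

```ldif
# Constructed tree: Samba objects sub-rooted, phonebook kept apart.
dn: ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Samba

dn: ou=Users,ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Phonebook,dc=example,dc=com
objectClass: organizationalUnit
ou: Phonebook

# Phonebook entry carrying only what an address book consumer needs.
# mail is multi-valued, as the reply points out; clients must cope.
dn: cn=Jane Doe,ou=Phonebook,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jane.doe@example.com
mail: jdoe@example.com

# ACLs for the (assumed) {1}mdb database, applied with ldapmodify.
# Password hashes: owner and the Samba bind DN may write, anyone may
# bind against them, nobody else may read them.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by self write
  by dn.exact="cn=samba,ou=Samba,dc=example,dc=com" write
  by anonymous auth
  by * none
# Authenticated clients see only address-book attributes of the phonebook.
olcAccess: {1}to dn.subtree="ou=Phonebook,dc=example,dc=com"
  attrs=entry,objectClass,cn,sn,givenName,mail
  by users read
  by * none
# The Samba sub-root is visible only to the Samba bind DN.
olcAccess: {2}to dn.subtree="ou=Samba,dc=example,dc=com"
  by dn.exact="cn=samba,ou=Samba,dc=example,dc=com" write
  by * none
olcAccess: {3}to * by * none
```

Address-book clients bound as ordinary users then get cn, sn, givenName and mail from ou=Phonebook and nothing from ou=Samba, so a recursive search from the root still cannot reach the Samba data.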


