[Samba] Setting up LDAP Authentification - Tree design/search scope
Adam Tauno Williams
awilliam at whitemice.org
Wed Mar 10 05:11:02 MST 2010
On Wed, 2010-03-10 at 08:38 +0100, Götz Reinicke - IT-Koordinator wrote:
> Adam Tauno Williams schrieb:
> > On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> >> But in terms of an address book, if someone has an LDAP address book
> >> client (e.g. thunderbird) you can't prevent them from trying to
> >> recursively query "ou=people,....) vs "ou=students." You can advise
> >> end users whether they should set up two LDAP address books (students
> >> vs employees) rather than one top level "people" one. From the end
> >> user perspective, a single LDAP directory will probably be simpler.
> > True; or all non-related entries can simply be hidden from the clients.
> > Or, the simplest solution, is it use a virtual root to 'glob' any
> > objects [and just the specific attributes] that an addressbook consumer
> > would want to see. OpenLDAP provides excellent support for
> > partitioning, federating, and creating virtual (remapped) partitions.
> So I may have one branch with the DNs of users with their IDs,
> passwords, ... and one partition for the phonebook entries:
> dn: ou=People,dc=example,dc=com
I'd recommend sub-rooting everything Samba needs to see; and not using
the [dreadful IMO] ou=People,$ROOT, ou=Groups,$ROOT design.
> dn: ou=Phonebook,dc=example,dc=com
You certainly can do that.
> > Aside: Although in the end I think you'll find LDAP makes a very crappy
> > addressbook solution.
> Why that? For us e.g. the purpose of the addressbook is to have name and
> e-mail address available; postal address, phone number etc. should not be
> in our directory.
(a) No client but Evolution supports write access. This shortly equals
unhappy users.
(b) Clients blithely ignore schema rules [for example "mail" is
multi-valued]
(c) How clients map attributes to fields varies widely [and whoever
wrote the Mozilla addressbook's LDAP support was using hard drugs at the
time]
If you really want nothing more than to expose e-mail addresses it works
reasonably well. It is pretty terrible once you go beyond that.
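A slapd.conf fragment, added here as an illustration and not taken from the thread or from Samba's documentation, showing one way to lay out the tree this reply describes: everything Samba needs sub-rooted under ou=Samba, and ou=Phonebook served as a virtual partition (slapd-relay with the rwm overlay) onto the user entries, with ACLs on the real tree deciding which attributes address-book clients can read. The ou=Samba layout, the cn=samba service DN, the mdb backend and the file paths are assumptions for the example.

```conf
# slapd.conf fragment (assumed: OpenLDAP with back_relay and the rwm overlay
# built as modules; mdb backend; all DNs below are constructed for the example)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
modulepath      /usr/lib/openldap
moduleload      back_mdb.la
moduleload      back_relay.la
moduleload      rwm.la

# Real tree. Everything Samba touches lives under ou=Samba, not under a
# top-level ou=People/ou=Groups pair, so Samba's base DN and its bind
# identity are scoped to that one branch.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
#   expected layout (constructed):
#     ou=Samba,dc=example,dc=com
#       ou=Users,ou=Samba,...      posixAccount + sambaSamAccount entries
#       ou=Groups,ou=Samba,...     posixGroup + sambaGroupMapping entries
#       ou=Computers,ou=Samba,...  machine accounts

# Password hashes: the owner may change them, anyone may bind with them,
# Samba's service account may write them, nobody else may read them.
access to dn.subtree="ou=Samba,dc=example,dc=com" attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
        by * none
# Address-book attributes: authenticated users may read just these.
access to dn.subtree="ou=Users,ou=Samba,dc=example,dc=com" attrs=entry,objectClass,cn,sn,givenName,mail
        by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
        by users read
# Everything else under ou=Samba is visible to Samba only.
access to dn.subtree="ou=Samba,dc=example,dc=com"
        by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
        by * none

# Virtual partition for address-book clients: ou=Phonebook relays onto
# ou=Users,ou=Samba with the suffix rewritten, so clients point at one
# simple base DN while the ACLs above still limit what they can read.
database        relay
suffix          "ou=Phonebook,dc=example,dc=com"
relay           "ou=Users,ou=Samba,dc=example,dc=com"
overlay         rwm
rwm-suffixmassage "ou=Users,ou=Samba,dc=example,dc=com"
```

Verify the split by binding as an ordinary user and running ldapsearch with base ou=Phonebook,dc=example,dc=com: the results should carry only cn, sn, givenName and mail, and the same bind searching ou=Samba,dc=example,dc=com should not see the password or Samba attributes.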