[Samba] Best practice OU and policy structure.

Peter Boos peter.boos at quest-innovations.com
Wed Nov 4 09:28:43 UTC 2020


I'm in an organization where we're thinking of deploying a department and role based OU structure.
So depending on people's responsibilities one has limitations on their PC, or Account.

However, I notice that applications that use LDAP to verify credentials against Samba
have problems when people get moved around, as logically their LDAP referral "cn= ou = ou- .. " changes.
So the 'list of users' under ..\users\ gets split and scattered over a new OU structure.

Several applications have problems with this, as I noted with some test users.
Applications like GLPI / NeXT cloud / Kopano / password tools / in-house DBs / etc.
So I wonder what the commonly used practice is here?

1- Simply don't use multiple OUs, if it's not that well supported.
   Just use a common single domain policy only (only use \users and \computers).
2- Use some kind of wildcard LDAP URL (possible?).
   Not sure if it's a "common practice" method for applications to use such a solution.
3- Try to solve it for each application independently (contact vendors / dig up old DB code etc).
4- Something else I might be missing?
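The usual way an application avoids option 2 is "search then bind": instead of building the bind DN from a fixed OU template, it runs a subtree search from the domain base for the login name, then binds with whatever DN comes back, so moving the account to another OU changes nothing for the application. The following is an added example, not code from the original post or from Samba; the domain, accounts and in-memory directory are constructed stand-ins for a real LDAP server, and the login name is escaped because it is user input going into a search filter.

```python
from typing import Dict, Optional

BASE_DN = "dc=example,dc=com"  # assumed domain base; not from the post

# Constructed in-memory stand-in for the directory: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,cn=Users,dc=example,dc=com": {"sAMAccountName": "alice", "userPassword": "s3cret"},
    "cn=bob,ou=Staff,ou=Finance,dc=example,dc=com": {"sAMAccountName": "bob", "userPassword": "pa55"},
}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def user_filter(login: str) -> str:
    """Filter a client would send with a SUBTREE search from BASE_DN; OU placement is irrelevant."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(login)

def template_dn(login: str) -> str:
    """Brittle approach: the DN is guessed from a fixed OU path."""
    return "cn=%s,cn=Users,%s" % (login, BASE_DN)

def resolve_dn(login: str) -> Optional[str]:
    """Search-then-bind, step 1: find the entry anywhere below BASE_DN."""
    # A real client issues user_filter(login) with scope SUBTREE; the mock applies
    # the same equality match over every DN under the base.
    matches = [dn for dn, attrs in DIRECTORY.items()
               if dn.endswith("," + BASE_DN) and attrs.get("sAMAccountName") == login]
    return matches[0] if len(matches) == 1 else None  # missing or ambiguous -> no DN

def bind(dn: str, password: str) -> bool:
    """Mock simple bind: succeeds only for an existing DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def authenticate(login: str, password: str) -> bool:
    """Search-then-bind, step 2: bind with the DN the search returned."""
    dn = resolve_dn(login)
    return dn is not None and bind(dn, password)

def move_entry(old_dn: str, new_dn: str) -> None:
    """Simulate an admin moving an account into a department OU."""
    DIRECTORY[new_dn] = DIRECTORY.pop(old_dn)
```

With a real server, the search should be done with a dedicated low-privilege service account rather than the user's own credentials, and a result count other than one should be treated as a failed login.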
