[Samba] Best practice OU and policy structure.

Rowland Penny rpenny at samba.org
Wed Nov 4 10:26:18 UTC 2020

On 04/11/2020 09:28, Peter Boos via samba wrote:
> Hi,
> I'm in an organization where we're thinking of deploying a department and role based OU structure.
> So depending on people's responsibilities one has limitations on their PC or account.
> However, I notice that applications that use LDAP to verify credentials against Samba
> have problems when people get moved around, as logically their LDAP referral "cn= ou = ou- .. " changes.
> So the 'list of users' under ..\users\ gets split and scattered over a new OU structure.
> Several applications have problems with this, as I noted with some test users.
> Applications like GLPI / Nextcloud / Kopano / password tools / in-house DBs / etc.
> So I wonder what the commonly used practice is here?
> 1- Simply don't use multiple OUs, if it's not that well supported.
>     Just use a common single domain policy only (only use \users and \computers).
> 2- Use some kind of wildcard LDAP URL (possible?).
>     Not sure if it's a "common practice" method for applications to use such a solution.
> 3- Try to solve it for each application independently (contact vendors / dig up old DB code etc).
> 4- Something else I might be missing?

The problem with using OUs is that a user can only be in one OU, so 
what if the user needs to be in more than one?

I would rely on group membership instead.
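
Added example (not part of the original thread, and not Samba code): a small in-memory simulation of why a login built from a fixed DN path stops working after an OU move, while a subtree search on sAMAccountName gated by group membership keeps working. The domain DC=example,DC=com, the group app-users, the user alice and all function names are constructed for illustration.

```python
# Added illustration: the directory is simulated in memory, all names are constructed.
BASE = "DC=example,DC=com"
APP_GROUP = f"CN=app-users,OU=Groups,{BASE}"

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        out = out.replace(ch, esc)
    return out

def login_filter(account, group_dn=APP_GROUP):
    """Search filter an application can be given instead of a fixed user DN."""
    return (f"(&(objectClass=user)(sAMAccountName={escape_filter(account)})"
            f"(memberOf={escape_filter(group_dn)}))")

def new_directory():
    """One user in the default Users container, member of the application group."""
    dn = f"CN=alice,CN=Users,{BASE}"
    return {dn: {"sAMAccountName": "alice", "memberOf": [APP_GROUP]}}

def move(directory, dn, new_parent):
    """Move an entry to another container; its group membership is unchanged."""
    new_dn = f"{dn.split(',', 1)[0]},{new_parent}"
    directory[new_dn] = directory.pop(dn)
    return new_dn

def template_lookup(directory, account):
    """Fragile: the DN is assembled from a hard-coded container path."""
    dn = f"CN={account},CN=Users,{BASE}"
    return dn if dn in directory else None

def subtree_lookup(directory, account, group_dn=APP_GROUP):
    """Robust: search everything under BASE by account name, gate on the group."""
    suffix = "," + BASE.lower()
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix)
            and attrs["sAMAccountName"].lower() == account.lower()
            and group_dn in attrs["memberOf"]]
    return hits[0] if len(hits) == 1 else None  # refuse ambiguous matches

if __name__ == "__main__":
    d = new_directory()
    move(d, f"CN=alice,CN=Users,{BASE}", f"OU=Sales,OU=Departments,{BASE}")
    print(login_filter("alice"))
    print("template:", template_lookup(d, "alice"))
    print("subtree: ", subtree_lookup(d, "alice"))
```

In a real deployment the equivalent settings are the application's search base (the domain root), a subtree search scope, and a user filter like the one login_filter() returns.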

