Re: [Samba] ldap machine suffix fixed?
> >>> Did ldap machine suffix ever get fixed so that it can be in a separate
> >>> container from ldap user suffix?
> >> Is there any problem to be fixed on samba side? I've been using separate
> >> container for machine without any problem (almost 8 months now)
> > Yes, there was a problem, and maybe still is.
> > You are using separate containers for users and machines, because you
> > probably search for them in the whole LDAP tree.
> Yes. I did not specify filter on pam/nss_ldap. However the limitation is
> coming from nss_ldap not samba.

Ah, I can see that. We met this limitation a long time ago (NSS only supports a single search base per object type, which actually seems reasonable). We simply structured the DIT in a different way -

dc..
dc..,ou=SAM
dc..,ou=SAM,ou=Groups
dc..,ou=SAM,ou=Entities
dc..,ou=SAM,ou=Entities,ou=People
dc..,ou=SAM,ou=Entities,ou=System Accounts
dc..,ou=SAM,ou=ipServices
etc...

NSS's account search base can be set to "dc..,ou=SAM,ou=Entities" for account objects and will see both; applications like Samba can be split. There is no need to search the 'whole LDAP tree', as that would be bad since it also contains things like -

dc..,ou=Customers
dc..,ou=Access Control
etc...

- and may be huge.

If you insist on having a traditional dc..,ou=People that is simple enough with a subordinate back-ldap backend that rewrites ou=SAM,ou=Entities,ou=People to ou=People DN's.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
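
The layout described in the message above, written out as configuration; this is an added example, not part of the original post. The `dc=example,dc=com` base, the `ldap.example.com` host, the placement of machine accounts under `ou=System Accounts`, and the leaf-first DN order are assumptions, since the post elides the base as `dc..` and lists entries parent-first.

```ini
# --- /etc/ldap.conf (nss_ldap): one search base per NSS map ---
# passwd/shadow lookups start at the common parent of both account
# containers, so a subtree search finds users and machine accounts
# without walking ou=Customers, ou=Access Control or the rest of the tree.
# (dc=example,dc=com is a placeholder base, not from the post.)
base             dc=example,dc=com
nss_base_passwd  ou=Entities,ou=SAM,dc=example,dc=com?sub
nss_base_shadow  ou=Entities,ou=SAM,dc=example,dc=com?sub
nss_base_group   ou=Groups,ou=SAM,dc=example,dc=com?one

# --- smb.conf: Samba keeps users and machines in separate containers ---
# The user/machine/group suffixes are partial DNs that Samba prepends
# to "ldap suffix". Machine accounts in ou=System Accounts is an
# assumption; the post does not say which container holds them.
[global]
    passdb backend      = ldapsam:ldap://ldap.example.com
    ldap suffix         = dc=example,dc=com
    ldap user suffix    = ou=People,ou=Entities,ou=SAM
    ldap machine suffix = ou=System Accounts,ou=Entities,ou=SAM
    ldap group suffix   = ou=Groups,ou=SAM
```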
Re: [Samba] ldap machine suffix fixed?
> > Did ldap machine suffix ever get fixed so that it can be in a separate
> > container from ldap user suffix?
> Is there any problem to be fixed on samba side? I've been using separate
> container for machine without any problem (almost 8 months now)

Same, always have, never had this problem.
Re: [Samba] ldap machine suffix fixed?
Tomasz Chmielewski wrote:
> Beast wrote:
> > Jim C. wrote:
> > > Did ldap machine suffix ever get fixed so that it can be in a separate
> > > container from ldap user suffix?
> > Is there any problem to be fixed on samba side? I've been using separate
> > container for machine without any problem (almost 8 months now)
> Yes, there was a problem, and maybe still is.
> You are using separate containers for users and machines, because you
> probably search for them in the whole LDAP tree.

Yes. I did not specify filter on pam/nss_ldap. However the limitation is coming from nss_ldap not samba.

> On systems with lots of machines and users this can lead to a bottleneck
> (searching for machines first in users, then in machines etc., instead of
> in machines only, and in users only if looking for users).

You can still use 1 dedicated (slave) ldap server for each samba server as I do on my setup or using nscd to cache passwd, group etc.

> Tomek

--
--beast
Re: [Samba] ldap machine suffix fixed?
Beast wrote:
> Jim C. wrote:
> > Did ldap machine suffix ever get fixed so that it can be in a separate
> > container from ldap user suffix?
> Is there any problem to be fixed on samba side? I've been using separate
> container for machine without any problem (almost 8 months now)

Yes, there was a problem, and maybe still is.

You are using separate containers for users and machines, because you probably search for them in the whole LDAP tree.

On systems with lots of machines and users this can lead to a bottleneck (searching for machines first in users, then in machines etc., instead of in machines only, and in users only if looking for users).

Tomek
Re: [Samba] ldap machine suffix fixed?
Jim C. wrote:
> Did ldap machine suffix ever get fixed so that it can be in a separate
> container from ldap user suffix?

Is there any problem to be fixed on samba side? I've been using separate container for machine without any problem (almost 8 months now)

--
--beast
[Samba] ldap machine suffix fixed?
Did ldap machine suffix ever get fixed so that it can be in a separate container from ldap user suffix?

Jim C.