On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> smb.conf will list where samba searches in ldap.
> ldap suffix=o=abc.com
> ldap user suffix=ou=employees,ou=people
> ldap group suffix = ou=groups
> ldap machine suffix=ou=machines,ou=people
> I think the main challenge will be configuring access control lists.
> If you have a server you only want accessed by employees, you would set
> the "ldap user suffix" parameter in smb.conf appropriately.
We've parented all of the Samba-related 'stuff' under ou=SAM,$BASE, so we have

ou=SAM,$BASE
ou=Entities,ou=SAM,$BASE
ou=People,ou=Entities,ou=SAM,$BASE
ou=System Account,ou=Entities,ou=SAM,$BASE
ou=Groups,ou=SAM,$BASE

because very different ACLs typically apply to these three types of objects (users, system accounts, and groups).

> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,....) vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.

True; or all non-related entries can simply be hidden from the clients. Or, the simplest solution is to use a virtual root to 'glob' any objects [and just the specific attributes] that an address-book consumer would want to see. OpenLDAP provides excellent support for partitioning, federating, and creating virtual (remapped) partitions.

Aside: although in the end I think you'll find LDAP makes a very crappy address-book solution.

> I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.

Yep; you'll find most sites [in my experience] have severely neglected the configuration of their DSA once they reach got-it-working status.

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
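The two points raised in the thread (ACLs are the main challenge, and attributes are rarely restricted beyond the defaults) come together in the slapd access directives. The following is an added example and not configuration from either poster or from the Samba project; it uses the ou=SAM layout described above with an assumed base of dc=example,dc=com, and the bind DNs cn=samba and cn=nss under ou=System Account are hypothetical names. The first block shows the weak default; the second shows directives that hide the system accounts, keep password hashes away from everyone but the owner and the Samba DSA account, and expose only address-book attributes of ou=People to ordinary authenticated users.

```conf
# --- WEAK: what slapd applies when slapd.conf contains no access directives.
# Every hash-bearing attribute (userPassword, sambaNTPassword, sambaLMPassword)
# is readable by anonymous; only writes are limited to the rootdn.
#
#   access to * by * read

# --- HARDENED: assumed layout ou=SAM,dc=example,dc=com (example only).
# Order matters: slapd uses the first "access to" whose <what> matches,
# and "break" hands evaluation on to the next matching clause.

# 1. The Samba DSA account (hypothetical DN) manages the whole subtree.
access to dn.subtree="ou=SAM,dc=example,dc=com"
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com" write
    by * break

# 2. System accounts: anonymous may only authenticate against them
#    (needed for simple bind); nobody else sees that they exist.
access to dn.subtree="ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com"
    attrs=userPassword
    by anonymous auth
    by * none
access to dn.subtree="ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com"
    by * none

# 3. People: password material is write-only for the owner, auth-only for
#    anonymous binds, invisible to everyone else (the Samba DN was handled in 1).
access to dn.subtree="ou=People,ou=Entities,ou=SAM,dc=example,dc=com"
    attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet
    by self write
    by anonymous auth
    by * none

# 4. People: address-book consumers (any authenticated user) get only the
#    attributes an address book needs. "entry" is required to return the
#    object at all; objectClass is required for clients that filter on it.
access to dn.subtree="ou=People,ou=Entities,ou=SAM,dc=example,dc=com"
    attrs=entry,objectClass,cn,sn,givenName,mail,telephoneNumber
    by users read
    by * none

# 5. People: everything else (uid, sambaSID, home directory, ...) is visible
#    to the owner and to the hypothetical NSS lookup account, and to nobody else.
access to dn.subtree="ou=People,ou=Entities,ou=SAM,dc=example,dc=com"
    by self read
    by dn.exact="cn=nss,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com" read
    by * none

# 6. Groups are readable by authenticated users only.
access to dn.subtree="ou=Groups,ou=SAM,dc=example,dc=com"
    by users read
    by * none

# 7. Anything else under ou=SAM that fell through is denied.
access to dn.subtree="ou=SAM,dc=example,dc=com"
    by * none
```

The same directives are used as olcAccess values (prefixed with {0}, {1}, ...) when slapd is run from cn=config. Before relying on them, check each rule offline with slapacl, which evaluates the ACLs in slapd.conf without a running server, for example `slapacl -f /etc/ldap/slapd.conf -D "uid=alice,ou=People,ou=Entities,ou=SAM,dc=example,dc=com" -b "uid=bob,ou=People,ou=Entities,ou=SAM,dc=example,dc=com" sambaNTPassword/read`, which should report that read is denied; repeat with mail/read, which should be allowed.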
