On Wed, 2010-03-10 at 08:38 +0100, Götz Reinicke - IT-Koordinator wrote:
> Adam Tauno Williams wrote:
> > On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> >> But in terms of an address book, if someone has an LDAP address book
> >> client (e.g. thunderbird) you can't prevent them from trying to
> >> recursively query "ou=people,....) vs "ou=students." You can advise
> >> end users whether they should set up two LDAP address books (students
> >> vs employees) rather than one top level "people" one. From the end
> >> user perspective, a single LDAP directory will probably be simpler.
> > True; or all non-related entries can simply be hidden from the clients.
> > Or, the simplest solution, is to use a virtual root to 'glob' any
> > objects [and just the specific attributes] that an addressbook consumer
> > would want to see. OpenLDAP provides excellent support for
> > partitioning, federating, and creating virtual (remapped) partitions.
> So I may have one branch with the DNs of users with their IDs,
> passwords, ... and one partition for the phonebook entries:
> dn: ou=People,dc=example,dc=com

I'd recommend sub-rooting everything Samba needs to see; and not using
the [dreadful IMO] ou=People,$ROOT, ou=Groups,$ROOT design.

> dn: ou=Phonebook,dc=example,dc=com

You certainly can do that.

> > Aside: Although in the end I think you'll find LDAP makes a very crappy
> > addressbook solution.
> Why that? For us e.g. the purpose of the addressbook is to have name and
> e-mail-address available; postal Address, phone number etc should not be
> in our directory.

(a) No client but Evolution supports write access. This shortly equals
unhappy users.
(b) Clients blithely ignore schema rules [for example "mail" is
multi-valued]
(c) How clients map attributes to fields varies widely [and whoever
wrote the Mozilla addressbook's LDAP support was using hard-drugs at the
time]

If you really want nothing more than to expose e-mail addresses it works
reasonably well. It is pretty terrible once you go beyond that.
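
Added example, not part of the original message and not OpenLDAP's own mechanism: a Python model of the result the thread describes, where entries under ou=People are remapped under ou=Phonebook and reduced to an allowlist of attributes, with multi-valued "mail" kept as a list. The allowlist, the function names and the LDIF sample are assumptions constructed for illustration.

```python
# Attributes an address-book consumer may see (assumption: names and e-mail only).
PHONEBOOK_ATTRS = {"cn", "sn", "givenname", "mail"}
SOURCE_SUFFIX = "ou=People,dc=example,dc=com"
VIEW_SUFFIX = "ou=Phonebook,dc=example,dc=com"

# Constructed sample data, not taken from any real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.com
mail: a.example@example.com
userPassword: {SSHA}constructed-placeholder
sambaNTPassword: CONSTRUCTED-PLACEHOLDER

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: account
uid: svc-backup
userPassword: {SSHA}constructed-placeholder
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into (dn, {attr: [values]}) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def phonebook_view(entries):
    """Remap DNs under the view suffix and keep only allowlisted attributes."""
    view = []
    for dn, attrs in entries:
        if not dn.lower().endswith("," + SOURCE_SUFFIX.lower()):
            continue  # entry lives outside the source branch
        kept = {a: v for a, v in attrs.items() if a in PHONEBOOK_ATTRS}
        if not kept.get("mail"):
            continue  # no e-mail address, so nothing for an address book
        rdn = dn[: -len(SOURCE_SUFFIX) - 1]
        view.append((rdn + "," + VIEW_SUFFIX, kept))
    return view
```

Credentials such as userPassword and sambaNTPassword never reach the view because the filter is an allowlist, so a newly added sensitive attribute is hidden by default.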
