On Fri, 2004-01-23 at 15:27, Beast wrote:
> * "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Andrew Bartlett wrote:
> >
> > > Naturally, this just means you need to give nss_ldap the same ldap base
> > > DN to search under as samba is using. Naturally, if nss_ldap only looks
> > > under ou=people, then it's not going to work, but I set my base dn to
> > > just 'dc=hawkerc,dc=net', and carry the minor cost of a possible search
> > > against other ou's that might not contain accounts.
> >
> > Right. And my only point is that for large directories this
> > cost can be non-zero. So IMO we need to redesign the LDAP suffix and
> > searches in Samba altogether to be more localized and efficient.
> >
>
> That's correct, even though I did not implement samba yet, but under high traffic
> on my email system, it can easily kill my openldap.

This sounds like you are missing indexes, as much as any fatal flaw elsewhere.

> IMO nss_ldap ldap queries are inefficient, so I'm bypassing any pam call
> whenever possible (not possible with samba I think).

posix is a beast, but the calls are easily indexed. How large is your site that it is causing problems?

> But putting machine accounts under the same container as user accounts is
> also umm..., not elegant :-)

Naturally, you have the option to say 'ou=people,ou=accounts... and ou=computers,ou=accounts' if the rest of your tree is particularly large, and you don't think the objectclass search restrictions will help.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
