| 1. In what situation do I need People group as the group for machines?
In the case where you use: nss_base_passwd ou=Users,dc=ab,dc=com?one
If you use: nss_base_passwd dc=ab,dc=com?sub
Would people please stop suggesting this without explaining the ramifications? If you do this, you are going to (theoretically)(1) severely harm the performance on your server. Setting the nss library to do a search on the 'entire' directory every time it needs to look up user information is asinine to put it in a word. It's like doing this in DNS terms... rather than looking for a machine named 'something.else.com' in the dns servers for else.com you go ask .com who then goes in and asks else.com by proxy. Doing the first example (the one searching with ?one) you are restricting searches to a respectable scope, doing the second you are searching all OUs which may be numerous and deep (in our LDAP tree we have 10 OUs, two of which are at least 3 levels deep).
You would be better served by defining ou=Computers and ou=People under something like ou=Accounts (which would give you DNs of
ou=Computers,ou=Accounts,dc=ab,dc=com and
ou=People,ou=Accounts,dc=ab,dc=com)
and then set: nss_base_passwd ou=Accounts,dc=ab,dc=com?sub
Note that I'm not saying that doing a sub search is necessarily bad, just when you are searching your entire ldap DIT, especially for something that happens as often as passwd lookups.
(1) I say theoretically because I've never tried it, it's a Bad Idea(C) from the word go. There are a lot of other things that I haven't tried that are bad ideas but I can safely say they are also dangerous, such as sticking forks in my eyes and jumping off cliffs.
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto: [EMAIL PROTECTED]
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
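Added example, not part of the original message and not nss_ldap code: a small model of the LDAP `one` and `sub` scopes applied to the `nss_base_passwd` values discussed above. The directory contents are constructed, and the entry names under each OU, the `sub` default for an omitted scope and the naive comma split of DNs are assumptions. It counts only how many entries fall inside each search scope and which accounts are found; server-side indexing is not modelled.

```python
# Constructed sample DIT: DN -> True if the entry is an account (posixAccount).
DIT = {
    "dc=ab,dc=com": False,
    "ou=Accounts,dc=ab,dc=com": False,
    "ou=People,ou=Accounts,dc=ab,dc=com": False,
    "uid=alice,ou=People,ou=Accounts,dc=ab,dc=com": True,
    "uid=bob,ou=People,ou=Accounts,dc=ab,dc=com": True,
    "ou=Computers,ou=Accounts,dc=ab,dc=com": False,
    "uid=ws01$,ou=Computers,ou=Accounts,dc=ab,dc=com": True,
    "ou=Groups,dc=ab,dc=com": False,
    "cn=staff,ou=Groups,dc=ab,dc=com": False,
    "ou=Hosts,dc=ab,dc=com": False,
    "ou=Site1,ou=Hosts,dc=ab,dc=com": False,
    "ou=Rack2,ou=Site1,ou=Hosts,dc=ab,dc=com": False,
    "cn=db01,ou=Rack2,ou=Site1,ou=Hosts,dc=ab,dc=com": False,
}

def rdns(dn):
    # Naive split: ignores escaped commas, which is enough for the sample DNs.
    return [r.strip().lower() for r in dn.split(",")]

def parse_nss_base(value):
    """Split a 'base?scope' value; assume 'sub' when the scope is omitted."""
    base, _, rest = value.partition("?")
    scope = rest.split("?")[0] or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: " + scope)
    return base, scope

def in_scope(dn, base, scope):
    e, b = rdns(dn), rdns(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False  # entry is not at or below the search base
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def lookup_footprint(nss_base, dit=DIT):
    """Return (number of entries inside the search scope, account DNs found)."""
    base, scope = parse_nss_base(nss_base)
    scoped = [dn for dn in dit if in_scope(dn, base, scope)]
    return len(scoped), sorted(dn for dn in scoped if dit[dn])

if __name__ == "__main__":
    for setting in ("dc=ab,dc=com?sub",
                    "ou=Accounts,dc=ab,dc=com?sub",
                    "ou=People,ou=Accounts,dc=ab,dc=com?one"):
        count, accounts = lookup_footprint(setting)
        print(f"{setting}: {count} entries in scope, {len(accounts)} accounts")
```

In this sample the `?one` search under ou=People does not return the machine account in ou=Computers, while the `?sub` search under ou=Accounts returns both people and machines without covering the rest of the tree.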
