Paul Gienger wrote:
|
|> | 1. In what situation do I need People group as the group for
|> | machines?
|>
|> In the case where you use:
|> nss_base_passwd ou=Users,dc=ab,dc=com?one
|>
|> If you use:
|> nss_base_passwd dc=ab,dc=com?sub
|
|
| Would people please stop suggesting this without explaining the
| ramifications?
When people stop giving the other reply (that it is impossible).
| If you do this, you are going to (theoretically)(1)
| severely harm the performance on your server.
Yes, for only the LDAP clients which are samba servers.
| Setting the nss library
| to do a search on the 'entire' directory every time it needs to look up
| user information is asinine to put it in a word.
That really depends on the structure of your LDAP server.
And, you are also ignoring the fact that nss_ldap will use a search filter for the specific user - and doing a search for "(&(objectclass=posixAccount)(uid=xxxx))" isn't going to be much slower for most small implementations. Then of course, there's always nscd ...
If you've tuned your LDAP server, it should be getting most of the entries out of cache anyway.
| It's like doing this
| in DNS terms... rather than looking for a machine named
| 'something.else.com' in the dns servers for else.com you go ask .com who
| then goes in and asks else.com by proxy. Doing the first example (the
| one searching with ?one) you are restricting searches to a respectable
| scope, doing the second you are searching all OUs which may be numerous
| and deep (in our LDAP tree we have 10 OUs, two of which are at least 3
| levels deep).
If your OUs are so deep, you should be able to have a deeper search filter. I suggested reducing the depth of the search by one level and increasing the scope. If there was already a huge and complex DIT, that still would not have made a big impact.
| You would be better served by defining ou=Computers and ou=People under
| something like ou=Accounts (which would give you DNs of
| ou=Computers,ou=Accounts,dc=ab,dc=com and
| ou=People,ou=Accounts,dc=ab,dc=com)
|
Sure, but the user *first* wanted to get something working ... he didn't ask on the generic LDAP list how to structure his directory for efficient searching (the samba list is the wrong place to ask these questions anyway).
| and then set:
| nss_base_passwd ou=Accounts,dc=ab,dc=com?sub
|
|
| Note that I'm not saying that doing a sub search is necessarily bad,
| just when you are searching your entire ldap DIT, especially for
| something that happens as often as passwd lookups.
If your LDAP server is tuned and indexed well enough, queries that happen so often should cost nothing.
| (1) I say theoretically because I've never tried it, it's a Bad Idea(C)
| from the word go. There are a lot of other things that I haven't tried
| that are bad ideas but I can safely say they are also dangerous, such as
| sticking forks in my eyes and jumping off cliffs.
Regards, Buchan
--
Buchan Milne
Senior Support Technician
Obsidian Systems
http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
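The scope argument the thread is arguing about (`?one` under one OU versus `?sub` from the suffix, or from an intermediate `ou=Accounts`) can be made concrete by evaluating `nss_base_passwd` against a toy DIT. This is an added example, not code from the thread or from nss_ldap; the DIT entries are constructed, the default scope of `sub` when the field is empty is an assumption, and only leaf account entries are counted, not the `ou=` containers themselves.

```python
"""Toy evaluation of nss_ldap's 'nss_base_passwd base?scope?filter' syntax.

Added example for illustration; the DIT below is constructed, not a real one.
"""

# Constructed DIT for the layout in the original question: People and
# Computers are siblings directly under the suffix.
FLAT_DIT = [
    "uid=alice,ou=People,dc=ab,dc=com",
    "uid=bob,ou=Staff,ou=People,dc=ab,dc=com",   # one level deeper than alice
    "uid=ws01$,ou=Computers,dc=ab,dc=com",      # samba machine account
    "cn=admins,ou=Groups,dc=ab,dc=com",
]

# Constructed DIT for the suggested layout: both account OUs under ou=Accounts.
ACCOUNTS_DIT = [
    "uid=alice,ou=People,ou=Accounts,dc=ab,dc=com",
    "uid=ws01$,ou=Computers,ou=Accounts,dc=ab,dc=com",
    "cn=admins,ou=Groups,dc=ab,dc=com",
]


def dn_parts(dn):
    """Split a DN into lower-cased RDNs, leftmost (most specific) first."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(dn, base, scope):
    """LDAP scope semantics: base = the base entry only, one = its direct
    children, sub = the base and every descendant."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                      # not under this base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_nss_base(value):
    """Split 'base?scope?filter'; an empty scope falls back to sub (assumed)."""
    parts = value.split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    return parts[0], scope, parts[2] if len(parts) > 2 else ""


def lookup_uid(dit, nss_base_passwd, uid):
    """DNs a getpwnam(uid) lookup would find with this nss_base_passwd setting."""
    base, scope, _ = parse_nss_base(nss_base_passwd)
    return [dn for dn in dit
            if dn_parts(dn)[0] == f"uid={uid.lower()}" and in_scope(dn, base, scope)]


def scanned(dit, nss_base_passwd):
    """Entries inside the search scope: the candidate set on an unindexed server."""
    base, scope, _ = parse_nss_base(nss_base_passwd)
    return sum(in_scope(dn, base, scope) for dn in dit)
```

With the flat layout, `ou=People,dc=ab,dc=com?one` never sees the machine account (or bob, one OU deeper), `dc=ab,dc=com?sub` sees everything including the groups OU, and the `ou=Accounts` variant finds both account types while excluding the rest of the tree.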
