Andrew Reilly wrote:
Nope I sure don't, but that still doesn't make it a good idea. In our setup at present, I'm pretty sure that our servers are way overmatched (too much horsepower) for what they are doing, and our DIT isn't anywhere near big enough to cause painful searches. I can see where it would very easily get out of hand with a growing environment that is designed badly from the start, and then you just can't find a way to migrate it back to sanity without major pain. Or a sloppy admin could put a uid in a bad location and really start to make things messy. For these reasons it is preferable to do it right the first time, as painful as it may seem on the front end.

Maybe so, but this also incurs the extra overhead of searching the entire DIT for account information. While it is true that you can most likely tune your directory server to guard against performance issues, widening your search scope is a Bad Thing (TM), especially if you store much besides posix account information.
Would be interested if you have any metrics regarding
load differences on LDAP directories for the two types
of searches. Particularly if they also include the
size of the directory and the number of searches per
second.
I'm going to be testing (in the next couple days hopefully) a method of aliasing the People and Computers OUs into one to see if that works better than overly broadening the base search. Since we'll have a few things that check against the users tree, we don't like having the computer accounts in there either, but it would be easy enough to script out that if the last char is $ it should be excluded from any search.
Haven't done any hard performance testing myself, but we have not noticed a marked performance difference between the two configurations to date. We reasoned that this change only needs to be done for unix servers running samba, rather than all unix servers on the network. As a result a small subset of searches are larger, but the majority of servers work with a reduced number of objects in the People OU, and we have negated the possibility of those accounts being used for nefarious purposes on the vast majority of our unix servers that do not use samba but do use NSS LDAP.
cheers,
andrew
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto: [EMAIL PROTECTED]
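As an added illustration (not from either poster), here are the two nss_ldap search-base settings the thread compares, side by side: the broad whole-DIT search, and the narrowed People-OU search with a filter that keeps Samba machine trust accounts (uid ending in $) out of the unix passwd map. It assumes nss_ldap's `base?scope?filter` syntax for `nss_base_*` keys, and the suffix dc=example,dc=com is a placeholder.

```ini
# /etc/ldap.conf (nss_ldap) -- added example, not taken from the thread.
# dc=example,dc=com is a placeholder suffix.

# Broad setting (what the thread warns against on non-Samba hosts):
# every passwd lookup searches the entire DIT with subtree scope, so any
# posixAccount anywhere in the tree, including machine trust accounts in
# the Computers OU, becomes a valid unix login on this host.
base dc=example,dc=com
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group  dc=example,dc=com?sub

# Narrowed setting (for the majority of unix hosts that use NSS LDAP but
# not Samba): passwd/shadow lookups stay inside the People OU, one level
# deep, and the filter excludes any entry whose uid ends in '$', which is
# how Samba names machine trust accounts. Fewer objects per search, and
# machine accounts cannot be used to log in here.
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one?(!(uid=*$))
nss_base_shadow ou=People,dc=example,dc=com?one?(!(uid=*$))
nss_base_group  ou=Groups,dc=example,dc=com?one
```

Only the hosts that actually run Samba need the wider base so that they can resolve machine accounts; everything else can stay on the narrowed stanza.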