> I would like to have a DIT similar to this for my Samba server :
>
> ou=People,dc=domain,dc=com: users accounts
> ou=Group,dc=Domain,dc=com: groups
> ou=Hosts,dc=domain,dc=com: machine accounts
> ou=Samba,dc=domain,dc=com: Samba specific stuff, such as sambaDomain,
> sambaUnixIdPool, etc
>
> My understanding is that "ldap [user|group|machine] suffix" is relative
> to "ldap suffix". Example :
>
> ldap suffix = dc=domain,dc=com
> ldap user suffix = ou=People
>
> Thus, the effective "ldap user suffix" would be ou=People,dc=domain,dc=com.
>
> This does not match the DIT I would like to achieve, as I would need to
> specify "lateral" suffix for user, group, machine. I tried :
>
> ldap suffix = ou=Samba,dc=domain,dc=com
> ldap user suffix = ou=People,dc=domain,dc=com
> ...
>
> But it does not work. Any idea how to achieve that ?
>
> The reason I would like to design my DIT in such a way is strictly
> cosmetic, as I would prefer not to clutter the root with sambaDomain and
> sambaUnixIdPool entry.

I'd recommend creating something like

  ou=SAM,dc=domain,dc=...
  ou=People,ou=SAM,dc=domain,dc=...
  ou=Groups,ou=SAM,dc=domain,dc=...
  ou=Hosts,ou=SAM,dc=domain,dc=...

And keep everything Samba (or NSS) uses under the ou=SAM.

This totally avoids (a) having to do root level sub searches, which are always bad, especially as your DIT grows to contain other stuff, (b) lets you partition the PDC stuff off from the rest of your DIT, good if you want it to have its own server or Samba decides to implement their own LDAP server, you can just place it in your DIT without having to refactor anything and (c) makes it easier to delegate the permissions peculiar to PDC operations.

If you really want an ou=People at the root that is still possible, you simply use a subordinate proxy to place the contents of ou=People,ou=SAM,... at ou=People,dc=domain,... then mail clients can query what they expect to find and you can also drop out all the attributes and objectclasses they don't need to see.
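
An added example, not part of the original thread or of Samba's own code: it resolves the search bases for the attempted "lateral" configuration and for the ou=SAM layout, then checks that every base stays inside the subtree to be delegated. It assumes sub-suffixes are appended to "ldap suffix" as described in the question, uses dc=domain,dc=com from the question as the base DN, and all helper names are hypothetical.

```python
import configparser

# Constructed smb.conf fragments; dc=domain,dc=com is the base DN used in the question.
ATTEMPTED = """
[global]
ldap suffix = ou=Samba,dc=domain,dc=com
ldap user suffix = ou=People,dc=domain,dc=com
"""
RECOMMENDED = """
[global]
ldap suffix = ou=SAM,dc=domain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Hosts
"""
SUB_SUFFIXES = ("ldap user suffix", "ldap group suffix", "ldap machine suffix")

def normalize(dn):
    """Lower-case a DN and trim each RDN (simplification: no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def effective_bases(smb_conf_text):
    """Return {parameter: effective search base}, treating sub-suffixes as relative."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(smb_conf_text)
    glob = parser["global"]
    base = normalize(glob["ldap suffix"])
    bases = {"ldap suffix": base}
    for key in SUB_SUFFIXES:
        rel = glob.get(key, "").strip()
        # An unset sub-suffix falls back to the main suffix.
        bases[key] = normalize(rel) + "," + base if rel else base
    return bases

def outside_subtree(bases, subtree):
    """Parameters whose effective base is not at or below `subtree`."""
    root = normalize(subtree)
    return sorted(k for k, dn in bases.items()
                  if dn != root and not dn.endswith("," + root))

def doubled_root(bases, directory_root):
    """Parameters whose base repeats the root: an absolute DN in a relative setting."""
    root = normalize(directory_root)
    return sorted(k for k, dn in bases.items() if dn.count(root) > 1)

if __name__ == "__main__":
    for name, text in (("attempted", ATTEMPTED), ("recommended", RECOMMENDED)):
        bases = effective_bases(text)
        print(name, bases)
        print("  doubled root:", doubled_root(bases, "dc=domain,dc=com"))
        print("  outside ou=SAM:", outside_subtree(bases, "ou=SAM,dc=domain,dc=com"))
```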