> >>>>It appears that you have users stored in one OU and Computers stored
> >>>>in another OU. I don't believe this is supported right now. (I believe
> >>>>this is because PAM will only search one OU for a UNIX user instead of
> >>>>multiples.)
> >>>NSS will only search one OU for account type objects; and both machines
> >>>and user are accounts.
> >>While quite correct in most instances, it somewhat confuses the issue to
> >>state this.
> >>NSS will search one SCOPE for whatever it is you're looking
> >The term "scope" in LDAP refers only to the depth of the search
> >performed: base, one, or sub. A search has four components: root,
> >filter, scope, and context (the security credentials of the users, their
> >source IP address, etc...). It is entirely correct to refer to the,
> >albeit subordinate, contents of an OU as contents of that OU.
> Ok, I'll accept bashing on that one... I was searching for a generalized
> term to apply. AFAIK, there's no reason you have to limit your search to
> an OU object class, unless the documentation is hiding that fact
> somewhere that I've not run across.

Assuming you mean: do containers have to be "organizationalUnit" objects?
No. In fact, many times it seems wrong, but it is a very well entrenched
standard practice. You may use any objectclass as a container so long as
your local content rules/policies (if any) permit it.

The proper general term you're looking for is "container", but most newbies
won't know what you mean. A "container" is 'a non-leaf object within a
Dit', where a "leaf" object is 'an object within a Dit which has no
subordinates'. Delightfully recursive!

> That's the crux of what I was getting at, saying that the terminology
> "OU" is unnecessarily restrictive. Feel free to point me towards
> enlightenment if I'm wrong.
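
An added illustration, not part of the original thread: a small in-memory model of the base/one/sub scope semantics and the container/leaf definition discussed above, showing why a lookup rooted at a single container misses accounts held in a sibling container. The DIT, the DNs, the `posixAccount` filter and the helper names are constructed assumptions, and DN handling is naive comma-splitting that is only adequate for this sample.

```python
# Constructed sample DIT (assumption, not from the thread): DN -> objectClass list.
DIT = {
    "dc=example,dc=org": ["domain"],
    "ou=Users,dc=example,dc=org": ["organizationalUnit"],
    "uid=alice,ou=Users,dc=example,dc=org": ["posixAccount"],
    "ou=Computers,dc=example,dc=org": ["organizationalUnit"],
    "uid=ws01$,ou=Computers,dc=example,dc=org": ["posixAccount"],
    # A container that is not an organizationalUnit.
    "cn=Staging,dc=example,dc=org": ["organizationalRole"],
    "uid=bob,cn=Staging,dc=example,dc=org": ["posixAccount"],
}


def norm(dn):
    """Normalise a DN for comparison (naive: no escaped commas handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent(dn):
    """DN of the immediate superior, or '' for a single-RDN name."""
    return norm(dn).partition(",")[2]


def search(dit, base, scope, flt=lambda classes: True):
    """Return the DNs selected by a search base, a scope and a filter."""
    base_n = norm(base)
    hits = []
    for dn, classes in dit.items():
        n = norm(dn)
        if scope == "base":      # the base object only
            in_scope = n == base_n
        elif scope == "one":     # immediate subordinates, base excluded
            in_scope = parent(dn) == base_n
        elif scope == "sub":     # base object plus every subordinate
            in_scope = n == base_n or n.endswith("," + base_n)
        else:
            raise ValueError("scope must be base, one or sub")
        if in_scope and flt(classes):
            hits.append(dn)
    return sorted(hits)


def is_container(dit, dn):
    """A container is a non-leaf entry: it has at least one subordinate."""
    return bool(search(dit, dn, "one"))


def is_account(classes):
    """Filter standing in for (objectClass=posixAccount)."""
    return "posixAccount" in classes
```

A subtree search rooted at `ou=Users` never sees `uid=ws01$`, while the same filter rooted at `dc=example,dc=org` returns all three accounts, including the one under the non-OU container.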