Hi Volker,

Thank you very much for responding to my question.

I understand that there must be a reason that samba doesn't read the "ldap user suffix". However, it doesn't make sense to include the parameters in the configuration file because it's not true that this option is going to work. It's confusing when reading or understanding the settings. Also, it makes you feel that you are doing something wrong with its settings and that's why it doesn't work, since the man page says that it's the way it's going to work.

       ldap user suffix (G)
              This parameter specifies where users are added to the tree. If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the ldap suffix string so use a partial DN.

              Default: ldap user suffix =

              Example: ldap user suffix = ou=people

and the release notice says:

============
LDAP Changes
============

If "ldap user suffix" or "ldap machine suffix" are defined in
smb.conf, all user-accounts must reside below the user suffix,
and all machine and inter-domain trust-accounts must be located
below the machine suffix. Previous Samba releases would fall
back to searching the 'ldap suffix' in some cases.


So when you explain to the team that it's being ignored from the configuration with "ldap_xx_suffix", others will think ... uhmmmm... what is wrong here since the document says it's the option to set it to work.

I see that it does read "ldap group suffix" to get the groups privilege. There must be a way to fix this bug. If not, it would be better to remove it from the configuration as well as the documents. The old version didn't have it and only used 'ldap suffix', which makes sense since it's true that it is the only option to make it work.

-Tri.

Volker Lendecke wrote:
On Fri, Oct 13, 2006 at 02:30:23PM -0700, Tri Tu wrote:
Seems like there is a bug in samba configuration with the version 3.0.22 or later that it doesn't read the configuration variable within the smb.conf for ldap settings:

ldap user suffix =

We are not consistent here, true. In what sense does it
really cause a problem for you instead of being a bit
inconvenient in the log file?

My general idea with the ldap_xx_suffix parameters would in
general be to use them only when we create new objects and
when searching do subtree level searches starting from 'ldap
suffix' always. The inconsistent search behaviour has caused
quite a number of bugs already, in particular with idmap and
group mapping.

So would anybody object if we changed the use of the
ldap_xx_suffix parameters to be only used when creating
objects?

Thanks,

Volker
