need clarification of the use of:

ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix

smb.conf.5 indicates you should have a fully qualified suffix such as:

ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom

as demonstrated by:

Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org

and

Example: ldap group suffix ou=Groups,dc=samba,ou=Groups

(which, btw, is not a good example)

However, it appears from a log level 5 that this happens:

[2005/08/17 11:05:57, 5] lib/smbldap.c:smbldap_search_ext(980)
  smbldap_search_ext: base => [ou=Groups,dc=blah,dc=com,dc=blah,dc=com], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope => [2]

It combines two suffixes. Which is the correct behavior?

I see utils/net_rpc_samsync.c seems to think the prior is true.

This behavior is consistent all the way back to 3.0.11.

Cheers,

Bill

William Jojo wrote:
> need clarification of the use of:
>
> ldap suffix
> ldap machine suffix
> ldap user suffix
> ldap idmap suffix
>
> smb.conf.5 indicates you should have a fully qualified suffix such as:
>
> ldap suffix = dc=blah,dc=com
> ldap machine suffix = ou=People,dc=blah,dc=com
> ldap user suffix = ou=People,dc=blah,dc=com
> ldap group suffix = ou=Groups,dc=blah,dc=com
> ldap idmap suffix = ou=Idmap,dc=blah,dc=dom

The man page is wrong. You can use a full DN only if
'ldap suffix' is an empty string.

cheers, jerry

On Wed, 17 Aug 2005, John H Terpstra wrote:
> On Wednesday 17 August 2005 09:15, William Jojo wrote:
> > need clarification of the use of:
> >
> > ldap suffix
> > ldap machine suffix
> > ldap user suffix
> > ldap idmap suffix
> >
> > smb.conf.5 indicates you should have a fully qualified suffix such as:
> >
> > ldap suffix = dc=blah,dc=com
> > ldap machine suffix = ou=People,dc=blah,dc=com
> > ldap user suffix = ou=People,dc=blah,dc=com
> > ldap group suffix = ou=Groups,dc=blah,dc=com
> > ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
>
> It is sufficient to specify:
>
> ldap suffix = dc=foobar,dc=biz
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
>
> Samba will take care of the catenation. These will all be expanded correctly.
> For example the 'ldap user suffix' will be expanded to:
>

Thanks, John. I failed to indicate that this is how I currently use it. I
wanted to clear up the confusion as I know you like documentation to be
very clear and concise. :-) :-)

Cheers,

Bill

> ldap machine suffix = ou=Computers,dc=foobar,dc=biz
>
> - John T.
>
> > as demonstrated by:
> >
> > Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org
> >
> > and
> >
> > Example: ldap group suffix
> > ou=Groups,dc=samba,ou=Groups
> >
> > (which, btw, is not a good example)
> >
> > However, it appears from a log level 5 that this happens:
> >
> > [2005/08/17 11:05:57, 5] lib/smbldap.c:smbldap_search_ext(980)
> > smbldap_search_ext: base => [ou=Groups,dc=blah,dc=com,dc=blah,dc=com],
> > filter
> > => [(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope => [2]
> >
> > It combines two suffixes. Which is the correct behavior?
> >
> > I see utils/net_rpc_samsync.c seems to think the prior is true.
> >
> > This behavior is consistent all the way back to 3.0.11.
> >
> > Cheers,
> >
> > Bill
>
> --
> John H Terpstra, CTO
> PrimaStasys Inc.
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.

On Wednesday 17 August 2005 09:15, William Jojo wrote:
> need clarification of the use of:
>
> ldap suffix
> ldap machine suffix
> ldap user suffix
> ldap idmap suffix
>
> smb.conf.5 indicates you should have a fully qualified suffix such as:
>
> ldap suffix = dc=blah,dc=com
> ldap machine suffix = ou=People,dc=blah,dc=com
> ldap user suffix = ou=People,dc=blah,dc=com
> ldap group suffix = ou=Groups,dc=blah,dc=com
> ldap idmap suffix = ou=Idmap,dc=blah,dc=dom

It is sufficient to specify:

ldap suffix = dc=foobar,dc=biz
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

Samba will take care of the catenation. These will all be expanded correctly.
For example the 'ldap user suffix' will be expanded to:

ldap machine suffix = ou=Computers,dc=foobar,dc=biz

- John T.

> as demonstrated by:
>
> Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org
>
> and
>
> Example: ldap group suffix
> ou=Groups,dc=samba,ou=Groups
>
> (which, btw, is not a good example)
>
> However, it appears from a log level 5 that this happens:
>
> [2005/08/17 11:05:57, 5] lib/smbldap.c:smbldap_search_ext(980)
> smbldap_search_ext: base => [ou=Groups,dc=blah,dc=com,dc=blah,dc=com],
> filter
> => [(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope => [2]
>
> It combines two suffixes. Which is the correct behavior?
>
> I see utils/net_rpc_samsync.c seems to think the prior is true.
>
> This behavior is consistent all the way back to 3.0.11.
>
> Cheers,
>
> Bill

--
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

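Added example, not part of the original thread and not Samba's own code: a Python check of the behaviour described in the replies above, where each sub-suffix is appended to 'ldap suffix'. It flags sub-suffixes written as full DNs, which produce the doubled search base seen in the log. The sample smb.conf is constructed, and treating an empty 'ldap suffix' as "use the sub-suffix as is" is an assumption taken from Jerry's reply.

```python
import configparser

SUB_KEYS = ("ldap machine suffix", "ldap user suffix",
            "ldap group suffix", "ldap idmap suffix")

# Constructed sample: two sub-suffixes repeat the base DN, as in the question.
SAMPLE_SMB_CONF = """
[global]
ldap suffix = dc=blah,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap, DC=blah, DC=com
"""

def norm(dn):
    """Normalise a simple DN for comparison (no escaped commas handled)."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return ",".join("=".join(p.strip().lower() for p in r.split("=", 1))
                    for r in rdns)

def effective_base(sub, base):
    """Search base as described in the thread: sub-suffix + ',' + ldap suffix."""
    if not sub:
        return base
    if not base:
        return sub  # assumption from Jerry's reply: full DN only with empty base
    return f"{sub},{base}"

def check(conf_text):
    """Return {parameter: (effective search base, repeats_base_dn)}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    glob = cp["global"]
    base = glob.get("ldap suffix", fallback="").strip()
    report = {}
    for key in SUB_KEYS:
        sub = glob.get(key, fallback="").strip()
        if not sub:
            continue
        n_sub, n_base = norm(sub), norm(base)
        doubled = bool(n_base) and (n_sub == n_base
                                    or n_sub.endswith("," + n_base))
        report[key] = (effective_base(sub, base), doubled)
    return report

if __name__ == "__main__":
    for key, (dn, doubled) in check(SAMPLE_SMB_CONF).items():
        print(f"{'FIX' if doubled else 'ok ':3} {key}: search base => [{dn}]")
```
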
On Wed, Aug 17, 2005 at 09:30:31AM -0600, John H Terpstra wrote:
> It is sufficient to specify:
>
> ldap suffix = dc=foobar,dc=biz
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
>
> Samba will take care of the catenation. These will all be expanded correctly.
> For example the 'ldap user suffix' will be expanded to:
>
> ldap machine suffix = ou=Computers,dc=foobar,dc=biz
>

Over here I have a dead tree copy of Samba-3 by Example
which says in Chapter 6, paragraph 3.5
LDAP Initialization and Creation of User Group Accounts

 NOTE
 ...
 By placing all machine accounts in the People container,
 we were able to side-step this bug.

So it seems the bug, that prevents samba from being able to search
the LDAP database for computer accounts if they are placed in
the Computers container, is gone.

My questions:
* the version with the bug, did they work with

   ldap suffix = dc=foobar,dc=biz
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers,ou=People

  in smb.conf successfully?

* In which version was the bug fixed?

Cheers
Geert Stappers