blob: 2e4e1dbd7cb4de816b833d7824d32525bdcd9507 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
<samba:parameter name="ldapsam:trusted"
context="G"
type="string"
advanced="1" developer="0"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to
access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group
this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he
is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS
counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
are used to deal with user and group attributes lack such optimization.
</para>
<para>
To make Samba scale well in large environments, the <smbconfoption name="ldapsam:trusted">yes</smbconfoption>
option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
stored together with the POSIX data in the same LDAP object. If these assumptions are met,
<smbconfoption name="ldapsam:trusted">yes</smbconfoption> can be activated and Samba can bypass the
NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and
administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
is easily achieved.
</para>
</description>
<value type="default">no</value>
</samba:parameter>
|