lists.arthurdejong.org

Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap




Ah, I understand.  I don't see a way around your problem then.  If admins can simply add OUs willy-nilly, then you will always have problems (unless you specify the root of the domain as your search base).  We have that problem to a limited extent (executives are in their own container for some silly reason), but the list of exceptions is very small here.

Jeffrey.

2010/2/23 Илья Шипицин <chipitsine [at] gmail.com>

In multi-site AD there are many OUs with users, and when the proxy user
reads AD, it cannot read the userPassword attribute (which is possible in
the case of OpenLDAP).
There is no readable password field in the case of Active Directory, so
the proxy user can only "find" where a certain user actually "lives", but
after that there must be a second operation: bind with the supplied
credentials (yes! we already found the full DN!). Also, despite numerous
nss_base_* variables... administrators just add OUs as they want to; I
cannot predict that. So, I cannot specify all the OUs.
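
An added example, not part of the original messages: a Python check for the coverage problem discussed in this thread. Given `nss_base_passwd`-style values and a list of user DNs, it reports which users fall outside every configured base, and shows that one base at the domain root covers them all. The function names, the `example.com` domain and all DNs are constructed for illustration; DN comparison is simplified to case-insensitive RDN matching, and a missing scope is assumed to mean `sub`.

```python
def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ",":              # unescaped comma ends the RDN
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns]

def parse_base(entry):
    """'ou=Staff,dc=example,dc=com?one' -> (rdns, scope)."""
    parts = entry.split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"  # assumed default
    return split_dn(parts[0]), scope

def covered(user_dn, base_entry):
    """True if a search at this base and scope would reach user_dn."""
    user = split_dn(user_dn)
    base, scope = parse_base(base_entry)
    if len(user) <= len(base) or user[-len(base):] != base:
        return False
    # 'one' reaches only direct children of the base; 'sub' reaches any depth
    return scope == "sub" or len(user) == len(base) + 1

def uncovered_users(user_dns, bases):
    """User DNs that no configured base reaches (invisible to NSS lookups)."""
    return [dn for dn in user_dns if not any(covered(dn, b) for b in bases)]

# Constructed sample data
BASES_PER_OU = ["ou=Staff,dc=example,dc=com?one",
                "ou=Executives,dc=example,dc=com?one"]
BASE_ROOT = ["dc=example,dc=com?sub"]
USERS = [
    "CN=Alice,OU=Staff,DC=example,DC=com",
    "CN=Bob,OU=Executives,DC=example,DC=com",
    "CN=Carol,OU=Branch7,DC=example,DC=com",        # OU added later by an admin
    "CN=Smith\\, Dave,OU=Staff,DC=example,DC=com",  # escaped comma in the CN
    "CN=Eve,OU=Temp,OU=Staff,DC=example,DC=com",    # nested below a 'one' base
]

if __name__ == "__main__":
    print("missed with per-OU bases:", uncovered_users(USERS, BASES_PER_OU))
    print("missed with domain root: ", uncovered_users(USERS, BASE_ROOT))
```

Run against a real export of user DNs, the first list is the set of accounts that exist in the directory but cannot log in or be resolved on hosts using the per-OU configuration.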