Samba should support dereferencing aliased objects in LDAP (most LDAP based applications support this). This allows one to do interesting things like maintaining Samba in a separate base ou (ou=Samba,dc=example,dc=net), but still allowing Samba to see the posixAccounts under (ou=People,dc=example,dc=net) using alias objects for groups and/or accounts. If you use ldap deref = searching, Samba will see the posixAccounts that you have created aliases for under the separate base ou, but will attach the Samba account to the aliased object itself instead of the posixAccount object. This makes it possible to have one posixAccount belong to separate domains.
Created attachment 966 [details] LDAP Deref Support Adds LDAP alias dereferencing support. Applies cleanly against Samba 3.0.(9,10,11). I've been using this in production for a number of months now just fine. Adds smb.conf option: ldap deref = (never | searching | finding | always) These are LDAP standard options.
Thank you very much. A slightly modified version is in master now. The default of ldap deref is "default", which means the settings from the global ldap.conf are being used.
Will be included in Samba 3.5.0pre2 and higher.