[LDAP] ldap.c modifications

childern at gactr.uga.edu childern at gactr.uga.edu
Tue Dec 21 13:27:51 GMT 1999

I am using samba to control a small NT domain with all authentication coming
from an LDAP server.  While building my LDAP server I organized the users into
'ou=People, o=foo, c=us' , groups into 'ou=Groups, o=foo, c=us' and so on.

I installed and configured the nss_ldap and pam_ldap to provide unix services
and was in the process of implementing the LDAP code in samba.  Compilation
went fine, (Slackware 7.0 and openldap-1.2.8, samba-absolute-newest-cvs), and
the database would authenticate the PAM requests, but the samba server was
making a bad query.  While watching the verbose slapd logs I saw PAM doing a
query at 'scope=2' for 'uid=bar' and samba doing a query at 'scope=1' for
'uid=bar'.  I poked around in the passdb/ldap.c code and found the place where
the scope was set, found the corresponding variable in <ldap.h> and changed it
from LDAP_SCOPE_ONELEVEL to LDAP_SCOPE_SUBTREE.  <see diff -u below> ... and
it worked!

So, my question is this.  Is this a recommended change?  I know it's okay for
me, because it makes my system work, but what about Samba/LDAP?  I hope that
it is in that it allows for a 'better' organization of the ldap tree, but I
don't want to break my wonderful server in the name of better organization.

Nate Childers
nate at gactr.uga.edu

# diff -u ldap.c.orig ldap.c

--- ldap.c.orig Sun Dec 19 20:18:39 1999
+++ ldap.c      Sun Dec 19 20:18:51 1999
@@ -92,7 +92,7 @@

       DEBUG(2,("Searching in [%s] for [%s]n", lp_ldap_suffix(), filter));

-      err = ldap_search_s(ldap_struct, lp_ldap_suffix(), LDAP_SCOPE_ONELEVEL,
+      err = ldap_search_s(ldap_struct, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
                           filter, NULL, 0, &ldap_results);

       if(err != LDAP_SUCCESS) {
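
Review bot: At the ldap_search_s call, hardcoding LDAP_SCOPE_SUBTREE changes the search for every installation, and a subtree search from lp_ldap_suffix() can return more than one entry for the same filter when entries with the same uid exist in different branches below the suffix. Consider making the scope a configuration option that defaults to the existing LDAP_SCOPE_ONELEVEL, and check that the code following the if(err != LDAP_SUCCESS) test rejects a result set with more than one entry instead of using the first one, since this lookup feeds authentication.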

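The scope difference described in the message, as an added example that is not part of the original post or of Samba's code: a simplified model of one-level versus subtree matching over constructed directories. The `ou=Old` branch and the helper names are assumptions, and DN comparison is reduced to plain string matching on pre-normalised DNs.

```c
#include <stdio.h>
#include <string.h>

/* Scope values as printed in the slapd log (scope=1, scope=2). */
enum { SCOPE_ONELEVEL = 1, SCOPE_SUBTREE = 2 };

/* Constructed directories; DNs are pre-normalised (no spaces, one case). */
static const char *DIR_UNIQUE[] = {
    "o=foo,c=us", "ou=People,o=foo,c=us", "ou=Groups,o=foo,c=us",
    "uid=bar,ou=People,o=foo,c=us", NULL };
static const char *DIR_DUP[] = {   /* hypothetical second uid=bar under ou=Old */
    "o=foo,c=us", "ou=People,o=foo,c=us", "ou=Old,o=foo,c=us",
    "uid=bar,ou=People,o=foo,c=us", "uid=bar,ou=Old,o=foo,c=us", NULL };

/* RDN count between dn and base, or -1 if dn is not at or under base. */
static int depth_below(const char *dn, const char *base)
{
    size_t dl = strlen(dn), bl = strlen(base), i;
    int depth = 0;
    if (dl < bl || strcmp(dn + dl - bl, base) != 0) return -1;
    if (dl == bl) return 0;
    if (dn[dl - bl - 1] != ',') return -1;
    for (i = 0; i < dl - bl; i++)
        if (dn[i] == ',') depth++;
    return depth;
}

/* Count entries named rdn (e.g. "uid=bar") that the given scope reaches. */
int count_matches(const char **dir, const char *base, int scope, const char *rdn)
{
    size_t rl = strlen(rdn);
    int n = 0;
    for (; *dir; dir++) {
        int d = depth_below(*dir, base);
        int in_scope = (scope == SCOPE_ONELEVEL) ? (d == 1) : (d >= 0);
        if (in_scope && strncmp(*dir, rdn, rl) == 0 && (*dir)[rl] == ',')
            n++;
    }
    return n;
}

int main(void)
{
    const char *suffix = "o=foo,c=us";
    printf("onelevel: %d\n", count_matches(DIR_UNIQUE, suffix, SCOPE_ONELEVEL, "uid=bar"));
    printf("subtree: %d\n", count_matches(DIR_UNIQUE, suffix, SCOPE_SUBTREE, "uid=bar"));
    printf("subtree, duplicate uid: %d\n", count_matches(DIR_DUP, suffix, SCOPE_SUBTREE, "uid=bar"));
    return 0;
}
```

With the suffix as the base, the one-level search never reaches entries under `ou=People`, while the subtree search finds them and also returns two entries once the same uid exists in a second branch.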