More LDAP info

Gerald (Jerry) Carter jerry at samba.org
Wed Oct 10 09:50:02 GMT 2001


On 4 Oct 2001, Dana Canfield wrote:

> Attached is the patch to make pdb_ldap fall back to lp_* if the
> attributes aren't found in LDAP.  It's trivial, but at least it's tested
> and seems to do what it's supposed to.  Obviously you can yank out the
> DEBUG lines, or kick them up to a higher level if you like.

I'm going to look at this right now and apply it if everything is ok.

> 1) Although %m is expanded properly in these parameters, %u is expanded
> to nobody.  This seems to happen regardless of whether the parameter is
> defined in LDAP or is fallen through to the config file.  I'm guessing
> that the LDAP username doesn't get passed to the right places until
> after the ldap backend does its expansion, so it's defaulting to
> nobody.  I tried moving all the username related stuff in pdb_ldap up
> before the scriptPath related stuff, and although it compiled, it didn't
> help.  Again, all of this gets above my head pretty quick, but I'm
> trying. ;-)

ok.  I'll look.


> 2) If an attribute is not defined in LDAP when a user logs in, it ends
> up being set somewhere along the line by the time they log out.  For
> example, we don't define a scriptPath in LDAP for our users because we
> want machine-specific batch files to execute, based on what lab they are
> in, so we use a %m.bat line in smb.conf.  Now, the scriptPath is being
> set to the machine-name.bat of whatever machine they first log into.
> Even worse, the homeDirectory attribute is being updated in ldap to
> point to the value of smbHome.
>
> I can't think of any time when it would be a good idea for samba to
> automatically update somebody's scriptPath, smbHome, and especially the
> homeDirectory.

Can you send me a level 10 debug log of this?  Doesn't sound right.

> 3) The pwdMustChange works properly in the LDAP backend, and if it's not
> defined, the user gets a warning that their password must be changed.
> That makes it inconsistent with the way the smbpasswd backend works
> (which appears to hard-wire an expiration about a week in the future).
> I figured you were already aware of that, though.

ok.  I'll look.


cheers, jerry
 ---------------------------------------------------------------------
 www.samba.org              SAMBA Team              jerry_at_samba.org
 www.plainjoe.org                                jerry_at_plainjoe.org
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--




