More LDAP info
Gerald (Jerry) Carter
jerry at samba.org
Wed Oct 10 09:50:02 GMT 2001
On 4 Oct 2001, Dana Canfield wrote:
> Attached is the patch to make pdb_ldap fall back to lp_* if the
> attributes aren't found in LDAP. It's trivial, but at least it's tested
> and seems to do what it's supposed to. Obviously you can yank out the
> DEBUG lines, or kick them up to a higher level if you like.
I'm going to look at this right now and apply it if everything is ok.
> 1) Although %m is expanded properly in these parameters, %u is expanded
> to nobody. This seems to happen regardless of whether the parameter is
> defined in LDAP or is fallen through to the config file. I'm guessing
> that the LDAP username doesn't get passed to the right places until
> after the ldap backend does its expansion, so it's defaulting to
> nobody. I tried moving all the username related stuff in pdb_ldap up
> before the scriptPath related stuff, and although it compiled, it didn't
> help. Again, all of this gets above my head pretty quick, but I'm
> trying. ;-)
ok. I'll look.
> 2) If an attribute is not defined in LDAP when a user logs in, it ends
> up being set somewhere along the line by the time they log out. For
> example, we don't define a scriptPath in LDAP for our users because we
> want machine-specific batch files to execute, based on what lab they are
> in, so we use a %m.bat line in smb.conf. Now, the scriptPath is being
> set to the machine-name.bat of whatever machine they first log into.
> Even worse, the homeDirectory attribute is being updated in ldap to
> point to the value of smbHome.
>
> I can't think of any time when it would be a good idea for samba to
> automatically update somebody's scriptPath, smbHome, and especially the
> homeDirectory.
Can you send me a level 10 debug log of this? Doesn't sound right.
> 3) The pwdMustChange works properly in the LDAP backend, and if it's not
> defined, the user gets a warning that their password must be changed.
> That makes it inconsistent with the way the smbpasswd backend works
> (which appears to hard-wire an expiration about a week in the future).
> I figured you were already aware of that, though.
ok. I'll look.
cheers, jerry
---------------------------------------------------------------------
www.samba.org SAMBA Team jerry_at_samba.org
www.plainjoe.org jerry_at_plainjoe.org
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--