LDAP_EXOP_X_MODIFY_PASSWD macro was changed in OpenLDAP 2.1

Donny Davies djdavies at rogers.com
Mon May 12 01:17:52 GMT 2003


  Howard mentions in http://www.netsys.com/pamldap/2002/09/msg00050.html
that this macro was changed to LDAP_EXOP_MODIFY_PASSWD, which I checked
by grepping the openldap-2.1.9 source.  I'm sorry I havent recompiled
SAMBA and tested this but from Howard's message the fix looks like a no
brainer.  I stumbled onto this after trying to test, and getting error
in log, which led me to the samba source macro, which led me to openldap
source, which led me to google, which led me to the patch, hehe.

  Looks to me like passdb/pdb_ldap.c and param/loadparm.c need to be
updated to match this.  Not being too expert on this myself... so with
the `ldap password sync' I should be able to very easily keep the NT
and LDAP passwords in sync; a Windows client could use the Control
Panel change password  applet and be done with it then?  I look
forward to that if that's the case :)

  If you don't mind, I have a non-related question and being the little
sneak that I am, I'm going to slip it in here, since I came with a bug
report ;-)  I'm confused on the minimal entries that need to be
populated into the LDAP directory, in order for workstation accounts
to begin being allowed to be added.  In 2.2.x I'd normally add a `root'
user to the smbpasswd file, then at the workstation prompt for the
account with appropriate privelages, I'd use him and his password.
However using the ldapsam backend I'm just not sure what is needed.

  My /etc/passwd file has only 2 records; one for `root' and one for
`ldap' (because I start slapd as `ldap' of course ;-).  So the rest
of the users are in LDAP as posixAccounts (cron, apache, sshd, etc.)
Included in these is my user account, lets call him 'homer'.  Also
in the directory are my posixGroups (cron, apache, sshd, homer, etc)
including entries for `domadmin' `domguest' and `domusers', which
I've mapped using `net groupmap' (which by the way was a little
tricky as the docs have gone bad; it keeps changing).  So I mapped
the `domadmin' UNIX group to the NT `Domain Admins' group.  Or at
least I think I did anyway; this entry shows up with "...-512" SID
when I browse it, so I think that's correct.

  Finally I did an `smbpasswd -a homer' to get the sambaAccount
attributes in my user account entry.  So what am I trying to do?
Well, basically I'd like to know how I make that LDAP entry able
to do the workstation additions to the domain.  It seems to me,
that putting the user into the UNIX group `domadmin', mapping 
that group to the "Domain Admins" group, creating the first
machine account in UNIX and LDAP, should be all that's required,
shouldnt I now be able to walk to the box-to-be-joined-to-domain
and go through it?  Alas I tried adding an XP box but get
Access Denied.  I think it's because `homer' doesnt have privs
to do this, but I'm not sure, so I humble as for clarification.

  Is it because the uidNumber and gidNumber attributes are not 0?
They're both 56000 in this case.  I do not have a uid=root or
uidNumber=0 entry in my LDAP, because this account is in the
/etc/passwd, as I point out above.  So do I really need to make an
user called 'Administrator' in the directory?  An user called
'root'?  I figured I could just use -ANY- sambaAccount, so far
as he was flagged as being a "Domain Admin" no?

  I probably could have asked that in a simpler/clearer manner.
Essentially I know my way around somewhat, I've been over the
docs, the product keeps changing (hey thats cool, Im certainly
not opposed to that.  I can deal with the schema and other
changes, and am happy to follow).  I just would like to get
this settled in my mind, so that I can simply prepare a proper
skeleton amount of entries in the beginning, then proceed to
really build up the domain.

  Hopefully I've at least made it clear what I'm asking.


More information about the samba-technical mailing list