option ldap filter remove in 3.0.20

Ingo Steuwer steuwer at univention.de
Tue Sep 20 05:28:51 GMT 2005

On Monday, 19 September 2005 16:22, Gerald (Jerry) Carter wrote:
> Ingo Steuwer wrote:
> > Hello
> >
> > we realized that the option "ldap filter" was removed in
> > 3.0.20. As we need this option in one of our projects
> > to separate Users on different samba-instances/-servers
> > I'd like to know for what reason the option was removed?
> >
> > The SVN-Patch was small and changed only two files so we'd
> > like to reactivate this option using it. Is there any chance
> > for this to get back into SVN?
> The option didn't work, and was not always applied consistently.
> We had too many configuration errors by users who had misconfigured
> or misunderstood the option.  It was simply historical baggage.
> You can present your case, but it will take a lot of convincing.
> Perhaps if you give some specific examples of what filter you use.

The option did a good job in several samba releases for us. We use it to
define network- or location-based access for users using an LDAP attribute.

An example:
Three locations A, B and C each have their own PDC (no common WINS server)
based on the same LDAP. Location A has no ldap filter, B has filter
(&(uid=%u)(location=B)) and C has filter (&(uid=%u)(location=C)). I can decide
per user at which location he may work (he can always log in at A), while I've
got the complete address book and other LDAP stuff at each location.

This is far easier to administer than sambaUserWorkstations and can also be
used in other LDAP-based tools.

> Of course, it's a small change so you can always just keep it as
> a local change.

Sure, more work for us ;)

Ingo Steuwer

Ingo Steuwer       steuwer at univention.de         fon: +49 421 22 232- 0
Entwicklung        Linux for Your Business
Univention GmbH    http://www.univention.de/     fax: +49 421 22 232-99
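
The per-location filters described in this message, worked through as an added example (not code from the original mail or from Samba): a small Python model that expands %u and evaluates each site's filter against a constructed directory. The directory entries, the function names, the user-name check and the use of (uid=%u) to stand in for "no ldap filter" at location A are assumptions.

```python
import re

# Per-site filter templates from the mail; A's plain (uid=%u) is an assumption
# standing in for "no ldap filter".
SITE_FILTERS = {
    "A": "(uid=%u)",
    "B": "(&(uid=%u)(location=B))",
    "C": "(&(uid=%u)(location=C))",
}

# Constructed sample directory, shared by all three PDCs.
DIRECTORY = [
    {"uid": "anna", "location": "B"},
    {"uid": "bert", "location": "C"},
    {"uid": "carl"},  # no location attribute set
]

TERM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()*\\]+)\)")
SAFE_UID = re.compile(r"[A-Za-z0-9._-]+")

def expand(template, user):
    """Substitute %u, refusing names that contain filter metacharacters."""
    if not SAFE_UID.fullmatch(user):
        raise ValueError("unsafe user name for filter substitution")
    return template.replace("%u", user)

def parse_and(flt):
    """Parse '(a=b)' or '(&(a=b)(c=d)...)' into a list of (attr, value)."""
    inner = flt[2:-1] if flt.startswith("(&") and flt.endswith(")") else flt
    terms = TERM.findall(inner)
    if not terms or "".join(f"({a}={v})" for a, v in terms) != inner:
        raise ValueError(f"unsupported filter: {flt}")
    return terms

def matches(entry, terms):
    """True if every (attr, value) term equals the entry's attribute."""
    low = {k.lower(): str(v).lower() for k, v in entry.items()}
    return all(low.get(a.lower()) == v.lower() for a, v in terms)

def may_login(site, user):
    terms = parse_and(expand(SITE_FILTERS[site], user))
    return any(matches(e, terms) for e in DIRECTORY)

def login_matrix():
    """Map each constructed user to the sites whose filter finds them."""
    return {e["uid"]: [s for s in SITE_FILTERS if may_login(s, e["uid"])]
            for e in DIRECTORY}

if __name__ == "__main__":
    print(login_matrix())
```

A user without a location attribute is found only by the unfiltered site, which is the "he can always log in at A" behaviour described above.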
