option ldap filter remove in 3.0.20

Andrew Bartlett abartlet at samba.org
Tue Sep 20 05:42:34 GMT 2005


On Tue, 2005-09-20 at 07:28 +0200, Ingo Steuwer wrote:
> Am Montag, 19. September 2005 16:22 schrieb Gerald (Jerry) Carter:
> > Ingo Steuwer wrote:
> > > Hello
> > >
> > > we realized that the option "ldap filter" was removed in
> > > 3.0.20. As we need this option in one of our projects
> > > to separate users on different samba-instances/-servers,
> > > I'd like to know for what reason the option was removed.
> > >
> > > The SVN patch was small and changed only two files, so we'd
> > > like to reactivate this option using it. Is there any chance
> > > for this to get back into SVN?
> >
> > The option didn't work, and was not always applied consistently.
> > We had too many configuration errors by users who had misconfigured
> > or misunderstood the option.  It was simply historical baggage.
> >
> > You can present your case, but it will take a lot of convincing.
> > Perhaps if you give some specific examples of what filter you use.
> 
> The option did a good job in several samba releases for us. We use it to
> define network- or location-based access for users using an LDAP attribute.
> 
> An example:
> Three locations A, B and C each have their own PDC (no common WINS server) based
> on the same LDAP. Location A has no ldap filter, B has filter
> (&(uid=%u)(location=B)) and C has filter (&(uid=%u)(location=C)). I can decide
> per user at which location he may work (he can always log in at A), while I've
> got the complete address book and other LDAP stuff at each location.
> 
> This is far easier to administer than sambaUserWorkstations and can be
> used in other LDAP-based tools as well.

So, what you really want is a custom auth module at the top of the
stack that returns NO_SUCH_USER or INVALID_WORKSTATION for that user,
before consulting the rest of the auth stack.

This way the users still appear in the user picker (for assigning ACLs)
or other tools that use Samba's list of users.

Separate access control from what defines that list of users.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
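The distinction Andrew draws above, as an added illustration that is neither Samba code nor anything posted in the thread: a small Python model that evaluates the (&(uid=%u)(location=B)) style filter from Ingo's mail and contrasts the old "ldap filter" behaviour (the filter also shapes the user list) with an access decision taken at the top of the auth stack. The directory entries, site mapping and the RFC 4515 escaping of the substituted name are assumptions made for this example, not known behaviour of the removed option.

```python
import re
# Constructed sample directory (not from the thread): each user carries a 'location'.
DIRECTORY = [{"uid": "alice", "location": "B"}, {"uid": "bob", "location": "C"}]
# Per-site filters as described in the mail; site A applies no filter at all.
SITE_FILTERS = {"A": None, "B": "(&(uid=%u)(location=B))", "C": "(&(uid=%u)(location=C))"}
def escape_value(value):
    """RFC 4515 escaping so a user name cannot change the filter's structure (assumption)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def parse_filter(text):
    """Parse the subset used in the thread: (attr=value) and (&(f1)(f2)...)."""
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if not body.startswith("&"):
        attr, _, value = body.partition("=")
        return ("eq", attr, value)
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(parse_filter(body[start:i + 1]))
    return ("and", parts)

def evaluate(node, entry):
    if node[0] == "and":
        return all(evaluate(child, entry) for child in node[1])
    return entry.get(node[1]) == node[2]

def lookup_user(username, ldap_filter):
    """Substitute %u as the old option did (None = no filter, as at site A) and search."""
    node = parse_filter((ldap_filter or "(uid=%u)").replace("%u", escape_value(username)))
    return next((e for e in DIRECTORY if evaluate(node, e)), None)

def users_with_filter_option(site):
    """Old design: the site filter also decides who appears in the user list."""
    return [e["uid"] for e in DIRECTORY if lookup_user(e["uid"], SITE_FILTERS[site])]

def auth_module_check(username, site):
    """Andrew's design: list every user, decide access at the top of the auth stack."""
    if lookup_user(username, None) is None:
        return "NO_SUCH_USER"
    if lookup_user(username, SITE_FILTERS[site]) is None:
        return "INVALID_WORKSTATION"
    return "OK"
```

With the filter option, bob is invisible on site B's PDC; with the auth-module check he is still listed for ACL assignment but is refused at logon.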