option ldap filter remove in 3.0.20

Ingo Steuwer steuwer at univention.de
Tue Sep 20 08:41:04 GMT 2005


On Tuesday, 20 September 2005 07:42, Andrew Bartlett wrote:
> On Tue, 2005-09-20 at 07:28 +0200, Ingo Steuwer wrote:
> > On Monday, 19 September 2005 16:22, Gerald (Jerry) Carter wrote:
> > > Ingo Steuwer wrote:
> > > > Hello
> > > >
> > > > we realized that the option "ldap filter" was removed in
> > > > 3.0.20. As we need this option in one of our projects
> > > > to separate users on different samba-instances/-servers
> > > > I'd like to know for what reason the option was removed?
> > > >
> > > > The SVN patch was small and changed only two files, so we'd
> > > > like to reactivate this option using it. Is there any chance
> > > > for this to get back into SVN?
> > >
> > > The option didn't work, and was not always applied consistently.
> > > We had too many configuration errors by users who had misconfigured
> > > or misunderstood the option.  It was simply historical baggage.
> > >
> > > You can present your case, but it will take a lot of convincing.
> > > Perhaps if you give some specific examples of what filter you use.
> >
> > The option did a good job in several samba releases for us. We use it to
> > define network- or location-based access for users using a
> > ldap-attribute.
> >
> > In an example:
> > Three locations A, B and C each have their own PDC (no common WINS server)
> > based on the same LDAP. Location A has no ldap filter, B has the filter
> > (&(uid=%u)(location=B)) and C has the filter (&(uid=%u)(location=C)). I can
> > decide per user at which location he may work (he can always log in at A),
> > while I have the complete address book and other LDAP data at each
> > location.
> >
> > This is far easier to administer than sambaUserWorkstations and can
> > be used in other LDAP-based tools as well.
>
> So, what you really want is a custom auth module, at the top of the
> stack that returns NO_SUCH_USER or INVALID_WORKSTATION for that user,
> before consulting the rest of the auth stack.

Is there a plugin or module architecture for authentication in samba? Or are
you thinking of PAM?

> This way the users still appear in the user picker (for assigning ACLs)
> or other tools that use Samba's list of users.

That is exactly what we don't want here. Each location would see ~3000 users,
but only 50-250 of them are relevant, depending on the size of the location.

I think we will patch samba here to be compatible with the behaviour of 3.0.14
and try to change the concept in the future.

Ingo Steuwer

> Separate access control from what defines that list of users.
>
> Andrew Bartlett



-- 
Ingo Steuwer       steuwer at univention.de         fon: +49 421 22 232- 0
Entwicklung        Linux for Your Business
Univention GmbH    http://www.univention.de/     fax: +49 421 22 232-99
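The per-location "ldap filter" scheme Ingo describes, worked through as an added example (not code from the thread or from Samba): a small evaluator for the filter subset used above, with %u substituted using RFC 4515 escaping so that a username cannot alter the filter's structure. The directory entries and user names are constructed for the example; location A has no filter and therefore sees every user.

```python
import re

# Constructed sample directory entries (hypothetical, not from the thread).
DIRECTORY = [
    {"uid": "alice", "location": "B"},
    {"uid": "bob", "location": "C"},
    {"uid": "carol", "location": "B"},
]

# Per-location "ldap filter" templates from the thread; location A has none.
LOCATION_FILTERS = {
    "A": None,
    "B": "(&(uid=%u)(location=B))",
    "C": "(&(uid=%u)(location=C))",
}


def escape_filter_value(value):
    """RFC 4515 escaping: a substituted username cannot change filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Turn \\xx escapes back into literal characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def value_matches(pattern, actual):
    """An unescaped '*' is a wildcard; an escaped '\\2a' is a literal asterisk."""
    pieces = [re.escape(unescape_filter_value(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual) is not None


def matches(entry, flt):
    """Evaluate the filter subset used in the thread: (&...) and (attr=value)."""
    if flt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, value = re.fullmatch(r"\(([\w-]+)=([^()]*)\)", flt).groups()
    return attr in entry and value_matches(value, entry[attr])


def expand_filter(template, username):
    """Substitute %u as smb.conf substitution would, with escaping applied."""
    return template.replace("%u", escape_filter_value(username))


def can_login(username, location):
    """True if the user is visible to the samba instance at the given location."""
    template = LOCATION_FILTERS[location]
    if template is None:  # no filter configured: every directory user is visible
        return any(e["uid"] == username for e in DIRECTORY)
    flt = expand_filter(template, username)
    return any(matches(e, flt) for e in DIRECTORY)
```

With these entries, alice can log in at A and B but not C, while a literal "*" submitted as a username is escaped and matches nobody.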