ldap filter gone and sambadomainnname not checked

Pierre Filippone pierre.filippone at retail-sc.com
Thu Mar 2 11:53:37 GMT 2006


we have a certain mechanism in our LDAP user management, which is called 
user "expiry". This means that most LDAP attributes stay in place, when an 
employee leaves the company, either temporarily or permanently. The user 
account is still there, but it is made unusable by "destroying" a few ldap 
attributes. This has proved to be very useful in the past.

With the upgrade of our domain controllers to 3.0.21c the "ldap filter" 
option has gone. I could live with that, if I would only need to prevent 
domain login for those expired users by using the nss_ldap filter. But the 
expired users still appear in the user list of the domain, for example in 
the Windows user manager, which is not, what I want. 

I would have no problem, if Samba checked the sambadomainname attribute 
for the right content before listing an entry as a user, because this is 
one of the attributes we change, when expiring a user. But obviously it 
does not.

My problem would also be solved, if you reintroduced "ldap filter", which 
you probably won't do.

Any suggestions, how I could prevent those users from appearing in the 
user list, without deleting all samba attributes ?

Thanks for any answer

Pierre Filippone

More information about the samba-technical mailing list