ldap filter gone and sambadomainnname not checked
Pierre Filippone
pierre.filippone at retail-sc.com
Fri Mar 3 10:05:07 GMT 2006
Volker Lendecke <vlendec at sernet.de> wrote on 02.03.2006 18:05:05:
> On Thu, Mar 02, 2006 at 12:53:37PM +0100, Pierre Filippone wrote:
> > Any suggestions, how I could prevent those users from appearing in the
> > user list, without deleting all samba attributes ?
>
> I'm looking for ways to move objects around in LDAP, but no
> success so far. My immediate suggestion would be to move it
> to a tree out of 'ldap suffix', but I don't know if LDAP is
> able to do so.
>
> Volker
We could do that, but this would break a lot of tools we use for LDAP
management.
I just tried to x-out the sambaSID attribute. That seems to work, the
account is not listed any more. I hope that does not lead to smbd crashes.
I think another simple approach would be to add an
&(sambadomainname=domname) to the internal LDAP filters when accessing the
ldapsam. Maybe as an optional config parameter like "ldap check domainname
= yes/no". That would give a little of the flexibility back the people
lost by the removal of the "ldap filter". I've seen some postings by
people who complained about the loss of the filter parameter. Maybe this
could help them too.
Just a thought.
Pierre
More information about the samba-technical
mailing list