ldap filter gone and sambadomainnname not checked

Pierre Filippone pierre.filippone at retail-sc.com
Fri Mar 3 10:05:07 GMT 2006

Volker Lendecke <vlendec at sernet.de> wrote on 02.03.2006 18:05:05:

> On Thu, Mar 02, 2006 at 12:53:37PM +0100, Pierre Filippone wrote:
> > Any suggestions, how I could prevent those users from appearing in the 

> > user list, without deleting all samba attributes ?
> I'm looking for ways to move objects around in LDAP, but no
> success so far. My immediate suggestion would be to move it
> to a tree out of 'ldap suffix', but I don't know if LDAP is
> able to do so.
> Volker

We could do that, but this would break a lot of tools we use for LDAP 

I just tried to x-out the sambaSID attribute. That seems to work, the 
account is not listed any more. I hope that does not lead to smbd crashes.

I think another simple approach would be to add an 
&(sambadomainname=domname) to the internal LDAP filters when accessing the 
ldapsam. Maybe as an optional config parameter like "ldap check domainname 
= yes/no". That would give a little of the flexibility back the people 
lost by the removal of the "ldap filter". I've seen some postings by 
people who complained about the loss of the filter parameter. Maybe this 
could help them too.

Just a thought.


More information about the samba-technical mailing list