ldap filter gone and sambadomainname not checked
idra at samba.org
Fri Mar 3 14:26:30 GMT 2006
On Fri, 2006-03-03 at 13:21 +0100, Pierre Filippone wrote:
> Volker Lendecke <vlendec at sernet.de> wrote on 03.03.2006 13:05:41:
> > On Fri, Mar 03, 2006 at 11:05:07AM +0100, Pierre Filippone wrote:
> > > We could do that, but this would break a lot of tools we use for LDAP
> > > management.
> > >
> > > I just tried to x-out the sambaSID attribute. That seems to work, the
> > > account is not listed any more. I hope that does not lead to smbd
> > >
> > > I think another simple approach would be to add an
> > > &(sambadomainname=domname) to the internal LDAP filters when accessing
> > > ldapsam. Maybe as an optional config parameter like "ldap check
> > > = yes/no". That would give a little of the flexibility back the people
> > > lost by the removal of the "ldap filter". I've seen some postings by
> > > people who complained about the loss of the filter parameter. Maybe
> > > could help them too.
> > >
> > > Just a thought.
> > Another thought: Replace "objectclass=sambasamaccount" with
> > "objectclass=sambadeadsamaccount", after having extended
> > your schema appropriately.
> > Volker
> Good idea.
> Which OID should I use to avoid conflicts with future schema extensions?
I do not think these solutions are good ones.
Depending on your configuration you may instead build your own auxiliary
class (or find one appropriate) and deny access to an entire entry based
on the value of one of its attributes.
All you need is to separate the samba ldap manager from the real ldap
manager (which is a good thing anyway imho).

        # placeholder DN: the "by <dn>" clause naming the real LDAP manager
        # did not survive in the archive copy; substitute your manager's DN
        access to filter=(myStatus=DISABLED)
                by dn.exact="<real LDAP manager DN>" write
                by * none

        access to *
                by dn.exact="<real LDAP manager DN>" write
                by * read

Don't forget exceptions for password attributes.
This way the ldapManager will always be able to see all entries, while
for all others including the user samba uses to manage the tree, the
DISABLED accounts just disappear.
Samba Team GPL Compliance Officer
email: idra at samba.org
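Putting the pieces of this approach together, as an added example that is not part of the original thread: the auxiliary class, the three ACL rules in the order slapd needs them (including the password-attribute exception mentioned above), and the LDIF that retires an account. The OID arc, the DNs cn=ldapManager / cn=sambaAdmin under dc=example,dc=com and the entry uid=jdoe are assumptions chosen for illustration.

```conf
# --- 1. Schema: an auxiliary class that carries the status flag.
# <your-OID-arc> is a placeholder: use an arc you own under a registered private enterprise number.
attributetype ( <your-OID-arc>.1.1 NAME 'myStatus'
        DESC 'Account status flag consulted by the ACLs below'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( <your-OID-arc>.2.1 NAME 'myAccountStatus'
        SUP top AUXILIARY
        MAY myStatus )

# --- 2. ACLs (slapd.conf). Order matters: slapd applies the first "access to" that matches.
# Rule 1: entries flagged DISABLED exist only for the real LDAP manager. The DN Samba
# binds with (cn=sambaAdmin, assumed) falls under "by * none", so ldapsam never sees them.
# Because this rule wins over rule 2, a DISABLED account can no longer bind to LDAP either.
access to filter=(myStatus=DISABLED)
        by dn.exact="cn=ldapManager,dc=example,dc=com" write
        by * none

# Rule 2: the password-attribute exception. Without it, rule 3's "by * read" would hand
# every bound DN the NT/LM hashes of every enabled account.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=ldapManager,dc=example,dc=com" write
        by dn.exact="cn=sambaAdmin,dc=example,dc=com" write
        by anonymous auth
        by * none

# Rule 3: everything else is readable; only the two managers may write.
access to *
        by dn.exact="cn=ldapManager,dc=example,dc=com" write
        by dn.exact="cn=sambaAdmin,dc=example,dc=com" write
        by * read

# --- 3. LDIF to retire an account (apply with ldapmodify bound as cn=ldapManager).
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: myAccountStatus
-
add: myStatus
myStatus: DISABLED
```

To check the effect, run the same ldapsearch for uid=jdoe twice: bound as cn=sambaAdmin it returns nothing, bound as cn=ldapManager it returns the entry with myStatus: DISABLED.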