ldap filter gone and sambadomainnname not checked

simo idra at samba.org
Fri Mar 3 14:26:30 GMT 2006


On Fri, 2006-03-03 at 13:21 +0100, Pierre Filippone wrote:
> Volker Lendecke <vlendec at sernet.de> wrote on 03.03.2006 13:05:41:
> 
> > On Fri, Mar 03, 2006 at 11:05:07AM +0100, Pierre Filippone wrote:
> > > We could do that, but this would break a lot of tools we use for LDAP
> > > management.
> > >
> > > I just tried to x-out the sambaSID attribute. That seems to work, the
> > > account is not listed any more. I hope that does not lead to smbd
> > > crashes.
> > >
> > > I think another simple approach would be to add an
> > > &(sambadomainname=domname) to the internal LDAP filters when accessing
> > > the ldapsam. Maybe as an optional config parameter like "ldap check
> > > domainname = yes/no". That would give a little of the flexibility back
> > > the people lost by the removal of the "ldap filter". I've seen some
> > > postings by people who complained about the loss of the filter
> > > parameter. Maybe this could help them too.
> > >
> > > Just a thought.
> > 
> > Another thought: Replace "objectclass=sambasamaccount" with
> > "objectclass=sambadeadsamaccount", after having extended
> > your schema appropriately.
> > 
> > Volker
> 
> Good idea. 
> Which OID should I use to avoid conflicts with future schema extensions ? 

I do not think these solutions are good ones.
Depending on your configuration you may instead build your own auxiliary
class (or find one appropriate) and deny access to an entire entry based
on the value of one of its attributes.

All you need is to separate the samba ldap manager from the real ldap
manager (which is a good thing anyway imho).

Ex:
objectClass: myAccounts
myStatus: ENABLED

or

myStatus: DISABLED


access to filter=(myStatus=DISABLED)
	by dn="cn=ldapManager,dc=my,dc=domain" write
	by * none

access to *
	by dn="cn=ldapManager,dc=my,dc=domain" write
	by dn="cn=sambaManager,dc=my,dc=domain" write
	by * read


Don't forget exceptions for password attributes.


This way the ldapManager will always be able to see all entries, while
for all others including the user samba uses to manage the tree, the
DISABLED accounts just disappear.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
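Editor's note: the following is an added, fully written-out version of the scheme Simo sketches above (auxiliary class plus filter-based ACL). It is not Simo's or the Samba team's configuration. It uses OpenLDAP slapd.conf syntax, the two manager DNs from the message, and an OID arc 1.3.6.1.4.1.99999 that is only a placeholder: substitute your own IANA private enterprise number there, which also answers the "which OID" question without colliding with future Samba schema releases.

```conf
# --- schema fragment (e.g. include /etc/openldap/schema/myaccounts.schema) ---

# PLACEHOLDER arc: 99999 is NOT a real assignment, use your own PEN.
objectIdentifier myOrgRoot  1.3.6.1.4.1.99999
objectIdentifier myOrgAttrs myOrgRoot:1
objectIdentifier myOrgOCs   myOrgRoot:2

# myStatus needs an EQUALITY rule, otherwise the ACL filter below cannot match.
attributetype ( myOrgAttrs:1 NAME 'myStatus'
    DESC 'Account lifecycle state: ENABLED or DISABLED'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# AUXILIARY so it can be stacked on existing sambaSamAccount/posixAccount entries.
objectclass ( myOrgOCs:1 NAME 'myAccounts'
    DESC 'Auxiliary class carrying myStatus'
    SUP top AUXILIARY
    MAY ( myStatus ) )

# --- ACLs in slapd.conf, inside the database section ---
# OpenLDAP stops at the first "access to" clause that matches the
# entry/attribute being touched, so order is significant.

# 1. Disabled entries: only the real directory manager may see or touch them.
#    Must come first, so it also wins over the password clause for these entries
#    (a disabled user cannot even bind).
access to filter=(myStatus=DISABLED)
    by dn.exact="cn=ldapManager,dc=my,dc=domain" write
    by * none

# 2. Password attributes (the "exceptions" Simo mentions): never world-readable.
#    sambaManager needs write here so smbd can set and rotate hashes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=ldapManager,dc=my,dc=domain" write
    by dn.exact="cn=sambaManager,dc=my,dc=domain" write
    by self write
    by anonymous auth
    by * none

# 3. Only the directory manager may flip the status flag, so the samba side
#    (or anything else with write on the entry) cannot re-enable an account.
access to attrs=myStatus
    by dn.exact="cn=ldapManager,dc=my,dc=domain" write
    by * read

# 4. Everything else: both managers write, the rest of the world reads.
access to *
    by dn.exact="cn=ldapManager,dc=my,dc=domain" write
    by dn.exact="cn=sambaManager,dc=my,dc=domain" write
    by * read
```

Two things to check when deploying this: cn=sambaManager must not be the database rootdn (the rootdn bypasses every ACL, so the DISABLED entries would stay visible to Samba), and smb.conf must point at it with "ldap admin dn = cn=sambaManager,dc=my,dc=domain" and the secret stored via "smbpasswd -w". Disabling an account is then a single ldapmodify that sets myStatus to DISABLED; the next ldapsam lookup by smbd simply does not return the entry.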


