ldap filter gone and sambadomainnname not checked
Pierre Filippone
pierre.filippone at retail-sc.com
Fri Mar 3 15:47:52 GMT 2006
> > >
> > > Another thought: Replace "objectclass=sambasamaccount" with
> > > "objectclass=sambadeadsamaccount", after having extended
> > > your schema appropriately.
> > >
> > > Volker
> >
> > Good idea.
> > Which OID should I use to avoid conflicts with future schema
> > extensions?
>
> I do not think these solutions are good ones.
> Depending on your configuration you may instead build your own auxiliary
> class (or find one appropriate) and deny access to an entire entry based
> on the value of one of its attributes.
>
> All you need is to separate the samba ldap manager from the real ldap
> manager (which is a good thing anyway imho).
>
> Ex:
> objectClass: myAccounts
> myStatus: ENABLED
>
> or
>
> myStatus: DISABLED
>
>
> access to filter=(myStatus=DISABLED) by
> dn="cn=ldapManager,dc=my,dc=domain" write
> by * none
>
> access to * by
> dn="cn=ldapManager,dc=my,dc=domain" write
> by dn="cn=sambaManager,dc=my,dc=domain" write
> by * read
>
>
> Don't forget exceptions for password attributes.
>
>
> This way the ldapManager will always be able to see all entries, while
> for all others including the user samba uses to manage the tree, the
> DISABLED accounts just disappear.
>
> Simo.
>
It's not that simple for us, because we still need special access to
certain attributes of disabled accounts for non-admins. And we already
have fairly complex ACLs.
I think I'll try it with the additional object class. That's safer for us.
Thank you for your help, anyway
Pierre
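A fuller version of the approach Simo sketches, added here as an illustration; it is not part of the thread and not Samba's or OpenLDAP's own configuration. It assumes the auxiliary class `myAccounts` and attribute `myStatus` from the quoted message, the two manager DNs from the message, and slapd.conf-style directives. The schema OIDs are placeholders: `XXXXX` stands for your own IANA private enterprise number, which is the usual way to get an arc that cannot collide with future Samba or OpenLDAP schema extensions. The password attribute names are the standard Samba 3 ones.

```conf
# --- schema fragment (e.g. include'd from myaccounts.schema) ---
# Replace XXXXX with your IANA private enterprise number; these OIDs are placeholders.
attributetype ( 1.3.6.1.4.1.XXXXX.1.1
    NAME 'myStatus'
    DESC 'ENABLED or DISABLED; DISABLED hides the entry from non-admin binds'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.XXXXX.2.1
    NAME 'myAccounts'
    DESC 'Auxiliary class carrying the account status flag'
    AUXILIARY
    MAY myStatus )

# --- access control (slapd.conf) ---
# OpenLDAP evaluates "access to" clauses in order and uses the FIRST clause
# whose target matches; so the most specific rules must come first.

# 1. Password attributes: never readable, even by the Samba manager.
#    Users may change their own; anonymous may only use them to bind.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=ldapManager,dc=my,dc=domain" write
    by dn="cn=sambaManager,dc=my,dc=domain" write
    by self write
    by anonymous auth
    by * none

# 2. Disabled accounts: only the real directory manager can see them.
#    Because the sambaManager bind gets "none" on the whole entry, the
#    entry is simply absent from its search results and Samba treats the
#    user as nonexistent. The trailing "by * none" is the implicit
#    default, written out for clarity.
access to filter=(myStatus=DISABLED)
    by dn="cn=ldapManager,dc=my,dc=domain" write
    by * none

# 3. Everything else: both managers may write, everyone else may read.
access to *
    by dn="cn=ldapManager,dc=my,dc=domain" write
    by dn="cn=sambaManager,dc=my,dc=domain" write
    by * read
```

To check the effect before relying on it, bind as `cn=sambaManager,dc=my,dc=domain` with `ldapsearch` and confirm that an entry with `myStatus: DISABLED` is not returned, then bind as `cn=ldapManager,dc=my,dc=domain` and confirm it is; a search as sambaManager for `sambaNTPassword` should also return no values. If rule 2 were placed after rule 3, the `access to *` clause would match first and the DISABLED entries would remain readable, which is the ordering mistake this layout is meant to avoid. Note that this is exactly the limitation Pierre raises above: once the whole entry is hidden, no per-attribute exception for non-admins is possible, so a site that needs partial visibility of disabled accounts has to narrow rule 2 to `attrs=` or use a different object class instead.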