ldap filter gone and sambadomainname not checked

Pierre Filippone pierre.filippone at retail-sc.com
Mon Mar 6 10:09:18 GMT 2006

simo <idra at samba.org> wrote on 03.03.2006 17:33:06:

> On Fri, 2006-03-03 at 16:47 +0100, Pierre Filippone wrote:
> > It's not that simple for us, because we still need special access to 
> > certain attributes of disabled accounts for non-admins.
> Through samba ? I don't think so.

No, not through samba, through tools and user management applications.

> You can apply that acl only to the sambadmin (samba uses only this
> account), and let everybody else have the same rights as usual.

We would at least need something like this:

access to filter=(mystatus=disabled) 
        by dn="cn=ldapmanager,..." write
        (by dn="cn=sambamanager,..." none)

access to filter=(mystatus=disabled) 
        by dn="cn=ldapmanager,..." write
        by dn="cn=usera,..." write
        (by * none)

access to filter=(mystatus=disabled)
        by dn="cn=ldapmanager,..." write
        by dn="cn=userb,...." write
        by * read 

> > And we already 
> > have fairly complex ACLs. 
> That's another matter, but this way is the cleanest possible, and
> does not involve inventing new private classes or playing with the
> entries samba controls on its own.
> You can even use the description attribute to do that for what it
> matters.

IMHO the cleanest solution is the "ldap filter" option that samba used to 
have. There are no two openldap directories that look the same, talking 
about larger environments where LDAP is not only used as a samba backend. 
Therefore each app that uses LDAP should have a configurable filter to 
give the admin some flexibility. And this filter should be applied to all 
LDAP queries in my opinion. That would for example make it possible to 
place more than one domain in one directory. I know, this might not be 
useful for most samba admins, but I think it would be a pretty cool 
feature for some and if it was an optional configuration parameter it 
would not reduce performance and not confuse samba admins, where it is not 

Easy to say for me, because I don't have to do it ;-)
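As an added illustration (not Samba's code, and not part of the original post), here is what a configurable "ldap filter" applied to every query could look like if implemented in a small helper: an admin-supplied site filter (for example, scoping to one sambaDomainName and excluding entries whose mystatus is disabled) is ANDed onto each per-query filter, and the user-supplied value is escaped per RFC 4515 before it is substituted. The function names, the site filter string and the attribute name mystatus (taken from the mail above) are assumptions for the example; the recollection that the old parameter substituted %u for the username is mine, not something the post states.

```python
"""Added example: compose an admin-configured LDAP filter onto every query.

Not Samba's implementation. Demonstrates two things a practitioner wants
when a backend exposes a configurable filter: (1) the site filter is ANDed
onto every lookup so one directory can hold several domains, and (2) the
username substituted into the filter is escaped so it cannot rewrite the
filter's structure (LDAP filter injection).
"""
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter.

    Without this, a username such as '*)(uid=*' changes the shape of the
    filter instead of matching one literal uid.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def combine_filters(site_filter: Optional[str], query_filter: str) -> str:
    """AND an optional admin-configured site filter onto a query filter.

    An empty or missing site filter leaves the query untouched, which is the
    behaviour you would want for an optional configuration parameter.
    """
    if not site_filter:
        return query_filter
    return f"(&{site_filter}{query_filter})"


def user_lookup_filter(username: str, site_filter: Optional[str] = None) -> str:
    """Filter to look up one account, scoped by the configured site filter.

    The per-user part follows the (uid=%u) pattern, with %u replaced by an
    escaped value (assumption: this mirrors how the old parameter was used).
    """
    return combine_filters(site_filter, f"(uid={escape_filter_value(username)})")


# Hypothetical site filter for one domain in a shared directory. The attribute
# name mystatus comes from the mail above; the domain name is made up.
SITE_FILTER = "(&(sambaDomainName=RETAIL)(!(mystatus=disabled)))"

if __name__ == "__main__":
    print(user_lookup_filter("alice"))
    print(user_lookup_filter("alice", SITE_FILTER))
    # Injection attempt: the result still matches only a literal uid.
    print(user_lookup_filter("*)(uid=*", SITE_FILTER))
```

The escaping step is the part that matters most in practice: an admin-configurable filter only improves security if the values substituted into it cannot be used to disable the scoping clause.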

