Extended request in kludge acl

Andrew Bartlett abartlet at samba.org
Wed Jul 7 16:29:47 MDT 2010


On Wed, 2010-07-07 at 02:53 +0300, Nadezhda Ivanova wrote:
> Hi Andrew,
> I was wondering what is the kludge_acl extended op for. Currently it's the
> only thing that is being used of this module. I suppose if it is needed I
> could transfer it to acl and we remove the kludge altogether...

Yes, we do need to do ACLs on extended requests.  Some could do
sensitive things, and we have to determine what kind of user is allowed
to do what kind of thing.  (Currently the check is very simple.)

For example, we may in future decide to change again the password change
logic to remove the 'password already checked' control for SAMR password
changes, and make it instead do an extended request with the full
password change, and have password_hash validate it.  (There is a
similar extended operation I also want to support for OpenLDAP clients).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.