[Samba] "ldap passwd sync" not working
Guenther Deschner
gd at samba.org
Sat Feb 5 20:30:02 GMT 2005
Hi,
On Sat, Feb 05, 2005 at 03:09:42PM -0500, Adam Tauno Williams wrote:
> > You want to say that samba asks LDAP about its capabilities, it returns
> > nothing, and samba thinks that it cannot do anything. Am I right?
>
> Seems to be the case, from very cursory inspection.
>
> Really an issue with the DSA, it should properly report its
> capabilities.
Absolutely correct. According to http://www.faqs.org/rfcs/rfc2251.html
LDAP v3 Servers MUST have a Root-DSE. The same document says that:
-----8<------------------snip--------------8<--------------
3.4. Server-specific Data Requirements
An LDAP server MUST provide information about itself and other
information that is specific to each server. This is represented as
a group of attributes located in the root DSE (DSA-Specific Entry),
which is named with the zero-length LDAPDN. These attributes are
retrievable if a client performs a base object search of the root
with filter "(objectClass=*)", however they are subject to access
control restrictions.
----->8------------------snap-------------->8--------------
In this sense, anonymous searches for the Root-DSE may be prevented
(although this is really rarely seen; e.g. ADS allows anonymous Root-DSE
queries). So in the end, we'd better point out the fact that at least the
"ldap admin dn" in smb.conf should be allowed to read the Root-DSE for
proper ldapsam operation, including password change.
Guenther
--
Guenther Deschner Samba Team
SerNet GmbH - Goettingen gd at samba.org
gd at sernet.de
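Checking this from the command line, as an added example that is not part of the original post and not Samba's own code: the script below runs the base-object search of the root DSE that the quoted RFC 2251 text describes (zero-length base DN, scope base, filter "(objectClass=*)"), once anonymously and once bound as the smb.conf "ldap admin dn", and then tests whether the entry that came back advertises the Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062), which is the capability ldapsam expects to find in supportedExtension when "ldap passwd sync" is set. The function names, the exit-code convention and the sample LDIF in the comments are assumptions of this example; the ldapsearch options are standard OpenLDAP client options.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Requires the OpenLDAP ldapsearch client for the live query; the
# check_rootdse function itself only parses LDIF and works offline.

PASSWD_MODIFY_OID="1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 Password Modify exop

# Base-object search of the root DSE, as RFC 2251 section 3.4 describes.
#   $1 = LDAP URI, e.g. ldap://ldap.example.com
#   $2 = bind DN ("" for an anonymous bind)
#   $3 = bind password (ignored when $2 is empty)
# Prints the root DSE as LDIF (only the two attributes we care about).
fetch_rootdse() {
    uri=$1; binddn=$2; pw=$3
    if [ -n "$binddn" ]; then
        ldapsearch -LLL -x -H "$uri" -D "$binddn" -w "$pw" \
            -b "" -s base "(objectClass=*)" \
            supportedLDAPVersion supportedExtension
    else
        ldapsearch -LLL -x -H "$uri" \
            -b "" -s base "(objectClass=*)" \
            supportedLDAPVersion supportedExtension
    fi
}

# Reads root DSE LDIF on stdin and returns:
#   0  entry present and Password Modify exop advertised
#   1  entry present but the exop is not listed
#   2  nothing came back at all, which is what you see when the ACLs of the
#      DSA hide the root DSE from this bind (the "returns nothing" case
#      discussed in the thread)
check_rootdse() {
    ldif=$(cat)
    if [ -z "$ldif" ]; then
        return 2
    fi
    if printf '%s\n' "$ldif" | grep -qxF "supportedExtension: ${PASSWD_MODIFY_OID}"; then
        return 0
    fi
    return 1
}

# Usage against a live server (hypothetical host and DN, uncomment to run):
#   fetch_rootdse ldap://ldap.example.com "" "" | check_rootdse; echo "anonymous: $?"
#   fetch_rootdse ldap://ldap.example.com "cn=samba,dc=example,dc=com" secret \
#       | check_rootdse; echo "ldap admin dn: $?"
# A 2 for the anonymous bind and a 0 for the admin DN is the configuration
# the post recommends as sufficient; a 2 for the admin DN means the DSA's
# access control has to be relaxed for that DN before ldapsam can sync
# passwords.
```

Run it twice, once for each bind; the interesting failure is not a wrong answer but an empty one, which is why the parser distinguishes "no entry" from "entry without the exop" instead of treating both as a plain miss.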