[Samba] "ldap passwd sync" not working

Guenther Deschner gd at samba.org
Sat Feb 5 20:30:02 GMT 2005


Hi,

On Sat, Feb 05, 2005 at 03:09:42PM -0500, Adam Tauno Williams wrote:
> > You want to say that samba asks LDAP about its capabilities, it returns 
> > nothing and samba thinks that it cannot do anything. Am I right?
> 
> Seems to be the case, from very cursory inspection.
> 
> Really an issue with the DSA, it should properly report its
> capabilities.

Absolutely correct. According to http://www.faqs.org/rfcs/rfc2251.html
LDAP v3 Servers MUST have a Root-DSE. The same document says that:

-----8<------------------snip--------------8<--------------
3.4. Server-specific Data Requirements

   An LDAP server MUST provide information about itself and other
   information that is specific to each server.  This is represented as
   a group of attributes located in the root DSE (DSA-Specific Entry),
   which is named with the zero-length LDAPDN.  These attributes are
   retrievable if a client performs a base object search of the root
   with filter "(objectClass=*)", however they are subject to access
   control restrictions.
----->8------------------snap-------------->8--------------

In this sense, anonymous searches for the Root-DSE may be prevented
(although this is really rarely seen; e.g. ADS allows anonymous root-dse
queries). So in the end, we had better point out the fact that at least the
"ldap admin dn" in smb.conf should be allowed to read the Root-DSE for
proper ldapsam operation, including password change.

Guenther

-- 
Guenther Deschner                                               Samba Team
SerNet GmbH - Goettingen                                      gd at samba,org
gd at sernet.de
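The check Guenther describes, as an added example (not from the thread or from Samba itself): parse the LDIF that `ldapsearch -s base -b "" "(objectClass=*)"` prints when bound as the "ldap admin dn", and report whether a root DSE came back at all and what it advertises. The Password Modify OID and the statement that "ldap passwd sync" depends on that extension are assumptions not made in the thread; the LDIF samples are constructed.

```python
# RFC 3062 Password Modify exop; assumed (not stated in the thread) to be
# what Samba's "ldap passwd sync" needs the server to advertise.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

def parse_root_dse(ldif):
    """Extract the root DSE entry (empty dn) from ldapsearch LDIF output.
    Returns {attribute: [values]}, or {} when no entry was returned.
    Folded lines are joined; base64 ('::') values are not decoded."""
    attrs, in_entry, prev = {}, False, None
    for raw in ldif.splitlines():
        if not raw.strip():            # blank line terminates an entry
            in_entry = False
            continue
        if raw.startswith("#"):        # ldapsearch commentary
            continue
        if raw.startswith(" "):        # folded continuation line
            if in_entry and prev:
                attrs[prev][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        if name == "dn":
            in_entry = value.strip() == ""
            continue
        if in_entry:
            attrs.setdefault(name, []).append(value.strip())
            prev = name
    return attrs

def check_root_dse(attrs):
    """Return a list of problems; an empty list means the DSA looks usable."""
    if not attrs:
        return ["no root DSE entry returned: the bind DN ('ldap admin dn') "
                "is probably not allowed to read it"]
    problems = []
    if "3" not in attrs.get("supportedLDAPVersion", []):
        problems.append("server does not advertise LDAPv3")
    if PASSWD_MODIFY_OID not in attrs.get("supportedExtension", []):
        problems.append("Password Modify extension not advertised")
    return problems

# Constructed sample output of:
#   ldapsearch -x -D "<ldap admin dn>" -W -s base -b "" "(objectClass=*)"
SAMPLE_OK = "dn:\nsupportedLDAPVersion: 3\n" \
            "supportedExtension: 1.3.6.1.4.1.4203.1.11.1\n\n# search result\n"
# The same query when the bind DN may not read the root DSE: no entry at all.
SAMPLE_DENIED = "# search result\nsearch: 2\nresult: 0 Success\n# numEntries: 0\n"

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("denied", SAMPLE_DENIED)):
        print(label, check_root_dse(parse_root_dse(sample)) or "OK")
```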