[Samba] ldap authentication without 'ldap filter' parameter
Norbert Gomes
norbert.gomes at orleans-tours.iufm.fr
Wed Feb 8 12:31:51 GMT 2006
Thank you for your reply Bill.
This module doesn't seem to be implemented in the OpenLDAP 2.2 release and I
can't modify our existing LDAP database. But I'll think about it if we
decide to change the OpenLDAP release.
What I would like to know is whether it's possible to redefine the 'ldap
filter' parameter in another place than in the smb.conf file?
Thanks
Norbert
William Jojo wrote:
> ----- Original Message -----
> From: "Norbert Gomes" <norbert.gomes at orleans-tours.iufm.fr>
> To: "samba" <samba at lists.samba.org>
> Sent: Wednesday, February 08, 2006 5:46 AM
> Subject: [Samba] ldap authentication without 'ldap filter' parameter
>
>
>
>> Hello
>>
>> I'm trying to update samba from 3.0.11 to 3.0.21 and I noticed that the
>> 'ldap filter' parameter has been removed.
>> After some searching, I read that I have to configure nss_ldap. But I don't
>> know how to configure it properly to operate with our LDAP database.
>>
>> Let me explain:
>>
>> We used the 'ldap filter' parameter like this:
>>
>> ldap filter = (&(iufmLogin=%u)(gecos=#*))
>>
>>
>
> Well, I understand your position. Tree management can be tough.
>
> What you could look at if you are using OpenLDAP is:
>
> http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
>
> This is the rewrite module. It allows you to remap attributes and create
> conditional changes to client searches and server replies. It works for
> updates as well, so it's not just smoke and mirrors. This *might* help you
> out of your jam.
>
> I looked at this for our installation (we have a single tree that's used
> among several DC's with trusts), but with the impending changes for
> enumerating group RIDs, our own use of group mappings, future AD (read Samba
> 4) implementation and other political considerations, I've decided to script
> a tree transform instead.
>
>
> Cheers,
>
> Bill
>
>
>
>> Our authentication is based on the 'iufmLogin' attribute (we cannot use
>> the 'uid' attribute) and the gecos has to start with the '#' character
>> for the user to be authenticated.
>>
>> But my problem is that I can't configure the /etc/ldap.conf file to use
>> these filters.
>>
>> I tried to put this in the /etc/ldap.conf file:
>>
>> pam_filter iufmLogin=%s
>> pam_login_attribute iufmLogin
>>
>> But the system seems to ignore these filters and it only uses the 'uid'
>> attribute when I try the 'getent passwd' command.
>>
>> Can someone explain to me how to do this correctly?
>>
>> Thanks
>>
>>
>> Norbert Gomes
>>
>>
>
>