AW: [Samba] ldapsam ignores "ldap user suffix" when doing username lookup

Haas Florian Florian.Haas at
Thu Jul 27 10:58:44 GMT 2006


> -----Original Message-----
> From: Michael Gasch [mailto:gasch at] 
> Sent: Thursday, 27 July 2006 12:19
> what about using ACLs to restrict uid-searches in the base 
> for samba admin?

Thanks. Just to see if I got your point correctly, you mean to disallow searches
involving the uid attribute in the base context for the Samba admin proxy DN,
and then re-allowing it a few levels below? I haven't tried, but I'm almost
certain that after the initial smbldap_search failure this would cause, Samba
wouldn't descend into the OUs below and repeat the search (indeed, why should
it?). So I'm afraid this would break domain logons altogether.

I'm still trying to find out what's the rationale behind Samba not honoring the
"ldap user suffix" param on initial user authentication. Could someone help me
out on this?


Mag.(FH) Florian G. Haas
Kapsch BusinessCom AG, Wienerbergstrasse 53, A-1121 Wien

