[Samba] use of pam_filter with LDAP

samba at piven.org samba at piven.org
Tue Nov 6 23:11:11 GMT 2007

Norbert Gomes wrote:
> I would like to use pam filters to authenticate users on LDAP 2.3 with 
> Samba-3.0.26a on a Fedora Core 7
> For information,samba is compiled with the --with-ldapsam option (2.0 
> LDAP schema)
> Basic LDAP authentication works well, when I type 'getent passwd', all 
> my users are displayed.
> Now I want to use the pam_filter option in the /etc/ldap.conf file, but 
> I can't make it work :
> For example, with pam_filter objectclass=supannPerson, getent passwd 
> returns the same list as when I don't use the filters

That's because "getent" doesn't use PAM; it uses NSS and thus nss_ldap.
Just because nss_ldap and pam_ldap use the same configuration file 
doesn't necessarily mean they recognize all the settings -- in 
particular, nss_ldap's man page mentions nothing about a pam_filter 
setting in ldap.conf.

You can still use pam_filter in your PAM config files as part of your 
authentication protocol; just remember that pam_filter is pam_specific :-)

Don Piven

More information about the samba mailing list