[Samba] client specific debug log for ldap

Andrew Bartlett abartlet at samba.org
Wed Jan 11 19:56:05 UTC 2017

On Tue, 2017-01-10 at 15:05 +0100, lists via samba wrote:
> Hi,
> I am trying to debug an ldaps client that we would like to use to change
> passwords for end-users. Currently this is failing with this:
> > [LDAP: error code 50 - error in module acl: insufficient access
> > rights during LDB_MODIFY (50)]; remaining name 'CN=ted t.
> > test,CN=Users,DC=samba,DC=company,DC=com'
> From what we understand, there are two ways to change a password:
> A) as an admin-user with a replace operation
> B) as an end-user with a delete and an add operation
> To debug why my client application does not work, I configured loglevel
> 10 for that specific IP, according to the client specific logging on the
> wiki.
> HOWEVER... that does not seem to work for ldap access! :-(

Correctly.  Sadly we ripped out the % macro support in Samba4's
earliest days, and it never got back in.  It is made harder by the fact
that we serve more than one client per process, so global variables are
not the solution any longer. 

> Is there a way to have debug level logs for ldap traffic coming from a
> specific ip, while keeping the rest at a normal level?
> Or perhaps set ldap logging to 10, while keeping the rest down?
> And as a side-question: do we need to configure anything special, to
> allow end-users to change their passwords?

No.  It is expected (and tested) to 'just work' as a modify on
unicodePwd (utf16 password in " chars), or if enabled userPassword as
utf8 (need to set the flag in dSHeuristics just like Windows).

Andrew Bartlett
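
Added example, not part of the original message and not Samba's own code: the unicodePwd value format described above (the password inside double quotes, encoded as UTF-16), written out as LDIF change records for both the end-user delete/add and the admin replace mentioned in the question. The function names and sample passwords are constructed for illustration; the DN is the one from the error message in the thread.

```python
import base64
from typing import Optional

def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: password inside double quotes, UTF-16LE, no BOM."""
    return ('"' + password + '"').encode("utf-16-le")

def b64(value: bytes) -> str:
    return base64.b64encode(value).decode("ascii")

def ldif_dn(dn: str) -> str:
    """Emit the dn line, base64-encoding it when it is not an LDIF safe string."""
    safe = dn.isascii() and dn[:1] not in (" ", ":", "<") and not dn.endswith(" ") \
        and "\n" not in dn and "\r" not in dn and "\0" not in dn
    return f"dn: {dn}" if safe else f"dn:: {b64(dn.encode('utf-8'))}"

def password_change_ldif(dn: str, new_password: str,
                         old_password: Optional[str] = None) -> str:
    """Build one LDIF change record for a unicodePwd modify.

    old_password given -> end-user change (delete old value, add new value)
    old_password None  -> administrative reset (single replace)
    """
    new_value = b64(encode_unicode_pwd(new_password))
    lines = [ldif_dn(dn), "changetype: modify"]
    if old_password is None:
        lines += ["replace: unicodePwd", f"unicodePwd:: {new_value}", "-"]
    else:
        old_value = b64(encode_unicode_pwd(old_password))
        lines += ["delete: unicodePwd", f"unicodePwd:: {old_value}", "-",
                  "add: unicodePwd", f"unicodePwd:: {new_value}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # DN taken from the error message in the thread; passwords are constructed samples.
    dn = "CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com"
    print(password_change_ldif(dn, "N3w-Sample-Pw!", old_password="Old-Sample-Pw1"))
    print(password_change_ldif(dn, "N3w-Sample-Pw!"))
```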
