ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambaSamAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambaSAMAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambasamaccount)(uid=bilbo))"

all give me a result, indicating case is not important.

From: Rich Megginson <rmegg...@redhat.com>
To: freeipa-users@redhat.com
Date: 20.07.2015 16:24
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Sent by: freeipa-users-boun...@redhat.com

On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

>
> Chris
>
> From: Rob Crittenden <rcrit...@redhat.com>
> To: Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy <aboko...@redhat.com>
> Cc: freeipa-users@redhat.com
> Date: 20.07.2015 15:47
> Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUi to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit <user>
>>
>> 3) su - <user> over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
>
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
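
Added example, not part of the original thread and not FreeIPA code: a small audit over saved ldapsearch LDIF output that matches the sambaSamAccount objectclass case-insensitively, as discussed above, and reports which accounts still have sambaPwdLastSet at 0. The sample entries and the function names are constructed for illustration, and treating a missing sambaPwdLastSet like 0 is an assumption.

```python
import base64
# Constructed sample in the LDIF form ldapsearch prints; not real directory data.
SAMPLE_LDIF = """\
dn: uid=bilbo,dc=my,dc=silly,dc=example,dc=com
objectClass: sambasamaccount
uid: bilbo
sambaPwdLastSet: 0

dn: uid=frodo,dc=my,dc=silly,dc=example,dc=com
objectClass: sambaSAMAccount
uid: frodo
sambaPwdLastSet: 1437400000

dn: uid=sam,dc=my,dc=silly,dc=example,dc=com
objectClass: posixAccount
uid: sam
"""

def parse_ldif(text):
    """Return entries as dicts: lower-cased attribute name -> list of values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line continues the previous one
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:                  # drop non-entry blocks (search summary)
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:      # skip LDIF comments and stray text
            continue
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value.strip())
    return entries

def audit(entries):
    """Map uid -> 'set', 'unset' (0 or missing; assumption) or 'no-samba-class'."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}  # case-insensitive match
        state = "set" if int(e.get("sambapwdlastset", ["0"])[0]) > 0 else "unset"
        report[e.get("uid", e["dn"])[0]] = state if "sambasamaccount" in classes else "no-samba-class"
    return report
```

Calling `audit(parse_ldif(text))` on the saved output of a search like the ones above lists the accounts that would still need the manual workaround.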