On Sat, 2004-03-06 at 06:07, M. Vancl wrote:
> I have the same experience.
> IMHO problem is in access rights to password attributes on ldap (slapd).

I doubt that.

> Recommended access to userPassword for anonymous is only auth (it's right
> policy). Recommended configuration of nss_ldap is to use anonymous bind for
> non-root processes (and it is also right policy). Then when getpwnam() is
> called by unprivileged process and nss_ldap tries to read attribute
> userPassword among others from posixAccount, this must be unsuccessful
> attempt (and it is right but wrong to me).
> What to do? I think, it is mistake in nss_ldap behaviour. It must omit
> userPassword attribute from read attributes when called by nonprivileged
> process.
> My solution is simple, but wrong - weakening of access restrictions to password
> attribute or bind to ldap as "manager" for all users.

This is indeed the wrong solution, and unless your nss_ldap is much buggier than the one used at every other site, I don't think this is the issue.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
