On Wed, 2005-01-26 at 13:12 -0600, Tim Tyler wrote:
> Samba experts,
> Thanks to advice from this list, I am finally able to get smbpasswd to
> change ldap passwords for the Samba LM/NT passwords. However, I had to
> give write access to sambaPwdLastSet and sambaPwdCanChange attributes as
> well. Other Samba attributes don't seem to need write access. I have
> found plenty of examples with people assigning an ACL for sambaLMPassword
> and sambaNTPassword, but I haven't found examples that included other
> attributes such as sambaPwdLastSet and sambaPwdCanChange.
> Can someone explain why these fields need write access while there is so
> little documentation suggesting it (if any)? I guess I am not surprised
> that they need write access as much as I am surprised there is so little
> documentation suggesting it.

----
There's a lot of us 'in school' trying to use LDAP without fully understanding it and of course, there really isn't any standard way to do things.

ldap admin dn really needs full read/write access to all areas that dn is to manage and any restrictions are gonna cause trouble. Generally, ACLs that restrict attributes such as sambaLMPassword and sambaNTPassword aren't for restricting activity by the ldap admin dn in smb.conf but to restrict all other access attempts.

I think the general consensus is that the samba developers have their hands full with samba and learning how to implement/secure/use LDAP is pretty much the end user responsibility.

Craig
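An added example, not part of the original thread: a sketch of the ACL layout the two messages describe, assuming OpenLDAP's slapd.conf syntax. The DNs, the subtree and the read levels granted to other identities are placeholders and assumptions, not values from either poster.

```conf
# slapd.conf ACL sketch (constructed example; all DNs are placeholders).
# cn=sambaadmin,dc=example,dc=com stands for the "ldap admin dn" set in smb.conf.

# Password hashes: writable by the Samba admin DN, hidden from everyone else.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=sambaadmin,dc=example,dc=com" write
    by * none

# Bookkeeping attributes that the original post reports smbpasswd also
# needs to write when it changes a password. Read access for authenticated
# users is an assumption here; tighten it if your policy requires.
access to attrs=sambaPwdLastSet,sambaPwdCanChange
    by dn.exact="cn=sambaadmin,dc=example,dc=com" write
    by users read
    by * none

# Everything else under the subtree the admin DN manages: full write for
# that DN, so Samba is not blocked by per-attribute restrictions.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=sambaadmin,dc=example,dc=com" write
    by users read
    by * none
```

slapd evaluates `access to` clauses in order and stops at the first one that matches, so the attribute-specific rules must appear before the subtree rule.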
