mallapadi niranjan wrote:
> Hi
>
> Thanks for replying to me. In the ACL below
> #####################################################################
> #access to dn.base="dc=msdpl,dc=com"
>
>> access to attrs=sambaLMPassword,sambaNTPassword
>>
>>>   by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>>>   by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
>>>   by * none
>>> access to attr=userPassword
>>>   by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>>>   by self write
>>>   by anonymous auth
>>>   by * none
>>> access to *
>>>   by * read
>
> #######################################################################
> in by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read if i keep read/write
> it's not affecting
>
> so i have changed my ACLs
> #########################################################################
> access to dn.base="dc=msdpl,dc=com"
>   attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,
>   objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid,description,
>   telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
>   by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>   by dn="uid=.*,ou=Groups,dc=msdpl,dc=com" write
>   by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" write
>   by self write
>   by anonymous auth
>   by * none

That is write access to the Samba password hashes for everyone in the
ou=People container again. They are basically cleartext equivalent.
ACLs are evaluated "in order", first match rules. So to protect
passwords you could write something like (OTOH):

access to attrs=sambaLMPassword,sambaNTPassword,userPassword
  by self write
  by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
  by anonymous auth
  by * none

access to *
  by self write
  by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
  by * read

Note that this is NOT suitable for your environment and only serves as
an example, as you probably want to prevent users from messing with
attributes enforcing a particular policy (like pwdMustChange).

As Craig noted, the uid=.*,ou=Domain Admins,... part doesn't make
sense. If you want group based access control you need the <expand>
syntax. Read the manpage for access control (man slapd.access).

cheers
Paul

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
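The first-match point Paul makes above is easy to get wrong when reading a slapd.conf, so here is an added illustration, written for this page and not part of the thread or of OpenLDAP: a small Python model of the "first matching access clause, first matching by clause wins" rule from slapd.access(5), run over the poster's reworked ACL, Paul's suggested ordering, and the same clauses as Paul's with `access to *` placed first. The DNs (alice, bob, admin1) are constructed, the poster's `dn="uid=.*,..."` clauses are transcribed as `dn.regex` patterns since that is how the thread reads them, the `dn.base` target scope is left out of the model, and only the `self`, `anonymous`, `dn.regex=` and `*` forms of the by clause are supported.

```python
import re

# Privilege levels as ordered in slapd.access(5); a higher level implies the lower ones.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}


def who_matches(who, requester_dn, target_dn):
    """Does one <by> clause apply to this requester? requester_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):]
        return requester_dn is not None and re.fullmatch(pattern, requester_dn) is not None
    raise ValueError(f"unsupported <by> clause in this model: {who}")


def evaluate(acls, requester_dn, target_dn, attr):
    """First-match evaluation: the first <access> clause whose attribute set covers
    `attr` is the only one consulted, and inside it the first matching <by> clause
    decides. No matching clause at all is treated as 'none' here."""
    for attrs, by_clauses in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "none"


def allowed(acls, requester_dn, target_dn, attr, wanted):
    """True when the granted level is at least `wanted`."""
    return LEVELS[evaluate(acls, requester_dn, target_dn, attr)] >= LEVELS[wanted]


# Constructed DNs for the walkthrough (not from the thread).
ALICE = "uid=alice,ou=People,dc=msdpl,dc=com"
BOB = "uid=bob,ou=People,dc=msdpl,dc=com"
ADMIN = "uid=admin1,ou=Domain Admins,dc=msdpl,dc=com"
HASHES = {"sambaLMPassword", "sambaNTPassword"}

# The poster's reworked rule, cut down to the hash attributes; an attrs value of
# None stands for "access to *".
POSTERS_ACL = [
    (HASHES, [
        ("dn.regex=uid=[^,]+,ou=People,dc=msdpl,dc=com", "write"),
        ("dn.regex=uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com", "write"),
        ("self", "write"),
        ("anonymous", "auth"),
        ("*", "none"),
    ]),
    (None, [("*", "read")]),
]

# Paul's suggested ordering: the password rule comes first, so `access to *`
# never reaches the hash attributes.
PAULS_ACL = [
    (HASHES | {"userPassword"}, [
        ("self", "write"),
        ("dn.regex=uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com", "write"),
        ("anonymous", "auth"),
        ("*", "none"),
    ]),
    (None, [
        ("self", "write"),
        ("dn.regex=uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com", "write"),
        ("*", "read"),
    ]),
]

# Same clauses as PAULS_ACL with `access to *` first: the password rule becomes
# dead code, and `by * read` hands the hashes to every requester, anonymous included.
MISORDERED_ACL = [PAULS_ACL[1], PAULS_ACL[0]]


def report(acls):
    """Summarise who can do what to bob's NT hash (and one harmless attribute)."""
    return {
        "alice_writes_bobs_hash": allowed(acls, ALICE, BOB, "sambaNTPassword", "write"),
        "alice_reads_bobs_hash": allowed(acls, ALICE, BOB, "sambaNTPassword", "read"),
        "bob_writes_own_hash": allowed(acls, BOB, BOB, "sambaNTPassword", "write"),
        "admin_writes_bobs_hash": allowed(acls, ADMIN, BOB, "sambaNTPassword", "write"),
        "anonymous_reads_bobs_hash": allowed(acls, None, BOB, "sambaNTPassword", "read"),
        "alice_reads_bobs_cn": allowed(acls, ALICE, BOB, "cn", "read"),
    }


if __name__ == "__main__":
    for name, acls in [("poster", POSTERS_ACL), ("paul", PAULS_ACL), ("misordered", MISORDERED_ACL)]:
        print(name, report(acls))
```

Running it shows the three outcomes the thread is about: under the poster's rule alice can write bob's hash, under Paul's ordering she gets nothing on it while bob, the domain admin and anonymous (auth only) keep what they need, and once `access to *` is moved in front of the password rule the hashes become readable by everyone, which is why the order of the clauses, not just their contents, is the thing to check in slapd.conf.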
