Daniel Müller wrote:

Oops! Fat fingers come again! The ACLs were bad (exactly the 2nd and 3rd ACLs).

These are the correct ACLs (I don't use the 'smbldap-tools' user):

 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
       by self write
       by anonymous auth
       by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
     by dn="cn=samba,ou=DSA,dc=example,dc=org" write
     by * read

# Users can change some attributes of their profile
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by self write
       by users read
       by * none

# some attributes need to be writable for samba
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by self read
       by * none

# samba manages:
#     -> Domain accounts
#     -> New users
#     -> New groups
#     -> Machines in the domain
access to dn.base="dc=example,dc=org"
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by * none
access to dn="ou=Users,dc=example,dc=org"
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by * none
access to dn="ou=Groups,dc=example,dc=org"
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by * none
access to dn="ou=Computers,dc=example,dc=org"
       by dn="cn=samba,ou=DSA,dc=example,dc=org" write
       by * none

access to *
       by * read
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
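As an added illustration that is not part of the post, the following Python models slapd's first-match ACL evaluation over the attribute ACLs above (the long Samba attribute list is shortened and the dn-targeted clauses are left out). It shows that an anonymous bind gets only `auth` on userPassword, that `cn` is governed by the third clause so the fourth clause's `by self read` is never reached, and that any attribute not named anywhere falls through to the final `access to * by * read`; the user DNs used to exercise it are constructed.

```python
# Constructed copy of the attribute ACLs from the post, same order, long lists shortened.
ACL_TEXT = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,shadowLastChange
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by * read
access to attrs=description,telephoneNumber,loginShell,gecos,cn,sn,givenname,mail
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by self write
  by users read
  by * none
access to attrs=cn,sambaLogonTime,sambaAcctFlags,sambaSID,sambaPrimaryGroupSID
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by self read
  by * none
access to *
  by * read
"""

def parse_acls(text):
    """[(attrs_or_None, [(who, level), ...]), ...] in file order; only attrs= targets are modelled."""
    acls = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to"):
            attrs = line.split("attrs=", 1)[1].split(",") if "attrs=" in line else None
            acls.append((attrs, []))
        elif line.startswith("by "):
            acls[-1][1].append(tuple(line[3:].rsplit(" ", 1)))
    return acls

def who_matches(who, requestor, target_dn):  # <who> forms used in the post; None = anonymous bind
    return (who == "*" or (who == "anonymous" and requestor is None)
            or (who == "users" and requestor is not None)
            or (who == "self" and requestor == target_dn)
            or who == 'dn="%s"' % requestor)

def access_level(acls, requestor, target_dn, attr):
    """slapd uses the first <access to> whose target matches, then its first matching <by>."""
    for attrs, by_list in acls:
        if attrs is None or attr in attrs:
            for who, level in by_list:
                if who_matches(who, requestor, target_dn):
                    return level
            return "none"  # target matched but no <by> did: denied, later clauses are skipped
    return "none"  # not reached here because of the trailing 'access to *'
```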
