samba-technical@lists.samba.org

Re: option ldap filter remove in 3.0.20

Subject: Re: option ldap filter remove in 3.0.20
From: Andrew Bartlett
Date: Tue, 20 Sep 2005 18:44:33 +1000
On Tue, 2005-09-20 at 10:41 +0200, Ingo Steuwer wrote:
> On Tuesday, 20 September 2005 07:42, Andrew Bartlett wrote:
> > On Tue, 2005-09-20 at 07:28 +0200, Ingo Steuwer wrote:
> > > On Monday, 19 September 2005 16:22, Gerald (Jerry) Carter wrote:
> > > > Ingo Steuwer wrote:
> > > > > Hello
> > > > >
> > > > > we realized that the option "ldap filter" was removed in
> > > > > 3.0.20. As we need this option in one of our projects
> > > > > to separate users on different samba instances/servers,
> > > > > I'd like to know for what reason the option was removed?
> > > > >
> > > > > The SVN patch was small and changed only two files, so we'd
> > > > > like to reactivate this option using it. Is there any chance
> > > > > for this to get back into SVN?
> > > >
> > > > The option didn't work, and was not always applied consistently.
> > > > We had too many configuration errors by users who had misconfigured
> > > > or misunderstood the option.  It was simply historical baggage.
> > > >
> > > > You can present your case, but it will take a lot of convincing.
> > > > Perhaps if you give some specific examples of what filter you use.
> > >
> > > The option did a good job in several samba releases for us. We use it to
> > > define network- or location-based access for users using a
> > > ldap-attribute.
> > >
> > > In an example:
> > > Three locations A, B and C each have their own PDC (no common WINS server)
> > > based on the same ldap. Location A has no ldap filter, B has filter
> > > (&(uid=%u) (location=B)) and C has filter (&(uid=%u)(location=C)). I can
> > > decide per user on which location he may work (he can always login at A),
> > > while I've got the complete address-book and other LDAP-stuff at each
> > > location.
> > >
> > > This is far easier to administer than sambaUserWorkstations and can
> > > be used in other LDAP-based tools as well.
> >
> > So, what you really want is a custom auth module, at the top of the
> > stack that returns NO_SUCH_USER or INVALID_WORKSTATION for that user,
> > before consulting the rest of the auth stack.
> 
> Is there a plugin- or module-architecture for authentication in samba? Or do 
> you think of PAM?

You can do either.  Samba4 has its own auth module interface (not
usually publicised, because most users shouldn't touch it, but quite
useful and flexible).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
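The per-location filters quoted above, evaluated against a few constructed directory entries. This is an added example, not code from the thread or from Samba: it parses a subset of RFC 4515 filters (and/or/not, equality, presence), substitutes the username for %u with the RFC 4515 escaping that such a substitution needs, and shows which locations each sample user may log in at. The entries, the `DIRECTORY` and `SERVER_FILTERS` tables and all function names are assumptions made for the example.

```python
"""Evaluate RFC 4515 style LDAP search filters against in-memory entries.

Added example, not from the samba-technical thread or from Samba's code.
It illustrates the per-location filters quoted in the thread and why the
value substituted for %u must be escaped before it enters the filter.
"""
import re

# RFC 4515 section 3: '*', '(', ')', '\' and NUL in an assertion value are
# written as a backslash followed by two hex digits.
def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class FilterSyntaxError(ValueError):
    pass


_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9;-]*)=([^()]*)')


def parse_filter(text: str):
    """Parse a filter string into a nested tuple tree.

    Supported: (&...), (|...), (!...), (attr=value), (attr=*).
    The RFC 4515 grammar has no whitespace between filter items, so
    '(&(uid=x) (location=B))' is rejected, as a strict server would.
    """
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != '(':
            raise FilterSyntaxError('expected "(" at offset %d' % pos)
        pos += 1
        if pos >= len(text):
            raise FilterSyntaxError('unexpected end of filter')
        op = text[pos]
        if op in '&|':
            pos += 1
            items = []
            while pos < len(text) and text[pos] == '(':
                items.append(parse())
            node = (op, items)
        elif op == '!':
            pos += 1
            node = ('!', parse())
        else:
            m = _ITEM.match(text, pos)
            if not m:
                raise FilterSyntaxError('bad filter item at offset %d' % pos)
            pos = m.end()
            attr, raw = m.group(1).lower(), m.group(2)
            if raw == '*':
                node = ('present', attr)          # (attr=*) is a presence test
            elif '*' in raw:
                raise FilterSyntaxError('substring filters not supported here')
            else:
                node = ('eq', attr, unescape_filter_value(raw))
        if pos >= len(text) or text[pos] != ')':
            raise FilterSyntaxError('expected ")" at offset %d' % pos)
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise FilterSyntaxError('trailing data at offset %d' % pos)
    return node


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False


def matches(entry: dict, node) -> bool:
    """Evaluate a parsed filter against an entry of {attr: [values]}.
    Comparison is case-insensitive, as for caseIgnoreMatch attributes."""
    kind = node[0]
    if kind == '&':
        return all(matches(entry, n) for n in node[1])
    if kind == '|':
        return any(matches(entry, n) for n in node[1])
    if kind == '!':
        return not matches(entry, node[1])
    values = [v.lower() for v in entry.get(node[1], [])]
    if kind == 'present':
        return bool(values)
    return node[2].lower() in values


def user_allowed(entry: dict, filter_template: str, username: str) -> bool:
    """Apply a server's filter template with %u replaced by the escaped
    username. An empty template means no filter, as at location A."""
    if not filter_template:
        return True
    node = parse_filter(filter_template.replace('%u', escape_filter_value(username)))
    return matches(entry, node)


# Constructed sample entries, not from the thread.
DIRECTORY = {
    'alice': {'uid': ['alice'], 'location': ['B']},
    'bob':   {'uid': ['bob'],   'location': ['C']},
    'carol': {'uid': ['carol'], 'location': ['B', 'C']},
}

# The filters quoted in the thread; the stray space in B's filter is removed
# so that it parses under the RFC 4515 grammar.
SERVER_FILTERS = {'A': '', 'B': '(&(uid=%u)(location=B))', 'C': '(&(uid=%u)(location=C))'}


def where_can_login(username: str) -> list:
    entry = DIRECTORY.get(username)
    if entry is None:
        return []
    return sorted(loc for loc, f in SERVER_FILTERS.items() if user_allowed(entry, f, username))


if __name__ == '__main__':
    for name in ('alice', 'bob', 'carol'):
        print(name, '->', where_can_login(name))
```

Escaping matters because an unescaped `*` as the username would turn `(uid=%u)` into the presence test `(uid=*)`, which matches every entry carrying a uid and so collapses the filter to a pure location check; with `escape_filter_value` the `*` becomes `\2a` and is compared as a literal.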