Norbert Gomes
2006-Feb-08 11:47 UTC
[Samba] ldap authentication without 'ldap filter' parameter
Hello

I'm trying to update Samba from 3.0.11 to 3.0.21 and I noticed that the 'ldap filter' parameter has been removed. After some searching, I read that I have to configure nss_ldap. But I don't know how to configure it properly to operate with our LDAP database.

Let me explain:

We used the 'ldap filter' parameter like this:

    ldap filter = (&(iufmLogin=%u)(gecos=#*))

Our authentication is based on the 'iufmLogin' attribute (we cannot use the 'uid' attribute) and the gecos has to start with the '#' character for the user to be authenticated.

But my problem is that I can't configure the /etc/ldap.conf file to use these filters. I tried to put this in the /etc/ldap.conf file:

    pam_filter iufmLogin=%s
    pam_login_attribute iufmLogin

But the system seems to ignore these filters and it only uses the 'uid' attribute when I try the 'getent passwd' command.

Can someone explain to me how to do this correctly?

Thanks

Norbert Gomes
William Jojo
2006-Feb-08 12:12 UTC
[Samba] ldap authentication without 'ldap filter' parameter
----- Original Message -----
From: "Norbert Gomes" <norbert.gomes@orleans-tours.iufm.fr>
To: "samba" <samba@lists.samba.org>
Sent: Wednesday, February 08, 2006 5:46 AM
Subject: [Samba] ldap authentication without 'ldap filter' parameter

> Hello
>
> I'm trying to update samba from 3.0.11 to 3.0.21 and I noticed that the
> 'ldap filter' parameter has been removed.
> After some search, I read that I have to configure nss_ldap. But I don't
> know how to configure it properly to operate with our LDAP database.
>
> Let me explain :
>
> We used the 'ldap filter' parameter like this :
>
> ldap filter = (&(iufmLogin=%u)(gecos=#*))
>

Well, I understand your position. Tree management can be tough.

What you could look at if you are using OpenLDAP is:

http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release

This is the rewrite module. It allows you to remap attributes and create conditional changes to client searches and server replies. It works for updates as well, so it's not just smoke and mirrors. This *might* help you out of your jam.

I looked at this for our installation (we have a single tree that's used among several DC's with trusts), but with the impending changes for enumerating group RIDs, our own use of group mappings, future AD (read Samba 4) implementation and other political considerations, I've decided to script a tree transform instead.

Cheers,

Bill

>
> Our authentication is based on the 'iufmLogin' attribute (we cannot use
> the 'uid' attribute) and the gecos has to start with the '#' character
> for the user to be authenticated.
>
> But my problem is that I can't parameter the /etc/ldap.conf file to use
> these filters.
>
> I tried to put this in the /etc/ldap.conf file :
>
> pam_filter iufmLogin=%s
> pam_login_attribute iufmLogin
>
> But the system seems to ignore these filters and it only uses the 'uid'
> attribute when I try the 'getent passwd' command.
>
> Can someone explain me how to do this correctly ?
>
> Thanks
>
>
> Norbert Gomes
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>
Gordon Messmer
2006-Feb-08 16:10 UTC
[Samba] ldap authentication without 'ldap filter' parameter
Norbert Gomes wrote:
> After some search, I read that I have to configure nss_ldap. But I
> don't know how to configure it properly to operate with our LDAP
> database.
>
> Let me explain :
>
> We used the 'ldap filter' parameter like this :
> ldap filter = (&(iufmLogin=%u)(gecos=#*))
>

I think you want to use these settings in ldap.conf:

    nss_base_passwd ou=People,dc=example,dc=com?one?gecos=#*
    nss_map_attribute uid iufmLogin
    pam_login_attribute iufmLogin

I'm not sure whether or not pam_login_attribute is strictly required. I'd try with just the first two settings, and leave it at that if things work as you expect.
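The following is an added worked example, not code from the thread or from Samba, nss_ldap or OpenLDAP. It models what the two configurations in this thread do to a passwd lookup: the old Samba 'ldap filter' (substituting %u) versus the proposed nss_ldap settings, where the filter part of 'nss_base_passwd base?scope?filter' is AND-ed onto every passwd query and 'nss_map_attribute uid iufmLogin' changes the attribute the login name is matched on. How nss_ldap builds its query is written here as an assumption about its behaviour; the directory entries and the search base 'ou=People,dc=example,dc=com' are constructed sample data. Two points worth seeing in the output: 'getent passwd' is answered by nss_ldap, which reads only the nss_* keys, while pam_filter and pam_login_attribute are read by pam_ldap at authentication time, which is why the original poster's pam_* lines had no effect on getent; and once gecos=#* lives in nss_base_passwd it gates enumeration as well as lookups, so an account that fails it is invisible to the whole system, not only to Samba.

```python
import re

# Constructed sample directory entries (not real data); attribute values are lists, as in LDAP.
SAMPLE_ENTRIES = [
    {"dn": "uid=u1001,ou=People,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": ["u1001"], "iufmLogin": ["ngomes"], "gecos": ["#Norbert Gomes"]},
    {"dn": "uid=u1002,ou=People,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": ["u1002"], "iufmLogin": ["wjojo"], "gecos": ["William Jojo"]},      # gecos lacks '#'
    {"dn": "uid=u1003,ou=People,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": ["u1003"], "iufmLogin": ["gmessmer"], "gecos": ["#Gordon Messmer"]},
    {"dn": "uid=u2001,ou=Service,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": ["u2001"], "iufmLogin": ["backup"], "gecos": ["#Backup service"]},  # outside ou=People
]


def parse_filter(s):
    """Parse an RFC 4515-style filter into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(node())
            if s[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = s.index(")", pos)
        attr, _, value = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry. Attribute names are case-insensitive and
    '*' in an assertion value is a wildcard, as in LDAP substring filters."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if isinstance(values, str):
        values = [values]
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def search(entries, base, scope, filter_str):
    """Minimal model of an LDAP search: base DN, scope 'base'/'one'/'sub', and a filter."""
    tree = parse_filter(filter_str)
    base_l = base.lower()
    hits = []
    for e in entries:
        dn = e["dn"].lower()
        if scope == "base":
            in_scope = dn == base_l
        elif scope == "one":
            in_scope = dn.split(",", 1)[1] == base_l
        else:
            in_scope = dn == base_l or dn.endswith("," + base_l)
        if in_scope and matches(tree, e):
            hits.append(e)
    return hits


def samba_3_0_11_lookup(entries, username):
    """The query the poster's old 'ldap filter = (&(iufmLogin=%u)(gecos=#*))' produced,
    with %u substituted. Search base 'dc=example,dc=com' is assumed."""
    return search(entries, "dc=example,dc=com", "sub", "(&(iufmLogin=%s)(gecos=#*))" % username)


NSS_BASE_PASSWD = "ou=People,dc=example,dc=com?one?gecos=#*"  # value proposed in the thread
NSS_LOGIN_ATTR = "iufmLogin"                                  # from 'nss_map_attribute uid iufmLogin'


def nss_ldap_passwd(entries, username=None):
    """Model (an assumption about nss_ldap, not its source) of the passwd query built from
    'nss_base_passwd base?scope?filter' plus 'nss_map_attribute uid iufmLogin': the extra filter
    is AND-ed onto every query and the login name is matched on the mapped attribute.
    username=None models enumeration, i.e. 'getent passwd' with no argument.
    Returns the login names found."""
    base, scope, extra = NSS_BASE_PASSWD.split("?")
    terms = "(objectClass=posixAccount)(%s)" % extra
    if username is not None:
        terms += "(%s=%s)" % (NSS_LOGIN_ATTR, username)
    return [e[NSS_LOGIN_ATTR][0] for e in search(entries, base, scope, "(&%s)" % terms)]


if __name__ == "__main__":
    print("old samba, ngomes:", [e["dn"] for e in samba_3_0_11_lookup(SAMPLE_ENTRIES, "ngomes")])
    print("old samba, wjojo: ", [e["dn"] for e in samba_3_0_11_lookup(SAMPLE_ENTRIES, "wjojo")])
    print("getent passwd:     ", nss_ldap_passwd(SAMPLE_ENTRIES))
    print("getent passwd u1001:", nss_ldap_passwd(SAMPLE_ENTRIES, "u1001"))  # uid is no longer the key
```

Before relying on the nss_base_passwd filter on a real directory, run the same base, scope and filter through ldapsearch and confirm that exactly the intended accounts come back: the gecos=#* term is an authorization decision, and any account it excludes will fail name resolution everywhere on the host, not just in Samba.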