Re: Samba-LDAP PDC
Eureka! It now works with but one exception.
I can't get it to add the machine automagically. It's the only doggone
thing that doesn't work. The "add user script" works fine from the
command line but will not function appropriately when passed through
smb.conf.
Anyway, here is my add user script and my acls. The only thing I can
figure is that my admin user (i.e. root) doesn't have the access to add
a new machine. This seems kinda weird though because I don't have
trouble adding a user with directory-administrator.
ACLs are presented in order specified in the config files.
The names have been changed to protect my network's innocence. ;-)
From smb.conf:
add user script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account' -s /bin/false %u
slapd.access.conf looks like this:
> # This is a good place to put slapd access-control directives
> access to dn=".*,dc=microverse,dc=net" attr=userPassword
> by dn="cn=root,dc=example,dc=com" write
> by dn="cn=proxyuser,dc=example,dc=com" read
> by self write
> by * auth
>
> access to dn=".*,dc=example,dc=com" attr=mail
> by dn="cn=root,dc=example,dc=com" write
> by self write
> by * read
>
> access to dn=".*,ou=People,dc=example,dc=com"
> by * read
>
> access to dn=".*,dc=example,dc=com"
> by self write
> by * read
Below is where I think the problem might be. First off there is no user
"uid=root,ou=People,dc=example,dc=com" and ideally I would rather use a
group than a user anyway. Anybody got a clue on how I can specify all
users in such-and-such a group?
samba-slapd.include looks like this:
> # You should either include this file into your
> # /etc/openldap/slapd.conf, or add the contents (after editing), inside
> # the db definition your samba server will use.
>
>
> # Index the rid for samba:
> index rid eq
>
>
> # Basic samba acl:
> access to attrs=lmPassword,ntPassword
> by dn="cn=root,dc=microverse,dc=net" write
> by dn="uid=root,ou=People,dc=example,dc=com" write
> by * none
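Added example (not from the original message, not from the Samba or smbldap-tools projects): the same ACL set rewritten so that the samba hash rule comes first and the per-user "root" entries are replaced by an OpenLDAP `by group=` clause. slapd applies the first `access to` directive whose target matches, so if samba-slapd.include is read after the catch-all `access to dn=".*,dc=example,dc=com"` rule, that catch-all's `by * read` already covers lmPassword/ntPassword and the `by * none` line is never reached. The group name `cn=ldapadmins,ou=Group,dc=example,dc=com` is a hypothetical placeholder; `by group=` defaults to objectClass groupOfNames with a `member` attribute, so the admin dn(s) must be listed there.

```conf
# Added example: ordered slapd ACLs for a Samba LDAP backend.
# The admin group below is a hypothetical placeholder; put the DN that
# Samba binds with (its "ldap admin dn") in that group's member attribute.

# Most specific rule first: nobody but the admin group may read or write
# the LM/NT hashes. If this stanza came after the catch-all at the bottom,
# "by * read" there would match first and the hashes would be world-readable.
access to attrs=lmPassword,ntPassword
        by group="cn=ldapadmins,ou=Group,dc=example,dc=com" write
        by * none

# userPassword: admins write, the proxy bind user may read it,
# users may change their own, everyone else may only authenticate against it.
access to dn=".*,dc=example,dc=com" attr=userPassword
        by group="cn=ldapadmins,ou=Group,dc=example,dc=com" write
        by dn="cn=proxyuser,dc=example,dc=com" read
        by self write
        by * auth

# mail is not sensitive here: admins and the owner write, the rest read.
access to dn=".*,dc=example,dc=com" attr=mail
        by group="cn=ldapadmins,ou=Group,dc=example,dc=com" write
        by self write
        by * read

# Entries under ou=People (users and, if created there, machine accounts):
# the admin group needs write so the add user script can create new entries.
access to dn=".*,ou=People,dc=example,dc=com"
        by group="cn=ldapadmins,ou=Group,dc=example,dc=com" write
        by * read

# Catch-all for everything else in the tree; kept last on purpose.
access to dn=".*,dc=example,dc=com"
        by group="cn=ldapadmins,ou=Group,dc=example,dc=com" write
        by self write
        by * read
```

The `dn=".*,..."` regex form is the one the original post uses; keep it or the exact-match form consistently across all stanzas, since a stanza whose target never matches is silently skipped.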