Re: smbk5pwd: ldap_pvt_thread_pool_getkey fails, etc...

[Howard Chu <hyc@symas.com>]

Kris Maglione wrote:

> By the way, is there a way (I'm willing to write the code) to deny 
> write access to all kerberos/samba attributes and still have an 
> overlay change them? I want the module to be able to change the "must 
> change" time, etc, but not the user. I also don't want them to be able 
> to manually alter their own hashes.

I've added a flag (SLAP_MOD_INTERNAL) in CVS HEAD that can be used for 
internal requests to bypass the ACL check on a modify. So you could use 
this patch in your slapd source, and set the flag in smbk5pwd.c. Then 
you can set the ACLs you want on the hashes and the module will still 
work. But the same caveat about kadmin still applies - you'll need to 
grant privs to the ID that kadmin Binds with, otherwise its own attempts 
to set these attributes will fail.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support