[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd: ldap_pvt_thread_pool_getkey fails, etc...

Kris Maglione wrote:

By the way, is there a way (I'm willing to write the code) to deny write access to all kerberos/samba attributes and still have an overlay change them? I want the module to be able to change the "must change" time, etc, but not the user. I also don't want them to be able to manually alter their own hashes.

I've added a flag (SLAP_MOD_INTERNAL) in CVS HEAD that can be used for internal requests to bypass the ACL check on a modify. So you could use this patch in your slapd source, and set the flag in smbk5pwd.c. Then you can set the ACLs you want on the hashes and the module will still work. But the same caveat about kadmin still applies - you'll need to grant privs to the ID that kadmin Binds with, otherwise its own attempts to set these attributes will fail.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support