[Date Prev][Date Next]
Re: smbk5pwd: ldap_pvt_thread_pool_getkey fails, etc...
Kris Maglione wrote:
By the way, is there a way (I'm willing to write the code) to deny
write access to all kerberos/samba attributes and still have an
overlay change them? I want the module to be able to change the "must
change" time, etc, but not the user. I also don't want them to be able
to manually alter their own hashes.
I've added a flag (SLAP_MOD_INTERNAL) in CVS HEAD that can be used for
internal requests to bypass the ACL check on a modify. So you could use
this patch in your slapd source, and set the flag in smbk5pwd.c. Then
you can set the ACLs you want on the hashes and the module will still
work. But the same caveat about kadmin still applies - you'll need to
grant privs to the ID that kadmin Binds with, otherwise its own attempts
to set these attributes will fail.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support