| Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter.
| Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter.
+
|-
+
| Account Suffix
+
| @PS1
+
| When attempting to check password, the sAMAccountName needs the suffix appeneded to it.
|-
|-
| mail
| mail
| mail
| mail
| ldap field that stores the user's email address
| ldap field that stores the user's email address
+
| Minimum password length
+
| 1
+
| AD lets users bind to ldap with 0 length passwords. It's fscked up, but accepted.
|}
|}
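Review bot: The "Minimum password length" row sets the value to 1 but the explanation ("It's fscked up, but accepted.") does not say why the guard is needed: an LDAP simple bind that supplies a name but an empty password is the "unauthenticated" mechanism of RFC 4513 §5.1.2, and AD answers it with success without checking any credential, so a service that treats a successful bind as a verified password will accept any username with an empty password. Suggest rewording the note to state that, and to say that the service must refuse empty passwords before it attempts the bind rather than relying on the directory to reject them. Two smaller points in the same hunk: "appeneded" in the Account Suffix row should be "appended", and "Filters on not disabled account" would be clearer with the actual filter expression the reader is expected to enter (for example the usual `userAccountControl` bit test `(!(userAccountControl:1.2.840.113556.1.4.803:=2))`, which is what the "preceded with a `!`" remark is alluding to).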
Line 64:
Line 71:
* You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
* You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
* Start without the filter field, add it later.
* Start without the filter field, add it later.
+
* When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1
+
* If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct.
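Review bot: The last bullet describes the empty-password bind as something that merely "sort of works", but it is the failure mode the Minimum password length row in the table exists to prevent, and the two should be cross-referenced: a bind with a zero-length password is an unauthenticated bind that the server reports as successful, so the only reliable protection is for the service to reject an empty password before calling bind at all. Suggest stating that explicitly and adding a check the reader can perform (bind as a known user with an empty password and confirm the service reports a failed login). Minor: the previous bullet says the service binds "to samba" while the rest of the section says "to ldap"; use one term, and note that `user@PS1` is the userPrincipalName form built from the Account Suffix row, so the suffix must match what the directory expects or the bind will fail for every user.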