[Samba] Setting up LDAP Authentification - Tree design/search scope
Brother Railgun of Reason
alaric at caerllewys.net
Mon Mar 8 11:04:50 MST 2010
On Mon, Mar 08, 2010 at 11:04:42AM -0500, Gaiseric Vandal wrote:
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,....) vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.
>
>
> So you would need to set ACLs to restrict access to "ou=other" OR to
> restrict access to "ou=people" and then grant it back to "ou=employees"
> and "ou=students." You also want to make sure that certain fields
> (passwd) are restricted so that only "administrator" accounts can access
> them. You can also configure whether anonymous users can access certain
> information or not (e.g. names and phone numbers.)
>
> I use Sun's directory server as an LDAP backend. I suspect most samba
> users are using OpenLDAP. I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.

I've never gotten around to actually setting up LDAP anywhere, though
I've looked at it several times. Each time I do, I come away from it
feeling that LDAP suffers badly from "The wonderful thing about
standards is that there's so many to choose from". It seems it's so
open-ended, and there are so many possible ways to set up a directory,
that it becomes difficult to find any two LDAP-aware applications that
actually use (and expect to see) the same LDAP schema.

How does one overcome this?
--
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric at caerllewys.net alaric at metrocast.net phil at co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
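
Added example, not part of either poster's message: one way the ACL layout described in the quoted text could be written for OpenLDAP's slapd.conf. The suffix dc=example,dc=com, the admin DN, and the placement of ou=students, ou=employees and ou=other directly under ou=people are assumptions, since the thread elides the rest of the tree.

```conf
# Added example for OpenLDAP slapd.conf (not from the original thread).
# Assumed names: suffix dc=example,dc=com, admin DN cn=admin,dc=example,dc=com,
# and ou=students / ou=employees / ou=other directly under ou=people.
# slapd applies the first "access to" clause that matches an entry/attribute
# and, inside it, the first matching "by", so specific rules come first.

# 1. Password material: only the admin account can read or write it.
#    "auth" lets slapd compare userPassword during a bind without ever
#    returning it. The samba* attributes are password-equivalent hashes
#    and need samba.schema loaded, otherwise slapd rejects this clause.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by * none

# 2. ou=other is closed to everyone except the admin, so a client that
#    searches recursively from ou=people gets nothing back from it.
access to dn.subtree="ou=other,ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# 3. Address-book attributes in the rest of ou=people (students and
#    employees): readable by anyone, including anonymous clients.
#    "entry" and objectClass are listed so entries can be found by a search.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=entry,objectClass,cn,sn,givenName,mail,telephoneNumber
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read

# 4. Every other attribute under ou=people: authenticated users only.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

Rules like these can be checked with OpenLDAP's slapacl tool before address-book clients are pointed at the server.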