[Samba] AD LDAP
Michal67M at seznam.cz
Wed Jun 27 11:24:31 UTC 2018
> This is a problem. We used to be able to get "public" data from ldap
> without authentication (password attributes can not be read without
> user bind, of course). Is there any way how to do it?
Yes, but before I tell you, why do you feel you need to do this, what
are you searching for?

We use GroupOffice and it is configured to use LDAP; it is looking up
users and emails in certain form fields (well, I do not know if it queries
LDAP with or without authentication in this case).
We have another 3rd party app, which searches LDAP for user data and in
this case I am quite sure they do not use authentication, because they
update their user list "offline" once a day without user logged in and they
do not know "root" or any particular dn and password (AFAIK).
(And we have other apps with LDAP auth (bind) here, not sure whether
they need anonymous bind sometimes or not.)

> > We have a lot of scripts based on "ldapsearch" (without
> > authentication) and "ldapmodify" (with ldap authentication). It
> > would be very unpleasant if we can not use the scripts with
> > SambaAD.
> >
>
> They should work, but you may not need all of them, Samba comes with
> 'samba-tool' and you can use this to maintain user & groups etc.
>
> samba-tool can do queries like
> '(&(uidNumber>=5000)(!(uidNumber>=6000)))'
> or
> "-b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))"
> or
> "createTimestamp>=201801310000Z"
>
> ?
To be honest, no.
To carry out such searches, you will need to authenticate, this is the
standard way of doing things on AD and is a lot more secure compared
with the way openldap does it.

Authentication is not a problem in the case of my/our own scripts, but how can
I create e.g. a user with read-only access to the whole (without password attribs)
samba ldap db? And what is the dn for authentication?
ldapsearch -D what? I was used to using "uid=user,ou=people,dc=domain,dc=cz",
but I do not know how it is to be in samba AD (and I can not look into the LDAP
structure, because I would need to know the structure for administrator
bind for that).
Thanks, Michal

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba