[Samba] search in ldap

IOhannes zmoelnig zmoelnig at iem.kug.ac.at
Mon Aug 26 00:28:00 GMT 2002


Bradley W. Langhorst wrote:
> On Fri, 2002-08-23 at 09:26, Camus Moire wrote:
> 
>>Can someone point me to some documentation about
>>how privileges had to be with security in mind.
>>(root in ldap == distorted stomach)

i had these too...(note the past tense)



> I don't think it is a serious problem to have root in ldap
> since you have ldap set up to restrict access to the passwords...
true

> 
> If you're really worried about it you could leave root local 
> and set up a different account to be the samba admin (i've not done that
> but I think it is possible)

that i do not think.
i couldn't make it work but with the name "root".
however, the ldap-entry for "root" for samba-sake need only be of 
sambaAccount (no posixAccount). [now writing this i do not think, that 
this was the solution to my problem. however read on:]

i have put all the administrative accounts in a separate ldap-subtree, 
which cannot (or only restricted) be read by the pam_ldap-operator. 
Since the samba-"root"-account lives in this sub-tree, it cannot be 
accessed for logging into a unix-machine and therefore the real "root"s 
are kept local.

mfg.ds.ar
IOhanne

> 
> brad
> 
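
The layout described in this message (administrative accounts in their own subtree that the pam_ldap bind DN cannot read, plus restricted password attributes) could be expressed as the following access rules. This is an added example, not configuration from the post; it assumes OpenLDAP slapd.conf syntax, and every DN and the ou=Admins name are placeholders.

```conf
# slapd.conf access rules (assumed: OpenLDAP; all DNs below are placeholders).
# slapd evaluates "access to" clauses top-down: the first clause whose target
# matches the entry/attribute decides, and inside it the first matching "by"
# wins. Narrow rules therefore have to come before broad ones.

# 1. Administrative subtree, holding the sambaAccount-only "root" entry.
#    Only the DN Samba binds with may touch it. The DN pam_ldap binds with
#    gets "none", so a search for uid=root from a unix login finds nothing
#    here and the local root account stays the only usable one.
access to dn.subtree="ou=Admins,dc=example,dc=org"
    by dn.exact="cn=samba,dc=example,dc=org" write
    by dn.exact="cn=pam,dc=example,dc=org" none
    by * none

# 2. Password material in the rest of the tree. lmPassword and ntPassword are
#    the hash attributes of the sambaAccount object class; they are
#    password-equivalent and must not be readable by ordinary binds.
#    "anonymous auth" allows a bind to be checked without exposing the value.
access to attrs=userPassword,lmPassword,ntPassword
    by dn.exact="cn=samba,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# 3. Everything else: ordinary account data is readable, so that lookups by
#    the pam_ldap bind DN keep working for normal users.
access to *
    by dn.exact="cn=samba,dc=example,dc=org" write
    by * read
```

To check the result, bind as the pam_ldap DN and search the ou=Admins subtree: the search should return no entries, while the same search under the ordinary user subtree still succeeds.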





