[Samba] Openldap + Samba 3 PDC

Adam Tauno Williams adam at morrison-ind.com
Thu Dec 30 16:16:54 GMT 2004


> I'm new to ldap.  What should I set my DC's DN to, admin?  

There is no answer to this question. You create an object in the DIT
for the DC to bind to, and make sure it has sufficient privileges. You
shouldn't use the OpenLDAP manager DN; that DN has the access to trash
the entire DIT.

We, for example, have a -
dn: uid=CIFSDC,ou=System Accounts,o=Morrison Industries,c=US
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: CIFSDC
l: Grand Rapids
o: Morrison Industries
ou: Grand Rapids
- object[1]

[1] userPassword attribute is hidden by ACL

> dn: cn=admin,ou=People,dc=strozllc,dc=com
> cn: admin
> objectClass: top
> objectClass: organizationalRole
> objectClass: simpleSecurityObject
> userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Don't ever expose userPassword. No application ever needs read access
to this attribute; the value is used internally by the DSA for
authentication purposes, and this value egressing the DSA is a security
problem. The CIFSDC needs write access, everyone else needs auth access;
you may have to grant "self" write access as well depending on your
password change routines/policies.
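An added example, not part of the original post, showing how the access policy described above is written as slapd.conf access directives. It assumes the CIFSDC bind DN from the LDIF earlier in the post; every other DN in it is illustrative.

```conf
# Added example (not from the original post). Assumes the Samba DC binds as
# uid=CIFSDC,ou=System Accounts,o=Morrison Industries,c=US.
#
# userPassword: the DC may write it (account creation, password sync),
# the entry itself may change its own, everyone else may only use it to
# bind (auth), and nobody may read it back.
access to attrs=userPassword
    by dn.exact="uid=CIFSDC,ou=System Accounts,o=Morrison Industries,c=US" write
    by self write
    by * auth

# Everything else: the DC gets write access to the tree it manages,
# authenticated users get read; anonymous gets nothing.
access to *
    by dn.exact="uid=CIFSDC,ou=System Accounts,o=Morrison Industries,c=US" write
    by users read
    by * none
```

Order matters: slapd stops at the first `access to` clause that matches the attribute, so the userPassword rule must precede the catch-all. An anonymous or ordinary-user ldapsearch against the entry should then return no userPassword attribute at all, which is the check that the ACL actually hides it.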
