[Samba] Scaleable LDAP Backends for Samba; Domain Controllers group access

Jim C. jcllings at javahop.com
Sun Oct 3 19:41:31 GMT 2004

OK, just went through the research on how to set up scalable LDAP 
backends.  By scaleable I mean without having Samba use the root dn to 
access ldap. This way, if you are going through the logs, you will be 
able to tell which domain controller is doing what.

As far as I know, it *HAS* to be done this way because the posixGroup 
schema is way out of date (it won't take a dn as a member).  This info 
according to the gurus on the OpenLDAP list. In effect we have to keep a 
duplicate set of group records for those that will have access to the 
database. For example, if you want to give group based access to a group 
like "Domain Controllers", you would have to keep a duplicate record 
using a different objectClass.

Oh, yes and if you know a better way, I am always looking for better 
ways to get things done. :-)

How I did it was like this:

1. I set up a new OU called "Access Groups".

2. I created a new groupOfNames object in that OU called "Domain 
Controllers".  For the "member" attribute, use the dn of the host record 
for your primary DC.

3. Using gq, I added simpleSecurityObject to the host record so that it 
would have a password.  Note: Probably can't use the machine account 
instead due to some rather complex password issues.

4. I set the password by pasting the results of the following command 
into the userPassword attribute:

[root at massive openldap]$  read -sp "Enter password to be used:" 
pw;echo;slappasswd -s $pw;unset pw
Enter password to be used:
[root at massive openldap]$

5. I verified that I had a proper set of ACLs by using "slapd -t" to 
test them. That way you don't have to restart to find out if they are 
bad. You also need a line like the following in each access clause:

        by group="cn=Domain Controllers,ou=Access Groups,$2" write

6. Group access can now be had by placing the dn of the controller's 
host record (which must have a simpleSecurityObject) in the member 
attribute of the new groupOfNames group called "Domain Controllers".

To add more controllers, just create a new host record, add 
simpleSecurityObject to it, and add the dn of that host record as a 
member of the groupOfNames group called "Domain Controllers".
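As an added illustration (not code from the post), the following Python script produces the pieces from steps 2 to 6: a {SSHA} hash in the form slappasswd emits, the LDIF that makes the DC's host record a member of the groupOfNames and gives it simpleSecurityObject plus userPassword, and the slapd.conf access clause. The base DN, the ou=Hosts location and the host name are constructed placeholders, and the ou=Access Groups entry from step 1 is assumed to already exist.

```python
import base64
import hashlib
import hmac
import os

# Constructed placeholder names; substitute your own base DN and host entry.
BASE_DN = "dc=example,dc=com"
GROUP_DN = f"cn=Domain Controllers,ou=Access Groups,{BASE_DN}"

def make_ssha(password: str, salt: bytes = b"") -> str:
    """Hash like the slappasswd default: {SSHA} + base64(sha1(pw + salt) + salt)."""
    if not salt:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, password: str) -> bool:
    """Check a hash before pasting it into userPassword (step 4)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
    expect = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expect)

def dc_access_ldif(host_dn: str, ssha_hash: str) -> str:
    """groupOfNames with the DC's host record as member (steps 2, 6) and
    simpleSecurityObject + userPassword on that record (steps 3, 4); feed to ldapmodify."""
    return "\n".join([
        f"dn: {GROUP_DN}",
        "changetype: add",
        "objectClass: groupOfNames",
        "cn: Domain Controllers",
        f"member: {host_dn}",
        "",
        f"dn: {host_dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: simpleSecurityObject",
        "-",
        "add: userPassword",
        f"userPassword: {ssha_hash}",
        "",
    ])

def dc_access_acl() -> str:
    """slapd.conf clause for step 5; group= defaults to groupOfNames/member."""
    return (f'access to dn.subtree="{BASE_DN}"\n'
            f'    by group="{GROUP_DN}" write\n'
            "    by * read\n")
```

Run "slapd -t" after adding the clause, as in step 5, and check the slapd log to confirm binds now arrive as the host DN rather than the root DN.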

More details at:


Jim C.
| I can be reached on the following Instant Messenger services: |
| MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
| Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz	|
