[Samba] Re: Authenticating DCs on an LDAP backend... nobody knows how?
Jim C.
jcllings at javahop.com
Wed Sep 29 17:27:12 GMT 2004
Whoops! Missed part of those acls that had scrolled off the top of my
screen. The full slapd.access.conf listing is as follows:
> # This is a good place to put slapd access-control directives
>
> # The Administrator DIT should be accessible to all clients
> access to dn.exact=""
> by * read
>
> # Generic ACLs
> # These ACLs should work well for any domain-based (i.e. dc=,dc=) suffix,
> # but need adjustment and testing for any other suffix
> # Note that these ACLs allow anonymous read access to most non-password
> # attributes, you may want to prevent leakage of this information by
> # removing the "by anonymous read" lines
>
> # Protect passwords, using a regex so we can have generic accounts with
> # write access
> # OpenLDAP will not authenticate against non-userPassword attributes
> # but we would have to duplicate most rules ...
> access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
> by self write
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain\ Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by anonymous auth
> by * none
>
> # ACL allowing samba domain controllers to add user accounts
> access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=entry,children,posixAccount,sambaAccount,inetOrgperson,sambaSamAccount
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain\ Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
>
> # allow users to modify their own "address book" entries:
> access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=inetOrgPerson,mail
> by self write
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain\ Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
>
> # Allow samba domain controllers to create groups and group mappings
> access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=entry,children,posixGroup,sambaGroupMapping
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain\ Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
>
> # Allow samba domain controllers to create machine accounts
> access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain\ Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
>
> # Allow samba to create idmap entries
> access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=entry,children,sambaIdmapEntry
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain\ Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
>
> # Allow users in the domain to add entries to the "global address book":
> access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=children,entry,inetOrgPerson
> by dn="uid=[^,]+,ou=People,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
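The rules above all hinge on two things that are easy to get wrong by eye: whether a given entry DN is accepted by a rule's dn.regex at all, and what the $2 back-reference expands to in the "by dn.exact,expand=..." and "by group=..." clauses. The script below is an added example, not code from the post or from the Samba or OpenLDAP projects. It copies the "what" patterns from the quoted listing, matches them against a handful of constructed sample DNs, and expands the three privileged "by" DNs the way slapd does. The rule labels, the sample DNs, the variant pattern with the "+" dropped, and the use of Python's re with IGNORECASE in place of slapd's REG_EXTENDED|REG_ICASE match against the normalized DN are all assumptions of this example; attrs= matching is deliberately not modelled.

```python
import re

# Added example, not part of the original post. The 'what' patterns below are
# copied from the quoted slapd.access.conf; the labels are this example's own.
ACL_WHAT = {
    "passwords": r"^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$",
    "people":    r"^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$",
    "group":     r"^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$",
    "hosts":     r"^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$",
    "idmap":     r"^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$",
    "contacts":  r"^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$",
}

# Constructed pitfall for comparison: the Contacts rule with the '+' dropped
# from the first group, so the RDN in front of ou=Contacts may be at most one
# character long, i.e. in practice only the container itself matches.
CONTACTS_WHAT_MISSING_PLUS = r"^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"

# 'by' clauses from the listing that rely on $2 being the dc= suffix. The
# backslash in "Domain\ Controllers" is slapd.conf quoting, not part of the DN.
BY_TEMPLATES = (
    "uid=Administrator,ou=People,$2",
    "cn=Domain Controllers,ou=Group,$2",
    "cn=Replicator,ou=Group,$2",
)


def match_what(pattern, dn):
    """Return the capture groups if `pattern` accepts `dn`, else None.

    slapd compiles dn.regex patterns with REG_EXTENDED|REG_ICASE and runs them
    against the normalized DN; re.IGNORECASE on an already-normalized string is
    the closest stand-alone approximation (assumption: no escaped commas).
    """
    m = re.search(pattern, dn, re.IGNORECASE)
    return None if m is None else m.groups()


def expand(template, groups):
    """Substitute $1..$9 from the 'what' match, as slapd does for regex-style
    and ',expand' style 'by' clauses. An unmatched optional group becomes ''."""
    def sub(m):
        value = groups[int(m.group(1)) - 1]
        return value if value is not None else ""
    return re.sub(r"\$([1-9])", sub, template)


def suffix_for(dn):
    """The $2 capture (the dc= suffix) from the first rule accepting `dn`,
    or None when no rule applies."""
    for pattern in ACL_WHAT.values():
        groups = match_what(pattern, dn)
        if groups is not None:
            return groups[1]
    return None


def matching_rules(dn):
    """Labels of every rule whose 'what' DN regex accepts `dn`, in file order.

    Which one actually governs a request also depends on each rule's attrs=
    list (slapd takes the first rule matching both DN and attribute); that
    attribute matching is not modelled here.
    """
    return [label for label, pat in ACL_WHAT.items()
            if match_what(pat, dn) is not None]


def privileged_dns(dn):
    """The expanded writer DNs for `dn`, i.e. whom the 'by' clauses name."""
    suffix = suffix_for(dn)
    if suffix is None:
        return []
    return [expand(t, (None, suffix)) for t in BY_TEMPLATES]


if __name__ == "__main__":
    # Constructed sample DNs, not taken from the post.
    for dn in ("uid=jdoe,ou=People,dc=example,dc=com",
               "ou=People,dc=example,dc=com",
               "uid=ws01$,ou=Hosts,dc=corp,dc=example,dc=net",
               "cn=Bob Smith,ou=Contacts,dc=example,dc=com",
               "uid=jdoe,ou=Staff,dc=example,dc=com",
               "cn=admin,dc=example,dc=com"):
        print(dn, "->", matching_rules(dn), privileged_dns(dn))
    print("contacts rule without '+':",
          match_what(CONTACTS_WHAT_MISSING_PLUS,
                     "cn=Bob Smith,ou=Contacts,dc=example,dc=com"))
```

Two things the run makes visible. First, the leading "([^,]+,)?" is optional, so each rule accepts both the entries directly under its ou and the ou container itself, while the "^" anchor rejects anything nested one level deeper (cn=x,ou=sub,ou=People,...); such entries match none of these rules, password attributes included, and fall to whatever later rule or default slapd applies. Second, the password rule's "ou=[^,]+" covers every ou under the suffix, not just the ones named in the other rules, which is what makes a uid=...,ou=Staff entry's password protected even though no Staff rule exists. Dropping the "+" in a "what" pattern, as in the constructed variant, silently shrinks the rule to the container alone, which is worth checking this way before trusting an ACL that appears to do nothing.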