[Samba] Recommended LDAP access settings for a Samba admin DN
Andrey Voitenkov
mccloud at gyrus.kiev.ua
Mon Dec 19 12:27:40 GMT 2005
Marek Szuba wrote:
> At the moment everything works fine, but I'd like Samba to use a
> dedicated LDAP access DN instead of the global directory admin one.
> Could you give me any recommendations as to how access rules should be
> set for this DN so that it both can work without problems and have no
> unnecessary privileges?
I use the following settings:
--- cut ---
# Samba password hashes inside the domain subtree
access to dn.subtree="dc=GYRUS,dc=office,dc=local"
        attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=ssamba,ou=Shadow,dc=office,dc=local" write
        by dn="uid=radiusd,ou=Shadow,dc=office,dc=local" read
        by * none
# userPassword on any entry
access to attr=userPassword
        by dn="uid=ssamba,ou=Shadow,dc=office,dc=local" write
        by self write
        by anonymous auth
        by * none
# All other attributes inside the domain subtree
access to dn.subtree="dc=GYRUS,dc=office,dc=local"
        by dn="uid=ssamba,ou=Shadow,dc=office,dc=local" write
        by * read
# Everything else
access to *
        by * read
--- cut ---
The Samba domain is stored under the dc=GYRUS,dc=office,dc=local node;
Samba uses the posixAccount record uid=ssamba,ou=Shadow,dc=office,dc=local
to access the LDAP server. Maybe it is not the best way, but it works for me.
--
mccloud@
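
Added example (not part of the original message and not OpenLDAP code): a simplified Python model of how slapd picks the first matching "access to" clause and then the first matching "by" clause, loaded with the rules from the message, to check which bind DN ends up with which level on the password attributes. The entry uid=alice, the function names and the DN normalization are assumptions made for illustration.

```python
# Simplified model of slapd ACL evaluation, not OpenLDAP code: the first
# "access to" clause matching entry+attribute wins, then its first matching "by".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
SAMBA = "uid=ssamba,ou=Shadow,dc=office,dc=local"
RADIUS = "uid=radiusd,ou=Shadow,dc=office,dc=local"
DOMAIN = "dc=GYRUS,dc=office,dc=local"
ALICE = "uid=alice,ou=Users," + DOMAIN  # constructed sample entry (assumption)

# (subtree base or None = any entry, attribute set or None = all, [(who, level)])
ACLS = [
    (DOMAIN, {"sambalmpassword", "sambantpassword"},
     [(SAMBA, "write"), (RADIUS, "read"), ("*", "none")]),
    (None, {"userpassword"},
     [(SAMBA, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (DOMAIN, None, [(SAMBA, "write"), ("*", "read")]),
    (None, None, [("*", "read")]),
]

def norm(dn):
    """Lower-case and trim each RDN (sufficient for these sample DNs)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(entry, base):
    e, b = norm(entry), norm(base)
    return e == b or e.endswith("," + b)

def who_matches(who, bind_dn, entry):
    if who == "*":
        return True
    if bind_dn is None:               # anonymous bind
        return who == "anonymous"
    if who == "self":
        return norm(bind_dn) == norm(entry)
    return who != "anonymous" and norm(bind_dn) == norm(who)

def granted(bind_dn, entry, attr):
    """Level that bind_dn (None = anonymous) gets on attr of entry."""
    for base, attrs, by in ACLS:
        if base is not None and not in_subtree(entry, base):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        return next((lvl for who, lvl in by if who_matches(who, bind_dn, entry)),
                    "none")           # implicit "by * none" ends every clause
    return "none"                     # no clause matched at all

if __name__ == "__main__":
    for who in (SAMBA, RADIUS, ALICE, None):
        print(who, [granted(who, ALICE, a) for a in ("sambaNTPassword", "userPassword", "uid")])
```

In this model a sambaNTPassword value on an entry outside dc=GYRUS,dc=office,dc=local falls through to "access to *" and is readable by anyone, so the first rule's scope has to cover every entry that carries Samba hashes. On a live server, OpenLDAP's slapacl tool answers the same question against the real configuration.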