[Samba] Re: SAMBA3 + LDAP
Craig White
craigwhite at azapple.com
Tue Dec 20 13:02:17 GMT 2005
On Tue, 2005-12-20 at 11:11 +0530, mallapadi niranjan wrote:
> Hi craig
>
> I have stopped LDAP and run "slapindex"; it does not produce any
> output, and my /var/lib/ldap is owned by the ldap user and all the
> files in it are created by user ldap only, mode 600.
>
> I hope I am missing something in the slapd ACLs.
> The following is my slapd.conf file:
> ##########################################################################
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> database bdb
> suffix "dc=msdpl,dc=com"
> rootdn "cn=manager,dc=msdpl,dc=com"
> rootpw secret
> directory /var/lib/ldap
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index loginShell eq,pres
> index nisMapName,nisMapEntry eq,pres,sub
> index displayName eq,pres,sub
> index uidNumber eq
> index gidNumber eq
> index memberUID eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index default sub
>
> #access to dn.base="dc=msdpl,dc=com"
> access to attrs=sambaLMPassword,sambaNTPassword
> by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
> by * none
> access to attr=userPassword
> by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> by self write
> by anonymous auth
> by * none
> access to *
> by * read
> ###########################################################################
-----
RHEL 4.x = openldap-2.2.13-x
I think the ACLs may be a problem.
You can always test whether the ACLs are the problem by making the first ACL
access to *
by * write
That would allow everybody to do everything, so you can test.
Then, the ACLs as you have them above were suitable for 2.0.x, but I'm
not so sure that they work with 2.2.x.
Perhaps this would be better (I don't know if the Domain Admins thing
will work because I don't do it that way...don't you use a Groups
container?)
# allow everybody to try to bind
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn.exact,expand="uid=$1,ou=Domain Admins,dc=msdpl,dc=com" write
by self write
by anonymous auth
by * none
access to *
by * read
and finally, I generally use the statement
allow bind_v2 bind_anon_dn
to allow version 2 binds and anonymous binds.
Craig
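The following is an added example, not code from the thread or from the OpenLDAP project. It is a small Python lint for the ACL section of a slapd.conf that checks the three things the reply above turns on: "access to" clauses are evaluated in order and the first clause whose target matches wins (so a leading "access to *" shadows everything after it, which is exactly why the debugging trick works); since OpenLDAP 2.1 a plain "by dn=..." is an exact DN match, so a 2.0-style wildcard such as uid=.* silently matches nobody unless written with the dn.regex style; and the password attributes need "by anonymous auth" for simple binds and "by self write" for users to change their own password. The three sample ACL texts are constructed here: the first is the one quoted from the original post, the second is the debugging variant suggested above, and the third is a corrected version that assumes (following the "Groups container" question) a groupOfNames entry cn=Domain Admins,ou=Groups,dc=msdpl,dc=com.

```python
"""slapd.conf ACL lint (added example; the sample ACLs are constructed
from the ones quoted in the thread, not taken from a live server)."""
import re

PASSWORD_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # 2.2 order
REGEX_META = re.compile(r"[.*+?\[\]()|^$]")
# by dn="..."  /  by dn.regex="..."  /  by dn.exact,expand="..."
WHO_DN = re.compile(r'^dn(?:\.(\w+))?(?:,\w+)?="([^"]*)"$')


def parse_acls(conf):
    """Return [(target, [(who, level), ...]), ...] in file order.

    slapd.conf joins a line to the previous one when it starts with
    whitespace; lines starting with "by" are joined too, which is lenient
    so that configs pasted with their indentation stripped still parse."""
    lines = []
    for raw in conf.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        if lines and (raw[:1].isspace() or text.startswith("by ")):
            lines[-1] += " " + text
        else:
            lines.append(text)
    acls = []
    for line in lines:
        m = re.match(r"access\s+to\s+(.*)", line)
        if not m:
            continue
        target, *rules = re.split(r"\s+by\s+", m.group(1))
        by = [tuple(part.strip() for part in r.strip().rpartition(" ")[::2])
              for r in rules]
        acls.append((target.strip(), by))
    return acls


def at_least(level, wanted):
    return level in LEVELS and LEVELS.index(level) >= LEVELS.index(wanted)


def lint_acls(acls):
    """Return a list of (clause_number, message) findings."""
    findings = []
    for n, (target, by) in enumerate(acls, start=1):
        if target == "*" and n < len(acls):
            findings.append((n, "'access to *' is not the last clause; "
                                "the clauses after it are never evaluated"))
        m = re.match(r"attrs?=([\w,]+)", target)
        attrs = {a.lower() for a in m.group(1).split(",")} if m else set()
        for who, level in by:
            dn = WHO_DN.match(who)
            if dn and dn.group(1) is None and REGEX_META.search(dn.group(2)):
                findings.append((n, f"{who} is an exact DN match in OpenLDAP "
                                    "2.1+; use dn.regex= for a pattern"))
            if (attrs & PASSWORD_ATTRS and level == "write" and dn
                    and dn.group(1) in ("regex", "subtree", "children", "onelevel")):
                findings.append((n, f"{who} grants write on password attributes "
                                    "to every matching user, not just self"))
        levels = dict(by)
        if "userpassword" in attrs and not at_least(levels.get("anonymous", "none"), "auth"):
            findings.append((n, "userPassword lacks 'by anonymous auth'; simple binds fail"))
        if attrs & PASSWORD_ATTRS and not at_least(levels.get("self", "none"), "write"):
            findings.append((n, "password attributes lack 'by self write'"))
    return findings


ORIGINAL = """
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
        by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
        by * none
access to attr=userPassword
        by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""
DEBUG = """
access to *
        by * write
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""
FIXED = """
# assumption: cn=Domain Admins is a groupOfNames under ou=Groups
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by group="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("debug", DEBUG), ("fixed", FIXED)):
        print(name, lint_acls(parse_acls(conf)) or "no findings")
```

Run against the posted ACLs it reports the 2.0-style dn= patterns (which match no one on 2.2) and the missing "by self write" on the Samba hashes; against the debugging variant it reports only that the leading "access to *" shadows the rest; the corrected version produces no findings. The lint is static: it says nothing about whether slapd actually loads the file, so still run slaptest and an ldapsearch as a bound user before relying on it.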