[Samba] Re: SAMBA3 + LDAP

Craig White craigwhite at azapple.com
Tue Dec 20 13:02:17 GMT 2005


On Tue, 2005-12-20 at 11:11 +0530, mallapadi niranjan wrote:
> Hi craig
> 
> I have stopped the ldap and checked the "slapindex" and it does not
> produce any output, and
> my /var/lib/ldap is owned by the ldap user and all the files are
> created by user ldap only, mode 600.
> 
> I hope I am missing something in the slapd ACLs.
> The following is my slapd.conf file
> ##########################################################################
> include        /etc/openldap/schema/core.schema
> include        /etc/openldap/schema/cosine.schema
> include        /etc/openldap/schema/inetorgperson.schema
> include        /etc/openldap/schema/nis.schema
> include        /etc/openldap/schema/samba.schema
> 
> pidfile        /var/run/slapd.pid
> argsfile    /var/run/slapd.args
> database    bdb
> suffix        "dc=msdpl,dc=com"
> rootdn        "cn=manager,dc=msdpl,dc=com"
> rootpw        secret
> directory    /var/lib/ldap
> 
> # Indices to maintain for this database
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index loginShell             eq,pres
> index nisMapName,nisMapEntry            eq,pres,sub
> index displayName            eq,pres,sub
> index uidNumber                eq
> index gidNumber                eq
> index memberUID                eq
> index sambaSID                eq
> index sambaPrimaryGroupSID        eq
> index default                sub
> 
> #access to dn.base="dc=msdpl,dc=com" 
> access to attrs=sambaLMPassword,sambaNTPassword
>         by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>         by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
>         by * none
> access to attr=userPassword
>         by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>         by self write
>         by anonymous auth
>         by * none
> access to *
>         by * read
> ###########################################################################
-----
RHEL 4.x = openldap-2.2.13-x

I think the ACLs may be a problem.

You can always test if ACLs are a problem by making the first ACL,

access to *
        by * write

That would allow everybody to do everything so you can test.

Then, the ACLs as you have them above were suitable for 2.0.x, but I'm
not so sure that they work with 2.2.x.

Perhaps this would be better (I don't know if the Domain Admins thing
will work because I don't do it that way...don't you use a Groups
container?)

# allow everybody to try to bind
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact,expand="uid=$1,ou=Domain Admins,dc=msdpl,dc=com" write
        by self write
        by anonymous auth
        by * none

access to *
        by * read

and finally, I generally use the statement

allow           bind_v2 bind_anon_dn

to allow version 2 binds and anonymous binds

Craig
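As an added illustration of the two points in this reply (the "let everybody do everything" test ACL, and the fact that slapd stops at the first matching `access to` clause), here is a small lint over slapd.conf access directives. It is not code from the thread; the two configurations are constructed samples and the Domain Admins group DN is an assumption.

```python
import re
PASSWORD_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}  # compared case-insensitively

def parse_access(conf):
    """Return [(target, [(who, level), ...]), ...] in file order; slapd uses the first matching 'to'."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()                # strip comments
        if line.lower().startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line[:1].isspace() and line.strip().lower().startswith("by ") and rules:
            who, level = line.strip()[3:].rsplit(None, 1)  # <who> may be a DN containing spaces
            rules[-1][1].append((who, level.lower()))
    return rules

def lint(conf):
    """Return findings for the access directives of a slapd.conf text ([] means nothing flagged)."""
    rules, findings, protected = parse_access(conf), [], set()
    for i, (target, clauses) in enumerate(rules, 1):
        m = re.search(r"attrs?=(\S+)", target, re.I)
        attrs = {a.lower() for a in m.group(1).split(",")} if m else set()
        for who, level in clauses:
            if target == "*" and who == "*" and level == "write":
                findings.append(f"rule {i}: 'access to * by * write' lets anyone modify anything")
            if attrs & PASSWORD_ATTRS and who in ("*", "anonymous") and level not in ("none", "auth"):
                findings.append(f"rule {i}: '{who}' gets '{level}' on password attributes")
        if target == "*" and i < len(rules):
            findings.append(f"rule {i}: catch-all 'to *' makes rule {i + 1} and later unreachable")
        protected |= attrs & PASSWORD_ATTRS
    missing = PASSWORD_ATTRS - protected
    if missing and any(t == "*" and any(w == "*" and l != "none" for w, l in c) for t, c in rules):
        findings.append("no rule targets %s; they fall through to the catch-all" % ", ".join(sorted(missing)))
    return findings

# Constructed sample: the "test everything" ACL left in place at the top of the list.
DEBUG_CONF = """\
access to *
        by * write
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by anonymous auth
        by * none
"""
# Constructed sample: password attributes restricted first, catch-all read last (group DN assumed).
PROD_CONF = """\
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by group.exact="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""
```

Running `lint(DEBUG_CONF)` reports both the everyone-can-write rule and that it shadows the password rule behind it; `lint(PROD_CONF)` reports nothing.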
