[Samba] Re: SAMBA3 + LDAP
paul kölle
paul at subsignal.org
Tue Dec 20 16:01:52 GMT 2005
mallapadi niranjan wrote:
> Hi
>
> Thanks for replying to me. In the ACL below
> #####################################################################
> #access to dn.base="dc=msdpl,dc=com"
>
>> access to attrs=sambaLMPassword,sambaNTPassword
>>   by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>>   by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
>>   by * none
>> access to attr=userPassword
>>   by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>>   by self write
>>   by anonymous auth
>>   by * none
>> access to *
>>   by * read
>
>
>
> #######################################################################
> In by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read, if I keep read/write
> it's not affecting.
>
> So I have changed my ACLs:
> #########################################################################
> access to dn.base="dc=msdpl,dc=com"
>   attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,
>   objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid,description,
>   telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
>   by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>   by dn="uid=.*,ou=Groups,dc=msdpl,dc=com" write
>   by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" write
>   by self write
>   by anonymous auth
>   by * none
That is write access to the Samba password hashes for everyone in the
ou=People container again. They are basically cleartext-equivalent. ACLs
are evaluated "in order": first match rules. So to protect passwords you
could write something like (OTOH):
access to attrs=sambaLMPassword,sambaNTPassword,userPassword
  by self write
  by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
  by anonymous auth
  by * none
access to *
  by self write
  by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
  by * read
Note that this is NOT suitable for your environment and only serves as
an example, as you probably want to prevent users from messing with
attributes that enforce a particular policy (like pwdMustChange). As Craig
noted, the uid=.*,ou=Domain Admins,... part doesn't make sense. If you
want group-based access control you need the <expand> syntax. Read the
manpage for access control (man slapd.access).
cheers
Paul
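The first-match evaluation Paul describes, as an added example that is not part of this thread and not OpenLDAP's own code: a small Python model of how slapd walks "access to" clauses, run over the weak ACL from the question (its dn clauses rewritten as explicit, anchored dn.regex patterns in the shape the reply uses) and over the reply's replacement, with the same two clauses swapped as a third case. The DNs uid=alice and uid=bob under ou=People and uid=admin under ou=Domain Admins are constructed sample data; anchoring the patterns with ^ and $ and comparing DNs case-insensitively are this example's choices, standing in for slapd's DN normalisation.

```python
import re

# Access levels as slapd.access(5) ranks them; a granted level satisfies every
# lower requested level (write implies read, read implies auth, and so on).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_RE = re.compile(r'^by\s+(\*|self|anonymous|dn\.regex="[^"]*")\s+(\w+)$')

def parse_acl(text):
    """Parse a subset of slapd.conf 'access to' directives into an ordered list of
    (attrs, by_clauses): attrs is a set of lower-cased names or None for 'access to *'.
    Only '*', 'self', 'anonymous' and dn.regex="..." are modelled as <who>."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                attrs = None
            elif what.startswith("attrs="):
                attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
            else:
                raise ValueError("unsupported <what>: " + what)
            rules.append((attrs, []))
        else:
            m = BY_RE.match(line)
            if not m or not rules:
                raise ValueError("cannot parse: " + line)
            who, level = m.groups()
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            rules[-1][1].append((who, level))
    return rules

def who_matches(who, bind_dn, target_dn):
    """Does a <who> clause apply to this requester? bind_dn is '' when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    # dn.regex="...": case-insensitive matching stands in for slapd's DN normalisation.
    return re.match(who[len('dn.regex="'):-1], bind_dn, re.IGNORECASE) is not None

def granted_level(rules, bind_dn, target_dn, attr):
    """First match decides: only the first 'access to' clause covering the attribute
    is consulted, and inside it the first matching 'by' clause wins. A clause with no
    matching 'by' denies (implicit 'by * none'); so does running out of clauses."""
    for attrs, by_clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"

def allowed(acl_text, bind_dn, target_dn, attr, requested):
    granted = granted_level(parse_acl(acl_text), bind_dn, target_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(requested)

# Constructed ACL text. WEAK_ACL restates the first ACL from the question with
# explicit, anchored dn.regex patterns; the two clauses after it are the reply's
# suggestion, anchored the same way. HARDENED/MISORDERED differ only in clause order.
WEAK_ACL = """
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.regex="^uid=[^,]+,ou=People,dc=msdpl,dc=com$" write
    by dn.regex="^uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com$" read
    by * none
access to *
    by * read
"""
PASSWORD_CLAUSE = """
access to attrs=sambaLMPassword,sambaNTPassword,userPassword
    by self write
    by dn.regex="^uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com$" write
    by anonymous auth
    by * none
"""
CATCHALL_CLAUSE = """
access to *
    by self write
    by dn.regex="^uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com$" write
    by * read
"""
HARDENED_ACL = PASSWORD_CLAUSE + CATCHALL_CLAUSE
MISORDERED_ACL = CATCHALL_CLAUSE + PASSWORD_CLAUSE  # catch-all first: password clause is dead

# Constructed sample DNs (not from the thread); '' binds anonymously.
ALICE = "uid=alice,ou=People,dc=msdpl,dc=com"
BOB = "uid=bob,ou=People,dc=msdpl,dc=com"
ADMIN = "uid=admin,ou=Domain Admins,dc=msdpl,dc=com"
```

Calling allowed(WEAK_ACL, ALICE, BOB, "sambaNTPassword", "write") returns True, which is the problem Paul points at: any bound user under ou=People can overwrite any other user's NT hash. With HARDENED_ACL the same call returns False, alice can still write her own hashes, anonymous gets auth (but not read) on userPassword so simple binds keep working, and everything else falls through to "by * read". MISORDERED_ACL shows why clause order matters: with "access to *" first, it matches every attribute, so the password clause is never reached and alice can read bob's hashes. Against a real configuration, slapacl(8) answers the same question without guessing, for example slapacl -f slapd.conf -D "uid=alice,ou=People,dc=msdpl,dc=com" -b "uid=bob,ou=People,dc=msdpl,dc=com" sambaNTPassword/write, which is worth running for each ACL change before deploying it.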