[Samba] Re: SAMBA3 + LDAP

paul kölle paul at subsignal.org
Tue Dec 20 16:01:52 GMT 2005


mallapadi niranjan wrote:
> Hi
> 
> Thanks for Replying me . In the ACL below
> #####################################################################
> #access to dn.base="dc=msdpl,dc=com"
> 
>>access to attrs=sambaLMPassword,sambaNTPassword
>>>        by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>>>        by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
>>>        by * none
>>>access to attr=userPassword
>>>        by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>>>        by self write
>>>        by anonymous auth
>>>        by * none
>>>access to *
>>>        by * read
> 
> 
> 
> #######################################################################
> in by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read if i keep read/write
> it's not affecting
> 
> so i have changed my acl's
> #########################################################################
> access to dn.base="dc=msdpl,dc=com"
>  attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,
>  objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid,description,
>  telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
>  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>  by dn="uid=.*,ou=Groups,dc=msdpl,dc=com" write
>  by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" write
>  by self write
>  by anonymous auth
>  by * none
That is write access to Samba password hashes for everyone in the
ou=People container again. They are basically cleartext equivalent. ACLs
are evaluated "in order", first match rules. So to protect passwords you
could write something like (OTOH):

access to attrs=sambaLMPassword,sambaNTPassword,userPassword
 by self write
 by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
 by anonymous auth
 by * none

access to *
 by self write
 by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
 by * read

Note that this is NOT suitable for your environment and only serves as
an example as you probably want to prevent users from messing with
attributes enforcing a particular policy (like pwdMustChange). As Craig
noted, the uid=.*,ou=Domain Admins,... part doesn't make sense. If you
want group based access control you need the <expand> syntax. Read the
manpage for access control (man slapd.access).

cheers
 Paul
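Added example, not from the thread and not OpenLDAP's own code: a small Python model of slapd's first-match ACL evaluation, run over a reduced form of the posted ACL and of Paul's suggested one. It assumes `dn.regex` clauses match against the whole bind DN, reads the posted `dn="uid=.*,..."` clauses as regexes (as Paul does), ignores the `dn.base` scoping, and uses constructed DNs for bob, alice and an admin.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege order, low to high

def who_matches(who, bind_dn, target_dn):
    """One 'by <who>' clause; bind_dn is None for an anonymous bind, target_dn is the entry touched."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    return bind_dn is not None and re.fullmatch(who[1], bind_dn) is not None  # ("dn.regex", pattern)

def access_level(acls, bind_dn, target_dn, attr):
    """The first 'access to' clause covering attr is consulted alone; its first matching 'by' decides; else deny."""
    for attrs, by_clauses in acls:  # attrs=None models 'access to *'
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # clause matched the target but no 'by' matched the requester
    return "none"      # no clause matched at all: slapd's implicit deny

def allowed(acls, bind_dn, target_dn, attr, wanted):
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)
PEOPLE = r"uid=[^,]+,ou=People,dc=msdpl,dc=com"
ADMINS = r"uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com"
HASHES = {"sambaLMPassword", "sambaNTPassword", "userPassword"}
# Posted ACL, reduced to what matters: hashes and other attrs in one rule, ou=People granted write first.
POSTED_ACL = [(HASHES | {"uid", "cn"},
               [(("dn.regex", PEOPLE), "write"), (("dn.regex", ADMINS), "write"),
                ("self", "write"), ("anonymous", "auth"), ("*", "none")])]
# Paul's ordering: a hash-only rule first, then a catch-all 'access to *'.
SUGGESTED_ACL = [(HASHES, [("self", "write"), (("dn.regex", ADMINS), "write"),
                           ("anonymous", "auth"), ("*", "none")]),
                 (None, [("self", "write"), (("dn.regex", ADMINS), "write"), ("*", "read")])]
BOB, ALICE = "uid=bob,ou=People,dc=msdpl,dc=com", "uid=alice,ou=People,dc=msdpl,dc=com"
ADMIN = "uid=admin,ou=Domain Admins,dc=msdpl,dc=com"  # constructed sample DNs, not from the thread

def compare_policies():
    """Who may do what to alice's NT hash (and one non-hash attribute) under each ACL set."""
    return {
        "posted_bob_writes_alice_hash": allowed(POSTED_ACL, BOB, ALICE, "sambaNTPassword", "write"),
        "suggested_bob_writes_alice_hash": allowed(SUGGESTED_ACL, BOB, ALICE, "sambaNTPassword", "write"),
        "suggested_bob_writes_own_hash": allowed(SUGGESTED_ACL, BOB, BOB, "sambaNTPassword", "write"),
        "suggested_admin_writes_alice_hash": allowed(SUGGESTED_ACL, ADMIN, ALICE, "sambaNTPassword", "write"),
        "suggested_anon_reads_alice_hash": allowed(SUGGESTED_ACL, None, ALICE, "sambaNTPassword", "read"),
        "suggested_bob_reads_alice_cn": allowed(SUGGESTED_ACL, BOB, ALICE, "cn", "read"),
    }
```

The posted rule lets any ou=People bind rewrite another user's hash because its `by dn` clause is matched before `by self` is ever reached; the suggested ordering confines hash writes to the owner and Domain Admins while still leaving ordinary attributes readable.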


