[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Paul Kölle
pkoelle at gmail.com
Wed Sep 28 20:07:50 GMT 2005
Kristof Bruyninckx wrote:
> Entry in the /etc/samba/smb.conf
> snip "
> ldap ssl = no
> ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
> ldap idmap suffix = ou=idmap
> ldap suffix = dc=thales,dc=be
> idmap backend = ldap:ldap://127.0.0.1
> snip"
>
> Also fixed the ACL (I think...) :
>
> Changed the ACL part in the /etc/openldap/slapd.conf to the following
>
> access to attr=userPassword
>     by self write
>     by anonymous auth
>     by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
>     by * none
> access to *
>     by self write
>     by users read
>     by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
ACLs are evaluated "in order", the first match wins (see man slapd.access).
Here is a (simple) example:

# give everyone read access to the RootDSE and subschema
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read

# protect passwords
access to attrs=userPassword
    by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
    by self write
    by anonymous auth
    by * none

# very permissive but this is no problem as long as there are
# no other sensitive entries in the directory like user objects.
access to *
    by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
    by self write
    by users read
    by * none
hth
Paul
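The "first match wins" rule Paul describes can be checked before touching a live directory. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of slapd's rule selection (the first "access to" clause whose target matches the entry and attribute is used, and inside it the first matching "by" clause decides; later clauses are never consulted). It supports only the target and requester forms used in the thread ("*", dn.base="...", attrs=..., self, anonymous, users) and ignores dn.subtree/regex targets, groups, sets and stop/continue/break controls. The user DNs and the SWAPPED ordering are constructed to show what happens when the catch-all "access to *" is placed above the userPassword rule.

```python
"""Toy model of slapd ACL evaluation (added example, not slapd's code).
Only the forms used in the mailing-list thread are modelled."""

from dataclasses import dataclass

# slapd privilege levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    target: str  # "*", 'dn.base="..."' or "attrs=a,b"
    by: list     # (who, level) pairs in file order


def parse_acl(text):
    """Parse slapd.conf-style 'access to ... by ...' directives."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, blank lines
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            rules.append(Rule(tokens[2], []))
            tokens = tokens[3:]
        # what remains are "by <who> <level>" triples, inline or on continuation lines
        while tokens:
            if tokens[0] != "by" or len(tokens) < 3:
                raise ValueError("malformed clause: %r" % raw)
            rules[-1].by.append((tokens[1], tokens[2]))
            tokens = tokens[3:]
    return rules


def _value(token):
    """'dn.base="X"' -> 'x': quotes dropped, DNs compared case-insensitively."""
    return token.split("=", 1)[1].strip('"').lower()


def target_matches(target, entry_dn, attr):
    if target == "*":
        return True
    if target.startswith("dn.base="):
        return _value(target) == entry_dn.lower()
    if target.startswith("attrs="):
        return attr.lower() in _value(target).split(",")
    raise ValueError("unsupported target: %r" % target)


def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.base="):
        return _value(who) == bind_dn.lower()
    raise ValueError("unsupported requester: %r" % who)


def granted(rules, bind_dn, entry_dn, attr):
    """Privilege level bind_dn ('' = anonymous) gets on (entry_dn, attr)."""
    for rule in rules:
        if not target_matches(rule.target, entry_dn, attr):
            continue
        for who, level in rule.by:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # implicit trailing "by * none"; later rules are not consulted
    return "none"      # no rule matched; slapd denies once any ACL is configured


def allows(rules, bind_dn, entry_dn, attr, wanted):
    return LEVELS.index(granted(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)


SAMBA = "uid=samba,ou=Idmap,dc=thales,dc=be"
PW_RULE = """access to attrs=userPassword
    by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
    by self write
    by anonymous auth
    by * none
"""
ALL_RULE = """access to *
    by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
    by self write
    by users read
    by * none
"""
ROOT = 'access to dn.base="" by * read\naccess to dn.base="cn=subschema" by * read\n'
ORDERED = ROOT + PW_RULE + ALL_RULE   # Paul's ordering: password rule first
SWAPPED = ROOT + ALL_RULE + PW_RULE   # constructed mistake: catch-all first

USER = "uid=jdoe,ou=People,dc=thales,dc=be"   # constructed entries, not from the thread
OTHER = "uid=bob,ou=People,dc=thales,dc=be"


def demo():
    good, bad = parse_acl(ORDERED), parse_acl(SWAPPED)
    return {
        "anon_bind_ordered": granted(good, "", USER, "userPassword"),      # auth
        "anon_bind_swapped": granted(bad, "", USER, "userPassword"),       # none: binds fail
        "other_user_pw_ordered": granted(good, OTHER, USER, "userPassword"),  # none
        "other_user_pw_swapped": granted(bad, OTHER, USER, "userPassword"),   # read: leak
        "anon_rootdse": granted(good, "", "", "namingContexts"),           # read
        "samba_writes": granted(good, SAMBA, USER, "sambaSID"),            # write
    }


if __name__ == "__main__":
    for name, level in demo().items():
        print("%-24s %s" % (name, level))
```

The SWAPPED result is the point of Paul's remark: with "access to *" above the password rule, "by users read" is the first clause that matches any bound user, so every account can read every userPassword, while anonymous binds stop working because "by * none" in that rule is reached before "by anonymous auth" is ever considered.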