[Samba] samba + slave OpenLdap (read-only)

Charlie medievalist at gmail.com
Thu Jul 3 20:04:44 GMT 2008


On Thu, Jul 3, 2008 at 2:54 PM, Charlie <medievalist at gmail.com> wrote:
>
> The most common problem I see with busted referrals is when someone
> sets up a program (such as samba) to use the local replica's
> rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> ACLs and whatnot) but does not define that dn and password to have
> appropriate access on the master server.  If the admindn that samba is
> using does not have the ability to write the master slapd, it won't
> matter if it has unrestricted access to the slave.

Whoops, replying to myself here.  I have been privately warned that
allowing multiple samba servers unlimited write access to one's LDAP
database can cause creation of duplicate entries for single entities
(such as machine trust accounts).  Which leads to the dreaded
"multiple LDAP objects returned" error in the logs if you have samba
BDCs.

I do not recommend that any daemon have totally unrestricted write
access to one's LDAP directory.  I do not recommend that any entity
(other than a trusted human being) use the master slapd's
rootdn/rootpw for anything.

http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761

In my systems, the samba rootdn has the ability to write all
samba-only LDAP attributes but does not have the ability to create
POSIX accounts or anything else unrelated to samba.  Machine trust
accounts have the ability to modify their own passwords, because I am
not sure when they bind as the samba admindn and when they bind with
their own credentials.

I use samba to integrate proprietary desktops into standards-based
networks, and sometimes I forget that other people are doing the
opposite.  Our POSIX accounts, including machine trusts, are created
and deleted by human beings in accordance with the US federal
regulations that apply to my employer.  I hope no-one misinterpreted
my previous post.

--Charlie
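As an added example, not taken from Charlie's post or from the Samba or OpenLDAP projects, here is one way the split he describes (a samba admin DN that may write only samba-specific attributes, while users and machine trust accounts may change their own passwords, and POSIX account creation stays with humans) can be expressed as slapd.conf ACLs. The admin DN `cn=sambaadmin,dc=example,dc=com`, the suffix `dc=example,dc=com`, the domain object `sambaDomainName=EXAMPLE,...` and the attribute lists are assumptions chosen for illustration; adjust them to the directory in question.

```text
# Assumed example slapd.conf ACL fragment (not from the original post).
# ACL clauses are evaluated in order and the first "access to" that matches
# the target wins, so the specific attribute rules must come before the
# catch-all at the bottom.  These rules belong on the master slapd, which is
# where writes actually land once the read-only slave returns a referral;
# copy them to the slave as well so reads are governed the same way.

# Samba password/lockout attributes: writable by the samba admin DN and by
# the entry itself (a user or machine trust account binding with its own
# credentials, per the "by self" clause).  Nobody else can read the hashes.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,sambaPasswordHistory,sambaBadPasswordCount,sambaBadPasswordTime
        by dn.exact="cn=sambaadmin,dc=example,dc=com" write
        by self write
        by * none

# Remaining sambaSamAccount attributes: the samba admin DN may write them,
# everyone else may only read them.
access to attrs=sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaKickoffTime,sambaLogonTime,sambaLogoffTime,sambaLogonHours,sambaDomainName,sambaMungedDial,sambaUserWorkstations
        by dn.exact="cn=sambaadmin,dc=example,dc=com" write
        by * read

# The domain object (next RID, domain SID, policy) is samba-only data, so
# the samba admin DN may write the whole entry.
access to dn.exact="sambaDomainName=EXAMPLE,dc=example,dc=com"
        by dn.exact="cn=sambaadmin,dc=example,dc=com" write
        by * read

# POSIX password: only the owner may change it, and anonymous may use it to
# bind.  Note the samba admin DN is deliberately absent here.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, objectClass,
# adding or deleting entries, ...) is read-only for all non-root binds.
# The samba admin DN therefore cannot create or remove POSIX accounts.
access to *
        by * read
```

Two caveats worth checking against the deployment. First, because `objectClass` falls under the read-only catch-all, samba cannot itself turn a plain `posixAccount` into a `sambaSamAccount`; this matches a setup where the human provisioning step adds that object class, but if samba must add it, `objectClass` needs its own clause granting the admin DN write. Second, this admin DN is not the `rootdn` of either slapd, so the referral from the slave to the master is only useful if the same DN and password exist and are granted these rights on the master, which is exactly the mismatch described earlier in the thread.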

