[Samba] Setting up LDAP Authentification - Tree design/search scope
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Mar 8 09:04:42 MST 2010
smb.conf will list where samba searches in ldap.
e.g.
ldap suffix=o=abc.com
ldap user suffix=ou=employees,ou=people
ldap group suffix = ou=groups
ldap machine suffix=ou=machines,ou=people
I think the main challenge will be configuring access control lists.
If you have a server you only want accessed by employees, you would set
the "ldap user suffix" parameter in smb.conf appropriately.
But in terms of an address book, if someone has an LDAP address book
client (e.g. thunderbird) you can't prevent them from trying to
recursively query "ou=people,....) vs "ou=students." You can advise
end users whether they should set up two LDAP address books (students
vs employees) rather than one top level "people" one. From the end
user pespective, a single LDAP directory will probably be simpler.
So you would need to set ACL's to restrict access to "ou=other" OR to
restrict access to "ou=people" and then grant it back to "ou=employees"
and "ou=students." You also want to make sure that certain fields
(passwd) are restricted so that only "administrator" accounts can access
them. You can also configure whether anonymous users can access certain
information or not (e.g. names and phone numbers.)
I use Sun's directory server as an LDAP backend. I suspect most samba
users are using OpenLDAP. I also suspect that LDAP attributes may
not be restricted by default as much as they should be.
On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:
> Hi,
>
> recently I started to evaluate and think about setting up a central LDAP
> system for authentification and "phonebook". I'm also new to LDAP.
>
> There is a lot of doc and well documented how tos, and I came across the
> following question:
>
> Where is the search scope for samba defiend? Or is the LDAP servers
> setting defining the scope?
>
> All docs "talk" about putting all people under one branche, e.g.
>
> ou=People,dc=example,dc=com for the samba setting I'd have
>
> "ldap user suffix = ou=People"
>
> But with this setting I dont see how I may restrict the search for the
> phonebook look up. (e.g. I do have students, empoyees and other.
> Students may look up students and employees, but not the "other" group.)
>
> For me it would make more sense to "subgroup" the people like this:
>
> ou=students,ou=People,dc=example,dc=com
> ou=employees,ou=People,dc=example,dc=com
> ou=other,ou=People,dc=example,dc=com
>
> May be I'm mistaken.
>
> Thanks for any comment and best regards!
>
> Götz
>
More information about the samba
mailing list