[Samba] Setting up LDAP Authentification - Tree design/search scope

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Mar 8 09:04:42 MST 2010

smb.conf will list where samba searches in ldap.


# the user/group/machine suffixes are relative to "ldap suffix"
ldap suffix = o=abc.com
ldap user suffix = ou=employees,ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=machines,ou=people

I think the main challenge will be configuring access control lists.   
If you have a server you only want accessed by employees, you would set 
the "ldap user suffix" parameter in smb.conf appropriately.

But in terms of an address book, if someone has an LDAP address book 
client (e.g. thunderbird) you can't prevent them from trying to 
recursively query "ou=people,..." vs "ou=students."    You can advise 
end users whether they should set up two LDAP address books (students 
vs employees) rather than one top level "people" one.    From the end 
user perspective, a single LDAP directory will probably be simpler.

So you would need to set ACLs to restrict access to "ou=other" OR to 
restrict access to "ou=people" and then grant it back to "ou=employees" 
and "ou=students."  You also want to make sure that certain fields 
(passwd) are restricted so that only "administrator" accounts can access 
them.  You can also configure whether anonymous users can access certain 
information or not (e.g. names and phone numbers.)

I use Sun's directory server as an LDAP backend.   I suspect most samba 
users are using OpenLDAP.     I also suspect that LDAP attributes may 
not be restricted by default as much as they should be.

On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:
> Hi,
> recently I started to evaluate and think about setting up a central LDAP
> system for authentication and "phonebook". I'm also new to LDAP.
> There is a lot of doc and well documented how tos, and I came across the
> following question:
> Where is the search scope for samba defined? Or is the LDAP server's
> setting defining the scope?
> All docs "talk" about putting all people under one branch, e.g.
> ou=People,dc=example,dc=com for the samba setting I'd have
> "ldap user suffix = ou=People"
> But with this setting I don't see how I may restrict the search for the
> phonebook look up. (e.g. I do have students, employees and other.
> Students may look up students and employees, but not the "other" group.)
> For me it would make more sense to "subgroup" the people like this:
> ou=students,ou=People,dc=example,dc=com
> ou=employees,ou=People,dc=example,dc=com
> ou=other,ou=People,dc=example,dc=com
> Maybe I'm mistaken.
> Thanks for any comment and best regards!
> 	Götz
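The ACL approach Gaiseric describes, worked out for the tree in Götz's message, as an added example that is not part of either post. It is written in OpenLDAP slapd.conf "access to" syntax (the same clauses go into olcAccess values under cn=config); the names cn=admin,dc=example,dc=com (the DN given to Samba as "ldap admin dn") and the groupOfNames entries cn=employees and cn=students under ou=Groups,dc=example,dc=com are assumptions, and ou=Groups / ou=Machines are assumed to exist beside ou=People:

```conf
# Added example (not from the list posts). Assumed names: cn=admin is the
# DN Samba binds with ("ldap admin dn"); cn=employees/cn=students are
# groupOfNames entries under ou=Groups,dc=example,dc=com.
# Rules are evaluated in order; the first "to" clause that matches the
# entry/attribute decides, and "by * none" ends evaluation for everyone
# not already matched.

# 1. Password hashes (passwd field): only the Samba admin DN and the owner
#    may write them, anyone may bind against them (auth), nobody reads them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. ou=other is readable by employees and by the entry's owner only.
#    Students (and anonymous clients) never reach rule 3 for these entries,
#    so a recursive address-book search of ou=People simply omits them.
access to dn.subtree="ou=other,ou=People,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by group.exact="cn=employees,ou=Groups,dc=example,dc=com" read
    by self read
    by * none

# 3. Phonebook attributes under ou=People: any authenticated user may read
#    them, anonymous clients get nothing. "entry" must be listed, otherwise
#    the entry itself is not returned even if its attributes are readable.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,cn,sn,givenName,mail,telephoneNumber,ou
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none

# 4. Everything else (remaining account attributes, ou=Groups, ou=Machines):
#    the Samba admin DN writes, authenticated users read, anonymous sees nothing.
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

To check the effect, bind as a student account with ldapsearch (e.g. `ldapsearch -x -D "uid=student1,ou=students,ou=People,dc=example,dc=com" -W -b "ou=People,dc=example,dc=com" "(cn=*)"`) and confirm that entries from ou=other and any sambaNTPassword/userPassword values are absent from the result; repeat with `-x` alone (anonymous) and expect no entries at all. Samba itself is unaffected by rules 2 and 3 because it binds as the admin DN, which rule 4 grants write on the whole tree.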
