[Samba] Setting up LDAP Authentification - Tree design/search scope

Brother Railgun of Reason alaric at caerllewys.net
Mon Mar 8 11:04:50 MST 2010

On Mon, Mar 08, 2010 at 11:04:42AM -0500, Gaiseric Vandal wrote:
> But in terms of an address book, if someone has an LDAP address book 
> client (e.g. thunderbird) you can't prevent them from trying to 
> recursively query "ou=people,....) vs "ou=students."    You can advise 
> end users whether they should set  up two LDAP address books (students 
> vs employees) rather than one top level "people" one.    From the end 
> user pespective, a single LDAP directory will probably be simpler.
> So you would need to set ACL's to restrict access to "ou=other" OR to 
> restrict access to "ou=people" and then grant it back to "ou=employees" 
> and "ou=students."  You also want to make sure that certain fields 
> (passwd) are restricted so that only "administrator" accounts can access 
> them.  You can also configure whether anonymous users can access certain 
> information or not (e.g. names and phone numbers.)
> I use Sun's directory server as an LDAP backend.   I suspect most samba 
> users are using OpenLDAP.     I also suspect that LDAP attributes may 
> not be restricted by default as much as they should be.

I've never gotten around to actually setting up LDAP anywhere, though 
I've looked at it several times.  Each time I do, I come away from it 
feeling that LDAP suffers badly from "The wonderful thing about 
standards is that there's so many to choose from".  It seems it's so 
open-ended, and there are so many possible ways to set up a directory, 
that it becomes difficult to find any two LDAP-aware applications that 
actually use (and expect to see) the same LDAP schema.

How does one overcome this?

  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.

More information about the samba mailing list