[Samba] Setting up LDAP Authentification - Tree design/search scope
Brother Railgun of Reason
alaric at caerllewys.net
Mon Mar 8 11:04:50 MST 2010
On Mon, Mar 08, 2010 at 11:04:42AM -0500, Gaiseric Vandal wrote:
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,..." vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.
> So you would need to set ACLs to restrict access to "ou=other" OR to
> restrict access to "ou=people" and then grant it back to "ou=employees"
> and "ou=students." You also want to make sure that certain fields
> (passwd) are restricted so that only "administrator" accounts can access
> them. You can also configure whether anonymous users can access certain
> information or not (e.g. names and phone numbers.)
> I use Sun's directory server as an LDAP backend. I suspect most samba
> users are using OpenLDAP. I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.
I've never gotten around to actually setting up LDAP anywhere, though
I've looked at it several times. Each time I do, I come away from it
feeling that LDAP suffers badly from "The wonderful thing about
standards is that there's so many to choose from". It seems it's so
open-ended, and there are so many possible ways to set up a directory,
that it becomes difficult to find any two LDAP-aware applications that
actually use (and expect to see) the same LDAP schema.
How does one overcome this?
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric at caerllewys.net alaric at metrocast.net phil at co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
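As an added illustration of the ACL design Gaiseric describes in the quoted text (restrict "ou=other", or restrict "ou=people" and grant it back to "ou=employees" and "ou=students", keep password attributes to administrators, and decide what anonymous address-book clients may see), here is an example written in OpenLDAP slapd.conf access syntax, since the post assumes most Samba users run OpenLDAP. This is not code from either poster, from Samba or from Sun's directory server. The suffix dc=example,dc=com, the admin DN cn=admin,dc=example,dc=com and the OU layout are assumed placeholders.

```conf
# Added example: OpenLDAP slapd.conf ACLs for the tree discussed above.
# Assumed suffix: dc=example,dc=com  (placeholder)
# Assumed tree:   ou=people,dc=example,dc=com with children
#                 ou=employees, ou=students and ou=other
# Assumed admin:  cn=admin,dc=example,dc=com (the DN Samba binds with
#                 as its "ldap admin dn")
#
# slapd evaluates "access to" clauses in order and uses the FIRST one
# whose target matches, then the FIRST "by" clause that matches the
# requester. So the most specific rules must come first.

# 1. Password hashes: only the admin DN may read/write them, a user may
#    change their own, anonymous may only use them to bind ("auth").
#    No "by * read" here, otherwise every directory user could pull hashes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. Lock down ou=other entirely: nobody but the admin DN sees it,
#    regardless of what the broader ou=people rules below grant.
access to dn.subtree="ou=other,ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# 3. Address-book attributes under ou=people (employees and students):
#    readable by everyone including anonymous, so Thunderbird-style
#    clients work without a bind. "entry" is the pseudo-attribute that
#    must be readable for a search to return the entry at all.
access to dn.subtree="ou=people,dc=example,dc=com"
       attrs=cn,sn,givenName,mail,telephoneNumber,entry
    by * read

# 4. Everything else under ou=people: authenticated users may read,
#    the admin DN may write, anonymous gets nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none

# 5. Catch-all for the rest of the suffix.
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

Two things to keep in mind when adapting this: if cn=admin is also the database rootdn it bypasses ACLs entirely, so the "by dn.exact" lines only matter for a separate admin account; and rule ordering is the whole point, since swapping rules 2 and 4 would silently expose "ou=other" to every authenticated user. Before restarting slapd, slapacl(8) can check a rule set offline against a specific entry and requester, for example confirming that an anonymous requester (no -D) is denied userPassword/read on a user under ou=students while being granted telephoneNumber/read; the config path passed with -f is an assumption for your system.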