[Samba] Setting up LDAP Authentication - Tree design/search scope

Götz Reinicke - IT-Koordinator goetz.reinicke at filmakademie.de
Tue Mar 9 00:13:17 MST 2010


the ACLs are indeed one of the important topics. Therefore I was hoping
that samba searches sub-trees for the login and auth information.

Then I could set up LDAP ACLs so samba looks up all information in the
tree for all groups (we do have only one fileserver for all user groups
together) and other ACLs "handle" the access for phonebook lookups from
the mailclients.

That is what I was thinking of.

But if samba only browses one tree level and not the sub levels, then I
do have to think in another direction.

Or what do you think?

Thanks and best regards,


Gaiseric Vandal wrote:
> smb.conf will list where samba searches in ldap.
> e.g.
> ldap suffix=o=abc.com
> ldap user suffix=ou=employees,ou=people
> ldap group suffix = ou=groups
> ldap machine suffix=ou=machines,ou=people
> I think the main challenge will be configuring access control lists.  
> If you have a server you only want accessed by employees, you would set
> the "ldap user suffix" parameter in smb.conf appropriately.
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,...." vs "ou=students."    You can advise
> end users whether they should set  up two LDAP address books (students
> vs employees) rather than one top level "people" one.    From the end
> user perspective, a single LDAP directory will probably be simpler.
> So you would need to set ACLs to restrict access to "ou=other" OR to
> restrict access to "ou=people" and then grant it back to "ou=employees"
> and "ou=students."  You also want to make sure that certain fields
> (passwd) are restricted so that only "administrator" accounts can access
> them.  You can also configure whether anonymous users can access certain
> information or not (e.g. names and phone numbers.)
> I use Sun's directory server as an LDAP backend.   I suspect most samba
> users are using OpenLDAP.     I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.
> On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:
>> Hi,
>> recently I started to evaluate and think about setting up a central LDAP
>> system for authentication and "phonebook". I'm also new to LDAP.
>> There is a lot of doc and well documented how-tos, and I came across the
>> following question:
>> Where is the search scope for samba defined? Or is the LDAP server's
>> setting defining the scope?
>> All docs "talk" about putting all people under one branch, e.g.
>> ou=People,dc=example,dc=com for the samba setting I'd have
>> "ldap user suffix = ou=People"
>> But with this setting I don't see how I may restrict the search for the
>> phonebook look up. (e.g. I do have students, employees and other.
>> Students may look up students and employees, but not the "other" group.)
>> For me it would make more sense to "subgroup" the people like this:
>> ou=students,ou=People,dc=example,dc=com
>> ou=employees,ou=People,dc=example,dc=com
>> ou=other,ou=People,dc=example,dc=com
>> Maybe I'm mistaken.
>> Thanks for any comment and best regards!
>>     Götz

Götz Reinicke

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner
State Councillor for Demographic Change and Senior Citizens in the State Ministry

Prof. Thomas Schadt
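
One way to express the restrictions discussed in this thread as OpenLDAP access rules, added here as an example and not taken from either poster or from the Samba project. The bind DNs cn=admin and cn=samba,ou=services are hypothetical, and who may read ou=other is an assumption; the tree layout is the one proposed in the quoted question.

```conf
# slapd.conf access rules for the tree proposed in the thread.
# OpenLDAP evaluates "access to" clauses top-down: the first clause that
# matches the entry/attribute wins, and inside it the first matching "by".
# Hypothetical names (not from the thread):
#   cn=admin,dc=example,dc=com              directory administrator
#   cn=samba,ou=services,dc=example,dc=com  account Samba binds as

# 1. Credential attributes, wherever the entry lives. Must come first so
#    the broader subtree rules below never expose them.
#    "by anonymous auth" allows a bind to verify the password without the
#    value ever being returned by a search.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. ou=other: reachable by Samba (one file server for all groups) but
#    invisible to phonebook clients, even when they search ou=People
#    recursively. Assumption: nobody else needs to read it; add further
#    "by" lines above "by * none" if employees should.
access to dn.subtree="ou=other,ou=People,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by * none

# 3. The rest of ou=People (ou=students, ou=employees): any authenticated
#    user may read the remaining attributes for address book lookups.
#    Replace "by * none" with "by * read" only if anonymous phonebook
#    access is really wanted.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by users read
    by * none
```

With these rules a mail client that points a single address book at ou=People and searches the whole subtree gets students and employees back, while entries under ou=other are silently omitted from the result.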
