[Samba] Setting up LDAP Authentification - Tree design/search scope

Adam Tauno Williams awilliam at whitemice.org
Tue Mar 9 16:18:01 MST 2010

On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> smb.conf will list where samba searches in ldap.
> ldap suffix=o=abc.com
> ldap user suffix=ou=employees,ou=people
> ldap group suffix = ou=groups
> ldap machine suffix=ou=machines,ou=people
> I think the main challenge will be configuring access control lists.   
> If you have a server you only want accessed by employees, you would set 
> the "ldap user suffix" parameter in smb.conf appropriately.

We've parented all of Samba related 'stuff' under ou=SAM,$BASE, so we

ou=System Account,ou=Entities,ou=SAM,$BASE

Because very different ACLs typically apply to these three types of
objects (users, system accounts, and groups)

> But in terms of an address book, if someone has an LDAP address book 
> client (e.g. thunderbird) you can't prevent them from trying to 
> recursively query "ou=people,...." vs "ou=students."    You can advise 
> end users whether they should set up two LDAP address books (students 
> vs employees) rather than one top level "people" one.    From the end 
> user perspective, a single LDAP directory will probably be simpler.

True;  or all non-related entries can simply be hidden from the clients.
Or, the simplest solution, is it use a virtual root to 'glob' any
objects [and just the specific attributes] that an addressbook consumer
would want to see.  OpenLDAP provides excellent support for
partitioning, federating, and creating virtual (remapped) partitions.

Aside: Although in the end I think you'll find LDAP makes a very crappy
addressbook solution.

> I also suspect that LDAP attributes may 
> not be restricted by default as much as they should be.

Yep;  you'll find most sites [in-my-experience] to have severely
neglected the configuration of their DSA once they reach got-it-working

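As an added example (not code from either poster), one way to write the restrictions discussed above as OpenLDAP slapd.conf ACLs: password hashes hidden, an address-book view limited to a few attributes, and the rest of the ou=SAM subtree visible only to Samba and the entry owner. It assumes $BASE is dc=example,dc=com, that Samba binds as cn=samba under the ou=System Account container shown earlier, and that user and group entries also live under ou=Entities,ou=SAM (all assumed names):

```conf
# Added example, not from the thread. Assumed: $BASE = dc=example,dc=com,
# Samba binds as cn=samba,ou=System Account,ou=Entities,ou=SAM,$BASE,
# and user/group entries sit under ou=Entities,ou=SAM,$BASE.
#
# With no "access" directives at all, slapd's built-in policy is
#   access to * by * read
# so every attribute, Samba password hashes included, is readable by anyone.
# Clauses are evaluated in order; the first one matching an entry/attribute wins.

# 1. userPassword: owner and Samba may change it, anonymous may only use it
#    to authenticate (simple bind), nobody may read it back.
access to attrs=userPassword
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. NT/LM hashes: managed by Samba only (it rewrites them on password change);
#    no user, not even the owner, can read or set them directly.
access to attrs=sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com" write
    by * none

# 3. Address-book view: authenticated clients (e.g. Thunderbird) see only the
#    attributes an address book needs. "entry" is the pseudo-attribute that
#    must be readable for an entry to be returned at all.
access to dn.subtree="ou=Entities,ou=SAM,dc=example,dc=com"
       attrs=entry,objectClass,cn,sn,givenName,displayName,mail,telephoneNumber
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com" write
    by users read
    by * none

# 4. Everything else under ou=SAM (uidNumber, sambaSID, homeDirectory, ...):
#    Samba manages it, the entry owner may read its own, nobody else sees it.
access to dn.subtree="ou=SAM,dc=example,dc=com"
    by dn.exact="cn=samba,ou=System Account,ou=Entities,ou=SAM,dc=example,dc=com" write
    by self read
    by * none

# 5. Catch-all for the rest of the DIT: authenticated read, no anonymous browsing.
access to *
    by users read
    by * none
```

Check the result with ldapsearch bound as an ordinary user and as anonymous: the former should get only the clause-3 attributes under ou=Entities, the latter nothing.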