[Samba] Samba4 and Linux/ldap_default_bind_dn

Steve Thompson smt at vgersoft.com
Fri Aug 3 12:34:11 MDT 2012


Samba4 4.0.0beta4, CentOS 6.3

I have a 3*DC Samba4 domain in which everything tested so far appears to 
be working OK: ldap, kerberos, dns, windows client joins, replication, 
etc.

My question concerns binding Linux clients (CentOS 6) to the Samba4 LDAP 
server using sssd. On several test boxes, /etc/sssd/sssd.conf contains:

    [domain/SAMBA4]
    .....
    ldap_default_bind_dn = CN=Administrator,CN=users,...
    ldap_default_authtok = secret
    ldap_default_authtok_type = password
    ...

and this works perfectly well. However, I would like to avoid embedding 
the domain administrator password in my clients for obvious reasons.

If I were using OpenLDAP (as I am on the non-Samba4 systems), I would
create a suitable bind DN in the database:

    dn: cn=<hostname>,ou=Binddn,dc=...
    cn: <hostname>
    objectClass: top
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    userPassword:: <base64-password>

and use this bind DN on the clients; this works thanks to the ACLs that I 
have in the slapd configuration. However, this technique does not work 
with the Samba4 LDAP server, presumably because the DN does not have 
suitable access rights to the database (no user accounts are visible).

What is the recommended way to set up the ldap_default_bind_dn?

Steve
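As an added check that is not part of the post above and not code from Samba or sssd, here is a small Python audit that parses an sssd.conf like the one quoted and flags the two risks the post raises: a privileged account in ldap_default_bind_dn and a plaintext ldap_default_authtok. The sample configuration and the list of "privileged" RDNs are constructed assumptions for the example.

```python
import configparser

# Constructed sample sssd.conf, modelled on the fragment quoted in the post.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = SAMBA4
services = nss, pam

[domain/SAMBA4]
id_provider = ldap
ldap_uri = ldap://dc1.example.internal
ldap_default_bind_dn = CN=Administrator,CN=Users,DC=example,DC=internal
ldap_default_authtok = secret
ldap_default_authtok_type = password
"""

# Assumption: a bind DN whose first RDN names one of these accounts is
# treated as privileged. Extend the tuple for your own environment.
PRIVILEGED_RDNS = ("cn=administrator", "cn=domain admins")


def audit_sssd_conf(text):
    """Return (section, finding) tuples for every [domain/*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        bind_dn = cp.get(section, "ldap_default_bind_dn", fallback="")
        authtok = cp.get(section, "ldap_default_authtok", fallback="")
        # sssd-ldap documents "password" as the default authtok type.
        tok_type = cp.get(section, "ldap_default_authtok_type",
                          fallback="password").strip().lower()
        first_rdn = bind_dn.split(",", 1)[0].strip().lower()
        if first_rdn in PRIVILEGED_RDNS:
            findings.append((section,
                             "bind DN is a privileged account: " + bind_dn))
        # A plaintext token is readable by anyone who can read sssd.conf;
        # "obfuscated_password" (via sss_obfuscate) hides it from casual
        # reading but is still a dedicated low-privilege account's job.
        if authtok and tok_type == "password":
            findings.append((section,
                             "ldap_default_authtok is stored in plaintext"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(section + ": " + finding)
```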
