[Samba] Define a rootDN for ldap queries in Samba 4 AD
Sami Chibani
sami.chibani at educagri.fr
Tue Dec 5 13:27:27 UTC 2017
Hi Samba Team and users,
My question could seem very simple and possibly answer is also simple
(if it's the case i'm sorry by advance), but i've found almost no doc
about this topic in the wiki.
I'm currently running Samba 4 AD in a test environment, preparing for
production. Everything is working quite fine, but i'm struggling about
some configuration;
How (and where) to define a rootDN in order to specify which account
has the right to make ldap queries against Samba 4 AD ldap database
(with ldapsearch), whether in read or write access.
On a Samba PDC install running OpenLDAP backend, it was possible to
define this in slapd.conf by lines like that:
access to *
by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write
or
rootdn "uid=ldapadmin,ou=users,dc=domain,dc=lan"
Now that ldap is internal to Samba, i'm wondering where to put these
options...
Right now, i can make successful ldap queries with ldapsearch (both ssl
and tls) like that:
ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user"
-W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"
or
ldapsearch -H ldap://srv-samba.domain.lan:389 -ZZ -LLL -x -D
"cn=user,cn=users,dc=domain,dc=lan" -W -b "CN=Users,DC=domain,DC=lan"
"(&(objectClass=*)(sAMAccountName=*))"
but i'm able to perform successfully those requests with all users (i
can put any of the users, even non admin ones, in -D field) of my ldap
database, which is a bad/unwanted situation.
My smb.conf:
[global]
netbios name = SRV-SAMBA
realm = DOMAIN.LAN
workgroup = DOMAIN
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = lo,ens192
bind interfaces only = yes
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
[netlogon]
path = /var/lib/samba/sysvol/domain.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Cheers, Sam
More information about the samba
mailing list