[Samba] Define a rootDN for ldap queries in Samba 4 AD

Andrew Bartlett abartlet at samba.org
Tue Dec 5 17:54:18 UTC 2017

On Tue, 2017-12-05 at 14:27 +0100, Sami Chibani via samba wrote:
> Hi Samba Team and users,

> My question could seem very simple and possibly the answer is also simple 
> (if that's the case, I'm sorry in advance), but I've found almost no doc 
> about this topic in the wiki.

> How (and where) to define a rootDN in order to specify which account 
> has the right to make ldap queries against Samba 4 AD ldap database 
> (with ldapsearch), whether in read or write access.
> On a Samba PDC install running OpenLDAP backend, it was possible to 
> define this in slapd.conf by lines like that:
> access to *
>      by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write
> or
> rootdn        "uid=ldapadmin,ou=users,dc=domain,dc=lan"
> Now that ldap is internal to Samba, I'm wondering where to put these 
> options...
> Right now, I can make successful ldap queries with ldapsearch (both ssl 
> and tls) like that:
> ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" 
> -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

> but I'm able to perform those requests successfully with all users (I 
> can put any of the users, even non admin ones, in the -D field) of my ldap 
> database, which is a bad/unwanted situation.

All users can read the DB, and write access is controlled by the
security descriptor on each object.

Typically admins can write anywhere, users can make some additions and

I hope this clarifies things.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

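Andrew's answer points at the per-object security descriptor rather than a rootDN. As an added example (not from this thread, and not Samba's own code), here is a small Python triage parser for the SDDL form of such a descriptor, the form printed by `samba-tool dsacl get`: it walks the DACL and reports, per trustee, whether the allow and deny ACEs carry read-type or write-type directory rights. The trustee table and the sample SDDL string are constructed for illustration; it is a summary, not a full AD access-check.

```python
import re

# Subset of SDDL well-known trustee abbreviations (constructed table, not exhaustive).
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "AU": "Authenticated Users",
            "SY": "SYSTEM", "PS": "Self", "AO": "Account Operators", "WD": "Everyone"}
# Two-letter directory rights grouped into read-type and write-type, which is the
# distinction the thread is about (everyone reads, writes depend on the ACL).
READ = {"RP", "LC", "LO", "RC", "GR"}
WRITE = {"WP", "CC", "DC", "WD", "WO", "SD", "DT", "CR", "SW", "GW", "GA"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) section of an SDDL string as dicts."""
    # "D:" followed by optional control flags (e.g. AI, P) and then the ACE list.
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
        if rights.startswith("0x"):
            codes = {rights}  # raw hex access mask; left unexpanded
        else:
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "flags": flags, "rights": codes,
                     "object": obj_guid, "trustee": TRUSTEES.get(trustee, trustee)})
    return aces

def effective_summary(sddl):
    """Map each trustee to the kinds of access ('read'/'write') its allow and deny ACEs name.
    Object-type ACEs (OA/OD) are counted too; they only scope to one attribute or class."""
    summary = {}
    for ace in parse_dacl(sddl):
        entry = summary.setdefault(ace["trustee"], {"allow": set(), "deny": set()})
        kinds = set()
        if ace["rights"] & READ:
            kinds.add("read")
        if ace["rights"] & WRITE:
            kinds.add("write")
        if ace["type"] in ("A", "OA"):
            entry["allow"] |= kinds
        elif ace["type"] in ("D", "OD"):
            entry["deny"] |= kinds
    return summary

# Constructed sample in the shape samba-tool dsacl get prints (not from a real domain).
SAMPLE = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)(D;;WP;;;AU)"

if __name__ == "__main__":
    for trustee, acc in effective_summary(SAMPLE).items():
        print(trustee, "allow:", sorted(acc["allow"]), "deny:", sorted(acc["deny"]))
```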