[Samba] Define a rootDN for ldap queries in Samba 4 AD
Andrew Bartlett
abartlet at samba.org
Tue Dec 5 17:54:18 UTC 2017
On Tue, 2017-12-05 at 14:27 +0100, Sami Chibani via samba wrote:
> Hi Samba Team and users,
>
> My question could seem very simple and possibly the answer is also simple
> (if that's the case, I'm sorry in advance), but I've found almost no doc
> about this topic in the wiki.
> How (and where) do I define a rootDN in order to specify which account
> has the right to make LDAP queries against the Samba 4 AD LDAP database
> (with ldapsearch), whether in read or write access?
>
>
> On a Samba PDC install running OpenLDAP backend, it was possible to
> define this in slapd.conf by lines like that:
>
> access to *
> by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write
>
> or
>
> rootdn "uid=ldapadmin,ou=users,dc=domain,dc=lan"
>
>
> Now that LDAP is internal to Samba, I'm wondering where to put these
> options...
>
> Right now, I can make successful LDAP queries with ldapsearch (both SSL
> and TLS) like that:
>
> ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user"
> -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"
>
> but I'm able to perform those requests successfully with all users (I
> can put any of the users, even non-admin ones, in the -D field) of my LDAP
> database, which is a bad/unwanted situation.
All users can read the DB, and write access is controlled by the
security descriptor on each object.
Typically admins can write anywhere, users can make some additions and
modifications.
I hope this clarifies things.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
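One way to confirm the behaviour Andrew describes on your own DC is to read the security descriptor Samba enforces on an object and then probe a write with a non-admin bind. The script below is an added example and not code from the thread or from the Samba project; the server URI, object DN and account names are constructed placeholders, and it assumes the OpenLDAP client tools and samba-tool are installed. It goes slightly beyond the thread by mapping the LDAP result code ldapmodify exits with (50 is insufficientAccessRights) to a verdict.

```shell
#!/bin/sh
# Added example (not part of the original thread): check that any user can
# read an object in Samba AD while writes are gated by its nTSecurityDescriptor.
# DC_URI and TARGET_DN are constructed placeholders; override them via environment.
DC_URI="${DC_URI:-ldaps://srv-samba.domain.lan:636}"
TARGET_DN="${TARGET_DN:-CN=testuser,CN=Users,DC=domain,DC=lan}"

# Print the descriptor Samba stores on one object, in SDDL form.
# Run this on the DC as root; samba-tool dsacl get reads sam.ldb directly.
show_dacl() {
    samba-tool dsacl get --objectdn="$1"
}

# Read the object as the given bind account (password read from a file).
# Returns ldapsearch's exit status, which is the LDAP result code.
try_read() {
    bind_dn="$1"; pass_file="$2"; dn="$3"
    ldapsearch -H "$DC_URI" -LLL -x -D "$bind_dn" -y "$pass_file" \
        -b "$dn" -s base "(objectClass=*)" >/dev/null 2>&1
    echo $?
}

# Attempt a harmless attribute change as the given bind account.
# Returns ldapmodify's exit status, which is the LDAP result code.
try_write() {
    bind_dn="$1"; pass_file="$2"; dn="$3"
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: acl probe\n' "$dn" \
        | ldapmodify -H "$DC_URI" -x -D "$bind_dn" -y "$pass_file" >/dev/null 2>&1
    echo $?
}

# Map an LDAP result code to a human-readable verdict.
classify_rc() {
    case "$1" in
        0)  echo "allowed" ;;
        50) echo "denied (insufficientAccessRights)" ;;
        49) echo "bind failed (invalidCredentials)" ;;
        *)  echo "other result code $1" ;;
    esac
}

# Run the full probe for one account: expected outcome for a plain user is
# read allowed, write denied; for a member of Domain Admins both are allowed.
probe_account() {
    bind_dn="$1"; pass_file="$2"
    echo "DACL on $TARGET_DN:"
    show_dacl "$TARGET_DN"
    echo "read as $bind_dn:  $(classify_rc "$(try_read "$bind_dn" "$pass_file" "$TARGET_DN")")"
    echo "write as $bind_dn: $(classify_rc "$(try_write "$bind_dn" "$pass_file" "$TARGET_DN")")"
}

# Only run the network probe when explicitly asked, so the functions can be sourced.
if [ "$1" = "probe" ]; then
    probe_account "$2" "$3"
fi
```

Usage: `sh probe.sh probe 'DOMAIN\user' /path/to/passfile` (the password file must contain only the password, with no trailing newline, as the `-y` option expects). A plain user should report read allowed and write denied with result code 50; if a non-admin account gets write allowed on an object it should not own, inspect the SDDL printed by `samba-tool dsacl get` for an ACE granting that account or one of its groups write rights, and tighten it with `samba-tool dsacl set`.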