[Samba] Best practice for creating an RO LDAP User in AD...
Jonathan Hunter
jmhunter1 at gmail.com
Thu Nov 9 08:27:56 UTC 2017
Hi Marco,
On 8 November 2017 at 08:49, Marco Gaiarin via samba <samba at lists.samba.org>
wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > Not sure what you are proposing is going to work, AD expects every user
> > to be a member of Domain Users, even though there is nothing in AD to
> > show membership.
>
> [...]
> I simply need to have a/some LDAP access to do LDAP queries; this 'mta'
> examples, need to me to do email/aliases procesing in exim.
>
For what it's worth, I have done exactly this for an account I use in
Apache for LDAP authentication, it sounds similar to your use case here.
In my Apache config I have:
AuthLDAPBindDN cn=apacheuser,cn=Users,dc=mydomain,dc=uk
and I have just checked in AD, this user is a member of 'Domain Guests' and
not 'Domain Users'.
I think, if you are only doing LDAP searches and not using any "Windows
style" functionality, then this will work just fine.
Try it, and see? Worst case, you just need to change the membership back
again :)
--
"If we knew what it was we were doing, it would not be called research,
would it?"
- Albert Einstein
More information about the samba
mailing list