[Samba] Best practice for creating an RO LDAP User in AD...
Marco Gaiarin
gaio at sv.lnf.it
Thu Nov 9 10:08:26 UTC 2017
Hello! L.P.H. van Belle via samba
On that day it was said...
> I don't believe it.
Eh. «De gustibus non disputandum est». ;-)
> The setup for the AD in the link below is the same, but if you want access without auth,
> have you tried to query the GC ports (3268 or 3269)?
No, but now I have, and it does not work:
gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
# filter: (uid=gaio)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication
# numResponses: 1
gaio@albus:~$ ldapsearch -x -H ldaps://vdcsv1:3269/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
# filter: (uid=gaio)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication
# numResponses: 1
> And read :
> https://technet.microsoft.com/en-us/library/cc961563.aspx
> That should work, haven't tried it myself to be honest, don't use it..
Interesting. But it scares me a bit. In this way, could I also put the
password hashes under anonymous access?
Really, AFAI've understood, the ACLs in AD are a complex beast, and
breaking things, or making some restricted info available to all by
mistake, seems too easy...
So, if I open the ACL to 'Everyone', do I have to set other ACLs to restrict, e.g.,
passwords?
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
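
Added example, not part of the original message or of Samba: one way to check the concern raised above is to re-run the same anonymous ldapsearch after any ACL change and audit its output for password-related attributes. The attribute list and the EXPOSED sample (including its entry DN) are constructed assumptions; REFUSED is taken from the output in the message.

```python
import re

# Password-related AD attributes that must never appear in an anonymous result.
SENSITIVE = {"unicodepwd", "userpassword", "dbcspwd", "ntpwdhistory",
             "lmpwdhistory", "supplementalcredentials"}

def audit_anonymous_search(output):
    """Summarise `ldapsearch -x` output obtained without -D/-w."""
    report = {"result_code": None, "diagnostic": "", "entries": [], "leaked": {}}
    dn = None
    # LDIF folds long lines; a continuation line starts with a single space.
    for line in re.sub(r"\n ", "", output).splitlines():
        if not line.strip():
            dn = None                      # blank line ends the current entry
            continue
        m = re.match(r"([A-Za-z][\w;.-]*)::?\s*(.*)", line)
        if line.startswith("#") or not m:
            continue
        attr, value = m.group(1).split(";")[0].lower(), m.group(2)
        if attr == "dn":
            dn = value
            report["entries"].append(dn)
        elif dn is None and attr == "result":
            report["result_code"] = int(value.split()[0])
        elif dn is None and attr == "text":
            report["diagnostic"] = value
        elif dn is not None and attr in SENSITIVE:
            report["leaked"].setdefault(dn, []).append(attr)
    report["refused"] = report["result_code"] not in (None, 0) and not report["entries"]
    return report

# Result block copied from the message above (anonymous query, port 3268).
REFUSED = """\
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication
"""

# Constructed sample: what an over-permissive 'Everyone' ACL could return.
EXPOSED = """\
dn: CN=gaio,CN=Users,DC=ad,DC=fvg,DC=lnf,DC=it
uid: gaio
userPassword:: e0NPTlNUUlVDVEVEfQ==

result: 0 Success
"""

if __name__ == "__main__":
    print(audit_anonymous_search(REFUSED), audit_anonymous_search(EXPOSED), sep="\n")
```

A non-empty "leaked" map, or "refused" turning False when anonymous access was not intended, is the signal to revisit the ACL change.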