[Samba] Best practice for creating an RO LDAP User in AD...
Marco Gaiarin
gaio at sv.lnf.it
Thu Oct 19 13:45:14 UTC 2017
Caming from Samba in NT mode with OpenLDAP backend i've created a bunch
of ''things'' (apps, web tools, ...; but also printers and so on) that
rely on reading ''public'' data in LDAP.
With OpenLDAP ''public'' was a easy concept: anonymous access was
the default, and ACL protect more sensitive data (mostly, passwords).
Now i've to redo some of these things in AD. I don't need to enable
public access (if possible...), so i think the better path would be
creating a ''unprivileged user'' (with no POSIX data, eg GID/UID that
are not needed) with a complex password.
There's are some ''best practice'' for that?
I'm thinking about:
a) create the user in a specific OU
b) put it in 'Domain Guests' group (or it is better to create a
specific group also?)
c) set the account 'never expire' ('X') flag.
Some other hint? For example, there's some way to disable logon for the
user, but have LDAP auth work as expected?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
More information about the samba
mailing list