[Samba] Best practice for creating an RO LDAP User in AD...

Denis Cardon dcardon at tranquil.it
Thu Oct 19 17:19:58 UTC 2017


Hi Marco,

> Coming from Samba in NT mode with OpenLDAP backend I've created a bunch
> of ''things'' (apps, web tools, ...; but also printers and so on) that
> rely on reading ''public'' data in LDAP.
>
> With OpenLDAP ''public'' was an easy concept: anonymous access was
> the default, and ACLs protect more sensitive data (mostly, passwords).
>
>
> Now I've to redo some of these things in AD. I don't need to enable
> public access (if possible...), so I think the better path would be
> creating an ''unprivileged user'' (with no POSIX data, eg GID/UID that
> are not needed) with a complex password.
>
>
> There are some ''best practice'' for that?
>
> I'm thinking about:
>
> a) create the user in a specific OU
>
> b) put it in 'Domain Guests' group (or it is better to create a
>   specific group also?)
>
> c) set the account 'never expire' ('X') flag.
>
>
> Some other hint? For example, there's some way to disable logon for the
> user, but have LDAP auth work as expected?

You can put your service accounts in an OU and add a GPO that denies 
logon/services/tasks locally.

If you are using those accounts on a Windows computer, you could use 
managed accounts [1] (I haven't tried it yet).

Cheers,

Denis

[1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

>
>
> Thanks.
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
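An added example, not from this thread: a samba-tool script that carries out Marco's a)/b)/c) steps on a Samba AD DC and then checks that the new account can bind and read. The domain (example.com), OU name (ServiceAccounts), account name (ldapro) and DC host are assumed placeholders; the GPO denying local logon is still linked to the OU separately.

```shell
#!/bin/sh
# Added example: provision a read-only LDAP bind account on a Samba AD DC.
# Assumed placeholders: domain example.com, OU ServiceAccounts, user ldapro.
# Run on the DC as root:  sh ro-ldap-user.sh run   (prompts for the password)
set -eu

DOMAIN="${DOMAIN:-example.com}"      # assumed domain
SVC_OU="${SVC_OU:-ServiceAccounts}"  # assumed OU name, step a)
SVC_USER="${SVC_USER:-ldapro}"       # assumed account name
DC_HOST="${DC_HOST:-dc1.$DOMAIN}"    # assumed DC to bind to

# "example.com" -> "DC=example,DC=com" for DNs and search bases.
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++)
        printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Full DN of the service account: svc_user_dn <user> <ou> <domain>
svc_user_dn() {
    printf 'CN=%s,OU=%s,%s' "$1" "$2" "$(domain_to_dn "$3")"
}

create_ro_ldap_user() {
    base_dn=$(domain_to_dn "$DOMAIN")
    # a) dedicated OU, so a deny-logon GPO can be linked to it later
    samba-tool ou create "OU=$SVC_OU,$base_dn" || true   # tolerate existing OU
    # user create prompts for the password; no POSIX (uid/gid) attributes set
    samba-tool user create "$SVC_USER" --userou="OU=$SVC_OU" \
        --description='Read-only LDAP bind account'
    # c) account never expires (password expiry still follows domain policy)
    samba-tool user setexpiry "$SVC_USER" --noexpiry
    # b) add to Domain Guests; Domain Users stays as the primary group
    samba-tool group addmembers 'Domain Guests' "$SVC_USER"
    echo "created $(svc_user_dn "$SVC_USER" "$SVC_OU" "$DOMAIN")"
}

# Bind as the new account the way an app would and read "public" data.
# Samba defaults to 'ldap server require strong auth = yes', so a simple
# bind must go over LDAPS (the DC certificate must be trusted by the client).
verify_bind() {
    base_dn=$(domain_to_dn "$DOMAIN")
    ldapsearch -LLL -x -H "ldaps://$DC_HOST" -D "$SVC_USER@$DOMAIN" -W \
        -b "$base_dn" '(objectClass=computer)' name
}

if [ "${1:-}" = "run" ]; then
    create_ro_ldap_user
    verify_bind
fi
```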



