[Samba] Best practice for creating an RO LDAP User in AD...

Denis Cardon dcardon at tranquil.it
Thu Oct 19 17:19:58 UTC 2017

Hi Marco,

> Coming from Samba in NT mode with an OpenLDAP backend I've created a bunch
> of ''things'' (apps, web tools, ...; but also printers and so on) that
> rely on reading ''public'' data in LDAP.
> With OpenLDAP ''public'' was an easy concept: anonymous access was
> the default, and ACLs protected the more sensitive data (mostly, passwords).
> Now I have to redo some of these things in AD. I don't need to enable
> public access (if possible...), so I think the better path would be
> creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID that
> are not needed) with a complex password.
> Are there some ''best practices'' for that?
> I'm thinking about:
> a) create the user in a specific OU
> b) put it in the 'Domain Guests' group (or is it better to create a
>   specific group also?)
> c) set the account 'never expire' ('X') flag.
> Some other hint? For example, is there some way to disable logon for the
> user, but have LDAP auth work as expected?

You can put your service accounts in an OU and add a GPO that denies
logon/services/tasks locally.

If you are using those accounts on a Windows computer, you could use a
managed account [1] (I haven't tried it yet).



[1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

> Thanks.

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

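Added example, not part of the thread above and not Samba project code: a
POSIX shell script that carries out Marco's points a) and c) with samba-tool
and ldbmodify on a Samba AD DC, then checks that the new account can bind and
read. It creates a dedicated OU (the place to link the "deny log on" GPO
Denis describes), an unprivileged user with a 32-character random password,
sets the DONT_EXPIRE_PASSWD flag in userAccountControl, and does a simple
bind with ldapsearch over LDAPS. Every name in it is an assumption: base DN
DC=example,DC=com, OU ServiceAccounts, account svc-ldap-ro, DC host
dc1.example.com and the default sam.ldb path. DRY_RUN=1 prints the commands
instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread. Provisions a read-only LDAP
# bind account on a Samba AD DC: a dedicated OU, an unprivileged user with a
# long random password, and the DONT_EXPIRE_PASSWD flag. All names are
# assumptions: base DN DC=example,DC=com, OU "ServiceAccounts", account
# "svc-ldap-ro", DC host dc1.example.com, default sam.ldb path.
# Run on the DC itself. Set DRY_RUN=1 to print the commands instead of running.

BASE_DN="${BASE_DN:-DC=example,DC=com}"
OU_NAME="${OU_NAME:-ServiceAccounts}"
DC_HOST="${DC_HOST:-dc1.example.com}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command (DRY_RUN=1) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Random password of N characters (default 32) from letters, digits and
# punctuation; this satisfies the default AD complexity rule (3 of 4
# character classes, at least 7 characters) with a wide margin.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!%+=@_' < /dev/urandom | head -c "${1:-32}"
    echo
}

# Distinguished name of a service account inside the service-account OU.
svc_dn() {
    printf 'CN=%s,OU=%s,%s\n' "$1" "$OU_NAME" "$BASE_DN"
}

# LDIF setting userAccountControl = NORMAL_ACCOUNT (0x200) |
# DONT_EXPIRE_PASSWD (0x10000) = 66048, i.e. "password never expires".
# Replacing the whole value is safe here because the account was just
# created and carries no other flags.
uac_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: 66048\n' \
        "$(svc_dn "$1")"
}

create_ro_ldap_user() {
    user="$1"
    password="$2"
    # a) Dedicated OU: link the "deny log on" GPO to this OU.
    #    (samba-tool ou needs Samba 4.8 or later; on older DCs use ldbadd.)
    run samba-tool ou create "OU=$OU_NAME,$BASE_DN"
    # b) Plain user: default membership is Domain Users only, no POSIX
    #    attributes, no admin groups. The password is an argument, so it is
    #    visible in the process list; fine on the DC console, not on a shared host.
    run samba-tool user create "$user" "$password" \
        --userou="OU=$OU_NAME" \
        --description="Read-only LDAP bind account, no interactive logon"
    # c) Password never expires.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ldbmodify -H %s <<EOF\n%s\nEOF\n' "$SAM_DB" "$(uac_ldif "$user")"
    else
        uac_ldif "$user" | ldbmodify -H "$SAM_DB"
    fi
}

# Check: simple bind as the new account and read its own entry. Samba's
# default "ldap server require strong auth = yes" rejects simple binds over
# cleartext LDAP, so bind over ldaps://.
verify_bind() {
    run ldapsearch -x -H "ldaps://$DC_HOST" -D "$(svc_dn "$1")" -w "$2" \
        -b "$BASE_DN" -LLL "(sAMAccountName=$1)" dn
}

# Usage: PROVISION_USER=svc-ldap-ro sh mk-ro-ldap-user.sh
if [ -n "${PROVISION_USER:-}" ]; then
    pw="$(gen_password 32)"
    create_ro_ldap_user "$PROVISION_USER" "$pw"
    verify_bind "$PROVISION_USER" "$pw"
    printf 'Store this password in your secret store: %s\n' "$pw"
fi
```

The logon denial itself is not done by the script. The GPO Denis mentions
is linked to the ServiceAccounts OU's computers (or the domain) and sets,
under Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies > User Rights Assignment, the "Deny log on
locally", "Deny log on as a service", "Deny log on as a batch job" and
"Deny log on through Remote Desktop Services" rights for the account. None
of those rights affect an LDAP simple bind against the DC, which is what
keeps LDAP auth working while interactive logon is blocked.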