[Samba] Best practice for creating an RO LDAP User in AD...
dcardon at tranquil.it
Thu Oct 19 17:19:58 UTC 2017
> Coming from Samba in NT mode with OpenLDAP backend I've created a bunch
> of ''things'' (apps, web tools, ...; but also printers and so on) that
> rely on reading ''public'' data in LDAP.
> With OpenLDAP ''public'' was an easy concept: anonymous access was
> the default, and ACLs protect more sensitive data (mostly, passwords).
> Now I've to redo some of these things in AD. I don't need to enable
> public access (if possible...), so I think the better path would be
> creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID that
> are not needed) with a complex password.
> Are there some ''best practices'' for that?
> I'm thinking about:
> a) create the user in a specific OU
> b) put it in 'Domain Guests' group (or is it better to create a
> specific group also?)
> c) set the account 'never expire' ('X') flag.
> Some other hint? For example, is there some way to disable logon for the
> user, but have LDAP auth work as expected?
You can put your service accounts in an OU and add a GPO that deny
If you are using those accounts on a Windows computer, you could use a
managed account (I haven't tried it yet).
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 18.104.22.168.55
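As an added example that is not part of the thread or of Samba itself: the original poster's points (a), (b) and (c) come down to where the account lives, which groups it is in, and which userAccountControl bits it carries. The script below computes the userAccountControl value for an enabled, non-delegatable account whose password never expires, emits an LDIF modify to apply it to an account created beforehand with `samba-tool user create <name> --userou=<OU>`, and audits constructed sample records for settings that would give a read-only bind account more than it needs. The OU, group names, account names and sample records are all assumptions constructed for the example.

```python
# Added example (not from the mailing-list thread or the Samba project):
# userAccountControl handling for an unprivileged, read-only LDAP bind account.
from typing import Dict, List

# userAccountControl bit values as documented by Microsoft (subset)
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Flags that should never be set on an account that only binds to read LDAP
RISKY_FLAGS = ("PASSWD_NOTREQD", "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH")
# Groups that grant far more than read access (assumed list, by group name)
PRIVILEGED_GROUPS = ("Domain Admins", "Administrators", "Account Operators")


def service_account_uac() -> int:
    """Enabled normal account, password never expires, cannot be delegated."""
    return (UAC["NORMAL_ACCOUNT"]
            | UAC["DONT_EXPIRE_PASSWORD"]
            | UAC["NOT_DELEGATED"])


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC.items() if value & bit]


def build_ldif(sam: str, ou_dn: str, description: str) -> str:
    """LDIF 'modify' for an account already created with
    'samba-tool user create <sam> --userou=<ou>'; apply with ldbmodify
    against sam.ldb on the DC or with ldapmodify over LDAPS."""
    return "\n".join([
        f"dn: CN={sam},{ou_dn}",
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {service_account_uac()}",
        "-",
        "replace: description",
        f"description: {description}",
        "",
    ])


def audit(entry: Dict) -> List[str]:
    """Findings for one user record (simplified: memberOf holds group names,
    not DNs) that make a bind-only account riskier than it needs to be."""
    sam = entry["sAMAccountName"]
    flags = decode_uac(int(entry.get("userAccountControl", 0)))
    findings = [f"{sam}: {name} is set" for name in RISKY_FLAGS if name in flags]
    findings += [f"{sam}: member of {g}" for g in entry.get("memberOf", [])
                 if g in PRIVILEGED_GROUPS]
    if "DONT_EXPIRE_PASSWORD" not in flags:
        findings.append(f"{sam}: password will expire; rotate it or set DONT_EXPIRE_PASSWORD")
    return findings


# Constructed sample records, shaped like AD user entries
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-ldap-ro",
     "userAccountControl": service_account_uac(),
     "memberOf": ["ldap-readers"]},
    {"sAMAccountName": "svc-printer",
     "userAccountControl": UAC["NORMAL_ACCOUNT"] | UAC["PASSWD_NOTREQD"],
     "memberOf": ["Domain Admins"]},
]

if __name__ == "__main__":
    # Assumed OU and domain
    print(build_ldif("svc-ldap-ro", "OU=ServiceAccounts,DC=example,DC=lan",
                     "Read-only LDAP bind account for printers and web tools"))
    for account in SAMPLE_ACCOUNTS:
        for finding in audit(account):
            print(finding)
```

The value 1114624 that the script produces is 0x200 | 0x10000 | 0x100000; the NOT_DELEGATED bit ("account is sensitive and cannot be delegated") is an extra hardening step beyond the 'never expire' flag from the question. The audit side is the check to run afterwards over an export of the OU: an account meant only for binding should carry none of the RISKY_FLAGS and sit in a dedicated group rather than a built-in privileged one.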