[Samba] AD LDAP

Rowland Penny rpenny at samba.org
Wed Jun 27 10:37:46 UTC 2018


On Wed, 27 Jun 2018 12:12:42 +0200 (CEST)
<Michal67M at seznam.cz> wrote:

> ---------- Original e-mail ----------
> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 27. 6. 2018 11:49:38
> Subject: Re: [Samba] AD LDAP 
> "On Wed, 27 Jun 2018 11:31:15 +0200 (CEST) 
> Michal via samba <samba at lists.samba.org> wrote: 
> 
> >   Hi, 
> >   
> >  Is there any way to look into Samba LDAP in the same way I
> > can look into OpenLDAP via LDAPAdmin, ldap tools etc., when I know 
> > the OpenLDAP "root" DN and password? Is there such a "root" user for
> > Samba AD LDAP? 
> 
> Samba AD uses its own version of ldap and most, if not all, standard 
> ldap tools will work with it. 
> The 'root' user for AD is called 'Administrator', but you are not 
> restricted to this user, you can use any user that is a member of 
> 'Domain Admins', for instance. 
> "
> 
> 
> 
> (on samba ad server)
> 
> 
> ldapsearch -x localhost
> # extended LDIF
> #
> # LDAPv3
> # base <dc=nspuh, dc=cz> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: localhost
> #
> 
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
> 
> 
> 
> 
> 
> This is a problem. We used to be able to get "public" data from LDAP
> without authentication (password attributes cannot be read without a
> user bind, of course). Is there any way to do it? 

Yes, but before I tell you, why do you feel you need to do this, what
are you searching for ?

> >  We have a lot of scripts based on "ldapsearch" (without 
> > authentication) and "ldapmodify" (with LDAP authentication). It 
> > would be very unpleasant if we cannot use the scripts with
> > Samba AD. 
> > 
> 
> They should work, but you may not need all of them, Samba comes with 
> 'samba-tool' and you can use this to maintain user & groups etc. "
> 
>  samba-tool can do queries like 
> '(&(uidNumber>=5000)(!(uidNumber>=6000)))' 
> or 
> "-b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))" 
> or 
> "createTimestamp>=201801310000Z"
> 
> ?

To be honest, no.
To carry out such searches, you will need to authenticate, this is the
standard way of doing things on AD and is a lot more secure compared
with the way openldap does it.

Rowland
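The authenticated searches Rowland describes, as an added shell example that is not part of this thread and not Samba's own code. Two things the example builds on are visible in the post itself: the base DN dc=nspuh,dc=cz and the three filters, and the fact that in "ldapsearch -x localhost" the word localhost was parsed as an attribute to return (the output says "requesting: localhost"), so the DC has to be named with -H. Everything else is an assumption: the DC hostname dc1.nspuh.cz, the realm NSPUH.CZ, the service account svc-ldap and its password file, the RUN_LIVE switch, and the mapping of the OpenLDAP createTimestamp filter onto AD's whenCreated attribute.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions (not in the post): the DC is
# reachable as dc1.nspuh.cz with a TLS certificate the client trusts, the realm
# is NSPUH.CZ, and the caller holds a Kerberos ticket (kinit) or a keytab for an
# account in Domain Admins. Base DN and the three filters come from the post.

BASE='dc=nspuh,dc=cz'
URI='ldaps://dc1.nspuh.cz'   # assumption; always pass the host with -H, because
                             # "ldapsearch -x localhost" makes localhost an
                             # attribute name ("requesting: localhost" in the post)

# Anonymous bind, kept only to show what Samba AD answers to it: result 1 with
# "text: 00002020: Operation unavailable without authentication".
# SEARCH_BASE may override the base DN, e.g. SEARCH_BASE="ou=people,$BASE".
anon_search() {
    ldapsearch -x -H "$URI" -b "${SEARCH_BASE:-$BASE}" "$@"
}

# Kerberos (GSSAPI) bind: no password on the command line or in a file.
# Run "kinit user@NSPUH.CZ" first, or for cron jobs
# "kinit -kt /etc/svc-ldap.keytab svc-ldap@NSPUH.CZ" (keytab path is an assumption).
gssapi_search() {
    ldapsearch -LLL -Q -Y GSSAPI -H "$URI" -b "${SEARCH_BASE:-$BASE}" "$@"
}

# Simple-bind fallback. Samba's default "ldap server require strong auth = yes"
# rejects simple binds on plain ldap://, so this needs ldaps:// (or -ZZ), and the
# password is read with -y from a mode-0600 file instead of -w, which would show
# up in ps output and shell history. Account and file path are assumptions.
simple_search() {
    ldapsearch -LLL -x -H "$URI" -D 'svc-ldap@nspuh.cz' -y /etc/ldap.pass \
        -b "${SEARCH_BASE:-$BASE}" "$@"
}

# Detect the anonymous-bind refusal in ldapsearch output (stdout+stderr on stdin)
# so a script falls back to an authenticated bind instead of treating the empty
# result as "no entries". Exit status 0 means the DC demanded authentication.
needs_auth() {
    grep -q '00002020: Operation unavailable without authentication'
}

# OpenLDAP-style createTimestamp filters: AD keeps the creation time in
# whenCreated as generalized time with seconds and ".0Z" (20180131000000.0Z).
# Assumption: the scripts use the 12-digit YYYYMMDDHHMMZ form seen in the post.
# Filters without createTimestamp pass through unchanged.
to_ad_filter() {
    printf '%s\n' "$1" |
        sed -E 's/createTimestamp(>=|<=|=)([0-9]{12})Z/whenCreated\1\200.0Z/'
}

# The three searches from the post; runs only with RUN_LIVE=1 since it needs a DC.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    if anon_search '(objectClass=*)' dn 2>&1 | needs_auth; then
        echo 'anonymous read refused by the DC, binding with Kerberos' >&2
    fi
    gssapi_search '(&(uidNumber>=5000)(!(uidNumber>=6000)))' uidNumber sAMAccountName
    SEARCH_BASE="ou=people,$BASE" gssapi_search '(!(mail=*))' sAMAccountName
    gssapi_search "$(to_ad_filter '(createTimestamp>=201801310000Z)')" whenCreated sAMAccountName
fi
```

The uidNumber range and the missing-mail filters need no translation, since Samba AD ships the RFC 2307 attributes in its schema; only the timestamp filter changes, because AD has no createTimestamp in the OpenLDAP sense. For ldapmodify the same bind options apply (-Y GSSAPI, or -x -D ... -y over ldaps://), so the write-side scripts change in the same way as the read-side ones.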