[Samba] AD LDAP
Rowland Penny
rpenny at samba.org
Wed Jun 27 10:37:46 UTC 2018
On Wed, 27 Jun 2018 12:12:42 +0200 (CEST)
<Michal67M at seznam.cz> wrote:
> ---------- Original e-mail ----------
> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 27. 6. 2018 11:49:38
> Subject: Re: [Samba] AD LDAP
> "On Wed, 27 Jun 2018 11:31:15 +0200 (CEST)
> Michal via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > is there any way to look into Samba LDAP in the same way I
> > can look into OpenLDAP via LDAPAdmin, ldap tools etc., when I know
> > the OpenLDAP "root" dn and password? Is there such a "root" user for
> > Samba AD LDAP?
>
> Samba AD uses its own version of ldap and most, if not all, standard
> ldap tools will work with it.
> The 'root' user for AD is called 'Administrator', but you are not
> restricted to this user; you can use any user that is a member of
> 'Domain Admins', for instance.
> "
>
> (on samba ad server)
>
> ldapsearch -x localhost
> # extended LDIF
> #
> # LDAPv3
> # base <dc=nspuh, dc=cz> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: localhost
> #
>
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
>
> This is a problem. We used to be able to get "public" data from ldap
> without authentication (password attributes cannot be read without a
> user bind, of course). Is there any way to do it?
Yes, but before I tell you, why do you feel you need to do this? What
are you searching for?
> > We have a lot of scripts based on "ldapsearch" (without
> > authentication) and "ldapmodify" (with ldap authentication). It
> > would be very unpleasant if we cannot use the scripts with
> > Samba AD.
> >
>
> They should work, but you may not need all of them; Samba comes with
> 'samba-tool' and you can use this to maintain users & groups etc. "
>
> samba-tool can do queries like
> '(&(uidNumber>=5000)(!(uidNumber>=6000)))'
> or
> "-b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))"
> or
> "createTimestamp>=201801310000Z"
>
> ?
To be honest, no.
To carry out such searches, you will need to authenticate; this is the
standard way of doing things on AD and is a lot more secure compared
with the way OpenLDAP does it.
Rowland
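An added example, not code from the thread or from Samba itself, of what the reply describes: the three searches Michal listed, run against a Samba AD DC with an authenticated bind (Kerberos via `kinit`, or a simple bind over LDAPS), plus a small check that recognises the `00002020: Operation unavailable without authentication` result an anonymous `ldapsearch -x` gets back, so existing scripts can fail with a clear message instead of silently returning nothing. The DC hostname, base DN and bind account are assumed placeholders. The `simple` mode uses `ldaps://` because Samba AD, with its default `ldap server require strong auth = yes`, refuses simple binds over unencrypted `ldap://`.

```sh
#!/bin/sh
# Added example (not from the thread): authenticated ldapsearch against Samba AD,
# plus a check for the "needs authentication" result an anonymous search gets.
# Every host name, DN and account below is an assumed placeholder.

DC="${DC:-dc1.example.com}"                      # assumption: AD DC hostname (matches its Kerberos SPN)
BASE_DN="${BASE_DN:-dc=example,dc=com}"          # assumption: domain base DN
BIND_DN="${BIND_DN:-administrator@EXAMPLE.COM}"  # assumption: UPN of a Domain Admins member

# Build the uidNumber range filter from the thread: lo <= uidNumber < hi.
# LDAP filters have no strict "<", so "less than hi" is written as NOT(>= hi).
uid_range_filter() {
  printf '(&(uidNumber>=%s)(!(uidNumber>=%s)))' "$1" "$2"
}

# Classify the LDIF that ldapsearch writes (read from stdin) so a script can tell
# "the server wants a bind" apart from a real error. Prints: ok | needs-auth | error
classify_result() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^text: 00002020'; then
    echo needs-auth
  elif printf '%s\n' "$out" | grep -q '^result: [1-9]'; then
    echo error
  else
    echo ok
  fi
}

# Run one search with authentication. Mode "krb" reuses the ticket obtained with
# `kinit administrator` (SASL/GSSAPI, the usual way on AD). Mode "simple" binds
# with a password over LDAPS, because Samba's default
# "ldap server require strong auth = yes" rejects simple binds on plain ldap://.
# Any extra arguments are the attributes to return.
ad_search() {
  mode=$1; filter=$2; shift 2
  case "$mode" in
    krb)    ldapsearch -Y GSSAPI -Q -N -H "ldap://$DC" -b "$BASE_DN" "$filter" "$@" 2>&1 ;;
    simple) ldapsearch -x -W -D "$BIND_DN" -H "ldaps://$DC" -b "$BASE_DN" "$filter" "$@" 2>&1 ;;
    *)      echo "usage: ad_search krb|simple FILTER [ATTR...]" >&2; return 2 ;;
  esac
}

# Constructed sample: the LDIF an unauthenticated "ldapsearch -x" got back in the thread.
ANON_RESULT='# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication'

# Live run only when explicitly requested (needs a reachable DC and a Kerberos ticket).
if [ "${SAMBA_LIVE:-0}" = 1 ]; then
  for f in "$(uid_range_filter 5000 6000)" '(!(mail=*))' '(createTimestamp>=201801310000Z)'; do
    out=$(ad_search krb "$f" dn) || true
    printf '%s -> %s\n' "$f" "$(printf '%s\n' "$out" | classify_result)"
  done
fi
```

Run it with `SAMBA_LIVE=1` after `kinit administrator` to execute the three searches; without that variable it only defines the helpers, so the `classify_result` check can be reused in the scripts mentioned in the thread to detect the anonymous-bind failure.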