[Samba] AD LDAP

Michal67M at seznam.cz Michal67M at seznam.cz
Wed Jun 27 11:24:31 UTC 2018

> This is problem. We used to be able get "public" data from ldap 
> without authentication (password attributes can not be read without 
> user bind, of course). Is there any way how to do it? 

Yes, but before I tell you, why do you feel you need to do this, what 
are you searching for ? 

  We use GroupOffice and it is configured to use LDAP; it looks up 
users and emails in certain form fields (well, I do not know if it queries 
LDAP with or without authentication in this case).

  We have another third-party app which searches LDAP for user data, and in 
this case I am quite sure they do not use authentication, because they 
update their user list "offline" once a day without a user logged in, and they 
do not know the "root" or any particular DN and password (AFAIK).

   (And we have other apps with LDAP auth (bind) here; I am not sure whether 
they need anonymous bind sometimes or not.)

> >  We have a lot of scripts based on "ldapsearch" (without 
> > authentication) and "ldapmodify" (with ldap authentication). It 
> > would be very unpleasant if we can not use the scripts with 
> > SambaAD. 
> > 
> They should work, but you may not need all of them, Samba comes with 
> 'samba-tool' and you can use this to maintain user & groups etc. 
>  samba-tool can do queries like 
> '(&(uidNumber>=5000)(!(uidNumber>=6000)))' 
> or 
> -b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))" 
> or 
> "createTimestamp>=201801310000Z" 
> ? 

To be honest, no. 
To carry out such searches, you will need to authenticate; this is the 
standard way of doing things on AD and is a lot more secure compared 
with the way openldap does it. 

  Authentication is not a problem in the case of my/our own scripts, but how can 
I create e.g. a user with read-only access to the whole Samba LDAP DB (without 
password attributes)? And what is the DN for authentication? 

ldapsearch -D what? I used to use "uid=user,ou=people,dc=domain,dc=cz", 
but I do not know how it is supposed to be in Samba AD (and I cannot look into the LDAP 
structure, because I would need to know the structure for an administrator 
bind to do that).

  Thanks, Michal
