[Samba] AD LDAP

Rowland Penny rpenny at samba.org
Thu Jun 28 05:42:29 UTC 2018 

On Thu, 28 Jun 2018 01:18:29 +0200 (CEST)
Michal via samba <samba at lists.samba.org> wrote:

> ---------- Původní e-mail ----------
> Od: Harry Jede <walk2sun at arcor.de>
> Komu: Michal67M at seznam.cz
> Datum: 28. 6. 2018 0:17:29
> Předmět: Re: [Samba] AD LDAP 
> "
> 
> Am Mittwoch, 27. Juni 2018, 11:31:15 CEST schrieb Michal via samba:
> 
> >   Hi,
> >  it there  any way how to look into samba ldap in the same way I can
> > look into OpenLdap via LDAPAdmin, ldap tools etc, when I know
> > OpenLDAP "root" dn and password?
> 
> Surely no. Sure yes.
> 
> AD does not know anything you want. "root dn" is a term from ldap
> rfc's or x.509. But, have you ever seen any commercial program that
> follow rfc's?
> 
>   I do not care about any commercial programs.
>  
> In AD the "root" user is called "administrator".
> 
>   Thanks.
> 
> > Is there such "root" user for Samba
> 
> > AD LDAP?
> 
> Yes.
> 
>  
>  
> >  We have a lot of scripts based on "ldapsearch" (without
> 
> > authentification)
> 
> Realy? You use ldap protocol 2 clients against an ldap v3 server and
> you are asking why it is not working??? You are kiddy, aren't you?
> 
>  I am quite happy with my current  OpenLDAP settings and
> functionality. But it seems I will have to move to AD and this means
> using something what samba calls "internal LDAP server". So I do not
> see anything strange on expecting that standard LDAP tools will work
> with it.  You want to say they should not be working? Why?
> 
>  
> > and "ldapmodify" (with ldap authentification). It
> 
> > would be very unpleasant if we can not use the scripts with SambaAD.
> 
> I want understand this! Ldap connections with authentification are
> possible. So, where is your problem! But, you are asking this, so you
> have some problems. Please, tell us more details.
> 
> When using OpenLDAP, I have full control over it. I know and I can
> define who may read  and what can be read, who may write and what may
> be written. All set in one config file, no uncertainty. Do you want
> to say I am not able to find out the same in samba ldap? Annoying.
> 
> I can store any data I want in my OpenLDAP.  Not only one samba
> domain/AD data. Am I able to do that with samba LDAP? 
> 
>  
> Forget the times where you could ask a directory server to give you
> all user names anonymously, so you could simplify your bad scripts to
> hack the directory server user accounts.
> 
>   I believe I did write I can authenticate in my scripts - if samba
> LDAP server worked like standard OpenLDAP.  (And no, the possibility
> of anonymous bind does not mean that anybody can read any data from
> anywhere.)
> 
>   In a whole, samba LDAP seems to me to be a black box (so far). I
> can not find out what is stored, how it is stored, who can access
> what data, standard tools do not work. Compare this to clear, flat
> OpenLDAP config and ability to easily see and check all data with
> standard tools. I really hope I will understand samba LDAP better
> soon, because I really do not like blackboxes at all. (If I wanted
> blackboxes I could use your commercial programs. )
> 

The standard ldap tools WILL work against Active directory, you just
have to authenticate. If you stop and think about this, it is much more
secure.

You can extend the active directory schema, it is just slightly
different to openldap.

As for control over active directory, you do this mostly via group
membership.

Yes, it sounds like you fully understand openldap, you just need to
learn active directory.

Rowland

More information about the samba mailing list