LDAP: separated "ldap suffix" for machine accounts
Alan Knowles
alan_k at HK.Super.NET
Thu Jan 21 02:15:38 GMT 1999
Martin Hofbauer Bacher Systems EDV wrote:
>
> LDAP Servers User DB is normally used for many purposes,
> like mail,samba,...
>
> Users are worried when they see machine accounts in an e.g. Netscape
> Mail addressbook query. I know you can select by using/not using special
> ldap attributes. It also helps a lot for admin things.
>
> Is it possible to add an additional config entry like:
>
> ldap machine suffix = (e.g.: ou=Machine,o=...,c=AT)
> ldap user suffix = (e.g.: ou=People,o=...,c=AT)
>
> I know there is the problem, that the uid must be unique ...
>
> But, if you do not add the uid into the DN, then the problem already exists
> with LDAP!
If you need to protect the machine information, it would be better to
use access control.
OpenLDAP example:
access to objectclass=????sambamachine????
    by group="cn=Administrators, c=AT" write
    by self write
    by * none
As Samba (according to smb.conf) should bind as root, it will be able to
see and change info, but users will only be able to see and edit this
data (unless they are in the admin group).
It's probably a little more complex than that ....
Hope this helps...
Alan
------------------// Alan's Signature //--------------------
If the answer's not at http://www.hk.super.net/~alan_k , then
let me know, 'CAUSE IT'S SUPPOSED TO BE!
-----------// Alan's Linux Information Center //-------------
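As an added illustration (not part of the original thread or of Samba/OpenLDAP documentation), the two ideas above combined in OpenLDAP 2.x slapd.conf ACL syntax: machine accounts kept under their own OU, as Martin suggested, and that OU hidden from ordinary users by access control, as Alan suggested. The suffix o=example,c=AT, the OUs ou=Machine and ou=People, the Samba bind DN cn=samba,o=example,c=AT and the group cn=Administrators,o=example,c=AT are assumed names; the password attributes are those of the Samba 3 schema.

```conf
# Added example, not from the original post. Assumed DNs:
#   suffix            o=example,c=AT
#   machine accounts  ou=Machine,o=example,c=AT
#   user accounts     ou=People,o=example,c=AT
#   Samba bind DN     cn=samba,o=example,c=AT   ("ldap admin dn" in smb.conf)
#   admin group       cn=Administrators,o=example,c=AT
# slapd evaluates "access to" clauses in order; the first matching
# clause decides, so the more specific rules must come first.

# Machine accounts: only Samba's bind DN and the admin group may see or
# change them. "by self" lets a machine update its own entry (e.g. the
# periodic machine password change). "by * none" is the default but is
# written out so the intent is visible: address-book searches by users
# never return these entries.
access to dn.subtree="ou=Machine,o=example,c=AT"
    by dn.exact="cn=samba,o=example,c=AT" write
    by group.exact="cn=Administrators,o=example,c=AT" write
    by self write
    by * none

# User password attributes: usable for binding (auth) but not readable,
# so the address book cannot leak hashes even to logged-in users.
access to dn.subtree="ou=People,o=example,c=AT" attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,o=example,c=AT" write
    by group.exact="cn=Administrators,o=example,c=AT" write
    by self write
    by anonymous auth
    by * none

# Remaining user attributes: readable by any authenticated user, which is
# what a mail client's addressbook query needs, writable by the owner,
# Samba and the admins.
access to dn.subtree="ou=People,o=example,c=AT"
    by dn.exact="cn=samba,o=example,c=AT" write
    by group.exact="cn=Administrators,o=example,c=AT" write
    by self write
    by users read
    by * none
```

A quick check after loading this is an `ldapsearch` bound as an ordinary user with base o=example,c=AT and filter (objectClass=*): the result should list entries under ou=People but nothing under ou=Machine, and no password attributes.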