samba - Mar 2010 - Setting up LDAP Authentification - Tree design/search scope

Hi,

recently I started to evaluate and think about setting up a central LDAP
system for authentification and "phonebook". I'm also new to LDAP.

There is a lot of doc and well documented how tos, and I came across the
following question:

Where is the search scope for samba defiend? Or is the LDAP servers
setting defining the scope?

All docs "talk" about putting all people under one branche, e.g.

ou=People,dc=example,dc=com for the samba setting I'd have

"ldap user suffix = ou=People"

But with this setting I dont see how I may restrict the search for the
phonebook look up. (e.g. I do have students, empoyees and other.
Students may look up students and employees, but not the "other"
group.)

For me it would make more sense to "subgroup" the people like this:

ou=students,ou=People,dc=example,dc=com
ou=employees,ou=People,dc=example,dc=com
ou=other,ou=People,dc=example,dc=com

May be I'm mistaken.

Thanks for any comment and best regards!

	G?tz
-- 
G?tz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia H?bner
Staatsr?tin f?r Demographischen Wandel und f?r Senioren im Staatsministerium

Gesch?ftsf?hrer:
Prof. Thomas Schadt

smb.conf will list where samba searches in ldap.

e.g.

ldap suffix=o=abc.com
ldap user suffix=ou=employees,ou=people
ldap group suffix = ou=groups
ldap machine suffix=ou=machines,ou=people


I think the main challenge will be configuring access control lists.   
If you have a server you only want accessed by employees, you would set 
the "ldap user suffix" parameter in smb.conf appropriately.


But in terms of an address book, if someone has an LDAP address book 
client (e.g. thunderbird) you can't prevent them from trying to 
recursively query "ou=people,....) vs "ou=students."    You can
advise
end users whether they should set  up two LDAP address books (students 
vs employees) rather than one top level "people" one.    From the end 
user pespective, a single LDAP directory will probably be simpler.


So you would need to set ACL's to restrict access to "ou=other" OR
to
restrict access to "ou=people" and then grant it back to
"ou=employees"
and "ou=students."  You also want to make sure that certain fields 
(passwd) are restricted so that only "administrator" accounts can
access
them.  You can also configure whether anonymous users can access certain 
information or not (e.g. names and phone numbers.)

I use Sun's directory server as an LDAP backend.   I suspect most samba 
users are using OpenLDAP.     I also suspect that LDAP attributes may 
not be restricted by default as much as they should be.













On 03/08/2010 08:49 AM, G?tz Reinicke - IT-Koordinator
wrote:
> Hi,
>
> recently I started to evaluate and think about setting up a central LDAP
> system for authentification and "phonebook". I'm also new to
LDAP.
>
> There is a lot of doc and well documented how tos, and I came across the
> following question:
>
> Where is the search scope for samba defiend? Or is the LDAP servers
> setting defining the scope?
>
> All docs "talk" about putting all people under one branche, e.g.
>
> ou=People,dc=example,dc=com for the samba setting I'd have
>
> "ldap user suffix = ou=People"
>
> But with this setting I dont see how I may restrict the search for the
> phonebook look up. (e.g. I do have students, empoyees and other.
> Students may look up students and employees, but not the "other"
group.)
>
> For me it would make more sense to "subgroup" the people like
this:
>
> ou=students,ou=People,dc=example,dc=com
> ou=employees,ou=People,dc=example,dc=com
> ou=other,ou=People,dc=example,dc=com
>
> May be I'm mistaken.
>
> Thanks for any comment and best regards!
>
> 	G?tz
>

On Wed, 2010-03-10 at 08:38 +0100, G?tz Reinicke - IT-Koordinator
wrote:
> Adam Tauno Williams schrieb:
> > On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> >> But in terms of an address book, if someone has an LDAP address
book
> >> client (e.g. thunderbird) you can't prevent them from trying
to
> >> recursively query "ou=people,....) vs
"ou=students."    You can advise
> >> end users whether they should set  up two LDAP address books
(students
> >> vs employees) rather than one top level "people" one.   
From the end
> >> user pespective, a single LDAP directory will probably be simpler.
> > True;  or all non-related entries can simply be hidden from the
clients.
> > Or, the simplest solution, is it use a virtual root to 'glob'
any
> > objects [and just the specific attributes] that an addressbook
consumer
> > would want to see.  OpenLDAP provides excellent support for
> > partitioning, federating, and creating virtual (remapped) partitions.
> So I may have one branch with the DNs of users with there IDs,
> passwords, ... and one partition for the phonebook entries:
> dn: ou=People,dc=example,dc=com
I'd recommend sub-rooting everything Samba needs to see; and not using
the [dreadful IMO] ou=People,$ROOT, ou=Groups,$ROOT design.
> dn: ou=Phonebook,dc=example,dc=com
You certainly can do that.
> > Aside: Although in the end I think you'll find LDAP makes a very
crappy
> > addressbook soluton.
> Why that? For us e.g the purpose of the addressbook is to have name and
> e-mail-address available; postal Address, phonenumber etc should not be
> in our directory.
(a) No client but Evolution supports write access.   This shortly equals
unhappy users.
(b) Clients blithely ignore schema rules [for example "mail" is
multi-valued]
(c) How clients map attributes to fields varies widely [and who ever
wrote the Mozilla addressbook's LDAP support was using hard-drugs at the
time]

If you really want nothing more than to expose e-mail addresses it works
reasonably well.  It is pretty terrible once you go beyond that.