Samba4 4.0.0beta4, CentOS 6.3
I have a 3*DC Samba4 domain in which everything tested so far appears to
be working OK: ldap, kerberos, dns, windows client joins, replication,
etc.
My question concerns binding Linux clients (CentOS 6) to the Samba4 LDAP
server using sssd. If in /etc/sssd/sssd.conf I have several test boxes
that use:
[domain/SAMBA4]
.....
ldap_default_bind_dn = CN=Administrator,CN=users,...
ldap_default_authtok = secret
ldap_default_authtok_type = password
...
and this works perfectly well. However, I would like to avoid embedding
the domain administrator password in my clients for obvious reasons.
If I was using OpenLDAP (as I am on the non-Samba4 systems), I would
create a suitable bind DN in the database:
dn: cn=<hostname>,ou=Binddn,dc=...
cn: <hostname>
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: <base64-password>
and use this binddn on the clients; this works thanks to the ACL's that I
have in the slapd configuration. However, this technique does not work
with the Samba4 LDAP server presumably because the dn does not have
suitable access rights to the database (no user accounts are visible).
What is the recommended way to set up the ldap_default_bind_dn?
Steve
