Hi Samba Team and users,

My question could seem very simple and possibly the answer is also simple (if that's the case, I'm sorry in advance), but I've found almost no doc about this topic in the wiki.

I'm currently running Samba 4 AD in a test environment, preparing for production. Everything is working quite fine, but I'm struggling with some configuration:

How (and where) to define a rootDN in order to specify which account has the right to make ldap queries against the Samba 4 AD ldap database (with ldapsearch), whether in read or write access.

On a Samba PDC install running an OpenLDAP backend, it was possible to define this in slapd.conf with lines like these:

    access to *
        by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write

or

    rootdn "uid=ldapadmin,ou=users,dc=domain,dc=lan"

Now that ldap is internal to Samba, I'm wondering where to put these options...

Right now, I can make successful ldap queries with ldapsearch (both ssl and tls) like these:

    ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

or

    ldapsearch -H ldap://srv-samba.domain.lan:389 -ZZ -LLL -x -D "cn=user,cn=users,dc=domain,dc=lan" -W -b "CN=Users,DC=domain,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

but I'm able to perform those requests successfully with all users of my ldap database (I can put any of the users, even non-admin ones, in the -D field), which is a bad/unwanted situation.

My smb.conf:

    [global]
        netbios name = SRV-SAMBA
        realm = DOMAIN.LAN
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        interfaces = lo,ens192
        bind interfaces only = yes
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem

    [netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Cheers,
Sam
Andrew Bartlett
2017-Dec-05 17:54 UTC
[Samba] Define a rootDN for ldap queries in Samba 4 AD
On Tue, 2017-12-05 at 14:27 +0100, Sami Chibani via samba wrote:
> Hi Samba Team and users,
>
> My question could seem very simple and possibly the answer is also simple
> (if that's the case, I'm sorry in advance), but I've found almost no doc
> about this topic in the wiki.
>
> How (and where) to define a rootDN in order to specify which account
> has the right to make ldap queries against the Samba 4 AD ldap database
> (with ldapsearch), whether in read or write access.
>
> On a Samba PDC install running an OpenLDAP backend, it was possible to
> define this in slapd.conf with lines like these:
>
>     access to *
>         by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write
>
> or
>
>     rootdn "uid=ldapadmin,ou=users,dc=domain,dc=lan"
>
> Now that ldap is internal to Samba, I'm wondering where to put these
> options...
>
> Right now, I can make successful ldap queries with ldapsearch (both ssl
> and tls) like these:
>
>     ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"
>
> but I'm able to perform those requests successfully with all users of my
> ldap database (I can put any of the users, even non-admin ones, in the
> -D field), which is a bad/unwanted situation.

All users can read the DB, and write access is controlled by the security descriptor on each object. Typically admins can write anywhere, users can make some additions and modifications.

I hope this clarifies things.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
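Andrew's point is that there is no rootDN to configure: reads are open to every authenticated user, and writes are decided per object by its security descriptor. The practical check on the defender's side is therefore to read an object's descriptor and look for allow ACEs that grant write rights to broad groups. The script below is an added example written for this thread; it is not part of the thread and not Samba's own tooling. It parses the DACL of a descriptor in SDDL form and reports write-capable allow ACEs held by trustees outside an assumed "privileged" set. It assumes you fetch the SDDL yourself (for instance with samba-tool's dsacl subcommand, or by decoding the nTSecurityDescriptor attribute); the SDDL string in the block, the GUID in it, the privileged-trustee list and the chosen set of "write" rights are all the example's own constructed assumptions.

```python
import re
from typing import List, Set, Tuple

# SDDL rights codes treated as "can change the object or its ACL" (assumed selection).
WRITE_RIGHTS = {
    "WP": "write property", "GW": "generic write", "GA": "generic all",
    "WD": "write DACL", "WO": "write owner", "CC": "create child",
    "DC": "delete child", "SD": "delete", "DT": "delete tree",
    "CR": "control access",
}

# Access-mask bits behind the two-letter codes, for ACEs written with a hex mask.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}

# Trustees expected to hold write rights (assumed list): Domain/Enterprise Admins,
# Local System, Builtin Administrators, Creator Owner and Principal Self.
PRIVILEGED = {"DA", "EA", "SY", "BA", "CO", "PS"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_of(field: str) -> Set[str]:
    """Expand an SDDL rights field (two-letter codes or a hex mask) into codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def dacl_aces(sddl: str) -> List[List[str]]:
    """Return the DACL's ACEs as field lists; the SACL (S: part) is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in ACE_RE.findall(m.group(1))]


def audit_dacl(sddl: str) -> List[Tuple[str, Tuple[str, ...], str]]:
    """List (trustee, write rights, target) for allow ACEs that grant write
    rights to a trustee outside PRIVILEGED. target is the object GUID of an
    object-specific ACE, or '*' when the ACE covers the whole object."""
    findings = []
    for fields in dacl_aces(sddl):
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess at its meaning
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):
            continue  # deny and audit ACEs grant nothing
        granted = rights_of(rights) & set(WRITE_RIGHTS)
        if granted and trustee not in PRIVILEGED:
            findings.append((trustee, tuple(sorted(granted)), obj_guid or "*"))
    return findings


# Constructed descriptor for a user object; the GUID is a placeholder, not a
# real schema attribute GUID.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"   # Domain Admins: full control
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"   # Local System: full control
    "(A;;RPLCLORC;;;AU)"                     # Authenticated Users: read only
    "(A;;RPWP;;;DU)"                         # Domain Users: write any property
    "(OA;;WP;00000000-0000-0000-0000-000000000001;;AU)"  # AU: write one attribute
    "(D;;WP;;;WD)"                           # deny ACE: grants nothing
)

if __name__ == "__main__":
    for trustee, rights, target in audit_dacl(SAMPLE_SDDL):
        names = ", ".join(WRITE_RIGHTS[r] for r in rights)
        print(f"{trustee}: {names} on {target}")
```

Run against the constructed descriptor this reports two findings: Domain Users with write-property on the whole object, and Authenticated Users with write-property on the one attribute named by the object-specific ACE. The full-control ACEs for DA and SY are skipped because those trustees are in the assumed privileged set, and the deny ACE is skipped because it grants nothing. When auditing a real domain, review the PRIVILEGED set first; a trustee you leave out of it will show up as a finding even where its write rights are intended.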