Hi,

is there any way how to look into samba ldap in the same way I can look into OpenLDAP via LDAPAdmin, ldap tools etc, when I know OpenLDAP "root" dn and password? Is there such "root" user for Samba AD LDAP?

We have a lot of scripts based on "ldapsearch" (without authentication) and "ldapmodify" (with ldap authentication). It would be very unpleasant if we cannot use the scripts with SambaAD.

Thanks,
Michal

On Wed, 27 Jun 2018 11:31:15 +0200 (CEST) Michal via samba <samba at lists.samba.org> wrote:

> Hi,
>
> is there any way how to look into samba ldap in the same way I can
> look into OpenLDAP via LDAPAdmin, ldap tools etc, when I know
> OpenLDAP "root" dn and password? Is there such "root" user for Samba
> AD LDAP?

Samba AD uses its own version of ldap and most, if not all, standard ldap tools will work with it.
The 'root' user for AD is called 'Administrator', but you are not restricted to this user; you can use any user that is a member of 'Domain Admins', for instance.

> We have a lot of scripts based on "ldapsearch" (without
> authentication) and "ldapmodify" (with ldap authentication). It
> would be very unpleasant if we cannot use the scripts with SambaAD.
>

They should work, but you may not need all of them. Samba comes with 'samba-tool' and you can use this to maintain user & groups etc.

Rowland

---------- Original e-mail ----------
From: Rowland Penny via samba <samba at lists.samba.org>
To: samba at lists.samba.org
Date: 27. 6. 2018 11:49:38
Subject: Re: [Samba] AD LDAP

"On Wed, 27 Jun 2018 11:31:15 +0200 (CEST) Michal via samba <samba at lists.samba.org> wrote:

> Hi,
>
> is there any way how to look into samba ldap in the same way I can
> look into OpenLDAP via LDAPAdmin, ldap tools etc, when I know
> OpenLDAP "root" dn and password? Is there such "root" user for Samba
> AD LDAP?

Samba AD uses its own version of ldap and most, if not all, standard ldap tools will work with it.
The 'root' user for AD is called 'Administrator', but you are not restricted to this user; you can use any user that is a member of 'Domain Admins', for instance.
"

(on samba ad server)

ldapsearch -x localhost
# extended LDIF
#
# LDAPv3
# base <dc=nspuh, dc=cz> (default) with scope subtree
# filter: (objectclass=*)
# requesting: localhost
#

# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

This is a problem. We used to be able to get "public" data from ldap without authentication (password attributes cannot be read without user bind, of course). Is there any way how to do it?

"> We have a lot of scripts based on "ldapsearch" (without
> authentication) and "ldapmodify" (with ldap authentication). It
> would be very unpleasant if we cannot use the scripts with SambaAD.
>

They should work, but you may not need all of them. Samba comes with 'samba-tool' and you can use this to maintain user & groups etc.
"

Can samba-tool do queries like '(&(uidNumber>=5000)(!(uidNumber>=6000)))' or "-b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))" or "createTimestamp>=201801310000Z" ?

Michal

"
Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
"

On 27/06/2018 at 11:45, Rowland Penny via samba wrote:

> On Wed, 27 Jun 2018 11:31:15 +0200 (CEST)
> Michal via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> is there any way how to look into samba ldap in the same way I can
>> look into OpenLDAP via LDAPAdmin, ldap tools etc, when I know
>> OpenLDAP "root" dn and password? Is there such "root" user for Samba
>> AD LDAP?
> Samba AD uses its own version of ldap and most, if not all, standard
> ldap tools will work with it.
> The 'root' user for AD is called 'Administrator', but you are not
> restricted to this user; you can use any user that is a member of
> 'Domain Admins', for instance.
>
>> We have a lot of scripts based on "ldapsearch" (without
>> authentication) and "ldapmodify" (with ldap authentication). It
>> would be very unpleasant if we cannot use the scripts with SambaAD.
>>
> They should work, but you may not need all of them. Samba comes with
> 'samba-tool' and you can use this to maintain user & groups etc.

AD LDAP requires auth for search... so your ldapsearch calls should fail.
You can try to set auth info in .ldaprc (see man ldap.conf BINDDN).

>
> Rowland
>
>
>