---------- Original e-mail ----------
From: Rowland Penny via samba <samba at lists.samba.org>
To: samba at lists.samba.org
Date: 27. 6. 2018 11:49:38
Subject: Re: [Samba] AD LDAP

> On Wed, 27 Jun 2018 11:31:15 +0200 (CEST)
> Michal via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > is there any way to look into the Samba LDAP the same way I can look
> > into OpenLDAP via LDAPAdmin, ldap tools etc., when I know the OpenLDAP
> > "root" DN and password? Is there such a "root" user for Samba AD LDAP?
>
> Samba AD uses its own version of LDAP and most, if not all, standard
> LDAP tools will work with it.
> The 'root' user for AD is called 'Administrator', but you are not
> restricted to this user; you can use any user that is a member of
> 'Domain Admins', for instance.

(on samba ad server)

ldapsearch -x localhost
# extended LDIF
#
# LDAPv3
# base <dc=nspuh, dc=cz> (default) with scope subtree
# filter: (objectclass=*)
# requesting: localhost
#

# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

This is a problem. We used to be able to get "public" data from LDAP
without authentication (password attributes cannot be read without a
user bind, of course). Is there any way to do it?

> > We have a lot of scripts based on "ldapsearch" (without
> > authentication) and "ldapmodify" (with LDAP authentication). It
> > would be very unpleasant if we could not use the scripts with
> > Samba AD.
>
> They should work, but you may not need all of them; Samba comes with
> 'samba-tool' and you can use this to maintain users & groups etc.

Can samba-tool do queries like
'(&(uidNumber>=5000)(!(uidNumber>=6000)))'
or
-b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))"
or
"createTimestamp>=201801310000Z"?

Michal

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Wed, 27 Jun 2018 12:12:42 +0200 (CEST)
<Michal67M at seznam.cz> wrote:

> ---------- Original e-mail ----------
> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 27. 6. 2018 11:49:38
> Subject: Re: [Samba] AD LDAP
>
> [...]
>
> (on samba ad server)
>
> ldapsearch -x localhost
> # extended LDIF
> #
> # LDAPv3
> # base <dc=nspuh, dc=cz> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: localhost
> #
>
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
>
> This is a problem. We used to be able to get "public" data from LDAP
> without authentication (password attributes cannot be read without a
> user bind, of course). Is there any way to do it?

Yes, but before I tell you, why do you feel you need to do this? What
are you searching for?

> > > We have a lot of scripts based on "ldapsearch" (without
> > > authentication) and "ldapmodify" (with LDAP authentication). It
> > > would be very unpleasant if we could not use the scripts with
> > > Samba AD.
> >
> > They should work, but you may not need all of them; Samba comes with
> > 'samba-tool' and you can use this to maintain users & groups etc.
>
> Can samba-tool do queries like
> '(&(uidNumber>=5000)(!(uidNumber>=6000)))'
> or
> -b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))"
> or
> "createTimestamp>=201801310000Z"?

To be honest, no. To carry out such searches you will need to
authenticate; this is the standard way of doing things on AD and is a
lot more secure compared with the way OpenLDAP does it.

Rowland
> > This is a problem. We used to be able to get "public" data from LDAP
> > without authentication (password attributes cannot be read without a
> > user bind, of course). Is there any way to do it?
>
> Yes, but before I tell you, why do you feel you need to do this? What
> are you searching for?

We use GroupOffice and it is configured to use LDAP; it looks up users
and e-mails in certain form fields (well, I do not know whether it
queries LDAP with or without authentication in this case). We have
another 3rd-party app which searches LDAP for user data, and in this
case I am quite sure they do not use authentication, because they update
their user list "offline" once a day without a user logged in, and they
do not know the "root" or any particular DN and password (AFAIK). (And
we have other apps with LDAP auth (bind) here; I am not sure whether
they need an anonymous bind sometimes or not.)

> > > > We have a lot of scripts based on "ldapsearch" (without
> > > > authentication) and "ldapmodify" (with LDAP authentication). It
> > > > would be very unpleasant if we could not use the scripts with
> > > > Samba AD.
> > >
> > > They should work, but you may not need all of them; Samba comes
> > > with 'samba-tool' and you can use this to maintain users & groups
> > > etc.
> >
> > Can samba-tool do queries like
> > '(&(uidNumber>=5000)(!(uidNumber>=6000)))'
> > or
> > -b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))"
> > or
> > "createTimestamp>=201801310000Z"?
>
> To be honest, no. To carry out such searches you will need to
> authenticate; this is the standard way of doing things on AD and is a
> lot more secure compared with the way OpenLDAP does it.

Authentication is not a problem in the case of my/our own scripts, but
how can I create e.g. a user with read-only access to the whole Samba
LDAP DB (without the password attributes)? And what is the DN for
authentication? ldapsearch -D what?

I was used to using "uid=user,ou=people,dc=domain,dc=cz", but I do not
know what it should be in Samba AD (and I cannot look into the LDAP
structure, because I would need to know the structure for the
administrator bind for that).

Thanks,
Michal
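The thread ends with two open points: Rowland's statement that the searches must be authenticated, and Michal's question of what to pass to `ldapsearch -D`. The shell script below is an added example, not code from the thread or from the Samba project. It assumes a DC reachable as ldaps://dc1.nspuh.cz, an ordinary unprivileged domain user named ldapreader (UPN ldapreader@nspuh.cz) as the bind account, and its password in a root-only file /etc/ldap/ldapreader.pw; all three are constructed for the example. Two facts it relies on: AD, Samba's implementation included, accepts the account's UPN (user@realm) or DOMAIN\user as the `-D` value of a simple bind, so no OpenLDAP-style "uid=...,ou=people" DN is needed; and any authenticated domain user can by default read the directory while password hashes are never returned over LDAP, which is why a plain user account serves as the read-only bind identity. It also recognises the exact refusal Michal pasted, so a migrated script fails loudly when it is still binding anonymously.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Assumed values (constructed, not in the thread): the DC is ldaps://dc1.nspuh.cz,
# the bind account is an unprivileged domain user "ldapreader" with UPN
# ldapreader@nspuh.cz, and its password sits in a root-only file.
# ldaps:// matters: Samba's default "ldap server require strong auth = yes"
# rejects a simple bind over an unencrypted ldap:// connection.
AD_URI="${AD_URI:-ldaps://dc1.nspuh.cz}"
AD_BASE="${AD_BASE:-dc=nspuh,dc=cz}"
AD_BIND="${AD_BIND:-ldapreader@nspuh.cz}"      # a UPN or DOMAIN\user both work as -D
AD_PWFILE="${AD_PWFILE:-/etc/ldap/ldapreader.pw}"

# ad_search FILTER [ATTR...] -- the authenticated replacement for the old anonymous
# "ldapsearch -x" calls. -y reads the password from a file, so it never shows up
# in ps output or the shell history; -LLL drops the LDIF comment lines.
ad_search() {
    _filter=$1; shift
    ldapsearch -x -LLL -H "$AD_URI" -D "$AD_BIND" -y "$AD_PWFILE" \
        -b "$AD_BASE" "$_filter" "$@"
}

# ldif_result LDIF_TEXT -- print the numeric code from a "result: N ..." line,
# or 0 when ldapsearch printed none (a successful -LLL search has no such line).
ldif_result() {
    _code=$(printf '%s\n' "$1" | sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${_code:-0}"
}

# needs_auth LDIF_TEXT -- succeed only for the refusal quoted in the thread:
# result 1 (operationsError) carrying the 00002020 "without authentication" text.
needs_auth() {
    [ "$(ldif_result "$1")" = "1" ] &&
        printf '%s\n' "$1" | grep -q '00002020: Operation unavailable without authentication'
}

# Constructed sample: the tail of the anonymous "ldapsearch -x" output from the thread.
ANON_OUTPUT='# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication'

if needs_auth "$ANON_OUTPUT"; then
    echo "anonymous bind refused by the DC; switch this script to ad_search" >&2
fi

# The three searches asked about in the thread, in their authenticated form
# (not executed here because they need a live DC):
#   ad_search '(&(uidNumber>=5000)(!(uidNumber>=6000)))' uidNumber sAMAccountName
#   ad_search '(!(mail=*))' sAMAccountName        # with AD_BASE=ou=people,dc=nspuh,dc=cz
#   ad_search '(createTimestamp>=201801310000Z)' sAMAccountName whenCreated
```

The password file is the one piece of state the script depends on, so keep it mode 0600 and owned by the account that runs the cron job; the client also needs to trust the certificate the DC presents for ldaps://, otherwise the bind fails before any search is sent.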