
Re: Administrator for groups OpenLDAP with Samba Admins



On Saturday, 14 May 2011 01:16:38 Juan Diego Calle wrote:
> Hi,
> 
> For weeks I have been reading about openldap, in the mailing lists, etc.
> Basically I have Samba with ldap and I need a GUI to administrate the
> users(I can use smbldap-tools and a shell, but not some of the
> administrators). I installed phpldapadmin, and I can log in with the user
> "Administrator", but I can change, remove or add any user or anything.  I
> have read about people that have similar configurations to mine and solved
> this problem.  Besides the user interface everything seems to work fine,
> the machines are logged to the domain, the samba server is a PDC. As far
> as I understand I need to create an ACL in  /etc/openldap/slapd.conf for
> the group that is going to administrate, and the problem is because I am
> trying to grant permissions to the Group "Domain Admins", and domain admins
> is more like samba group.

In my opinion, the easiest solution for you is to ensure that your samba / 
smbldap-tools configuration is correct. In this case, your "Domain Admins" 
should be able to add users and groups etc. via 'User Manager for Domains' 
(usrmgr.exe)[1]. This will work by NT RPC calls to samba. Only samba's 'admin 
dn' should need access to modify the entries for the user accounts.

Please discuss any issues between samba and "User Manager for Domains" on the 
samba list.

If you want to continue to pursue OpenLDAP ACLs, please read 'man 
slapd.access' carefully; you should have noticed the problem in your ACLs.

> access to attrs=userpassword by self write by anonymous auth by * none
> 
> access to * by self write by users read by anonymous read by * none

The line above has already matched everything, so the next line has nothing to 
operate on ...

> access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write



1. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c0011ab8-3178-4701-a791-eafba0f42de2

Regards,
Buchan
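
Added editorial example (not part of the original message or Buchan's reply): the three ACLs from the question, reordered so that the Administrator selector is actually reached. slapd walks "access to" clauses in order and stops at the first clause whose <what> part matches the entry and attribute; inside that clause it stops at the first matching <by> selector, and if no selector matches, access is denied. That is why the original third clause never ran, and also why simply moving "access to * by dn=Administrator write" to the top would not help: that clause would match everything for every requestor and lock everyone except Administrator out. The fix is to put the Administrator selector inside the existing clauses, ahead of "by users read", which otherwise wins for Administrator too since Administrator is also an authenticated user. The base DN, ou=People and Administrator DN are taken from the question; the sambaNTPassword/sambaLMPassword attributes are an assumption (they exist when the Samba schema used by smbldap-tools is loaded) and are listed so that the catch-all "by users read" does not expose NT hashes to every authenticated user.

```conf
# Added example, not from the original post. Same three rules as the
# question, reordered; DN and base are the poster's, the samba*Password
# attributes are assumed to be present (Samba schema loaded).

# Password material: owner may change it, everyone else may only use it
# to bind. Administrator is listed first so the catch-all "by * none"
# never applies to it; without this, Administrator cannot set passwords.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" write
        by self write
        by anonymous auth
        by * none

# Everything else. The Administrator selector must precede "by users read":
# selectors are tested in order and the first match ends evaluation, and
# Administrator is itself an authenticated user.
access to *
        by dn.exact="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" write
        by self write
        by users read
        by anonymous read
        by * none
```

To check the result without binding through phpldapadmin, slapacl(8) evaluates the loaded ACLs for a given identity and target, e.g. `slapacl -f /etc/openldap/slapd.conf -D "uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" -b "uid=someuser,ou=People,dc=mydomain,dc=com,dc=ec" sambaNTPassword/write` (someuser is a placeholder) should report write access granted, and the same command with an ordinary user's DN as -D should report it denied. Note that samba's own "ldap admin dn" still needs write access as Buchan says; if it is not the rootdn, give it a selector of its own in the same positions.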