
Re: Samba auth on replicated LDAP: no admin user



Terje Trane wrote:
> On 07.12.2015 10:22, Paul van der Vlis wrote:
>
>> It will be only in cn=config.
>>
>> This is the way I create a LDAP admin:
>> -----
>> cat <<EOF >slapd-database.ldif
>> dn: olcDatabase={1}hdb,cn=config
>> changeType: modify
>> replace: olcDbConfig
>> olcDbConfig: {0}set_cachesize 0 2097152 0
>> olcDbConfig: {1}set_lk_max_objects 1500
>> olcDbConfig: {2}set_lk_max_locks 1500
>> olcDbConfig: {3}set_lk_max_lockers 1500
>> olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
>> -
>> replace: olcRootPW
>> olcRootPW: ${LDAP_ADMIN_HASH}
>> EOF
>> ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
>> -----
>
> The rootdn (with accompanying password) is, at least the way I think it is
> meant, a full-access-to-everything root account for use when setting up the
> directory.  Only.

No, the rootdn is also used by various internal administrative functions. It is used continuously, not just for setup.

> Then, good practice is to make the account(s) you need to administer and run
> the system in the LDAP tree, with appropriate ACLs, and disable the rootdn.
> (In slapd.conf it can be done by just commenting out the rootdn/rootpw lines).

Comment out the rootpw, sure. That prevents external clients from using it. But always leave some rootdn defined.

> So, for your samba servers you should make an account, e.g. cn=sambaserver,
> that is only for that use (and is replicated), and with rights only to what
> it really needs and not to the whole LDAP tree.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
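As an added example (not from anyone in this thread), here is the kind of change the advice above amounts to: a replicated service account cn=sambaserver with an ACL that only lets it touch the Samba password attributes, the rootpw removed, and the rootdn left in place. The suffix dc=example,dc=com, the ou=People container, the {1}hdb database index and the attribute list are assumptions to adapt; the attribute list covers authentication only and needs extending if Samba also creates or modifies accounts.

```ldif
# Added example; assumes suffix dc=example,dc=com, users under ou=People,
# and the data database at olcDatabase={1}hdb,cn=config.

# 1. The service account. It lives in the data tree, so it is replicated
#    like any other entry. Generate the hash with slappasswd.
dn: cn=sambaserver,dc=example,dc=com
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sambaserver
description: Samba LDAP passdb service account
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# 2. ACLs on the data database (applied via ldapi:/// with -Y EXTERNAL,
#    as in the snippet above). Rule {0}: only the Samba account may read
#    or write the Samba hashes; not even the user can read their own.
#    Rule {1}: simple binds work through userPassword, for the service
#    account as well as for users. Rule {2}: the service account and
#    authenticated users can read the user entries, anonymous cannot.
#    The final 'delete: olcRootPW' assumes a rootpw was set as in the
#    snippet above; olcRootDN is deliberately left untouched.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet
  by dn.exact="cn=sambaserver,dc=example,dc=com" write
  by self none
  by * none
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by dn.exact="cn=sambaserver,dc=example,dc=com" read
  by users read
  by * none
olcAccess: {3}to *
  by users read
  by * none
-
delete: olcRootPW
-
```

On the Samba side, `ldap admin dn` in smb.conf then points at cn=sambaserver,dc=example,dc=com instead of the rootdn, and the first record has to be added by a DN that the existing ACLs allow to write under the suffix.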