
Re: Samba auth on replicated LDAP: no admin user



Hello list,

Thanks for your help!

On 07-12-15 at 11:28 Terje Trane wrote:
> On 07.12.2015 10:22, Paul van der Vlis wrote:
>>
>> It will be only in cn=config.
>>
>> This is the way I create a LDAP admin:
>> -----
>> cat <<EOF >slapd-database.ldif
>> dn: olcDatabase={1}hdb,cn=config
>> changeType: modify
>> replace: olcDbConfig
>> olcDbConfig: {0}set_cachesize 0 2097152 0
>> olcDbConfig: {1}set_lk_max_objects 1500
>> olcDbConfig: {2}set_lk_max_locks 1500
>> olcDbConfig: {3}set_lk_max_lockers 1500
>> olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
>> -
>> replace: olcRootPW
>> olcRootPW: ${LDAP_ADMIN_HASH}
>> EOF
>> ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
>> -----
> 
> The rootdn (with accompanying password) is, at least the way I think it
> is meant, a full-access-to-everything root account for use when setting
> up the directory.  Only.
>
> Then, good practice is to make the account(s) you need to administer and
> run the system in the LDAP tree, with appropriate ACLs, and disable the
> rootdn.  (In slapd.conf it can be done by just commenting out the
> rootdn/rootpw lines).
>
> So, for your samba servers you should make an account, e.g.
> cn=sambaserver, that is only for that use (and is replicated), and
> with rights only to what it really needs and not to the whole LDAP tree.

I have created such a user account, and I see the user on the
replicated server as "cn=samba,dc=domain,dc=nl" (so without ou=user like
normal users).

Point is that it does not work for Samba authentication, the ACLs will
not be good. I will have to study ACLs again to give it full read access.

With regards,
Paul van der Vlis.



-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
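As an added example (not part of this thread, and not how the list answered Paul): a small POSIX shell script that generates the two cn=config changes Terje's advice implies. It assumes the Samba bind account is cn=samba,dc=domain,dc=nl and the data database is olcDatabase={1}hdb,cn=config, both taken from the messages above; the ACL layout itself, the use of the standard Samba schema attributes sambaNTPassword/sambaLMPassword, and the helper names gen_samba_acl_ldif, gen_disable_rootpw_ldif and apply_and_verify are my assumptions. The first LDIF gives the samba account read access to the tree (and write to the password attributes), keeps password hashes hidden from everyone else, and lets users bind; the second removes olcRootPW, the cn=config equivalent of commenting out rootpw in slapd.conf.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the Samba bind
# account is cn=samba,dc=domain,dc=nl and the data database is
# olcDatabase={1}hdb,cn=config (both as in the messages), and that the
# Samba schema (sambaNTPassword/sambaLMPassword) is loaded in slapd.

SAMBA_DN="cn=samba,dc=domain,dc=nl"
DB_DN="olcDatabase={1}hdb,cn=config"
BASE_DN="dc=domain,dc=nl"

# Emit an LDIF that replaces the database's olcAccess rules.
# Order matters: slapd uses the first "to" clause that matches the entry
# and attribute, so the password-attribute rule must precede "to *".
gen_samba_acl_ldif() {
    bind_dn="${1:-$SAMBA_DN}"
    db_dn="${2:-$DB_DN}"
    # Leading spaces on continuation lines are LDIF syntax; keep them.
    cat <<EOF
dn: $db_dn
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn.exact="$bind_dn" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="$bind_dn" read
  by self read
  by users read
  by * none
EOF
}

# Emit an LDIF that removes olcRootPW so the rootdn can no longer bind
# with a password (olcRootDN itself is left in place).
gen_disable_rootpw_ldif() {
    db_dn="${1:-$DB_DN}"
    cat <<EOF
dn: $db_dn
changetype: modify
delete: olcRootPW
EOF
}

# Apply both changes over the local ldapi socket as root (SASL EXTERNAL),
# then check that the samba account can read Samba accounts and that an
# anonymous search returns no password hashes. Run on every replica:
# olcAccess lives in cn=config, which the data-database syncrepl does
# not replicate.
apply_and_verify() {
    gen_samba_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    gen_disable_rootpw_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    echo "== as $SAMBA_DN (expect entries with sambaNTPassword):"
    ldapsearch -x -H ldapi:/// -D "$SAMBA_DN" -W -b "$BASE_DN" \
        '(objectClass=sambaSamAccount)' sambaNTPassword
    echo "== anonymous (expect 0 hash lines):"
    ldapsearch -x -H ldapi:/// -b "$BASE_DN" \
        '(objectClass=sambaSamAccount)' sambaNTPassword \
        | grep -c '^sambaNTPassword:' || true
}

case "${1:-}" in
    show)  gen_samba_acl_ldif; echo; gen_disable_rootpw_ldif ;;
    apply) apply_and_verify ;;
esac
```

Run `sh script.sh show` to inspect the LDIF before applying anything. If the samba account should only ever read (as the message says), change the `write` on the `{0}` rule to `read`; with Samba's `ldap passwd sync` enabled the account needs write on those attributes, because Samba updates the hashes on password changes.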