Best practice for creating an RO LDAP User in AD...

Samba - General mailing list

Coming from Samba in NT mode with an OpenLDAP backend, I've created a bunch
of ''things'' (apps, web tools, ...; but also printers and so on) that
rely on reading ''public'' data in LDAP.

With OpenLDAP, ''public'' was an easy concept: anonymous access was
the default, and ACLs protected more sensitive data (mostly passwords).


Now I have to redo some of these things in AD. I don't need to enable
public access (if possible...), so I think the better path would be
creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID, which
are not needed) with a complex password.


Are there some ''best practices'' for that?

I'm thinking about:

a) create the user in a specific OU

b) put it in the 'Domain Guests' group (or is it better to also create a
  specific group?)

c) set the account 'never expire' ('X') flag.


Any other hints? For example, is there some way to disable logon for the
user, but have LDAP auth work as expected?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Best practice for creating an RO LDAP User in AD...

Hi Marco,

> Coming from Samba in NT mode with an OpenLDAP backend, I've created a bunch
> of ''things'' (apps, web tools, ...; but also printers and so on) that
> rely on reading ''public'' data in LDAP.
>
> With OpenLDAP, ''public'' was an easy concept: anonymous access was
> the default, and ACLs protected more sensitive data (mostly passwords).
>
>
> Now I have to redo some of these things in AD. I don't need to enable
> public access (if possible...), so I think the better path would be
> creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID, which
> are not needed) with a complex password.
>
>
> Are there some ''best practices'' for that?
>
> I'm thinking about:
>
> a) create the user in a specific OU
>
> b) put it in the 'Domain Guests' group (or is it better to also create a
>   specific group?)
>
> c) set the account 'never expire' ('X') flag.
>
>
> Any other hints? For example, is there some way to disable logon for the
> user, but have LDAP auth work as expected?

You can put your service accounts in an OU and add a GPO that denies
logon/services/tasks locally.

If you are using those accounts on a Windows computer, you could use a
managed account [1] (I haven't tried it yet).

Cheers,

Denis

[1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

>
>
> Thanks.
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: Best practice for creating an RO LDAP User in AD...

Hello! Denis Cardon via samba
  wrote on that day...

Sorry, I'm coming back to this a bit late...

> >Any other hints? For example, is there some way to disable logon for the
> >user, but have LDAP auth work as expected?

> You can put your service accounts in an OU and add a GPO that denies
> logon/services/tasks locally.

I've tried to google around a bit but I'm a bit confused. What you are
saying seems to me to be this:

        https://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/

right?


> If you are using those accounts on a Windows computer, you could use a managed
> account [1] (I haven't tried it yet).
> [1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

I'll keep it for a future read. Thanks!

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

Hello! Denis Cardon via samba
  wrote on that day...

> You can put your service accounts in an OU and add a GPO that denies
> logon/services/tasks locally.

Coming back to this briefly.

I've created a 'Restricted' OU and a 'Restricted' group (I'm short on
imagination today ;) and I've created an 'mta' user, both user and group
in the 'Restricted' OU, of course.
And I've added 'mta' to the 'Restricted' group.

Clearly, on a DC, an xID gets assigned to the group:

        root@vdcsv1:~# getent group Restricted
        LNFFVG\restricted:x:3000026:

but in the same way the 'mta' user gets by default the 'Domain Users' group
(and others, it seems):

        root@vdcsv1:~# getent passwd mta
        LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
        root@vdcsv1:~# id mta
        uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)

Ok, some questions:

a) does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not
 a member of 'Domain Users'? Or after that do I have to re-set all the ACLs
on my LDAP objects to let a non-'Domain Users' member read LDAP data?

b) if I modify 'primaryGroupID: 513', considering that neither user nor
 group has POSIX/rfc2307 data, could it potentially break something? On a
member server?

c) is there some way, apart from ldbmodify, to modify primaryGroupID?


Thanks.

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Tue, 7 Nov 2017 19:24:10 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Denis Cardon via samba
>   wrote on that day...
>
> > You can put your service accounts in an OU and add a GPO that denies
> > logon/services/tasks locally.
>
> Coming back to this briefly.
>
> I've created a 'Restricted' OU and a 'Restricted' group (I'm short on
> imagination today ;) and I've created an 'mta' user, both user and group
> in the 'Restricted' OU, of course.
> And I've added 'mta' to the 'Restricted' group.
>
> Clearly, on a DC, an xID gets assigned to the group:
>
> root@vdcsv1:~# getent group Restricted
> LNFFVG\restricted:x:3000026:
>
> but in the same way the 'mta' user gets by default the 'Domain Users' group
> (and others, it seems):
>
> root@vdcsv1:~# getent passwd mta
> LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
> root@vdcsv1:~# id mta
> uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users)
> gruppi=10513(LNFFVG\domain
> users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)
>
> Ok, some questions:
>
> a) does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not
>  a member of 'Domain Users'? Or after that do I have to re-set all the ACLs
> on my LDAP objects to let a non-'Domain Users' member read LDAP data?
>
> b) if I modify 'primaryGroupID: 513', considering that neither user nor
>  group has POSIX/rfc2307 data, could it potentially break something? On a
> member server?
>
> c) is there some way, apart from ldbmodify, to modify primaryGroupID?
>
>
> Thanks.
>

Not sure what you are proposing is going to work; AD expects every user
to be a member of Domain Users, even though there is nothing in AD to
show the membership.
Do you require this user to be visible on all domain machines?
If Windows works like winbind, then it probably won't be.

You can remove the 'mta' group easily by opening idmap.ldb in ldbedit,
finding the object for 'mta' and then changing the 'type' attribute from
'ID_TYPE_BOTH' to 'ID_TYPE_UID'.

It might help if you could explain how you are going to use your new
user 'mta'.

Rowland


Re: Best practice for creating an RO LDAP User in AD...

Hello! Rowland Penny via samba
  wrote on that day...

> Not sure what you are proposing is going to work; AD expects every user
> to be a member of Domain Users, even though there is nothing in AD to
> show the membership.

Ah.

> Do you require this user to be visible on all domain machines?
[...]
> It might help if you could explain how you are going to use your new
> user 'mta'.

No. Probably quoting a month-old message does not help...

I simply need to have some LDAP access to do LDAP queries; in this 'mta'
example, I need it to do email/alias processing in exim.


In practice, users in the 'Restricted' group do not need to log on nor do
anything on the domain, apart from logging into LDAP and doing some
''generic'' queries.
I set the users in that group a random/complex password and forgot about
it, but I'm thinking of doing the 'right' thing, lowering the account
privileges to the minimum.

Probably this is a generic 'Active Directory' question, not a specific Samba
one, but... I've not found relevant info out there...


Thanks.

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Wed, 8 Nov 2017 09:49:42 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   wrote on that day...
>
> > Not sure what you are proposing is going to work; AD expects every
> > user to be a member of Domain Users, even though there is nothing
> > in AD to show the membership.
>
> Ah.
>
> > Do you require this user to be visible on all domain machines?
> [...]
> > It might help if you could explain how you are going to use your new
> > user 'mta'.
>
> No. Probably quoting a month-old message does not help...
>
> I simply need to have some LDAP access to do LDAP queries; in this
> 'mta' example, I need it to do email/alias processing in exim.
>
>
> In practice, users in the 'Restricted' group do not need to log on nor
> do anything on the domain, apart from logging into LDAP and doing some
> ''generic'' queries.
> I set the users in that group a random/complex password and forgot
> about it, but I'm thinking of doing the 'right' thing, lowering the
> account privileges to the minimum.
>
> Probably this is a generic 'Active Directory' question, not a specific
> Samba one, but... I've not found relevant info out there...
>
>
> Thanks.
>

Why don't you do what most people do and use Kerberos? Create the user
with a random password, set the password to never expire, set the user's
shell to /bin/false. Now set exim to use Kerberos (don't ask me how, I
don't use exim).

Rowland


Re: Best practice for creating an RO LDAP User in AD...

Hello! Rowland Penny via samba
  wrote on that day...

> Why don't you do what most people do and use Kerberos? Create the user
> with a random password, set the password to never expire, set the user's
> shell to /bin/false. Now set exim to use Kerberos (don't ask me how, I
> don't use exim).

It seems that's not possible:

        https://lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Wed, 8 Nov 2017 16:14:20 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   wrote on that day...
>
> > Why don't you do what most people do and use Kerberos? Create the user
> > with a random password, set the password to never expire, set the user's
> > shell to /bin/false. Now set exim to use Kerberos (don't ask me
> > how, I don't use exim).
>
> It seems that's not possible:
>
> https://lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html
>

It seems there is the heimdal_gssapi authenticator:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_heimdalgssapi_authenticator.html

Rowland


Re: Best practice for creating an RO LDAP User in AD...

I don't believe it.

That's 5 years old now; normally I'd dig into it, but exim...  I dropped exim about 15 years ago.
First thing I do on Debian...
apt-get install --purge postfix
That installs postfix and removes exim and purges exim's config..  ;-)

The setup for AD in the link below is the same, but if you want access without auth,
have you tried to query the GC ports (3268 or 3269)?
And read:
https://technet.microsoft.com/en-us/library/cc961563.aspx

That should work; I haven't tried it myself to be honest, I don't use it..


Greetz,
Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Marco Gaiarin via samba
> Sent: Wednesday 8 November 2017 16:14
> To: [hidden email]
> Subject: Re: [Samba] Best practice for creating an RO LDAP
> User in AD...
>
> Hello! Rowland Penny via samba
>   wrote on that day...
>
> > Why don't you do what most people do and use Kerberos? Create the user
> > with a random password, set the password to never expire, set the user's
> > shell to /bin/false. Now set exim to use Kerberos (don't
> ask me how, I
> > don't use exim).
>
> It seems that's not possible:
>
>
> https://lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html
>



Re: Best practice for creating an RO LDAP User in AD...

Hello! Rowland Penny via samba
  wrote on that day...

> It seems there is the heimdal_gssapi authenticator:
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_heimdalgssapi_authenticator.html

...that's for authenticating against exim, not for having exim authenticate against LDAP...

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Wed, 8 Nov 2017 17:07:15 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> I don't believe it.
>
> That's 5 years old now; normally I'd dig into it, but exim...  I
> dropped exim about 15 years ago. First thing I do on Debian...
> apt-get install --purge postfix
> That installs postfix and removes exim and purges exim's config..  ;-)
>
> The setup for AD in the link below is the same, but if you want
> access without auth, have you tried to query the GC ports (3268 or
> 3269)? And read:
> https://technet.microsoft.com/en-us/library/cc961563.aspx
>
> That should work; I haven't tried it myself to be honest, I don't use it..
>
>

To be honest, I would go with Postfix if I had to, but it has been
some time since I had to set up a mail server. You can use Dovecot with
Postfix and that definitely will work with Kerberos.

Rowland


Re: Best practice for creating an RO LDAP User in AD...

Hi Marco,

On 8 November 2017 at 08:49, Marco Gaiarin via samba <[hidden email]>
wrote:

> Hello! Rowland Penny via samba
>   wrote on that day...
>
> > Not sure what you are proposing is going to work; AD expects every user
> > to be a member of Domain Users, even though there is nothing in AD to
> > show the membership.
>
> [...]
> I simply need to have some LDAP access to do LDAP queries; in this 'mta'
> example, I need it to do email/alias processing in exim.
>

For what it's worth, I have done exactly this for an account I use in
Apache for LDAP authentication; it sounds similar to your use case here.

In my Apache config I have:
    AuthLDAPBindDN cn=apacheuser,cn=Users,dc=mydomain,dc=uk
and I have just checked in AD, this user is a member of 'Domain Guests' and
not 'Domain Users'.

I think, if you are only doing LDAP searches and not using any "Windows
style" functionality, then this will work just fine.

Try it, and see? Worst case, you just need to change the membership back
again :)

--
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
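Marco's checklist for the bind account (dedicated OU and group, primaryGroupID not 513, password never expires, no POSIX data) and Jonathan's point that 'Domain Guests' works for pure LDAP searches can be turned into an offline audit of the account's attributes. This is an added example, not code from the thread or from Samba: the attribute names and userAccountControl bits are the standard AD ones, the domain, OU and entries are constructed, and audit_service_account is a hypothetical helper.

```python
"""Audit an AD bind account against the thread's least-privilege checklist.

Added example: the entries below are constructed, not read from a directory.
In practice `entry` would come from an LDAP search for the account returning
these attributes; only the checks themselves are shown here.
"""
from __future__ import annotations

# Standard AD userAccountControl bits.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Well-known RIDs used as primaryGroupID.
RID_DOMAIN_USERS = 513    # the default every new user gets
RID_DOMAIN_GUESTS = 514

# rfc2307 attributes a pure LDAP-bind account has no use for.
POSIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
# Groups a read-only bind account must never end up in.
PRIVILEGED_GROUP_CNS = ("domain admins", "enterprise admins",
                        "schema admins", "administrators")


def _norm(dn: str) -> str:
    """Lower-case a DN and strip spaces around RDN separators (no escape handling)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _parent_dn(dn: str) -> str:
    n = _norm(dn)
    return n.split(",", 1)[1] if "," in n else ""


def _cn_of(dn: str) -> str:
    rdn = _norm(dn).split(",", 1)[0]
    return rdn[3:] if rdn.startswith("cn=") else rdn


def desired_uac() -> int:
    """Normal account whose password never expires (0x10200 == 66048)."""
    return UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD


def audit_service_account(entry: dict, restricted_ou: str,
                          restricted_group: str) -> list[str]:
    """Return the checklist items the account fails; an empty list means it passes."""
    findings: list[str] = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        findings.append("account is disabled, so an LDAP bind will fail")
    if not (uac & UAC_DONT_EXPIRE_PASSWORD):
        findings.append("password can expire; the bind will break on the policy deadline")
    if _parent_dn(entry["dn"]) != _norm(restricted_ou):
        findings.append(f"not placed under {restricted_ou}")
    groups = [_norm(g) for g in entry.get("memberOf", [])]
    if _norm(restricted_group) not in groups:
        findings.append(f"not a member of {restricted_group}")
    if int(entry.get("primaryGroupID", RID_DOMAIN_USERS)) == RID_DOMAIN_USERS:
        findings.append("primaryGroupID is 513 (Domain Users); "
                        f"Domain Guests is {RID_DOMAIN_GUESTS}")
    privileged = [g for g in groups if _cn_of(g) in PRIVILEGED_GROUP_CNS]
    if privileged:
        findings.append("member of privileged group(s): " + ", ".join(privileged))
    posix = [a for a in POSIX_ATTRS if a in entry]
    if posix:
        findings.append("unneeded POSIX attributes set: " + ", ".join(posix))
    return findings


# Constructed sample data (hypothetical domain, not the thread's).
BASE_DN = "DC=ad,DC=example,DC=test"
RESTRICTED_OU = f"OU=Restricted,{BASE_DN}"
RESTRICTED_GROUP = f"CN=Restricted,{RESTRICTED_OU}"

# How 'mta' looks right after creation: default container, default primary group.
MTA_DEFAULT = {
    "dn": f"CN=mta,CN=Users,{BASE_DN}",
    "userAccountControl": UAC_NORMAL_ACCOUNT,
    "primaryGroupID": RID_DOMAIN_USERS,
    "memberOf": [],
}
# The same account after applying the checklist.
MTA_HARDENED = {
    "dn": f"CN=mta,{RESTRICTED_OU}",
    "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD,
    "primaryGroupID": RID_DOMAIN_GUESTS,
    "memberOf": [RESTRICTED_GROUP],
}

if __name__ == "__main__":
    for name, entry in (("default", MTA_DEFAULT), ("hardened", MTA_HARDENED)):
        print(name, audit_service_account(entry, RESTRICTED_OU, RESTRICTED_GROUP) or "OK")
```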

Re: Best practice for creating an RO LDAP User in AD...

Hello! L.P.H. van Belle via samba
  wrote on that day...

> I don't believe it.

Eh. «De gustibus non disputandum est» (there's no accounting for taste). ;-)


> The setup for AD in the link below is the same, but if you want access without auth,
> have you tried to query the GC ports (3268 or 3269)?

No, but now I have, and it does not work:

 gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
 # extended LDIF
 #
 # LDAPv3
 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
 # filter: (uid=gaio)
 # requesting: ALL
 #
 
 # search result
 search: 2
 result: 1 Operations error
 text: 00002020: Operation unavailable without authentication
 
 # numResponses: 1
 gaio@albus:~$ ldapsearch -x -H ldaps://vdcsv1:3269/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
 # extended LDIF
 #
 # LDAPv3
 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
 # filter: (uid=gaio)
 # requesting: ALL
 #
 
 # search result
 search: 2
 result: 1 Operations error
 text: 00002020: Operation unavailable without authentication
 
 # numResponses: 1


> And read:
> https://technet.microsoft.com/en-us/library/cc961563.aspx
> That should work; I haven't tried it myself to be honest, I don't use it..

Interesting. But it scares me a bit. In this way could I also expose the
password hashes to anonymous access?

Really, as far as I've understood, the ACLs in AD are a complex beast, and
breaking things, or making some restricted info available to all by
mistake, seems too easy...


So, if I open the ACL to 'Everyone', do I have to set other ACLs to restrict,
e.g., passwords?

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

Hello! Jonathan Hunter via samba
  wrote on that day...

> and I have just checked in AD, this user is a member of 'Domain Guests' and
> not 'Domain Users'.

Oh, good point!

Never mind about 'Domain Guests'... but because I prefer to have that
user in a specific group, probably I can make that user a member of my
group, and my group a member of 'Domain Guests'.

I'll give it a try...

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Thu, 9 Nov 2017 11:08:26 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! L.P.H. van Belle via samba
>   wrote on that day...
>
> > I don't believe it.
>
> Eh. «De gustibus non disputandum est» (there's no accounting for taste). ;-)
>
>
> > The setup for AD in the link below is the same, but if you want
> > access without auth, have you tried to query the GC ports (3268
> > or 3269)?
>
> No, but now I have, and it does not work:
>
>  gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"

Try:

ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it '(uid=gaio)'

You will have to do this as root.

Rowland





Re: Best practice for creating an RO LDAP User in AD...

Hello! Rowland Penny via samba
  wrote on that day...

> >  gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"

> Try:
> ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it '(uid=gaio)'

Ahem, I need to access it with LDAP, e.g. libldap-linked apps (think about
the php-ldap module), not with ldbsearch/console....

(I was simply using ldapsearch because it is the simplest libldap app
 available...)

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Fri, 10 Nov 2017 14:43:08 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   wrote on that day...
>
> > >  gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b
> > > DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
>
> > Try:
> > ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it
> > '(uid=gaio)'
>
> Ahem, I need to access it with LDAP, e.g. libldap-linked apps (think about
> the php-ldap module), not with ldbsearch/console....
>
> (I was simply using ldapsearch because it is the simplest libldap app
>  available...)
>

I think you need to explain just what you are trying to script with
PHP?

Rowland


Re: Best practice for creating an RO LDAP User in AD...

Hello! Rowland Penny via samba
  wrote on that day...

> I think you need to explain just what you are trying to script with
> PHP?

It was only an example, Rowland.

I need some ''generic access'' to LDAP data, in a ''pre-auth'' phase,
e.g. I need to access LDAP data before a real user authenticates.


Short answer: Because. ;-)

--
dott. Marco Gaiarin

Re: Best practice for creating an RO LDAP User in AD...

On Fri, 10 Nov 2017 17:17:43 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   wrote on that day...
>
> > I think you need to explain just what you are trying to script with
> > PHP?
>
> It was only an example, Rowland.
>
> I need some ''generic access'' to LDAP data, in a ''pre-auth''
> phase, e.g. I need to access LDAP data before a real user authenticates.
>
>
> Short answer: Because. ;-)
>

In which case, use ldbsearch with -P (machine kerberos password).

Rowland
