Define a rootDN for ldap queries in Samba 4 AD

Define a rootDN for ldap queries in Samba 4 AD

Samba - General mailing list
Hi Samba Team and users,


My question may seem very simple, and possibly the answer is also simple
(if that's the case, I'm sorry in advance), but I've found almost no doc
about this topic in the wiki.


I'm currently running Samba 4 AD in a test environment, preparing for
production. Everything is working quite fine, but I'm struggling with
some configuration:

How (and where) do I define a rootDN in order to specify which account
has the right to make LDAP queries against the Samba 4 AD LDAP database
(with ldapsearch), whether with read or write access?


On a Samba PDC install running the OpenLDAP backend, it was possible to
define this in slapd.conf with lines like these:

access to *
     by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write

or

rootdn        "uid=ldapadmin,ou=users,dc=domain,dc=lan"


Now that LDAP is internal to Samba, I'm wondering where to put these
options...

Right now, I can make successful LDAP queries with ldapsearch (both SSL
and TLS) like this:

ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" \
    -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

or

ldapsearch -H ldap://srv-samba.domain.lan:389 -ZZ -LLL -x \
    -D "cn=user,cn=users,dc=domain,dc=lan" -W -b "CN=Users,DC=domain,DC=lan" \
    "(&(objectClass=*)(sAMAccountName=*))"


but I'm able to perform those requests successfully with all users (I
can put any of the users, even non-admin ones, in the -D field) of my LDAP
database, which is a bad/unwanted situation.


My smb.conf:

[global]
         netbios name = SRV-SAMBA
         realm = DOMAIN.LAN
         workgroup = DOMAIN
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
         interfaces = lo,ens192
         bind interfaces only = yes

         tls enabled  = yes
         tls keyfile  = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile   = tls/ca.pem

[netlogon]
         path = /var/lib/samba/sysvol/domain.lan/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No



Cheers, Sam


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Define a rootDN for ldap queries in Samba 4 AD

Samba - General mailing list
On Tue, 2017-12-05 at 14:27 +0100, Sami Chibani via samba wrote:
> Hi Samba Team and users,

>
> My question may seem very simple, and possibly the answer is also simple
> (if that's the case, I'm sorry in advance), but I've found almost no doc
> about this topic in the wiki.

> How (and where) do I define a rootDN in order to specify which account
> has the right to make LDAP queries against the Samba 4 AD LDAP database
> (with ldapsearch), whether with read or write access?
>
>
> On a Samba PDC install running the OpenLDAP backend, it was possible to
> define this in slapd.conf with lines like these:
>
> access to *
>      by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write
>
> or
>
> rootdn        "uid=ldapadmin,ou=users,dc=domain,dc=lan"
>
>
> Now that LDAP is internal to Samba, I'm wondering where to put these
> options...
>
> Right now, I can make successful LDAP queries with ldapsearch (both SSL
> and TLS) like this:
>
> ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" \
>     -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

> but I'm able to perform those requests successfully with all users (I
> can put any of the users, even non-admin ones, in the -D field) of my LDAP
> database, which is a bad/unwanted situation.

All users can read the DB, and write access is controlled by the
security descriptor on each object.

Typically admins can write anywhere, users can make some additions and
modifications.

I hope this clarifies things.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
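Added example (not code from the thread, from Samba, or from either poster) to make the reply concrete: since Samba AD has no slapd-style rootdn or "access to" directive, the place to look for "who may write" is the nTSecurityDescriptor of each object, which `samba-tool dsacl get --objectdn=<dn>` prints in SDDL form. The script below parses such an SDDL string and lists the trustees holding write-class rights, plus a deny-first check for one principal. The descriptor `SAMPLE_SDDL`, the attribute GUID in it and the service-account SID `S-1-5-21-1111-2222-3333-1108` (standing in for the poster's "ldapadmin") are constructed for the example, not dumped from a real domain.

```python
"""Find out who may write to a Samba AD object from its security descriptor.

Added example for this thread, not code from Samba or from the posters.
Samba AD has no slapd-style rootdn / "access to" directive in smb.conf: any
authenticated account can read, and writes are decided per object by the
nTSecurityDescriptor.  `samba-tool dsacl get --objectdn=<dn>` prints that
descriptor as SDDL; this module parses such a string.  SAMPLE_SDDL and the
SID in it are constructed for the example and were not dumped from a domain.
"""
import re

# Access-right bits used in AD SDDL, keyed by the two-letter SDDL code.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Rights that let a principal change the object, its children or its ACL.
WRITE_RIGHTS = {
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "WP": "WRITE_PROPERTY",
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "DT": "DELETE_TREE",
    "SD": "DELETE", "SW": "SELF_WRITE", "CR": "CONTROL_ACCESS",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# SDDL trustee abbreviations that show up on ordinary AD objects.
WELL_KNOWN = {"DA": "Domain Admins", "EA": "Enterprise Admins",
              "BA": "Builtin Administrators", "SY": "Local System",
              "AU": "Authenticated Users", "WD": "Everyone",
              "PS": "Principal Self", "DU": "Domain Users"}
ALLOW_TYPES, DENY_TYPES = {"A", "OA"}, {"D", "OD"}

# Constructed sample: admins and SYSTEM get full control, Authenticated
# Users read-only, the object itself one attribute-scoped write, and a
# service-account SID (think "ldapadmin") WRITE_PROPERTY given as a hex mask.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;WP;00000000-0000-0000-0000-000000000001;;PS)"  # placeholder GUID
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;0x20;;;S-1-5-21-1111-2222-3333-1108)"
)


def parse_rights(field):
    """Return the set of two-letter right codes in an SDDL rights field,
    decoding a hex mask such as 0x20 via RIGHT_BITS."""
    field = field.strip()
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and a list of DACL ACE dicts."""
    sections = {}
    for chunk in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if chunk:
            sections[chunk[0]] = chunk[2:]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sections.get("D", "")):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": f[0], "flags": f[1], "rights": parse_rights(f[2]),
                     "object_type": f[3], "trustee": f[5]})
    return {"owner": sections.get("O"), "group": sections.get("G"), "dacl": aces}


def write_grants(sddl):
    """Return (grants, denies): trustee -> sorted names of write-class rights.
    Abbreviated trustees are expanded, raw SIDs kept verbatim."""
    grants, denies = {}, {}
    for ace in parse_sddl(sddl)["dacl"]:
        hits = {WRITE_RIGHTS[r] for r in ace["rights"] if r in WRITE_RIGHTS}
        if not hits:
            continue
        who = WELL_KNOWN.get(ace["trustee"], ace["trustee"])
        bucket = grants if ace["type"] in ALLOW_TYPES else denies
        bucket.setdefault(who, set()).update(hits)
    return ({k: sorted(v) for k, v in grants.items()},
            {k: sorted(v) for k, v in denies.items()})


def may_write_property(sddl, token):
    """Deny-first check: does a principal whose token holds the given trustee
    identifiers (SIDs or SDDL abbreviations) get WRITE_PROPERTY anywhere in
    the DACL?  Object-type scoping of OA ACEs is ignored, so this
    over-approximates what AD itself would allow."""
    allowed = False
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] not in token:
            continue
        if ace["rights"] & {"WP", "GA", "GW"}:
            if ace["type"] in DENY_TYPES:
                return False  # a matching deny wins, as in a canonical DACL
            allowed = True
    return allowed


if __name__ == "__main__":
    grants, denies = write_grants(SAMPLE_SDDL)
    for who, rights in grants.items():
        print(f"{who}: {', '.join(rights)}")
```

Run against real output of `samba-tool dsacl get`, the "Authenticated Users" entry is the one to watch: an ACE such as `(A;;RPLCLORC;;;AU)` is exactly the read-everything that the original question complained about, and it is not something smb.conf can turn off; restricting writes means changing the ACEs on the objects (for example with `samba-tool dsacl set`), not adding a rootDN.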

