Re: [Samba] Best practice for creating an RO LDAP User in AD...

Hi Marco,

> Coming from Samba in NT mode with an OpenLDAP backend, I've created a bunch
> of ''things'' (apps, web tools, ...; but also printers and so on) that
> rely on reading ''public'' data in LDAP.
>
> With OpenLDAP, ''public'' was an easy concept: anonymous access was
> the default, and ACLs protected the more sensitive data (mostly passwords).
>
> Now I have to redo some of these things in AD. I don't need to enable
> public access (if possible...), so I think the better path would be
> creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID, which
> is not needed) with a complex password.
>
> Are there some ''best practices'' for that?
>
> I'm thinking about:
>
> a) create the user in a specific OU
>
> b) put it in the 'Domain Guests' group (or is it better to create a
>    specific group as well?)
>
> c) set the account's 'never expire' ('X') flag.
>
> Any other hints? For example, is there some way to disable logon for the
> user, but have LDAP auth work as expected?

You can put your service accounts in an OU and add a GPO that denies logon/services/tasks locally.

If you are using those accounts on a Windows computer, you could use a managed account [1] (I haven't tried it yet).



[1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx


Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
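The steps discussed in the thread (a dedicated OU, a plain user object without POSIX attributes, the password-never-expires flag, and a check that an LDAP bind as that account works), written out as a script. This is an added example, not code from the thread or from the Samba project; the domain DC=example,DC=com, the OU name ServiceAccounts, the account name ldap-ro, the DC hostname dc1.example.com and the SA_PASSWORD variable are assumptions. The logon restriction is left to the GPO mentioned in the reply; the script only provisions and verifies.

```shell
#!/bin/sh
# Added example (not from the thread): provision a read-only LDAP bind account
# in a Samba AD domain and verify its flags. Assumed values: the domain
# DC=example,DC=com, the OU "ServiceAccounts", the account "ldap-ro" and the
# DC hostname "dc1.example.com". Run as "sh ro-bind-account.sh provision" on a DC.
set -eu

BASE_DN="DC=example,DC=com"
REALM="example.com"
DC_HOST="dc1.example.com"
SA_OU="ServiceAccounts"
SA_NAME="ldap-ro"
# Supply the password out of band; the placeholder is never a valid value.
SA_PASSWORD="${SA_PASSWORD:-CHANGE-ME-placeholder}"

# userAccountControl bits (MS-ADTS / MS-SAMR), used to check what was created.
UF_ACCOUNTDISABLE=2
UF_NORMAL_ACCOUNT=512
UF_DONT_EXPIRE_PASSWD=65536

# uac_has_flag VALUE FLAG -> prints "yes" if FLAG is set in VALUE, else "no".
uac_has_flag() {
    if [ $(( $1 & $2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# expected_uac -> the value a plain, enabled account with "password never
# expires" (the old smbpasswd 'X' flag) should show: 512 | 65536 = 66048.
expected_uac() {
    echo $(( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD ))
}

# check_uac VALUE -> exit 0 when VALUE is an enabled normal account whose
# password never expires, exit 1 otherwise.
check_uac() {
    [ "$(uac_has_flag "$1" "$UF_ACCOUNTDISABLE")" = no ] || return 1
    [ "$(uac_has_flag "$1" "$UF_NORMAL_ACCOUNT")" = yes ] || return 1
    [ "$(uac_has_flag "$1" "$UF_DONT_EXPIRE_PASSWD")" = yes ] || return 1
    return 0
}

# extract_uac -> reads LDIF-style search output on stdin and prints the
# first userAccountControl value found.
extract_uac() {
    sed -n 's/^userAccountControl: *//p' | head -n 1
}

provision() {
    # a) a dedicated OU, so these accounts can be targeted by their own GPO
    samba-tool ou create "OU=$SA_OU,$BASE_DN" \
        --description="Service accounts for read-only LDAP access"

    # Plain user object: no POSIX attributes, default group membership only.
    samba-tool user create "$SA_NAME" "$SA_PASSWORD" \
        --userou="OU=$SA_OU" \
        --description="Read-only LDAP bind account"

    # c) password never expires
    samba-tool user setexpiry "$SA_NAME" --noexpiry

    # Verify: bind as the new account itself over LDAP and read back its flags.
    # A successful search shows the bind works without any local logon right.
    uac=$(ldbsearch -H "ldap://$DC_HOST" \
            -U "$SA_NAME@$REALM%$SA_PASSWORD" \
            -b "$BASE_DN" "(sAMAccountName=$SA_NAME)" userAccountControl | extract_uac)
    if check_uac "$uac"; then
        echo "OK: $SA_NAME has userAccountControl=$uac (expected $(expected_uac))"
    else
        echo "WARNING: unexpected userAccountControl=$uac for $SA_NAME" >&2
        return 1
    fi
    # Interactive logon is not handled here: link a GPO to OU=$SA_OU that
    # sets "Deny log on locally" for these accounts; LDAP binds are not
    # affected by that user right.
}

if [ "${1:-}" = provision ]; then
    provision
fi
```

The verification step binds as the new account rather than as an administrator, which is the check that matters: it confirms both the credentials and that the object can read what it needs. Keeping the account in its own OU is what makes the deny-logon GPO from the reply easy to scope.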

