
[Samba] Define a rootDN for ldap queries in Samba 4 AD




Hi Samba Team and users,


My question may seem very simple and possibly the answer is also simple (if that is the case, I apologize in advance), but I've found almost no documentation about this topic in the wiki.


I'm currently running Samba 4 AD in a test environment, preparing for production. Everything is working quite fine, but I'm struggling with one piece of configuration:

How (and where) do I define a rootDN in order to specify which account has the right to make LDAP queries against the Samba 4 AD LDAP database (with ldapsearch), whether with read or write access?


On a Samba PDC install running an OpenLDAP backend, it was possible to define this in slapd.conf with lines like these:

access to *
    by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write

or

rootdn        "uid=ldapadmin,ou=users,dc=domain,dc=lan"


Now that LDAP is internal to Samba, I'm wondering where to put these options...

Right now, I can make successful LDAP queries with ldapsearch (both SSL and TLS) like this:

ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

or

ldapsearch -H ldap://srv-samba.domain.lan:389 -ZZ -LLL -x -D "cn=user,cn=users,dc=domain,dc=lan" -W -b "CN=Users,DC=domain,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"


but I'm able to perform those requests successfully with all users of my LDAP database (I can put any of the users, even non-admin ones, in the -D field), which is a bad/unwanted situation.


My smb.conf:

[global]
        netbios name = SRV-SAMBA
        realm = DOMAIN.LAN
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        interfaces = lo,ens192
        bind interfaces only = yes

        tls enabled  = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem

[netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No



Cheers, Sam
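A small audit script, added here and not part of Sam's post, that turns the observation above ("any user can query") into a repeatable check: it binds as each account in a list, runs the same kind of search against the AD LDAP service, and reports how many entries each account can read, so the result can be compared again after access control is changed. The host, base DN, account list format and the LDAPSEARCH override are assumptions for this example, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Audits which bind accounts can
# read entries under BASE_DN on a Samba AD DC, using ldapsearch as in the post.
# Assumptions: passwords are supplied via a per-account file (ldapsearch -y),
# and LDAPSEARCH may be overridden (e.g. with a stub) for offline testing.

LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
LDAP_URI="${LDAP_URI:-ldaps://srv-samba.domain.lan:636}"     # placeholder host
BASE_DN="${BASE_DN:-CN=Users,DC=domain,DC=lan}"              # placeholder base

# count_readable_entries BINDDN PASSFILE
# Prints how many entries the bound account can read under BASE_DN.
# Prints 0 when the bind fails (e.g. invalid credentials) or nothing is returned.
count_readable_entries() {
    binddn=$1
    passfile=$2
    out=$("$LDAPSEARCH" -H "$LDAP_URI" -LLL -x -D "$binddn" -y "$passfile" \
            -b "$BASE_DN" "(sAMAccountName=*)" dn </dev/null 2>/dev/null) \
        || { echo 0; return 0; }
    n=$(printf '%s\n' "$out" | grep -c '^dn: ') || true
    echo "$n"
}

# audit_read_access ACCOUNTS_FILE
# ACCOUNTS_FILE holds one "binddn<TAB>passfile" pair per line (constructed
# format for this example). Prints "<count><TAB><binddn>" for each account.
audit_read_access() {
    while IFS="$(printf '\t')" read -r binddn passfile; do
        [ -n "$binddn" ] || continue
        printf '%s\t%s\n' "$(count_readable_entries "$binddn" "$passfile")" "$binddn"
    done < "$1"
}

# count_accounts_with_read ACCOUNTS_FILE
# Number of listed accounts that can read at least one entry. In the situation
# described in the post this equals every account with valid credentials.
count_accounts_with_read() {
    audit_read_access "$1" | awk -F'\t' '$1 > 0 { n++ } END { print n + 0 }'
}

if [ $# -gt 0 ]; then
    audit_read_access "$1"
fi
```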


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba