Re: [Samba] AD LDAP
- Date: Wed, 27 Jun 2018 11:37:46 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] AD LDAP
On Wed, 27 Jun 2018 12:12:42 +0200 (CEST)
> ---------- Original e-mail ----------
> From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
> To: samba@xxxxxxxxxxxxxxx
> Date: 27. 6. 2018 11:49:38
> Subject: Re: [Samba] AD LDAP
> On Wed, 27 Jun 2018 11:31:15 +0200 (CEST)
> Michal via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Hi,
> > is there any way to look into samba ldap in the same way I
> > can look into OpenLdap via LDAPAdmin, ldap tools etc, when I know
> > OpenLDAP "root" dn and password? Is there such "root" user for
> > Samba AD LDAP?
> Samba AD uses its own version of ldap and most, if not all, standard
> ldap tools will work with it.
> The 'root' user for AD is called 'Administrator', but you are not
> restricted to this user, you can use any user that is a member of
> 'Domain Admins', for instance.
> (on samba ad server)
> ldapsearch -x localhost
> # extended LDIF
> # LDAPv3
> # base <dc=nspuh, dc=cz> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: localhost
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
> This is a problem. We used to be able to get "public" data from ldap
> without authentication (password attributes cannot be read without a
> user bind, of course). Is there any way to do it?
Yes, but before I tell you, why do you feel you need to do this, what
are you searching for?
> > We have a lot of scripts based on "ldapsearch" (without
> > authentication) and "ldapmodify" (with ldap authentication). It
> > would be very unpleasant if we cannot use the scripts with
> > SambaAD.
> They should work, but you may not need all of them, Samba comes with
> 'samba-tool' and you can use this to maintain user & groups etc.
> samba-tool can do queries like
> "-b "ou=people,dc=nspuh,dc=cz" "(!(mail=*))"
To be honest, no.
To carry out such searches, you will need to authenticate, this is the
standard way of doing things on AD and is a lot more secure compared
with the way openldap does it.
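An added example, not code from this thread or from the Samba project: one way to migrate the kind of script Michal describes from an anonymous "ldapsearch -x" against OpenLDAP to an authenticated search against Samba AD, which answers anonymous searches with the 00002020 error shown above. The DC URI, the bind account and the password-file path are assumed placeholders; the account only needs read rights for the query, so it need not be in 'Domain Admins'. The script also recognises the 00002020 text in the reply, so a cron job that is still binding anonymously fails loudly rather than treating the refusal as "no matching users".

```shell
#!/bin/sh
# Added example (not from the thread). Runs the search from the thread,
# (!(mail=*)) under ou=people, with an authenticated bind against Samba AD.
# Assumed placeholders: AD_URI, BIND_DN, PASS_FILE (a file with only the
# password, mode 0600). With a self-signed DC certificate, point
# LDAPTLS_CACERT at the CA file so the LDAPS connection verifies.

AD_URI="${AD_URI:-ldaps://dc1.example.test}"                  # placeholder DC
BIND_DN="${BIND_DN:-CN=ldap-reader,CN=Users,DC=nspuh,DC=cz}"  # placeholder account
PASS_FILE="${PASS_FILE:-/etc/ldap/ad-bind.secret}"            # placeholder, mode 0600

# Indirection so the ldapsearch binary can be stubbed when exercising the
# script on a box with no reachable DC.
ldap_cmd() { ldapsearch "$@"; }

# Simple bind over LDAPS with a DN and a password file instead of "-x" alone.
# $1 = search base, $2 = filter, remaining args = attributes to return.
simple_bind_search() {
    base="$1"; filter="$2"; shift 2
    ldap_cmd -H "$AD_URI" -x -D "$BIND_DN" -y "$PASS_FILE" -b "$base" -LLL "$filter" "$@"
}

# Same search with Kerberos (SASL/GSSAPI): no password on disk. Run
# "kinit user@REALM" first, or give a keytab via KRB5_CLIENT_KTNAME.
gssapi_search() {
    base="$1"; filter="$2"; shift 2
    ldap_cmd -H "$AD_URI" -Y GSSAPI -Q -b "$base" -LLL "$filter" "$@"
}

# Inspect ldapsearch output. Returns 2 when the DC replied with the AD
# "unavailable without authentication" error (the bind is still anonymous
# or was rejected), 0 otherwise.
classify_result() {
    if printf '%s\n' "$1" | grep -qF '00002020: Operation unavailable without authentication'; then
        return 2
    fi
    return 0
}

# The query from the thread: accounts under ou=people without a mail
# attribute. Prints the entries on success; on a refused bind prints a
# message on stderr and returns 2 so the caller cannot mistake it for an
# empty result.
users_without_mail() {
    out=$(simple_bind_search 'ou=people,dc=nspuh,dc=cz' '(!(mail=*))' sAMAccountName 2>&1)
    if ! classify_result "$out"; then
        echo "bind refused by $AD_URI (still anonymous?): $out" >&2
        return 2
    fi
    printf '%s\n' "$out"
}

# Only contact the DC when asked, so sourcing the file is side-effect free.
if [ "${RUN_AD_SEARCH:-0}" = 1 ]; then
    users_without_mail
fi
```

Run it with `RUN_AD_SEARCH=1` once the placeholders are set; swap `simple_bind_search` for `gssapi_search` inside `users_without_mail` to drop the password file in favour of a Kerberos ticket or keytab.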