Re: [Samba] AD LDAP

---------- Original e-mail ----------
From: Harry Jede <walk2sun@xxxxxxxx>
To: Michal67M@xxxxxxxxx
Date: 28. 6. 2018 0:17:29
Subject: Re: [Samba] AD LDAP

On Wednesday, 27 June 2018, 11:31:15 CEST, Michal via samba wrote:

> Hi,
> Is there any way how to look into samba ldap in the same way I can
> look into OpenLdap via LDAPAdmin, ldap tools etc, when I know
> OpenLDAP "root" dn and password?

Surely no. Sure yes.

AD does not know anything you want. "root dn" is a term from the LDAP RFCs or
X.509. But have you ever seen any commercial program that follows RFCs?


  I do not care about any commercial programs.


In AD the "root" user is called "administrator".

> Is there such "root" user for Samba

> We have a lot of scripts based on "ldapsearch" (without
> authentication)

Really? You use LDAP protocol 2 clients against an LDAP v3 server and you are
asking why it is not working??? You are a kiddy, aren't you?


 I am quite happy with my current OpenLDAP settings and functionality. But
it seems I will have to move to AD and this means using something that samba
calls "internal LDAP server". So I do not see anything strange in expecting
that standard LDAP tools will work with it. You want to say they should not
be working? Why?


> and "ldapmodify" (with ldap authentication). It
> would be very unpleasant if we can not use the scripts with SambaAD.

I want to understand this! LDAP connections with authentication are possible.
So, where is your problem! But you are asking this, so you have some
problems. Please, tell us more details.


When using OpenLDAP, I have full control over it. I know and I can define
who may read and what can be read, who may write and what may be written.
All set in one config file, no uncertainty. Do you want to say I am not able
to find out the same in samba ldap? Annoying.

I can store any data I want in my OpenLDAP. Not only one samba domain/AD
data. Am I able to do that with samba LDAP?


Forget the times where you could ask a directory server to give you all user
names anonymously, so you could simplify your bad scripts to hack the 
directory server user accounts.


  I believe I did write that I can authenticate in my scripts - if the samba LDAP
server worked like standard OpenLDAP. (And no, the possibility of anonymous
bind does not mean that anybody can read any data from anywhere.)

  On the whole, samba LDAP seems to me to be a black box (so far). I can not
find out what is stored, how it is stored, who can access what data,
standard tools do not work. Compare this to the clear, flat OpenLDAP config and
the ability to easily see and check all data with standard tools. I really hope
I will understand samba LDAP better soon, because I really do not like
black boxes at all. (If I wanted black boxes I could use your commercial
programs.)
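The authenticated ldapsearch that Harry says is possible, as an added example that is not part of the thread and not Samba's own tooling: it ports an anonymous OpenLDAP-style lookup to Samba AD by deriving the domain base DN from the Kerberos realm, binding with SASL/GSSAPI after a kinit (a simple bind over plain ldap:// is refused while Samba's `ldap server require strong auth` keeps its default of yes), and escaping the user-supplied value before it is spliced into the search filter. The realm EXAMPLE.COM, the host dc1.example.com and the account name jdoe are placeholders, and the escaping covers the RFC 4515 special characters only.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Assumed placeholders: realm EXAMPLE.COM, domain controller dc1.example.com.

# Derive the AD base DN from the realm: EXAMPLE.COM -> DC=example,DC=com
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Escape the characters that have meaning inside an LDAP filter (RFC 4515):
# backslash first, then * ( ) so a caller-supplied value cannot widen the search.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for one user account, built only from an escaped value.
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# Authenticated search against Samba AD. Requires a Kerberos ticket (kinit)
# because GSSAPI sign/seal satisfies "ldap server require strong auth = yes";
# a plain-text simple bind on ldap:// would be rejected and should not be used.
ad_user_search() {
    realm=$1; host=$2; account=$3
    shift 3
    command -v ldapsearch >/dev/null 2>&1 || {
        echo "ldapsearch (ldap-utils) is not installed" >&2
        return 127
    }
    ldapsearch -LLL -Y GSSAPI -H "ldap://$host" \
        -b "$(realm_to_basedn "$realm")" \
        "$(user_filter "$account")" "$@"
}

# Example usage (placeholders): list a few attributes of one account.
# kinit administrator@EXAMPLE.COM
# ad_user_search EXAMPLE.COM dc1.example.com jdoe sAMAccountName memberOf
```

The search helpers are plain functions so the base DN and filter can be checked without a live domain controller; compare the output of `user_filter` for an input such as `*` with what your old anonymous scripts would have sent.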