Re: [Samba] AD LDAP
- Date: Thu, 28 Jun 2018 01:18:29 +0200 (CEST)
- From: Michal via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] AD LDAP
---------- Original e-mail ----------
From: Harry Jede <walk2sun@xxxxxxxx>
Date: 28. 6. 2018 0:17:29
Subject: Re: [Samba] AD LDAP
On Wednesday, 27 June 2018, 11:31:15 CEST, Michal via samba wrote:
> is there any way how to look into samba ldap in the same way I can
> look into OpenLdap via LDAPAdmin, ldap tools etc, when I know
> OpenLDAP "root" dn and password?
Surely no. Sure yes.
AD does not know anything you want. "root dn" is a term from LDAP RFCs or
X.509. But, have you ever seen any commercial program that follows RFCs?
I do not care about any commercial programs.
In AD the "root" user is called "administrator".
> Is there such "root" user for Samba
> AD LDAP?
> We have a lot of scripts based on "ldapsearch" (without
Really? You use ldap protocol 2 clients against an ldap v3 server and you are
asking why it is not working??? You are kiddy, aren't you?
I am quite happy with my current OpenLDAP settings and functionality. But
it seems I will have to move to AD and this means using something that samba
calls "internal LDAP server". So I do not see anything strange on expecting
that standard LDAP tools will work with it. You want to say they should not
be working? Why?
> and "ldapmodify" (with ldap authentication). It
> would be very unpleasant if we can not use the scripts with SambaAD.
I want to understand this! Ldap connections with authentication are possible.
So, where is your problem? But, you are asking this, so you have some
problems. Please, tell us more details.
When using OpenLDAP, I have full control over it. I know and I can define
who may read and what can be read, who may write and what may be written.
All set in one config file, no uncertainty. Do you want to say I am not able
to find out the same in samba ldap? Annoying.
I can store any data I want in my OpenLDAP. Not only one samba domain/AD
data. Am I able to do that with samba LDAP?
Forget the times where you could ask a directory server to give you all user
names anonymously, so you could simplify your bad scripts to hack the
directory server user accounts.
I believe I did write I can authenticate in my scripts - if samba LDAP
server worked like standard OpenLDAP. (And no, the possibility of anonymous
bind does not mean that anybody can read any data from anywhere.)
On the whole, samba LDAP seems to me to be a black box (so far). I cannot
find out what is stored, how it is stored, who can access what data,
standard tools do not work. Compare this to clear, flat OpenLDAP config and
ability to easily see and check all data with standard tools. I really hope
I will understand samba LDAP better soon, because I really do not like
blackboxes at all. (If I wanted blackboxes I could use your commercial