Marek Szuba wrote:
At the moment everything works fine, but I'd like Samba to use a
dedicated LDAP access DN instead of the global directory admin one.
Could you give me any recommendations as to how access rules should be
set for this DN so that it both can work without problems and have no
unnecessary privileges?
I use the following settings:
--- cut ---
access to dn.subtree="dc=GYRUS,dc=office,dc=local"
        attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=ssamba,ou=Shadow,dc=office,dc=local" write
        by dn="uid=radiusd,ou=Shadow,dc=office,dc=local" read
        by * none

access to attr=userPassword
        by dn="uid=ssamba,ou=Shadow,dc=office,dc=local" write
        by self write
        by anonymous auth
        by * none

access to dn.subtree="dc=GYRUS,dc=office,dc=local"
        by dn="uid=ssamba,ou=Shadow,dc=office,dc=local" write
        by * read

access to *
        by * read
--- cut ---
The Samba domain is stored under the dc=GYRUS,dc=office,dc=local node, and
Samba uses the posixAccount record uid=ssamba,ou=Shadow,dc=office,dc=local
to access the LDAP server. Maybe it is not the best way, but it works for me.
--
mccloud@
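
The access rules in the reply above, modelled as an added example that is not part of the original message: a simplified Python evaluator of slapd's first-match ACL logic, for checking which level each bind DN ends up with on a given attribute. The entry DNs uid=alice and uid=bob are constructed, and dn="..." in a by clause is assumed to be an exact match.

```python
# Simplified first-match model of slapd ACL evaluation (added example).
# RULES is a hand transcription of the posted ACLs; entry DNs are constructed.
SSAMBA = "uid=ssamba,ou=Shadow,dc=office,dc=local"
RADIUSD = "uid=radiusd,ou=Shadow,dc=office,dc=local"
DOMAIN = "dc=GYRUS,dc=office,dc=local"

# (subtree or None = any entry, attrs or None = any attribute, [(who, level)])
RULES = [
    (DOMAIN, {"sambalmpassword", "sambantpassword"},
     [(SSAMBA, "write"), (RADIUSD, "read"), ("*", "none")]),
    (None, {"userpassword"},
     [(SSAMBA, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (DOMAIN, None, [(SSAMBA, "write"), ("*", "read")]),
    (None, None, [("*", "read")]),
]

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    return bind_dn.lower() == who.lower()  # dn="..." treated as exact match

def access(bind_dn, entry_dn, attr, rules=RULES):
    """Level granted to bind_dn ("" = anonymous) on one attribute of one entry."""
    for subtree, attrs, by_clauses in rules:
        if subtree is not None and not in_subtree(entry_dn, subtree):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by_clauses:  # first matching <what>, then first <who>
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"      # implicit trailing "access to * by * none"

if __name__ == "__main__":
    inside = "uid=alice,ou=Users," + DOMAIN            # constructed entry
    outside = "uid=bob,ou=People,dc=office,dc=local"   # constructed entry
    for who in (SSAMBA, RADIUSD, inside, ""):
        for entry in (inside, outside):
            for attr in ("sambaNTPassword", "userPassword", "uid"):
                print(who or "anonymous", entry, attr, access(who, entry, attr))
```

In this model the Samba hash rule only covers entries under dc=GYRUS,dc=office,dc=local, so a sambaNTPassword attribute on an entry elsewhere in the tree falls through to the final "access to * by * read". The slapacl tool shipped with OpenLDAP can confirm the same questions against the real configuration.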