From: Gaiseric Vandal on
smb.conf will list where samba searches in ldap.

e.g.

ldap suffix=o=abc.com
ldap user suffix=ou=employees,ou=people
ldap group suffix = ou=groups
ldap machine suffix=ou=machines,ou=people


I think the main challenge will be configuring access control lists.
If you have a server you only want accessed by employees, you would set
the "ldap user suffix" parameter in smb.conf appropriately.


But in terms of an address book, if someone has an LDAP address book
client (e.g. thunderbird) you can't prevent them from trying to
recursively query "ou=people,....) vs "ou=students." You can advise
end users whether they should set up two LDAP address books (students
vs employees) rather than one top level "people" one. From the end
user perspective, a single LDAP directory will probably be simpler.


So you would need to set ACLs to restrict access to "ou=other" OR to
restrict access to "ou=people" and then grant it back to "ou=employees"
and "ou=students." You also want to make sure that certain fields
(passwd) are restricted so that only "administrator" accounts can access
them. You can also configure whether anonymous users can access certain
information or not (e.g. names and phone numbers.)

I use Sun's directory server as an LDAP backend. I suspect most samba
users are using OpenLDAP. I also suspect that LDAP attributes may
not be restricted by default as much as they should be.


On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:
> Hi,
>
> recently I started to evaluate and think about setting up a central LDAP
> system for authentication and "phonebook". I'm also new to LDAP.
>
> There is a lot of doc and well documented how tos, and I came across the
> following question:
>
> Where is the search scope for samba defined? Or is the LDAP server's
> setting defining the scope?
>
> All docs "talk" about putting all people under one branch, e.g.
>
> ou=People,dc=example,dc=com for the samba setting I'd have
>
> "ldap user suffix = ou=People"
>
> But with this setting I don't see how I may restrict the search for the
> phonebook look up. (e.g. I do have students, employees and other.
> Students may look up students and employees, but not the "other" group.)
>
> For me it would make more sense to "subgroup" the people like this:
>
> ou=students,ou=People,dc=example,dc=com
> ou=employees,ou=People,dc=example,dc=com
> ou=other,ou=People,dc=example,dc=com
>
> Maybe I'm mistaken.
>
> Thanks for any comment and best regards!
>
> Götz
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
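As an added example (not from any poster in this thread), here are OpenLDAP slapd.conf access rules that implement the split described above: password attributes readable only by an administrative DN, ou=other hidden from students and anonymous clients, and names and phone numbers visible to anonymous address-book clients. The suffix dc=example,dc=com and the ou=students/ou=employees/ou=other layout come from the thread; cn=admin,dc=example,dc=com and the attribute list are assumptions.

```conf
# slapd.conf access rules (constructed for this thread, not any poster's config).
# Assumed: suffix dc=example,dc=com (from the thread), admin DN cn=admin,dc=example,dc=com
# (constructed; point Samba's "ldap admin dn" at it). Rules are evaluated top-down and the
# first "access to" whose target matches decides, so order matters.

# 1. Password hashes: admin may read/write, users may change their own, everyone else
#    may only use them to bind (auth) and can never read them back.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# 2. ou=other is visible to employees and the admin only. This rule must sit above
#    the general ou=People rules, because ou=other is inside ou=People.
access to dn.subtree="ou=other,ou=People,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by dn.subtree="ou=employees,ou=People,dc=example,dc=com" read
        by * none

# 3. Phonebook attributes under ou=People: any authenticated user (students and
#    employees) may read them, and anonymous address-book clients may read them too.
#    "entry" is needed so the object itself is returned, not just its attributes.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,objectClass,cn,sn,givenName,mail,telephoneNumber
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by anonymous read

# 4. Every other attribute under ou=People (uid numbers, home directories, Samba
#    SIDs, ...): authenticated users may read, anonymous gets nothing.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none

# 5. The rest of the tree (ou=groups, machine accounts): admin writes, users read.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none
```

Before going live, `slapacl -f slapd.conf -D "<student DN>" -b "<entry under ou=other>" cn/read` shows whether a given bind DN would be granted access under these rules.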
From: Brother Railgun of Reason on
On Mon, Mar 08, 2010 at 11:04:42AM -0500, Gaiseric Vandal wrote:
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,....) vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.
>
>
> So you would need to set ACLs to restrict access to "ou=other" OR to
> restrict access to "ou=people" and then grant it back to "ou=employees"
> and "ou=students." You also want to make sure that certain fields
> (passwd) are restricted so that only "administrator" accounts can access
> them. You can also configure whether anonymous users can access certain
> information or not (e.g. names and phone numbers.)
>
> I use Sun's directory server as an LDAP backend. I suspect most samba
> users are using OpenLDAP. I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.


I've never gotten around to actually setting up LDAP anywhere, though
I've looked at it several times. Each time I do, I come away from it
feeling that LDAP suffers badly from "The wonderful thing about
standards is that there's so many to choose from". It seems it's so
open-ended, and there are so many possible ways to set up a directory,
that it becomes difficult to find any two LDAP-aware applications that
actually use (and expect to see) the same LDAP schema.

How does one overcome this?


--
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric(a)caerllewys.net alaric(a)metrocast.net phil(a)co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
From: Götz Reinicke - IT-Koordinator on
Hi,

the ACLs are indeed one of the important topics. Therefore I was hoping
that samba searches sub-trees for the login and auth information.

Then I could set up LDAP ACLs so samba looks up all information in the
tree for all groups (we do have only one fileserver for all user groups
together) and other ACLs "handle" the access for phonebook lookups from
the mailclients.

That is what I was thinking of.

But if samba only browses one tree level and not the sub levels, then I
have to think in another direction.

Or what do you think?


Thanks and best regards,

Götz


Gaiseric Vandal wrote:
> smb.conf will list where samba searches in ldap.
>
> e.g.
>
> ldap suffix=o=abc.com
> ldap user suffix=ou=employees,ou=people
> ldap group suffix = ou=groups
> ldap machine suffix=ou=machines,ou=people
>
>
> I think the main challenge will be configuring access control lists.
> If you have a server you only want accessed by employees, you would set
> the "ldap user suffix" parameter in smb.conf appropriately.
>
>
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,....) vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.
>
>
> So you would need to set ACLs to restrict access to "ou=other" OR to
> restrict access to "ou=people" and then grant it back to "ou=employees"
> and "ou=students." You also want to make sure that certain fields
> (passwd) are restricted so that only "administrator" accounts can access
> them. You can also configure whether anonymous users can access certain
> information or not (e.g. names and phone numbers.)
>
> I use Sun's directory server as an LDAP backend. I suspect most samba
> users are using OpenLDAP. I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.
>
>
>
>
> On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:
>> Hi,
>>
>> recently I started to evaluate and think about setting up a central LDAP
>> system for authentication and "phonebook". I'm also new to LDAP.
>>
>> There is a lot of doc and well documented how tos, and I came across the
>> following question:
>>
>> Where is the search scope for samba defined? Or is the LDAP server's
>> setting defining the scope?
>>
>> All docs "talk" about putting all people under one branch, e.g.
>>
>> ou=People,dc=example,dc=com for the samba setting I'd have
>>
>> "ldap user suffix = ou=People"
>>
>> But with this setting I don't see how I may restrict the search for the
>> phonebook look up. (e.g. I do have students, employees and other.
>> Students may look up students and employees, but not the "other" group.)
>>
>> For me it would make more sense to "subgroup" the people like this:
>>
>> ou=students,ou=People,dc=example,dc=com
>> ou=employees,ou=People,dc=example,dc=com
>> ou=other,ou=People,dc=example,dc=com
>>
>> Maybe I'm mistaken.
>>
>> Thanks for any comment and best regards!
>>
>> Götz
>>
>


--
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke(a)filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner
Staatsrätin für Demographischen Wandel und für Senioren im Staatsministerium

Geschäftsführer:
Prof. Thomas Schadt
From: Adam Tauno Williams on
On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> smb.conf will list where samba searches in ldap.
> ldap suffix=o=abc.com
> ldap user suffix=ou=employees,ou=people
> ldap group suffix = ou=groups
> ldap machine suffix=ou=machines,ou=people
> I think the main challenge will be configuring access control lists.
> If you have a server you only want accessed by employees, you would set
> the "ldap user suffix" parameter in smb.conf appropriately.

We've parented all of Samba related 'stuff' under ou=SAM,$BASE, so we
have

ou=SAM,$BASE
ou=Entities,ou=SAM,$BASE
ou=People,ou=Entities,ou=SAM,$BASE
ou=System Account,ou=Entities,ou=SAM,$BASE
ou=Groups,ou=SAM,$BASE

Because very different ACLs typically apply to these three types of
objects (users, system accounts, and groups)

> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,....) vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.

True; or all non-related entries can simply be hidden from the clients.
Or, the simplest solution, is to use a virtual root to 'glob' any
objects [and just the specific attributes] that an addressbook consumer
would want to see. OpenLDAP provides excellent support for
partitioning, federating, and creating virtual (remapped) partitions.

Aside: Although in the end I think you'll find LDAP makes a very crappy
addressbook solution.

> I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.

Yep; you'll find most sites [in-my-experience] to have severely
neglected the configuration of their DSA once they reach got-it-working
status.

From: Adam Tauno Williams on
On Wed, 2010-03-10 at 08:38 +0100, Götz Reinicke - IT-Koordinator wrote:
> Adam Tauno Williams wrote:
> > On Mon, 2010-03-08 at 11:04 -0500, Gaiseric Vandal wrote:
> >> But in terms of an address book, if someone has an LDAP address book
> >> client (e.g. thunderbird) you can't prevent them from trying to
> >> recursively query "ou=people,....) vs "ou=students." You can advise
> >> end users whether they should set up two LDAP address books (students
> >> vs employees) rather than one top level "people" one. From the end
> >> user perspective, a single LDAP directory will probably be simpler.
> > True; or all non-related entries can simply be hidden from the clients.
> > Or, the simplest solution, is it use a virtual root to 'glob' any
> > objects [and just the specific attributes] that an addressbook consumer
> > would want to see. OpenLDAP provides excellent support for
> > partitioning, federating, and creating virtual (remapped) partitions.
> So I may have one branch with the DNs of users with their IDs,
> passwords, ... and one partition for the phonebook entries:
> dn: ou=People,dc=example,dc=com

I'd recommend sub-rooting everything Samba needs to see; and not using
the [dreadful IMO] ou=People,$ROOT, ou=Groups,$ROOT design.

> dn: ou=Phonebook,dc=example,dc=com

You certainly can do that.

> > Aside: Although in the end I think you'll find LDAP makes a very crappy
> > addressbook solution.
> Why that? For us e.g. the purpose of the addressbook is to have name and
> e-mail-address available; postal Address, phonenumber etc should not be
> in our directory.

(a) No client but Evolution supports write access. This shortly equals
unhappy users.
(b) Clients blithely ignore schema rules [for example "mail" is
multi-valued]
(c) How clients map attributes to fields varies widely [and who ever
wrote the Mozilla addressbook's LDAP support was using hard-drugs at the
time]

If you really want nothing more than to expose e-mail addresses it works
reasonably well. It is pretty terrible once you go beyond that.
