Hello list,
Thanks for your help!
On 07-12-15 at 11:28, Terje Trane wrote:
On 07.12.2015 10:22, Paul van der Vlis wrote:
It will be only in cn=config.
This is the way I create an LDAP admin:
cat <<EOF >slapd-database.ldif
dn: olcDatabase={1}hdb,cn=config
changeType: modify
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
-
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_HASH}
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
The rootdn (with accompanying password) is, at least the way I think it is meant, a full-access-to-everything root account for use when setting up the directory. Only.
Then, good practice is to make the account(s) you need to administer and run the system in the LDAP tree, with appropriate ACLs, and disable the rootdn. (In slapd.conf it can be done by just commenting out the rootdn/rootpw lines).
So, for your samba servers you should make an account, e.g. cn=sambaserver, that is only for that use (and is replicated), and with rights only to what it really needs and not to the whole LDAP tree.
I have created such a user account, and I see the user on the replicated server as "cn=samba,dc=domain,dc=nl" (so without ou=user like normal users).
Point is that it does not work for Samba authentication; the ACLs will not be good. I will have to study ACLs again to give it full read access.
With regards, Paul van der Vlis.
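An added example (not code from either poster) of the least-privilege setup Terje describes, applied to the database and account shown in this thread: it grants cn=samba,dc=domain,dc=nl read access to the directory and to the password hashes, keeps them hidden from everyone else, and removes the rootdn password. Assumed: the suffix dc=domain,dc=nl, that Samba only needs to read (not change) the hashes, and an opt-in APPLY variable for the ldapmodify step; note that replace: olcAccess overwrites every existing ACL on that database.

```shell
#!/bin/sh
# Added example (not code from the thread): least-privilege access for the
# Samba account instead of using the rootdn.  Assumed values below.
set -eu

DB_DN='olcDatabase={1}hdb,cn=config'      # database from the thread
BASE='dc=domain,dc=nl'                    # assumed suffix
SAMBA_DN="cn=samba,${BASE}"               # the account Paul created

# Write the LDIF to the file named in $1.  Long olcAccess values are folded:
# a line starting with ONE space continues the previous line, so the second
# space is needed to keep the words apart.
write_samba_acl_ldif() {
    cat <<EOF >"$1"
dn: ${DB_DN}
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn.exact="${SAMBA_DN}" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="${BASE}"
  by dn.exact="${SAMBA_DN}" read
  by users read
  by * none
-
delete: olcRootPW
EOF
}
# Rules are tried in order, first match wins: the password hashes are readable
# only by the Samba account (authentication needs the NT hash) and the owner;
# everything else is readable by any bound user and invisible to anonymous.
# Read is enough to authenticate; password sync or machine-account joins from
# Samba would need write on exactly those attributes/subtree, nothing more.
# 'delete: olcRootPW' disables simple binds as the rootdn.  Do this only after
# an admin entry with write rights exists; cn=config stays reachable over
# ldapi:/// with SASL EXTERNAL, as in the original command.

LDIF="${1:-/tmp/samba-acl.ldif}"
write_samba_acl_ldif "$LDIF"
if [ "${APPLY:-0}" = 1 ]; then
    ldapmodify -v -Y EXTERNAL -H ldapi:/// -f "$LDIF"
else
    echo "LDIF written to $LDIF (set APPLY=1 to run ldapmodify)" >&2
fi
```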