Openldap, groups, admin groups, etc

Posted by Juan Diego on Server Fault See other posts from Server Fault or by Juan Diego
Published on 2011-06-27T16:18:18Z Indexed on 2011/06/27 16:24 UTC

We have a Samba server as PDC with OpenLDAP. So far everything is working, even Windows 7 can log on to the domain.
Here is the tricky part. We have many departments, each department has its own IT guys, and these IT guys should be able to create users in their department and change any info of the users in their department.

My idea was to create 2 groups for each department, for example: Department1 and Admins Department1. Admins Department1 has "write" privileges for members of group Department1.

dn: ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Admins

dn: cn=Admins Department1,cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Admins Department1
member: uid=jdc,ou=People,dc=mydomain,dc=com,dc=ec
structuralObjectClass: groupOfNames

I don't know if you should make Department1 part of Domain Users:

dn: cn=Department1,cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Department1
member: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec

Or just create the departments like this:

dn: cn=Department1,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Department1
member: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec

It seems that when you use the smbldap tools, by default the users are part of Domain Users even if you don't have them in the memberUid attribute of Domain Users; when I use finger they show up as part of the Domain Users group.

I don't want the department admins to be Domain Admins because they have power over all the users, unless I am mistaken.

I also have trouble with the ACLs. I was trying to create an ACL for members of this Admins group; I was trying with this search, but it didn't work:

ldapsearch -x "(&(objectClass=organizationalPerson)(member=cn=Admins Department1,ou=Group,dc=mydomain,dc=com,dc=ec))"

I am open to suggestions.
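The kind of ACL the question is after, as an added example (not from the question or any Server Fault answer): a slapd.conf fragment that delegates Department1 user administration to the Admins Department1 group. It assumes one layout change from the question's flat ou=People, namely that each department's users live under their own OU (ou=Department1,ou=People,...); the other DNs are the ones from the question.

```conf
# Added example, not from the question or its answers: slapd.conf ACL
# fragment delegating Department1 user administration to the group
# "Admins Department1". Assumes one OU per department under ou=People
# (ou=Department1,ou=People,...); other DNs are those from the question.
# slapd applies the first "access to" clause whose target matches, so
# these rules must come before any catch-all like "access to * by * read".

# 1. Password hashes: admins may reset them, users may change their own,
#    anonymous binds may only authenticate against them, nobody else sees them.
access to dn.children="ou=Department1,ou=People,dc=mydomain,dc=com,dc=ec"
        attrs=userPassword,sambaNTPassword,sambaLMPassword
    by group/groupOfNames/member.exact="cn=Admins Department1,cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec" write
    by self write
    by anonymous auth
    by * none

# 2. The "entry" pseudo-attribute: write access to it is required for any
#    modify of the entry, so self needs it for the password change above.
access to dn.children="ou=Department1,ou=People,dc=mydomain,dc=com,dc=ec"
        attrs=entry
    by group/groupOfNames/member.exact="cn=Admins Department1,cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec" write
    by self write
    by * read

# 3. Everything else in the department OU, the OU entry included: write
#    access to the OU's "children" pseudo-attribute is what lets the admins
#    add and delete user entries there. Everyone else may only read.
access to dn.subtree="ou=Department1,ou=People,dc=mydomain,dc=com,dc=ec"
    by group/groupOfNames/member.exact="cn=Admins Department1,cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec" write
    by * read

# 4. Let the same admins maintain the department group's membership
#    (modify needs write on "entry" too) and nothing else under ou=Group.
access to dn.exact="cn=Department1,ou=Group,dc=mydomain,dc=com,dc=ec"
        attrs=entry,member
    by group/groupOfNames/member.exact="cn=Admins Department1,cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec" write
    by * read

# Nothing above grants the department admins write access to cn=Admins,...,
# to other departments or to Domain Admins, so they need not be Domain Admins.
```

The `by * read` clauses keep anonymous NSS lookups (the finger output in the question) working; if nss_ldap and Samba bind with a DN, `by users read` is the tighter choice. To verify the effect, bind as uid=jdc and as a plain department user and try the same ldapmodify against a Department1 entry and against one in another department.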
