A required configfile

openldap-samba.conf

@@ -0,0 +1,91 @@
+# If interested in using OpenLDAP as backend for Samba, load this file
+# or copy uncommented lines below to your slapd.conf.
+#
+# For details see:
+#  /etc/openldap/schema/README.samba4
+
+include /etc/openldap/schema/samba4.schema
+#include /etc/openldap/schema/samba4.ldif
+
+# Protect passwords, using a regex so we can have generic accounts with
+# write access
+# Openldap will not authenticate against non-userPassword attributes
+# but we would have to duplicate most rules ...
+access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
+        by self write
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by anonymous auth
+        by * none
+
+# ACL allowing samba domain controllers to write their domain info
+access to dn.regex="^sambaDomainName=([^,]+),(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=entry,children,sambaDomain
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# ACL allowing samba domain controllers to add user accounts
+access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=entry,children,posixAccount,sambaSamAccount
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# allow users to modify their own "address book" entries:
+access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=inetOrgPerson,mail
+        by self write
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# Allow samba domain controllers to create groups and group mappings
+access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=entry,children,posixGroup,sambaGroupMapping
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# Allow samba domain controllers to create machine accounts
+access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# Allow samba to create idmap entries
+access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
+        attrs=entry,children,sambaIdmapEntry
+        by dn.exact,expand="uid=root,ou=People,$2" write
+        by group.expand="cn=Domain Controllers,ou=Group,$2" write
+	by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# Allow users in the domain to add entries to the "global address book":
+# For use with Evolution, the attrs list could be modified to be:
+# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
+# if evolutionperson.schema and calendar.schema are available
+access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
+       attrs=children,entry,inetOrgPerson
+        by dn.sub,expand="ou=People,$2" write
+        by group.expand="cn=Replicator,ou=Group,$2" write
+        by users read
+	by anonymous read
+
+# samba:
+# index	sambaSID,sambaDomainName,displayName	eq
+