The SAMBA-LDAP-PDC Howto

Revision : 1.24

Of course, indices depend on your directory usage. Consult the OpenLDAP documentation for
more info.
Have a look at the following slapd.conf directives too:
• loglevel: lower to ’0’ for production purposes
• lastmod: set it to ’off’ if you really don’t need it
• cachesize: set a comfortable cache size (say 1000 for a mid-level production site for 1000
users)
• dbcachesize: set a comfortable db cache size (say 10000 for a mid-level production site
for 1000 users)
• dbnosync: in case you’re foolish enough to think nothing will ever crash :-)

15.2 Security

15.2.1 Use an account which is not Root DN

In this HOWTO, we’re using the Root DN. The ldap admin dn should be an account other than
the Root DN: use another LDAP account that has permission to write any sambaAccount and
some posixAccount attributes.

15.2.2 Use SSL!

In this HOWTO, we are using clear LDAP transport between Samba and OpenLDAP. As both
servers implement SSL, you should use LDAPS transport instead.

15.2.3 Use ACLs for LDAP

Place ACLs to protect the directory data. For use with Samba, the following should
deliver basic protection:

# Password hashes
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=lmPassword
    by self write
    by anonymous auth
    by * none
access to attrs=ntPassword
    by self write
    by anonymous auth
    by * none

# Global read access
access to *
    by * read
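
slapd applies the first "access to" directive whose target matches an attribute, so the rules above only protect the hashes while they stay ahead of the global read rule. The following Python check is an added example, not part of the original HOWTO: it understands only "*" and "attrs=" targets and the self/anonymous/users/* subjects, and the misordered input is constructed for illustration.

```python
import re

SENSITIVE = ("userPassword", "lmPassword", "ntPassword")  # hashes the page protects
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acls(text):
    """Return [(what, [(who, level), ...])] in file order.
    Lines starting with whitespace continue the previous directive."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    acls = []
    for line in lines:
        m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", line)
        if m:  # simplification: <who> and <level> contain no spaces
            clauses = [tuple(c.split()[:2]) for c in re.split(r"\s+by\s+", m.group(2))]
            acls.append((m.group(1), clauses))
    return acls

def matches(what, attr):
    """Only 'access to *' and 'attrs=a,b' (or 'attr=') targets are understood."""
    m = re.search(r"\battrs?=(\S+)", what)
    return what == "*" or (bool(m) and attr.lower() in m.group(1).lower().split(","))

def effective(acls, attr, subject):
    """First matching 'access to' wins, then its first matching 'by' clause;
    a directive with no matching clause ends in an implicit 'by * none'."""
    for what, clauses in acls:
        if matches(what, attr):
            return next((lvl for who, lvl in clauses if who in ("*", subject)), "none")
    return "none"

def exposed(text):
    """(attr, subject, level) where someone other than the owner gets more than auth."""
    acls = parse_acls(text)
    return [(a, s, effective(acls, a, s))
            for a in SENSITIVE for s in ("anonymous", "users")
            if LEVELS.index(effective(acls, a, s)) > LEVELS.index("auth")]

# Constructed input: the ACLs from this section, then the same rules with the
# global read rule moved to the top (hypothetical misordering).
PAGE_ACL = "".join(f"access to attrs={a}\n    by self write\n    by anonymous auth\n    by * none\n"
                   for a in SENSITIVE) + "access to *\n    by * read\n"
MISORDERED = "access to *\n    by * read\n" + PAGE_ACL

if __name__ == "__main__":
    print("page order:", exposed(PAGE_ACL))
    print("misordered:", exposed(MISORDERED))
```

Running exposed() over the ACL section of a real slapd.conf after each edit catches a password rule that has slipped below a broader one.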
