Re: [SOGo] Samba4 anonymous bind
> You needn't use an account with administrative rights to bind to Samba 4 AD DC (or Microsoft AD DS). It is a common misconception (or plain laziness) that an administrator account has to be used for this kind of operation. It is perfectly good with an account that is a member of the Domain Users group (ordinary domain user account).

That is perfectly true. Don't use the admin user to bind to AD. It isn't required.

> However, I don't know whether the password changing ability is affected. If so, make the bind user account a member of the Account Operators group. That way you give the account sufficient rights to manipulate S4 ADDC-accounts but the Administrator account. And maintain some level of security.

The password changing is done with the credentials of the logged-in user. SOGo sends the old passwd along with the new password when doing the ldap modify operation. (for the curious: https://github.com/inverse-inc/sogo/commit/d7e6648396acfb4cafbfb7a8b338a3e292c7ba19#diff-3def561ac819d0cad0891746f3f84a2aR635)

So there's basically no reason to use a privileged user to bind to the directory.

--
users@sogo.nu
https://inverse.ca/sogo/lists
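The low-privilege bind recommended in this thread, sketched as a `SOGoUserSources` entry. This is an added example, not configuration posted by anyone in the thread or taken from the SOGo documentation; it assumes the plist-style `sogo.conf` format, and the account name `sogo-bind`, the domain `example.com`, the host name and the password value are placeholders.

```plist
/* Added example: SOGo user source for a Samba 4 AD DC, bound as an
   ordinary domain user instead of Administrator.
   Placeholders (not from the thread): sogo-bind, example.com,
   dc1.example.com, CHANGE_ME. */
SOGoUserSources = (
  {
    type = ldap;
    id = directory;
    displayName = "Active Directory";
    hostname = "ldap://dc1.example.com:389";
    baseDN = "cn=Users,dc=example,dc=com";

    /* Avoid: binding with the domain administrator.
       bindDN = "cn=Administrator,cn=Users,dc=example,dc=com"; */

    /* Prefer: a dedicated account that is only a member of
       Domain Users. SOGo uses it to search the directory; a
       password change is done with the logged-in user's own
       credentials, as described above, so the bind account
       needs no extra rights for it. */
    bindDN = "cn=sogo-bind,cn=Users,dc=example,dc=com";
    bindPassword = "CHANGE_ME";

    /* Attribute mapping for Active Directory style entries. */
    CNFieldName = cn;
    IDFieldName = cn;
    UIDFieldName = sAMAccountName;
    bindFields = (sAMAccountName);

    canAuthenticate = YES;
    isAddressBook = YES;
  }
);
```

The bind password is still stored in the file, so the restrictive file mode mentioned in the original question still applies; what changes is that the stored credential belongs to an ordinary domain user rather than to the domain administrator.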
Re: [SOGo] Samba4 anonymous bind
On 2013-12-30 18:30, Ben wrote:

> Can Samba4 + SOGo be configured for anonymous bind?
>
> Looking at the documentation in http://www.sogo.nu/files/docs/SOGo%20Native%20Microsoft%20Outlook%20Configuration.pdf the procedure is to set an admin password for samba4 and then configure SOGo's SOGoUserSources to bind to this Administrator account for doing logins, etc. I'd rather not store the domain password in plaintext in a file (chmod 600 for root, but still).
>
> Can SOGo be configured to do an anonymous bind (as I currently do against my own ldap server, not using samba4 or openchange) when using Samba4? If not, can I have it bind as some less privileged user than Administrator?
>
> Thanks,
> Ben

You needn't use an account with administrative rights to bind to Samba 4 AD DC (or Microsoft AD DS). It is a common misconception (or plain laziness) that an administrator account has to be used for this kind of operation. It is perfectly good with an account that is a member of the Domain Users group (ordinary domain user account).

However, I don't know whether the password changing ability is affected. If so, make the bind user account a member of the Account Operators group. That way you give the account sufficient rights to manipulate S4 ADDC-accounts but the Administrator account. And maintain some level of security.

Regards
Davor
[SOGo] Samba4 anonymous bind
Can Samba4 + SOGo be configured for anonymous bind?

Looking at the documentation in http://www.sogo.nu/files/docs/SOGo%20Native%20Microsoft%20Outlook%20Configuration.pdf the procedure is to set an admin password for samba4 and then configure SOGo's SOGoUserSources to bind to this Administrator account for doing logins, etc. I'd rather not store the domain password in plaintext in a file (chmod 600 for root, but still).

Can SOGo be configured to do an anonymous bind (as I currently do against my own ldap server, not using samba4 or openchange) when using Samba4? If not, can I have it bind as some less privileged user than Administrator?

Thanks,
Ben