General discussion on installation and configuration of SOGo



Re: [SOGo] Samba4 & anonymous bind


  • From: Jean Raby < >
  • To:
  • Subject: Re: [SOGo] Samba4 & anonymous bind
  • Date: Mon, 06 Jan 2014 20:01:52 -0500

> You needn't use an account with administrative rights to bind to Samba 4 AD DC
> (or Microsoft AD DS). It is a common misconception (or plain laziness) that an
> administrator account has to be used for this kind of operation. It is
> perfectly good with an account that is a member of the Domain Users group
> (ordinary domain user account).

That is perfectly true. Don't use the admin user to bind to AD. It isn't
required.

> However, I don't know whether the password
> changing ability is affected. If so, make the bind user account member of the
> Account Operators group. That way you give the account sufficient rights to
> manipulate S4 ADDC-accounts but the Administrator account. And maintain some
> level of security.

The password changing is done with the credentials of the logged-in user. SOGo sends the old passwd along with the new password when doing the LDAP modify operation. (For the curious: https://github.com/inverse-inc/sogo/commit/d7e6648396acfb4cafbfb7a8b338a3e292c7ba19#diff-3def561ac819d0cad0891746f3f84a2aR635)

So there's basically no reason to use a privileged user to bind to the
directory.
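
The user-driven password change described above, as an added example that is not part of the original message and is not SOGo's code. It assumes the directory follows the Active Directory convention of changing a password by deleting the old `unicodePwd` value and adding the new one in a single modify; the DN and passwords are constructed sample values.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire format: the password in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")

def _ldif_attr(name: str, value: bytes) -> str:
    """Emit 'name: value' when value is an LDIF SAFE-STRING, else base64 ('name:: ...')."""
    safe = (
        value != b""
        and all(b < 128 and b not in (0, 10, 13) for b in value)
        and value[:1] not in (b" ", b":", b"<")
        and value[-1:] != b" "
    )
    if safe:
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"

def password_change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """LDIF for a self-service change; apply it while bound as user_dn itself."""
    if not old_password or not new_password:
        raise ValueError("both the old and the new password are required")
    if old_password == new_password:
        raise ValueError("new password must differ from the old one")
    return "\n".join([
        _ldif_attr("dn", user_dn.encode("utf-8")),
        "changetype: modify",
        # Deleting the exact old value proves knowledge of the current password,
        # so the directory treats this as a change, not an administrative reset
        # (a reset is a 'replace' and needs rights an ordinary user lacks).
        "delete: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]) + "\n"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(password_change_ldif("CN=Alice Example,CN=Users,DC=example,DC=test",
                               "Old-Passw0rd!", "New-Passw0rd!"))
```

Because the modify is applied on a connection bound as the user whose password is changing, the account used for directory lookups never needs write access to other users' entries.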

