LinuxQuestions.org


Neruocomp 05-22-2006 10:35 AM

Ldap security question
 
I'm currently trying to set up Samba as a primary domain controller using LDAP, but to do so, I need an account in LDAP with uid = 0, so that I can add machines to the domain. Otherwise it fails with access denied.

My boss is worried that if someone hacks our LDAP server, they can get at all of our machines using that account. Is it really that much of a concern? Or is there a workaround?

musicman_ace 05-22-2006 11:21 AM

I'd wonder how insecure a network would be to be able to be compromised in that way. The 'admin' or 'root' account (UID=0) shouldn't be allowed to log in remotely on any system. If it's Linux-based then use su, if it's Windows then use runas. I'd hope that there are firewalls in place and restrictions on internal and external port traffic.

Keep any LDAP directory service patched since it is critical. Audit the hell out of it, and watch the logs. How is your LDAP traffic being submitted on your network? Is it secure?


All times are GMT -5.