ldap object access controls

Rowland Penny rpenny at samba.org
Fri May 4 09:09:21 UTC 2018

On Fri, 4 May 2018 11:38:22 +0300
Nadezhda Ivanova via samba-technical <samba-technical at lists.samba.org>

> Hi William,
> Perhaps I don't understand your question, do you mean 
> nTSecurityDescriptor? To "see" it you need to be a domain admin or 
> provide SD_FLAGS_CONTROL in the request. Also, it's a binary blob. I 
> have forgotten if there is a samba tool to display the decoded 
> descriptors, there must be. Else some of the python test code can be 
> re-used.

it is one of the hidden attributes, you need to explicitly ask for it

ldbsearch -H ldap://dc4 -b 'dc=samdom,dc=example,dc=com' -s sub -U
rowland '(&(objectclass=user)(samaccountname=rowland))'


More information about the samba-technical mailing list