[Samba] [Samba as AD] ACLs on LDAP attributes?
Rowland penny
rpenny at samba.org
Tue Jun 28 13:22:54 UTC 2016
On 28/06/16 14:07, mathias dufresne wrote:
> Hi all,
>
> We are thinking to hide some attribute contents to almost everyone but
> those we decide they can read it. It is possible with real LDAP servers as
> OpenLDAP but is it with LDAP server shipped with Samba 4 working as AD?
>
> About accessing the whole tree I believe that Samba as AD refuses any
> unauthenticated query. Is that true? I did tested that but my search could
> be wrong or perhaps the default configuration makes authentication
> necessary but this configuration could be changed. In that case I would
> know how to change that behaviour to avoid changing it by mistake : )
>
> Best regards,
>
> mathias
Try investigating the 'nTSecurityDescriptor' attribute, which funnily
enough is an hidden attribute, this contains the ownership and
permissions of an AD object.
You will probably need to read this as well:
https://msdn.microsoft.com/en-us/library%28d=robot%29/aa379570%28d=robot,l=en-us,v=vs.85%29.aspx
Rowland
More information about the samba
mailing list