[Samba] [Samba as AD] ACLs on LDAP attributes?

Rowland penny rpenny at samba.org
Tue Jun 28 13:22:54 UTC 2016

On 28/06/16 14:07, mathias dufresne wrote:
> Hi all,
> We are thinking of hiding some attribute contents from almost everyone but
> those we decide can read it. It is possible with real LDAP servers such as
> OpenLDAP, but is it with the LDAP server shipped with Samba 4 working as AD?
> About accessing the whole tree, I believe that Samba as AD refuses any
> unauthenticated query. Is that true? I did test that, but my search could
> be wrong, or perhaps the default configuration makes authentication
> necessary but this configuration could be changed. In that case I would
> like to know how to change that behaviour, to avoid changing it by mistake : )
> Best regards,
> mathias

Try investigating the 'nTSecurityDescriptor' attribute, which, funnily 
enough, is a hidden attribute; it contains the ownership and 
permissions of an AD object.

You will probably need to read this as well: 


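As an added illustration (not code from this thread or from Samba) of what nTSecurityDescriptor holds: it is a self-relative Windows security descriptor whose DACL can grant rights on a single attribute through object ACEs, which is how read access to one attribute is narrowed to one group while everyone else keeps only generic object rights. The script below builds such a descriptor from constructed SIDs and a placeholder GUID (not a real schemaIDGUID), then decodes it back into SDDL-style ACE tuples; it uses only the standard library and a subset of the AD access-mask bits.

```python
import struct
import uuid
# Subset of AD access-mask bits with their SDDL letters (assumption: enough for this demo).
RIGHTS = [(0x1, "CC"), (0x2, "DC"), (0x4, "LC"), (0x10, "RP"), (0x20, "WP"), (0x80, "LO"),
          (0x100, "CR"), (0x10000, "SD"), (0x20000, "RC"), (0x40000, "WD"), (0x80000, "WO")]
ACE_NAMES = {0: "A", 1: "D", 5: "OA", 6: "OD"}  # allowed, denied, object-allowed, object-denied

def build_sid(sid):
    """'S-1-5-21-1-2-3-500' -> binary SID: revision, sub-auth count, 48-bit authority, sub-auths."""
    p = [int(x) for x in sid.split("-")[1:]]
    return bytes([p[0], len(p) - 2]) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])

def build_ace(ace_type, mask, sid, object_guid=None):
    """ACE header + access mask (+ object flags and GUID for object ACEs) + trustee SID."""
    body = struct.pack("<I", mask)
    if ace_type in (5, 6):  # ACE_OBJECT_TYPE_PRESENT: the GUID scopes the right to one attribute/class
        body += struct.pack("<I", 1) + uuid.UUID(object_guid).bytes_le
    body += build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sd(owner, group, aces):  # self-relative descriptor: 20-byte header, owner, group, DACL, no SACL
    dacl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    o, g = build_sid(owner), build_sid(group)
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 20 + len(o), 0, 20 + len(o) + len(g))
    return hdr + o + g + dacl  # control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT

def parse_sid(buf, off):
    subs = struct.unpack_from("<%dI" % buf[off + 1], buf, off + 8)
    return "S-%d-%d" % (buf[off], int.from_bytes(buf[off + 2:off + 8], "big")) + "".join("-%d" % s for s in subs)

def parse_sd(buf):
    """Decode owner, group and DACL into (ACE type, SDDL rights, object GUID, trustee SID) tuples."""
    _rev, _sbz, _ctrl, o_off, g_off, _s_off, d_off = struct.unpack_from("<BBHIIII", buf, 0)
    aces, pos = [], d_off + 8
    for _ in range(struct.unpack_from("<H", buf, d_off + 4)[0]):
        ace_type, _flags, size = struct.unpack_from("<BBH", buf, pos)
        mask, p, guid = struct.unpack_from("<I", buf, pos + 4)[0], pos + 8, None
        if ace_type in (5, 6):
            obj_flags, p = struct.unpack_from("<I", buf, p)[0], p + 4
            if obj_flags & 1:  # object-type GUID: the attribute's schemaIDGUID for a per-attribute right
                guid, p = str(uuid.UUID(bytes_le=buf[p:p + 16])), p + 16
            p += 16 if obj_flags & 2 else 0  # skip inherited-object-type GUID when present
        rights = "".join(a for bit, a in RIGHTS if mask & bit) or hex(mask)
        aces.append((ACE_NAMES.get(ace_type, str(ace_type)), rights, guid, parse_sid(buf, p)))
        pos += size
    return {"owner": parse_sid(buf, o_off), "group": parse_sid(buf, g_off), "dacl": aces}

# Constructed sample: group RID 1104 may read one attribute (placeholder GUID, not a real schemaIDGUID);
# Authenticated Users (S-1-5-11) get only RC and LC on the object, so they cannot read that attribute.
ATTR_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SD = build_sd("S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-513", [
    build_ace(5, 0x10, "S-1-5-21-1-2-3-1104", ATTR_GUID),  # SDDL: (OA;;RP;<attr guid>;;<group>)
    build_ace(0, 0x20004, "S-1-5-11")])                     # SDDL: (A;;LCRC;;;AU)
```

Running `parse_sd(SAMPLE_SD)` shows the per-attribute read right as an "OA" ACE carrying the GUID, while the Authenticated Users ACE carries no RP bit at all.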