[Samba] ACL by LDAP port 389/636

Denis Cardon dcardon at tranquil.it
Thu Sep 21 10:23:58 UTC 2017

Hi 3eb,

> We have AD controller with opened ldap ports (389/636).
> Problem is that users can connect by application like Apache Directory
> Studio and they see all ldap tree.
> Is it any solution to:
> - block view for all users without specific ACL,
> - block same attribute like uidNumber ?
> I'm looking for something like ACL in OpenLdap for Samba AD.

If you lock your users/workstations out of any ldap query, you'll 
have serious side effects and it probably won't work at all (or they may 
perhaps downgrade to NT4 mode I guess).

A better option is to set restrictive ACLs on an OU or a specific 
object, or even an attribute, to restrict user access, but you have to be 
very careful about what you do and check all the side effects. For testing 
changes in ACLs, you can do it simply with RSAT.

For instance, when deploying LAPS [1], there are ACLs set up on the 
attribute ms-MCS-AdmPwd containing the local admin password so that only 
admins can read it.



[1] https://technet.microsoft.com/en-us/mt227395.aspx

> Maybe somebody can help ?
> Best regards,
> Support 3eb

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
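As an added example (not code from this thread, from Samba or from LAPS), a small Python audit of the SDDL string that `samba-tool dsacl get` or RSAT shows for an object: it lists the allow ACEs that give broad principals (Everyone, Authenticated Users, Domain Users) read of every attribute or of one attribute GUID, which is the side-effect check to run before and after tightening an ACL on an OU, object or attribute. The attribute and property-set GUIDs and both SDDL strings are constructed placeholders.

```python
import re
# Constructed placeholders; use the schemaIDGUID of the attribute you audit
# (under CN=Schema,CN=Configuration) and of the property set you allow.
ATTR_GUID = "11111111-2222-3333-4444-555555555555"
PUBLIC_SET_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Well-known SDDL trustees whose read grants reach every domain account.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
# RP/GR/GA read attributes; CR (control access) is what confidential attributes need.
READ = {"RP", "GR", "GA", "CR"}

def trustee_name(sid):
    """Name a broad trustee, or None if the SID is a specific user or group."""
    if sid in BROAD:
        return BROAD[sid]
    return "Domain Users" if sid.endswith("-513") else None  # RID 513

def rights_of(field):
    """Expand the rights field (two-letter codes or a hex mask) into codes."""
    if field.startswith("0x"):
        mask = int(field, 16)
        return {c for c, b in (("RP", 0x10), ("CR", 0x100), ("GA", 0x10000000),
                               ("GR", 0x80000000)) if mask & b}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_dacl(sddl):
    """Return DACL ACEs as (type, rights, object_guid, trustee) tuples."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)  # the DACL ends at the SACL or the end
    fields = [b.split(";") for b in re.findall(r"\(([^)]*)\)", m.group(1) if m else "")]
    # ACE layout: type;flags;rights;object-guid;inherit-guid;trustee
    return [(f[0], rights_of(f[2]), f[3].lower(), f[5]) for f in fields if len(f) == 6]

def broad_read_grants(sddl, attr_guid=ATTR_GUID):
    """Allow ACEs giving a broad trustee read of all attributes or of attr_guid.
    Deny ACEs and inheritance are not evaluated: confirm with RSAT before acting."""
    findings = []
    for ace_type, rights, obj, sid in parse_dacl(sddl):
        name = trustee_name(sid)
        if ace_type not in ("A", "OA") or name is None or not rights & READ:
            continue
        if obj and obj != attr_guid.lower():
            continue  # object ACE scoped to another property or property set
        findings.append((name, obj or "<all attributes>"))
    return findings

# Constructed sample: before, Authenticated Users read every property; after,
# they read only a public property set and admins alone read the attribute.
BEFORE = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
AFTER = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;LCLORC;;;AU)"
         "(OA;;RP;" + PUBLIC_SET_GUID + ";;AU)(OA;;RP;" + ATTR_GUID + ";;DA)")
```

Run `broad_read_grants(...)` on the descriptor of the OU or object you intend to change; an empty result for the sensitive attribute is the state LAPS-style protection aims for.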
