[Samba] ACL by LDAP port 389/636
Denis Cardon
dcardon at tranquil.it
Thu Sep 21 10:23:58 UTC 2017
Hi 3eb,
> We have AD controller with opened ldap ports (389/636).
> Problem is that users can connect by application like Apache DIrectory
> Studio and they see all ldap tree.
> Is it any solution to:
> - block view for all users without specific ACL,
> - block same attribute like uidNumber ?
>
> I'm lokking something like ACL in OpenLdap for Samba AD.
if you are locking out your user/workstation from any ldap query, you'll
have serious side effects and it probably won't work at all (or they may
perhaps downgrade in NT4 mode I guess).
A better option is to set restrictive ACLs on an OU or a specific
object, or even an attribute to restrict user access, but you have to be
very careful on what you do and check all the side effects. For testing
change in ACLs, you can do it simply with RSAT.
For instance, when deploying LAPS [1], there are ACLs setup on the
attribute ms-MCS-AdmPwd containing the local admin password so that only
admin can read them.
Cheers,
Denis
[1] https://technet.microsoft.com/en-us/mt227395.aspx
>
> Maybe somebody can help ?
>
> Best regards,
> Support 3eb
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
More information about the samba
mailing list