[Samba] Set write permission for an user into a specific LDAP field...

Andrew Bartlett abartlet at samba.org
Wed Aug 26 09:46:02 UTC 2020

On Wed, 2020-08-26 at 11:29 +0200, Marco Gaiarin via samba wrote:
> No one reply, so i try to clarify better.
> > I need to have an AD user that need to *write* in an users LDAP
> > field.
> > The user case is a MFP (a set of MFP, indeed) that have RFID auth,
> > and
> > so need to 'register' the RFID cards ID.
> The system works with direct LDAP access via some credential; if i
> temporary put the credential of an administrator, the MFPs write
> correctly in LDAP the ID of the card.
> So, MFPs side, the system seems to work.
> > Seems to me that i have to use dsacl/samba-tool acl ds, but i don't
> > found a way to set the property for every user.
> > EG, assign write permission to user 'mfp' to field 'pager' for
> > every
> > user, current and future ones.
> Clearly, have MFPs to write in LDAP data with administrators power is
> not a good policy; i'm looking if there's a way to set LDAP ACLs so a
> particular user can write to a particular field (in this example,
> 'pager'), and only this, for all users.
> > It is possible? Thanks.
> Thanks.

Yes, it should be possible.  AD permission stuff is a pain, you want to
set an inherited ACL on the container giving permission to modify a
particular attribute by its schema GUID.

But you might choose to instead provide a web interface that does the
elevated privilege thing and some validation as well.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list