[Samba] Set write permission for an user into a specific LDAP field...

Andrew Bartlett abartlet at samba.org
Wed Aug 26 09:46:02 UTC 2020


On Wed, 2020-08-26 at 11:29 +0200, Marco Gaiarin via samba wrote:
> No one replied, so I'll try to clarify better.
> 
> > I need to have an AD user that needs to *write* to a user's LDAP
> > field.
> > The use case is an MFP (a set of MFPs, indeed) that has RFID auth, and
> > so needs to 'register' the RFID card IDs.
> 
> The system works with direct LDAP access via some credential; if I
> temporarily put in the credentials of an administrator, the MFPs write
> the ID of the card correctly in LDAP.
> So, on the MFP side, the system seems to work.
> 
> 
> > It seems to me that I have to use dsacl/samba-tool acl ds, but I haven't
> > found a way to set the property for every user.
> > E.g., assign write permission to user 'mfp' on field 'pager' for every
> > user, current and future ones.
> 
> Clearly, having the MFPs write LDAP data with administrator power is
> not a good policy; I'm looking for a way to set LDAP ACLs so that a
> particular user can write to a particular field (in this example,
> 'pager'), and only this, for all users.
> 
> 
> > Is it possible? Thanks.
> 
> Thanks.

Yes, it should be possible.  AD permission stuff is a pain; you want to
set an inherited ACL on the container giving permission to modify a
particular attribute by its schema GUID.

But you might choose to instead provide a web interface that does the
elevated privilege thing and some validation as well.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
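The following is an added example, not code from the thread or from the Samba project, that turns Andrew's advice into something concrete: it normalises the schemaIDGUID of the target attribute as `ldbsearch` prints it, builds one SDDL ACE that grants only write-property (WP) on that attribute, inherited to user objects under the container, and prints the `samba-tool dsacl set` invocation. Every domain-specific value in it (the SID of the 'mfp' account, the users container DN, the attribute GUID) is a constructed placeholder; the 'user' class GUID is the well-known AD schema constant. It assumes `samba-tool dsacl set --objectdn=... --sddl=...` as the interface and that LDIF `::` values are base64 of the 16-byte little-endian GUID.

```python
import base64
import re
import shlex
import uuid

# Constructed sample values (not from the mailing-list thread): the SID of the
# 'mfp' service account and the container under which the user objects live.
MFP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USERS_DN = "CN=Users,DC=example,DC=lan"

# Constructed stand-in for the 'pager' attribute's schemaIDGUID as ldbsearch
# would print it as an LDIF base64 value; the real one must be read from the
# domain's own schema partition (see usage note).
PAGER_SCHEMA_ID_GUID_LDIF = "Z0UjAauJ780BI0VniavN7w=="

# schemaIDGUID of the 'user' object class (well-known AD schema constant), used
# as the inherited-object-type so the ACE lands only on user objects.
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def guid_from_ldif(value: str) -> str:
    """Normalise a schemaIDGUID to dashed form.

    Accepts either the dashed string or a base64 LDIF value.  AD stores GUIDs
    as 16 bytes with the first three fields little-endian, so the blob must be
    decoded with bytes_le; decoding it as big-endian silently yields a GUID
    that matches no attribute and the ACE grants nothing.
    """
    value = value.strip()
    if GUID_RE.match(value):
        return value.lower()
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("schemaIDGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_ldif(guid: str) -> str:
    """Inverse of guid_from_ldif: dashed GUID -> base64 of the AD byte order."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def write_property_ace(attr_guid: str, trustee_sid: str,
                       inherited_class_guid: str = USER_CLASS_GUID) -> str:
    """Build one SDDL ACE granting WP on a single attribute.

    OA   object-specific allow ACE
    CI   inherited by child objects and containers
    IO   inherit-only: does not apply to the container itself
    WP   write-property right
    The first GUID scopes the right to one attribute; the second restricts
    inheritance to objects of one class.  No other right is granted, so the
    trustee cannot read or change anything else on the user objects.
    """
    if not trustee_sid.upper().startswith("S-1-"):
        raise ValueError("trustee must be given as a SID string, not a name")
    if not (GUID_RE.match(attr_guid) and GUID_RE.match(inherited_class_guid)):
        raise ValueError("GUIDs must be in dashed form")
    return f"(OA;CIIO;WP;{attr_guid.lower()};{inherited_class_guid.lower()};{trustee_sid})"


def samba_tool_command(object_dn: str, ace: str) -> str:
    """Return the samba-tool invocation that appends the ACE to object_dn.

    Assumption: 'samba-tool dsacl set --objectdn=... --sddl=...' is the
    interface; confirm with 'samba-tool dsacl set --help' on the DC.
    """
    return "samba-tool dsacl set " + shlex.join(
        [f"--objectdn={object_dn}", f"--sddl={ace}"])


if __name__ == "__main__":
    pager_guid = guid_from_ldif(PAGER_SCHEMA_ID_GUID_LDIF)
    ace = write_property_ace(pager_guid, MFP_SID)
    print(ace)
    print(samba_tool_command(USERS_DN, ace))
```

To get the real attribute GUID, query the schema partition on the DC, for example `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Schema,CN=Configuration,<domain DN>' '(lDAPDisplayName=pager)' schemaIDGUID`, and feed the printed value to `guid_from_ldif`. After applying the ACE, `samba-tool dsacl get --objectdn=<users container>` shows the DACL so you can confirm the entry is present, and a test bind as the 'mfp' account should succeed in writing `pager` and be refused on any other attribute. If users live in several OUs, the ACE has to be set on each top-level container, or on the domain root if that scope is acceptable.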