[Samba] Restrict ldap queries on LDB

Jon Gerdes gerdesj at blueloop.net
Wed Dec 22 14:13:05 UTC 2021

On Wed, 2021-12-22 at 04:23 -0300, Sergio Belkin via samba wrote:
> Hi,
> If I run something like :
> ldapsearch -b dc=EXAMPLE,dc=com -D "CN=test,CN=Users,DC=example,DC=com" -ZZ
>   -LLL  -H ldap://ldap.example.com -W
> I get almost everything of another users (test is an ordinary user)
> for example that user could obtain fields such as:
> dn,objectClass,objectClass,objectClass,objectClass,sn,instanceType,whenCreated,uSNCreated,
> company,objectGUID,badPwdCount,codePage,countryCode,badPasswordTime,
> lastLogoff,primaryGroupID,objectSid,accountExpires,sAMAccountName,
> sAMAccountType,userPrincipalName,objectCategory,mail,pwdLastSet,
> userAccountControl,memberOf,cn,name,givenName,displayName,
> lastLogonTimestamp,whenChanged,uSNChanged,lastLogon,logonCount,
> distinguishedName,
> Please could you help me to restrict the queries, I'd want that every
> non-Administrator user can get only some attributes, but not everything.
> How can I do that using LDB, is that possible?
> Thanks in advance!
> -- 
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org


By default, membership of "Domain Users", which is in turn a member of Builtin\Users, grants quite a lot of permissions.
That is why you see a lot of information.  You can change the default ACLs in your domain but I really don't recommend

A better way is to create a new account to test with and a new group which you put the test account in and remove it
from Domain Users.  Add ACLs to the group until you get what you need.  Be sure to test absolutely everything - a pretty
huge job!  Now you can move your users into your new group in batches and remove them from Domain Users.

Another way is to copy your Domain Users group to a new group and use that as a starting point.  You then work in the
opposite way by removing rights from the new group instead of adding them to a blank new group.  This is still a pretty
big job and will need a lot of testing.

Windows works in mysterious ways and so does Samba so be careful when playing with security ACLs. Please document your
changes and check your backups.
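
The "test absolutely everything" step above is the part that gets skipped. As an added example (not from the thread or from Samba), the script below audits an LDIF dump taken while bound as the low-privilege test account and reports, per object, every attribute that is visible but not on an allowlist. The allowlist and the LDIF are constructed sample data; the ldapsearch invocation in the docstring is the assumed way to produce the dump (the same -LLL form Sergio used, bound as the test account).

```python
"""Audit which attributes an ordinary user can read over LDAP.

Assumed workflow: bind as the low-privilege test account, dump what it sees,
and re-run this audit after every ACL change until only allowlisted
attributes remain, e.g.

    ldapsearch -LLL -ZZ -H ldap://ldap.example.com \
        -D "CN=test,CN=Users,DC=example,DC=com" -W \
        -b "CN=Users,DC=example,DC=com" "(objectClass=user)" > as_test.ldif
    python3 ldap_attr_audit.py as_test.ldif

SAMPLE_LDIF below is constructed sample data, not real directory output.
"""
import sys
from collections import defaultdict

# Attributes an ordinary user is permitted to see (assumed policy, adjust it).
ALLOWED = {
    "dn", "objectClass", "cn", "name", "sAMAccountName", "displayName",
    "mail", "memberOf", "distinguishedName", "objectCategory",
}

# Constructed sample: roughly what Sergio's ldapsearch returned for a user,
# plus a second entry with a folded (continued) value.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alice Example
sn: Example
sAMAccountName: alice
userPrincipalName: alice@example.com
mail: alice@example.com
badPwdCount: 0
pwdLastSet: 132836400000000000
lastLogon: 132850000000000000
userAccountControl: 512
memberOf: CN=Staff,CN=Users,DC=example,DC=com
objectSid:: AQUAAAAAAAUVAAAAqqqqqru7u7vMzMzMUQQAAA==
distinguishedName: CN=Alice Example,CN=Users,DC=example,DC=com

dn: CN=Bob Example,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
cn: Bob Example
sAMAccountName: bob
mail: bob@example.com
memberOf: CN=Staff,CN=Users,DC=example,DC=com
description: Long description folded across
  two LDIF lines
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Folded lines (continuation lines start with one space, which is removed)
    are joined first; '::' (base64) and ':<' (URL) markers are stripped from
    the value; comment lines and the version header are skipped.  Attribute
    options such as 'attr;binary' are reduced to the bare attribute name.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().split(";")[0]
        value = value.lstrip(":<").strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current:
        entries.append(dict(current))
    return entries


def audit(entries, allowed=ALLOWED):
    """Return {dn: sorted attributes visible to the binding user but not allowed}.

    LDAP attribute names are case-insensitive, so comparison is lowercased.
    """
    allowed_lc = {a.lower() for a in allowed}
    exposed = {}
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        extra = sorted(a for a in entry if a.lower() not in allowed_lc)
        if extra:
            exposed[dn] = extra
    return exposed


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    report = audit(parse_ldif(text))
    for dn, attrs in report.items():
        print(f"{dn}\n    exposed: {', '.join(attrs)}")
    sys.exit(1 if report else 0)
```

Run it once before touching any ACL to get the baseline, then after each change; a non-zero exit means the test account still reads something outside the allowlist. Binding as the test account is the point: running the same search as Administrator tells you nothing about what Domain Users can see.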

