[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?

Rowland penny rpenny at samba.org
Tue Mar 23 09:02:17 UTC 2021

On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
> We're migrating a customer's network to Samba AD using Zentyal and 
> we're reconfiguring several services to use AD for authentication.
> We've created a dedicated, unprivileged user for each service to bind 
> to AD, but we're having some problems with grouping. We'd like to use 
> filters like this to limit access:
> memberOf=CN=VPN Users,CN=Groups,DC=domain
> ...but it appears that non-admin users can't access the memberOf 
> attribute, which I understand is not a "real" attribute but is being 
> synthesized on-the-fly from group memberships.
> A LDAP query like this won't return memberOf (without erroring out) if 
> the user is not a Domain Admin:
> ldapsearch -h dc1.domain -D user@domain -W \
>   -b 'cn=Users,dc=domain' \
>   sAMAccountName memberOf
> I tried this against a Windows DC and it works as expected (Win 2016 
> if it matters, but I'm pretty sure I had it working on other versions).
> Is this expected?
> Is there a way to set ACLs or other permissions on the LDAP 
> attributes? I tried all the searches I could think of on this subject, 
> but couldn't find anything.
> Should I try with a fresh and clean Samba installation instead of 
> Zentyal? Would official Debian "buster" Samba packages be any good?
> Sorry for many questions and fragmentary data, but this isn't 
> something I do often and I wasn't expecting this particular problem. 
> Any additional info you need to help me, just ask.

This works for me against a Samba DC:

ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W \
  -b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf

Though it doesn't work against my other DC, it needs stronger 

Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is 
actually a linked attribute, it is linked with 'member'.
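
Because memberOf is the back-link of member, a service account that does not get memberOf on the user entries can still resolve the same relation from the member values on the group entries it can read. The script below does that from ldapsearch-style LDIF: it parses the output (folded lines, base64 `::` values, the search/result trailer), then merges whatever memberOf values came back with the member forward links so a missing back-link does not hide a membership. This is an added example, not code from this thread, Samba or Zentyal; the LDIF is constructed to resemble ldapsearch output, the DNs are made up, and the DN normalisation is deliberately naive (it does not handle escaped commas).

```python
"""Resolve AD group membership from ldapsearch LDIF, using either side of the
member/memberOf link.  Added example, not code from the samba thread, Samba or
Zentyal; the LDIF and DNs below are constructed, not captured from a DC."""
import base64
from typing import Dict, List, Optional, Set

# One DN base64-encoded the way LDIF does for non-safe strings ('member::').
_B64_BOB = base64.b64encode(b"CN=Bob Example,CN=Users,DC=domain").decode()

# Constructed sample: Alice's entry came back without memberOf (the back-link
# was not returned to the unprivileged bind), Bob's did; the groups' member
# forward link is readable either way.  One value is LDIF-folded on purpose.
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,CN=Users,DC=domain
sAMAccountName: alice

dn: CN=Bob Example,CN=Users,DC=domain
sAMAccountName: bob
memberOf: CN=VPN Users,CN=Groups,DC=domain

dn: CN=VPN Users,CN=Groups,DC=domain
objectClass: group
member: CN=Alice Example,CN=Use
 rs,DC=domain
member: cn=bob example, cn=users, dc=domain

dn: CN=Staff,CN=Groups,DC=domain
objectClass: group
member:: {_B64_BOB}

# search result
search: 2
result: 0 Success
"""

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDNs so DNs compare equal.
    Naive: an escaped comma inside an RDN would be split incorrectly."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _split_attr(line: str):
    """(lowercased attribute name, value); 'attr:: v' carries base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse ldapsearch-style LDIF into {dn: {attr: [values]}}."""
    lines: List[str] = []
    for raw in text.splitlines():       # unfold: leading space = continuation
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Entry] = {}
    dn: Optional[str] = None
    attrs: Entry = {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, value = _split_attr(line)
        if name == "dn":
            dn, attrs = value, {}
        elif dn is not None:            # drops 'search:'/'result:' trailer lines
            attrs.setdefault(name, []).append(value)
    return entries


def group_membership(entries: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """Normalised user DN -> normalised group DNs, merging the memberOf
    back-link (when returned) with the member forward link on the groups."""
    membership: Dict[str, Set[str]] = {}
    for dn, attrs in entries.items():
        ndn = normalize_dn(dn)
        for group in attrs.get("memberof", []):
            membership.setdefault(ndn, set()).add(normalize_dn(group))
        for member in attrs.get("member", []):
            membership.setdefault(normalize_dn(member), set()).add(ndn)
    return membership


def is_member(entries: Dict[str, Entry], user_dn: str, group_dn: str) -> bool:
    """True if user_dn is a direct member of group_dn by either link."""
    groups = group_membership(entries).get(normalize_dn(user_dn), set())
    return normalize_dn(group_dn) in groups


def find_user_dn(entries: Dict[str, Entry], sam: str) -> Optional[str]:
    """DN of the entry whose sAMAccountName matches, case-insensitively."""
    for dn, attrs in entries.items():
        if any(v.lower() == sam.lower() for v in attrs.get("samaccountname", [])):
            return dn
    return None


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    vpn = "CN=VPN Users,CN=Groups,DC=domain"
    for sam in ("alice", "bob"):
        print(sam, "in VPN Users:", is_member(ents, find_user_dn(ents, sam), vpn))
```

In practice the input would be the LDIF from two searches by the same service bind: the user entries (requesting sAMAccountName and memberOf) and the group entries under the groups container (requesting member). Only direct membership is resolved here; nested groups would need the same merge repeated for group-in-group links.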