[Samba] Normal users do not see memberOf and userAccountControl LDAP attributes
Rowland Penny
rpenny at samba.org
Mon Nov 14 19:08:59 UTC 2022
On 14/11/2022 18:21, shacky via samba wrote:
> Hi,
> I am connecting an application to Samba using a "service" account
> (basically an Active Directory "normal" user account).

What application?

>
> I realised that to have access to some attributes of all users (for example
> "memberOf" and "userAccountControl")

You do not actually set or read 'memberof', you add/remove the 'member'
attribute from the users AD object and then magically 'memberof' appears
(or disappears) in the groups AD object.

Do you really want a normal user to be able to change their
userAccountControl attribute?

> this user should be part of the Domain
> Admin group, else it has access only to all its own attributes, and it
> shows only a partial set of attributes for every other user.
>
> I think this is a normal security approach, but I don't want to use a
> Domain Admin account for applications.
>
> For this reason I am wondering which permissions I should give to this
> service user to access all other users' LDAP attributes.

Absolutely none that they do not already have; the permissions are set
as they are for a reason, mainly security.

Rowland
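The two attributes in this thread behave differently from ordinary stored data, which is worth seeing in code. `memberOf` is a back-link: the directory stores the forward `member` links and derives `memberOf` from them, so it is never written directly. `userAccountControl` is a bit field whose individual bits switch security properties of the account on and off, which is why write access to it matters. The following Python is an added example, not code from this thread or from Samba; the directory entries and DNs are constructed sample data, and the bit values are the documented `ADS_UF_*` flags. It derives `memberOf` from `member`, decodes `userAccountControl`, and flags a change to that attribute that weakens an account, the kind of check an auditor would run over the objects a service account is allowed to write.

```python
# Added example: not code from the Samba thread or from Samba itself.
# The directory entries below are constructed sample data; the
# userAccountControl bit values are Microsoft's documented ADS_UF_* flags.

# userAccountControl bits (subset).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Bits whose change in the given direction weakens the account's security.
WEAKENS_WHEN_SET = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD",
                    "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH"}
WEAKENS_WHEN_CLEARED = {"ACCOUNTDISABLE"}


def decode_uac(value):
    """Return the names of the known bits set in a userAccountControl value,
    lowest bit first (512 -> ['NORMAL_ACCOUNT'], 514 -> a disabled account)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def uac_weakening_changes(old, new):
    """Detection helper: list (flag, 'set'|'cleared') pairs for every bit
    change from old to new that weakens the account. Disabling an account
    or adding NORMAL_ACCOUNT is not reported; re-enabling one or switching
    off Kerberos pre-authentication is."""
    changed = old ^ new
    findings = []
    for bit, name in sorted(UAC_FLAGS.items()):
        if not changed & bit:
            continue
        if new & bit and name in WEAKENS_WHEN_SET:
            findings.append((name, "set"))
        elif not new & bit and name in WEAKENS_WHEN_CLEARED:
            findings.append((name, "cleared"))
    return findings


def compute_member_of(entries):
    """Derive the memberOf back-link for every object from the forward
    'member' links stored on group objects: memberOf is never stored as
    independent data, it is computed from 'member' exactly like this."""
    member_of = {dn: [] for dn in entries}
    for group_dn, attrs in entries.items():
        for member_dn in attrs.get("member", []):
            if member_dn in member_of:
                member_of[member_dn].append(group_dn)
    return {dn: sorted(groups) for dn, groups in member_of.items()}


# Constructed sample directory (DNs and account names are made up).
SAMPLE_DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": {"userAccountControl": 0x200},
    "CN=bob,CN=Users,DC=example,DC=com": {"userAccountControl": 0x202},
    "CN=svc-app,CN=Users,DC=example,DC=com": {"userAccountControl": 0x10200},
    "CN=dev,CN=Users,DC=example,DC=com": {
        "member": ["CN=alice,CN=Users,DC=example,DC=com",
                   "CN=bob,CN=Users,DC=example,DC=com"]},
    "CN=ops,CN=Users,DC=example,DC=com": {
        "member": ["CN=alice,CN=Users,DC=example,DC=com"]},
}


if __name__ == "__main__":
    for dn, groups in compute_member_of(SAMPLE_DIRECTORY).items():
        print(dn, "memberOf:", groups)
    for dn, attrs in SAMPLE_DIRECTORY.items():
        if "userAccountControl" in attrs:
            print(dn, decode_uac(attrs["userAccountControl"]))
    # A write that re-enables bob and switches off Kerberos pre-auth:
    print(uac_weakening_changes(0x202, 0x400200))
```

Run it as-is to see the derived `memberOf` values and the decoded flags; `uac_weakening_changes` is the piece to keep, fed with the before/after values of a `userAccountControl` modification taken from the audit log of any account that holds write access to that attribute.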