[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Jonathan Hunter jmhunter1 at gmail.com
Wed Nov 22 17:33:37 UTC 2023


On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:
> Are you sure that the ACLs on all the items in the chain should allow reading?

It's an excellent question, thank you - I'd like to just say "Yes" but
I will certainly check, as it's of course possible that my domain was
misconfigured previously, and the change has in fact introduced
correct behaviour.

Am I right in thinking that the objects I need to look at are
- the group itself
- all (some?) members of the group
- any others?

Are permissions checked in a hierarchical fashion, i.e. if OU=myou does
not allow a particular user to read it, then would
CN=somegroup,OU=myou still be denied regardless of the explicit
permissions on the CN=somegroup,OU=myou object? And I believe I'm
correct in thinking that a user can be a member of a group, even
though that user might not have permission to read the group
themselves...?

Is there a programmatic way of viewing permissions on all these
objects, or am I best manually going through with the 'ldifde'
Windows tool (which I think is what I originally used to set the
permissions in the first place)?

Many thanks

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein


