Re: [Samba] ACL by LDAP port 389/636
- Date: Thu, 21 Sep 2017 12:23:58 +0200
- From: Denis Cardon via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] ACL by LDAP port 389/636
> We have an AD controller with open LDAP ports (389/636).
> Problem is that users can connect with an application like Apache Directory
> Studio and they see the whole LDAP tree.
> Is there any solution to:
> - block view for all users without a specific ACL,
> - block some attribute like uidNumber?
> I'm looking for something like the ACLs in OpenLDAP for Samba AD.
> Maybe somebody can help?

If you are locking out your users/workstations from any LDAP query, you'll
have serious side effects and it probably won't work at all (or they may
perhaps downgrade to NT4 mode, I guess).

A better option is to set restrictive ACLs on an OU or a specific
object, or even an attribute, to restrict user access, but you have to be
very careful about what you do and check all the side effects. For testing
changes in ACLs, you can do it simply with RSAT.

For instance, when deploying LAPS, there are ACLs set up on the
attribute ms-MCS-AdmPwd containing the local admin password so that only
admins can read it.
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 18.104.22.168.55
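As an added example (not part of the original thread or of Samba), the following Python models the Active Directory DACL access check over SDDL ACEs to show the side effect Denis warns about: a deny ACE aimed at Authenticated Users also blocks administrators, because their token carries that SID too, whereas the LAPS approach of a confidential attribute plus a control-access grant to admins needs no deny at all. The attribute schemaIDGUID, the domain SID and the user RIDs are constructed placeholders.

```python
# Offline model of the Active Directory DACL access check, added here to
# reason about attribute-level restrictions before changing a live DC.
# The attribute GUID and the domain SID are constructed placeholders.
import re

SID_ALIAS = {"AU": "S-1-5-11", "WD": "S-1-1-0",
             "DA": "S-1-5-21-0-0-0-512"}          # placeholder domain SID
RIGHTS = {"RP": 0x10, "WP": 0x20, "CR": 0x100, "LC": 0x4, "LO": 0x80, "RC": 0x20000}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);([^;]*);([^;]*);([^)]+)\)")

def parse_dacl(sddl):
    """Yield (type, rights mask, object GUID, trustee SID) for each ACE."""
    dacl = sddl.split("D:", 1)[1]
    for ace_type, _flags, rights, guid, _inh, sid in ACE_RE.findall(dacl):
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= RIGHTS[rights[i:i + 2]]
        yield ace_type, mask, guid.lower(), SID_ALIAS.get(sid, sid)

def can_read_attr(sddl, token_sids, attr_guid, confidential=False):
    """Walk ACEs in order, as the DC does: a deny on any still-wanted bit
    loses, allows subtract bits until none remain. Reading a confidential
    attribute (searchFlags 0x80, as LAPS uses) needs CR as well as RP."""
    remaining = RIGHTS["RP"] | (RIGHTS["CR"] if confidential else 0)
    for ace_type, mask, guid, sid in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        if guid and guid != attr_guid.lower():   # object ACE for another attribute
            continue
        if ace_type in ("D", "OD") and mask & remaining:
            return False
        if ace_type in ("A", "OA"):
            remaining &= ~mask
            if not remaining:
                return True
    return False

ATTR = "11111111-2222-3333-4444-555555555555"   # constructed schemaIDGUID
USER = {"S-1-5-11", "S-1-5-21-0-0-0-1105"}       # ordinary user's token SIDs
ADMIN = USER | {"S-1-5-21-0-0-0-512"}             # admins are Authenticated Users too

DEFAULT = "D:(A;;RPLCLORC;;;AU)"                  # everyone authenticated reads all
# Naive fix: explicit deny for Authenticated Users; this also hits admins
NAIVE = f"D:(OD;;RP;{ATTR};;AU)(A;;RPLCLORC;;;AU)"
# LAPS-style: keep the default read, mark the attribute confidential and grant
# the control-access right on it to Domain Admins only
LAPS_STYLE = f"D:(OA;;CR;{ATTR};;DA)(A;;RPLCLORC;;;AU)"
```

The confidential-attribute rule modelled here is the Windows AD behaviour; confirm that the Samba version in use enforces searchFlags 0x80 before relying on it.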