Web lists-archives.com

Re: [Samba] ACL by LDAP port 389/636




Hi 3eb,

We have AD controller with opened ldap ports (389/636).
Problem is that users can connect by application like Apache DIrectory
Studio and they see all ldap tree.
Is it any solution to:
- block view for all users without specific ACL,
- block same attribute like uidNumber ?

I'm lokking something like ACL in OpenLdap for Samba AD.

if you are locking out your user/workstation from any ldap query, you'll have serious side effects and it probably won't work at all (or they may perhaps downgrade in NT4 mode I guess).

A better option is to set restrictive ACLs on an OU or a specific object, or even an attribute to restrict user access, but you have to be very careful on what you do and check all the side effects. For testing change in ACLs, you can do it simply with RSAT.

For instance, when deploying LAPS [1], there are ACLs setup on the attribute ms-MCS-AdmPwd containing the local admin password so that only admin can read them.

Cheers,

Denis

[1] https://technet.microsoft.com/en-us/mt227395.aspx


Maybe somebody can help ?

Best regards,
Support 3eb


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba