shacky
2022-Nov-14 18:21 UTC
[Samba] Normal users do not see memberOf and userAccountControl LDAP attributes
Hi,

I am connecting an application to Samba using a "service" account (basically an Active Directory "normal" user account).

I realised that to have access to some attributes of all users (for example "memberOf" and "userAccountControl") this user should be part of the Domain Admins group; otherwise it has access only to all its own attributes, and it shows only a partial set of attributes for every other user.

I think this is a normal security approach, but I don't want to use a Domain Admin account for applications.

For this reason I am wondering which permissions I should give to this service user to access all other users' LDAP attributes.

Thank you very much!
Bye
Rowland Penny
2022-Nov-14 19:08 UTC
[Samba] Normal users do not see memberOf and userAccountControl LDAP attributes
On 14/11/2022 18:21, shacky via samba wrote:
> Hi,
> I am connecting an application to Samba using a "service" account
> (basically an Active Directory "normal" user account).

What application?

> I realised that to have access to some attributes of all users (for example
> "memberOf" and "userAccountControl")

You do not actually set or read 'memberof'; you add/remove the 'member' attribute from the user's AD object and then magically 'memberof' appears (or disappears) in the group's AD object.

Do you really want a normal user to be able to change their userAccountControl attribute?

> this user should be part of the Domain
> Admin group, else it has access only to all its own attributes, and it
> shows only a partial set of attributes for every other user.
>
> I think this is a normal security approach, but I don't want to use a
> Domain Admin account for applications.
>
> For this reason I am wondering which permissions I should give to this
> service user to access all other users' LDAP attributes.

Absolutely none that they do not already have; the permissions are set as they are for a reason, mainly security.

Rowland