Hi all,

We are thinking to hide some attribute contents to almost everyone but those we decide they can read it. It is possible with real LDAP servers as OpenLDAP but is it with LDAP server shipped with Samba 4 working as AD?

About accessing the whole tree I believe that Samba as AD refuses any unauthenticated query. Is that true? I did test that but my search could be wrong or perhaps the default configuration makes authentication necessary but this configuration could be changed. In that case I would know how to change that behaviour to avoid changing it by mistake : )

Best regards,

mathias

On 28/06/16 14:07, mathias dufresne wrote:
> Hi all,
>
> We are thinking to hide some attribute contents to almost everyone but
> those we decide they can read it. It is possible with real LDAP servers as
> OpenLDAP but is it with LDAP server shipped with Samba 4 working as AD?
>
> About accessing the whole tree I believe that Samba as AD refuses any
> unauthenticated query. Is that true? I did test that but my search could
> be wrong or perhaps the default configuration makes authentication
> necessary but this configuration could be changed. In that case I would
> know how to change that behaviour to avoid changing it by mistake : )
>
> Best regards,
>
> mathias

Try investigating the 'nTSecurityDescriptor' attribute, which funnily enough is a hidden attribute, this contains the ownership and permissions of an AD object.

You will probably need to read this as well:
https://msdn.microsoft.com/en-us/library%28d=robot%29/aa379570%28d=robot,l=en-us,v=vs.85%29.aspx

Rowland

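As an added illustration of the reply above (not code from the thread or from Samba): when an object's nTSecurityDescriptor is rendered as an SDDL string, its DACL can be parsed to list which ACEs allow or deny reading (RP) one attribute. The SDDL string, attribute GUID, SIDs and function names below are constructed placeholders; the code lists matching ACEs only and does not compute effective access.

```python
import re

# Constructed sample: placeholder attribute GUID and domain SID, not from a real directory.
ATTR_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OD;;RP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1-2-3-1106)"
    "(OA;;RPWP;99999999-2222-3333-4444-555555555555;;S-1-5-21-1-2-3-1107)"
    "(A;;RPLCRC;;;AU)"
    "(A;;GA;;;SY)"
)

ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny"}
READ_RIGHTS = {"RP", "GR", "GA"}  # RP = read property; GR/GA treated as implying it

def parse_dacl(sddl):
    """Return the DACL's ACEs, in stored order, as dicts."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, flags, rights, obj_guid, _, trustee = fields[:6]
        if rights.lower().startswith("0x"):
            codes = {rights}  # hex access mask: kept raw, not decoded here
        else:
            codes = set(re.findall("..", rights))  # two-letter right codes
        aces.append({"type": ace_type, "flags": flags, "rights": codes,
                     "object": obj_guid.lower(), "trustee": trustee})
    return aces

def read_aces_for(sddl, attr_guid):
    """List (effect, trustee) for ACEs that allow or deny reading attr_guid."""
    hits = []
    for ace in parse_dacl(sddl):
        effect = ACE_TYPES.get(ace["type"])
        if effect is None or not (ace["rights"] & READ_RIGHTS):
            continue
        # An empty object GUID means the ACE covers every attribute.
        if ace["object"] in ("", attr_guid.lower()):
            hits.append((effect, ace["trustee"]))
    return hits

if __name__ == "__main__":
    for effect, trustee in read_aces_for(SAMPLE_SDDL, ATTR_GUID):
        print(effect, trustee)
```
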
Thank you Rowland : )

I did read about that attribute once or twice, every time I deeply hoped not to have to deal with it one day... And I should have thought about them as I already read about them and because passwords are not shown too...

Thank you again.

2016-06-28 15:22 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 28/06/16 14:07, mathias dufresne wrote:
>
>> Hi all,
>>
>> We are thinking to hide some attribute contents to almost everyone but
>> those we decide they can read it. It is possible with real LDAP servers as
>> OpenLDAP but is it with LDAP server shipped with Samba 4 working as AD?
>>
>> About accessing the whole tree I believe that Samba as AD refuses any
>> unauthenticated query. Is that true? I did test that but my search could
>> be wrong or perhaps the default configuration makes authentication
>> necessary but this configuration could be changed. In that case I would
>> know how to change that behaviour to avoid changing it by mistake : )
>>
>> Best regards,
>>
>> mathias
>>
>
> Try investigating the 'nTSecurityDescriptor' attribute, which funnily
> enough is a hidden attribute, this contains the ownership and permissions
> of an AD object.
>
> You will probably need to read this as well:
> https://msdn.microsoft.com/en-us/library%28d=robot%29/aa379570%28d=robot,l=en-us,v=vs.85%29.aspx
>
> Rowland