Marco Gaiarin
2020-Jul-30 11:16 UTC
[Samba] Set write permission for a user into a specific LDAP field...

I need to have an AD user that needs to *write* to a user's LDAP field. The use case is an MFP (a set of MFPs, indeed) that have RFID auth, and so need to 'register' the RFID cards.

Seems to me that I have to use dsacl/samba-tool acl ds, but I didn't find a way to set the property for every user. E.g., assign write permission to user 'mfp' on field 'pager' for every user, current and future ones.

Is it possible? Thanks.

--
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2020-Aug-26 09:29 UTC
[Samba] Set write permission for a user into a specific LDAP field...

No one replied, so I'll try to clarify better.

> I need to have an AD user that needs to *write* to a user's LDAP field.
> The use case is an MFP (a set of MFPs, indeed) that have RFID auth, and
> so need to 'register' the RFID card IDs.

The system works with direct LDAP access via some credentials; if I temporarily put in the credentials of an administrator, the MFPs correctly write the ID of the card into LDAP. So, on the MFP side, the system seems to work.

> Seems to me that I have to use dsacl/samba-tool acl ds, but I didn't
> find a way to set the property for every user.
> E.g., assign write permission to user 'mfp' on field 'pager' for every
> user, current and future ones.

Clearly, having MFPs write LDAP data with administrator powers is not a good policy; I'm looking to see if there's a way to set LDAP ACLs so a particular user can write to a particular field (in this example, 'pager'), and only this, for all users.

> Is it possible? Thanks.

Thanks.
Andrew Bartlett
2020-Aug-26 09:46 UTC
[Samba] Set write permission for a user into a specific LDAP field...

On Wed, 2020-08-26 at 11:29 +0200, Marco Gaiarin via samba wrote:
> No one replied, so I'll try to clarify better.
>
> > I need to have an AD user that needs to *write* to a user's LDAP
> > field.
> > The use case is an MFP (a set of MFPs, indeed) that have RFID auth,
> > and so need to 'register' the RFID card IDs.
>
> The system works with direct LDAP access via some credentials; if I
> temporarily put in the credentials of an administrator, the MFPs
> correctly write the ID of the card into LDAP.
> So, on the MFP side, the system seems to work.
>
> > Seems to me that I have to use dsacl/samba-tool acl ds, but I didn't
> > find a way to set the property for every user.
> > E.g., assign write permission to user 'mfp' on field 'pager' for
> > every user, current and future ones.
>
> Clearly, having MFPs write LDAP data with administrator powers is
> not a good policy; I'm looking to see if there's a way to set LDAP ACLs
> so a particular user can write to a particular field (in this example,
> 'pager'), and only this, for all users.
>
> > Is it possible? Thanks.
>
> Thanks.

Yes, it should be possible. AD permission stuff is a pain: you want to set an inherited ACL on the container giving permission to modify a particular attribute by its schema GUID. But you might choose to instead provide a web interface that does the elevated-privilege thing and some validation as well.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
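As an added example, not code from the thread or from Samba itself, the following POSIX shell script does what Andrew describes: it looks up the schemaIDGUIDs of the pager attribute and the user class and the SID of the mfp account, builds an inherited object-specific write-property ACE, checks that the ACE is narrow before applying it, and applies it with samba-tool dsacl set. The sam.ldb path, the domain DN and the OU DN are assumptions to be replaced with your own values.

```shell
# Added example, not code from the thread: grant the account 'mfp' write
# access to the single attribute 'pager' on every user under an OU, current
# and future, via one inherited ACE.  Assumed: Samba AD DC, sam.ldb at
# SAM_DB, domain DN BASE_DN (run as root on the DC).
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
SCHEMA_DN="CN=Schema,CN=Configuration,$BASE_DN"

# SDDL ACE: OA = object-specific, CI+IO = inherited by children only (not
# the OU itself), WP = write property.  First GUID = the attribute's
# schemaIDGUID (limits WP to it), second = class the ACE inherits to (user).
build_write_prop_ace() {
    trustee_sid="$1"; attr_guid="$2"; class_guid="$3"
    printf '(OA;CIIO;WP;%s;%s;%s)' "$attr_guid" "$class_guid" "$trustee_sid"
}

# Defensive check before applying: object-specific, WP and nothing else,
# a non-empty attribute GUID, and a domain SID as trustee (not a well-known
# SID such as Everyone).
ace_is_narrow_write_prop() {
    case "$1" in
        "(OA;CIIO;WP;"????????-*";"*";S-1-5-21-"*")") return 0 ;;
        *) return 1 ;;
    esac
}

# Look up a schemaIDGUID by lDAPDisplayName; Samba's ldbsearch prints it as
# a GUID string.  lookup_sid does the same for an account's objectSid.
lookup_schema_guid() {
    ldbsearch -H "$SAM_DB" -b "$SCHEMA_DN" "(lDAPDisplayName=$1)" schemaIDGUID \
        | sed -n 's/^schemaIDGUID: //p'
}
lookup_sid() {
    ldbsearch -H "$SAM_DB" -b "$BASE_DN" "(sAMAccountName=$1)" objectSid \
        | sed -n 's/^objectSid: //p'
}

# Apply: $1 = OU DN holding the users, $2 = trustee account (e.g. mfp).
# Check the result afterwards with: samba-tool dsacl get --objectdn="$1"
apply_pager_write_ace() {
    ace=$(build_write_prop_ace "$(lookup_sid "$2")" \
          "$(lookup_schema_guid pager)" "$(lookup_schema_guid user)")
    ace_is_narrow_write_prop "$ace" || { echo "refusing ACE: $ace" >&2; return 1; }
    samba-tool dsacl set --objectdn="$1" --sddl="$ace"
}

# Usage: sh grant_pager.sh --apply "OU=Users,DC=example,DC=com" mfp
if [ "${1:-}" = "--apply" ]; then
    apply_pager_write_ace "$2" "$3"
fi
```

The mfp account then binds to LDAP with its own credentials and can modify only pager on user objects under that OU; any other attribute or object class is still denied.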