On Wed, 2021-12-22 at 04:23 -0300, Sergio Belkin via samba wrote:
> Hi,
> If I run something like :
>
> ldapsearch -b dc=EXAMPLE,dc=com -D "CN=test,CN=Users,DC=example,DC=com" -ZZ -LLL -H ldap://ldap.example.com -W
>
> I get almost everything of another users (test is an ordinary user)
> for example that user could obtain fields such as:
>
> dn,objectClass,objectClass,objectClass,objectClass,sn,instanceType,whenCreated,uSNCreated,
> company,objectGUID,badPwdCount,codePage,countryCode,badPasswordTime,
> lastLogoff,primaryGroupID,objectSid,accountExpires,sAMAccountName,
> sAMAccountType,userPrincipalName,objectCategory,mail,pwdLastSet,
> userAccountControl,memberOf,cn,name,givenName,displayName,
> lastLogonTimestamp,whenChanged,uSNChanged,lastLogon,logonCount,
> distinguishedName,
>
> Please could you help me to restrict the queries, I'd want that every
> non-Administrator user can get only some attributes, but not everything.
> How can I do that using LDB, is that possible?
> Thanks in advance!
>
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
Sergio,

By default, membership of "Domain Users", which is in turn a member of Builtin\Users, grants quite a lot of permissions. That is why you see a lot of information. You can change the default ACLs in your domain but I really don't recommend it.

A better way is to create a new account to test with and a new group which you put the test account in, and remove it from Domain Users. Add ACLs to the group until you get what you need. Be sure to test absolutely everything - a pretty huge job! Now you can move your users into your new group in batches and remove them from Domain Users.

Another way is to copy your Domain Users group to a new group and use that as a starting point. You then work in the opposite way by removing rights from the new group instead of adding them to a blank new group. This is still a pretty big job and will need a lot of testing.

Windows works in mysterious ways and so does Samba, so be careful when playing with security ACLs. Please document your changes and check your backups.

Cheers
Jon
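The "test absolutely everything" step above needs a repeatable check of what an ordinary bind account can still read about other users after each ACL change. The script below is an added example, not code from the thread or from Samba: it re-runs the ldapsearch from the question and flags every returned attribute that is not on an allow-list. The allow-list, the `alice` object and the sample LDIF are constructed for illustration; the attribute names come from the question's output.

```shell
#!/bin/sh
# Audit helper: which attributes can a plain account read about other users,
# and which of them fall outside the allow-list we decided on?

# Attributes an ordinary account may see on other users (assumed policy).
ALLOWED="dn objectClass cn name displayName givenName sn sAMAccountName userPrincipalName mail memberOf distinguishedName"

# Distinct attribute names from LDIF on stdin. Drops folded continuation
# lines (leading space), comments and blank record separators; handles
# base64 "attr:: value" lines because only the text before the first ':' is kept.
ldif_attrs() {
    sed -e '/^ /d' -e '/^#/d' -e '/^$/d' -e 's/^\([^:]*\):.*/\1/' | LC_ALL=C sort -u
}

# Print each attribute from LDIF on stdin that is not in $ALLOWED.
unexpected_attrs() {
    ldif_attrs | while read -r attr; do
        case " $ALLOWED " in
            *" $attr "*) ;;                  # permitted, stay quiet
            *) printf '%s\n' "$attr" ;;      # leaks past the policy
        esac
    done
}

# Live run of the question's search as the test account; only the filter is
# added (assumption) so the account's own object does not skew the result.
# Usage: audit_live 'CN=test,CN=Users,DC=example,DC=com' ldap://ldap.example.com
audit_live() {
    ldapsearch -LLL -ZZ -H "$2" -D "$1" -W -b dc=example,dc=com \
        '(&(objectClass=user)(!(sAMAccountName=test)))' | unexpected_attrs
}

# Constructed LDIF modelled on the attributes listed in the question.
SAMPLE='dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
cn: alice
sAMAccountName: alice
badPwdCount: 3
pwdLastSet: 132835152000000000
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAA
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
description: a value that is
 folded across two lines
'
```

Run `printf '%s' "$SAMPLE" | unexpected_attrs` to see the five attributes the sample leaks; an empty result from `audit_live` after an ACL change means the test account sees nothing beyond the allow-list.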