ADAM10SP1 DSACLS: SELF right is disclosing too much
- From: dj.psd@xxxxxxx
- Date: 18 Nov 2006 07:12:55 -0800
To not open the whole directory for generic read, I tried the SELF
right:
dsacls \\localhost:389\dc=test /I:T /G S-1-1-0:LC;; (allow everyone
to list bare DNs without attributes)
dsacls \\localhost:389\dc=test /I:T /G S-1-5-10:RP;; (read one's own
attributes)
dsacls \\localhost:389\dc=test /I:T /G "S-1-5-10:RP;group membership;"
(read group data where oneself is a member)
The currently logged-on user is now able to see its own data and the data
of groups to which the user is assigned. But besides that, the
currently logged-on user can also see the other values of "member" in
group entries.
The SELF right in my understanding should not reveal information about
other users INCLUDING their membership. I expected "SELF" right on
group's member attribute to not show DNs of other users.
Is this due to directory engine design or can this be done with other
ACLs?
(I know there are other solutions ("tokengroups" and "memberof"), but
unfortunately there are LDAP out-of-the-box applications out there that
rely on "member" searches)
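The behaviour described in the post, modelled in an added Python example that is neither from this thread nor ADAM's own code: it applies the documented rule that the SELF placeholder (S-1-5-10) in an ACE on an object that is itself a security principal is replaced by that object's own SID before the token check, so on a group object SELF effectively means "the group itself", and every member's token carries the group's SID. All SIDs, DNs and user names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

SELF_SID = "S-1-5-10"      # well-known PRINCIPAL_SELF placeholder
EVERYONE_SID = "S-1-1-0"   # well-known Everyone SID

@dataclass
class Ace:
    trustee: str                      # SID as written in the dsacls /G argument
    rights: Set[str]                  # e.g. {"RP"} read property, {"LC"} list children
    attribute: Optional[str] = None   # None = whole object, else one attribute

@dataclass
class DirObject:
    dn: str
    object_sid: Optional[str]   # users and groups have one, containers do not
    aces: List[Ace]

@dataclass
class Token:
    user_sid: str
    group_sids: Set[str]   # SIDs of the groups the user is a member of

def effective_trustee(ace: Ace, obj: DirObject) -> Optional[str]:
    """SELF is replaced by the SID of the object being accessed (None if it has none)."""
    return obj.object_sid if ace.trustee == SELF_SID else ace.trustee

def can_read_attribute(token: Token, obj: DirObject, attribute: str) -> bool:
    """Simplified allow-only DACL walk: the first matching RP allow ACE grants access."""
    token_sids = {token.user_sid, EVERYONE_SID} | token.group_sids
    for ace in obj.aces:
        if "RP" not in ace.rights or ace.attribute not in (None, attribute):
            continue
        if effective_trustee(ace, obj) in token_sids:
            return True
    return False

# Constructed sample directory (hypothetical SIDs): three users, one group.
ALICE_SID, BOB_SID, CAROL_SID = "S-1-5-21-1-1001", "S-1-5-21-1-1002", "S-1-5-21-1-1003"
STAFF_SID = "S-1-5-21-1-2001"
alice = DirObject("cn=alice,dc=test", ALICE_SID, [Ace(SELF_SID, {"RP"})])
staff = DirObject("cn=staff,dc=test", STAFF_SID, [Ace(SELF_SID, {"RP"}, "member")])
alice_token = Token(ALICE_SID, {STAFF_SID})   # alice and bob are members of staff
bob_token = Token(BOB_SID, {STAFF_SID})
carol_token = Token(CAROL_SID, set())         # carol is not a member

def demo() -> dict:
    return {
        "alice_reads_own_attrs": can_read_attribute(alice_token, alice, "description"),
        "bob_reads_alice_attrs": can_read_attribute(bob_token, alice, "description"),
        # SELF on the group resolves to STAFF_SID, held by every member's token,
        # so members read the whole member list, including other members' DNs.
        "alice_reads_member": can_read_attribute(alice_token, staff, "member"),
        "carol_reads_member": can_read_attribute(carol_token, staff, "member"),
    }
```

Running `demo()` shows the asymmetry the poster hit: SELF on a user object limits reads to that one user, while SELF on a group object opens the attribute to every member of the group rather than to each member's own DN only.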