Re: ADAM10SP1 DSACLS: SELF right is disclosing too much
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 18 Nov 2006 18:45:04 -0500
Your understanding of SELF is a little off. SELF simply means anything that matches you, i.e. groups you are in, your user object. What permissions SELF has are assigned by you.
So the permissions you have set specifically give out what you are seeing. In fact, you don't even need the last line
> dsacls \\localhost:389\dc=test /I:T /G "S-1-5-10:RP;group membership;"
because that line is duplicating a portion of what was done by
> dsacls \\localhost:389\dc=test /I:T /G S-1-5-10:RP;;
specifically, only for the member and memberOf attributes, which is what the property set "Group Membership" represents. Since you didn't specify only USER objects, it applies to users and groups.
You can't configure any ACLs such that you can only see yourself (or any subset) in the member attribute. If you allow someone to see the member attribute, they see all values in the member attribute. You either grant RP of the member attribute or not... You can't grant access to see part of the member attribute.
You could prevent them from seeing any membership with something like
dsacls \\localhost:389\dc=test /I:T /D SomeGroup;RP;member;
You would assign that to some group that you add users to that you don't want seeing membership, i.e. don't add admins or others that need to see membership to that group.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
dj.psd@xxxxxxx wrote:
> To not open the whole directory for generic read, I tried the SELF right:
> dsacls \\localhost:389\dc=test /I:T /G S-1-1-0:LC;; (allow everyone to list bare DNs without attributes)
> dsacls \\localhost:389\dc=test /I:T /G S-1-5-10:RP;; (read oneself's attributes)
> dsacls \\localhost:389\dc=test /I:T /G "S-1-5-10:RP;group membership;" (read group data where oneself is a member)
> The currently logged on user is now able to see its own data and data of groups where the user is assigned to. But besides that, the currently logged on user can also see the other values of "member" in group entries.
> The SELF right in my understanding should not reveal information about other users INCLUDING their membership. I expected the "SELF" right on a group's member attribute to not show DNs of other users.
> Is this due to directory engine design or can this be done with other ACLs?
> (I know there are other solutions ("tokengroups" and "memberof"), but unfortunately there are LDAP out-of-the-box applications out there that rely on "member" searches)
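As an added example that is not part of the thread, the PowerShell script below applies the deny ACE Joe describes and then checks, bound as a restricted user and as an admin, which member values the directory actually returns. The server, partition and SID-style principal syntax follow the thread; the deny group's SID, the probe group CN=Probe,dc=test and the two Windows credentials are assumptions.

```powershell
# Added example, not from the thread: apply the Deny-RP-on-member ACE Joe
# suggests, then confirm what a member of the restricted group can read.
# Assumed: $DenyGroupSid is the SID of the "SomeGroup" from the thread
# (placeholder), CN=Probe,dc=test is a constructed test group, and the two
# credentials are Windows accounts, one inside and one outside SomeGroup.
param(
    [string]$Server       = "localhost:389",
    [string]$Partition    = "dc=test",
    [string]$DenyGroupSid = "S-1-5-21-PLACEHOLDER-RID",  # SID of SomeGroup
    [string]$ProbeGroupDn = "CN=Probe,dc=test",          # constructed group
    [Parameter(Mandatory)][pscredential]$Restricted,     # member of SomeGroup
    [Parameter(Mandatory)][pscredential]$Admin           # not in SomeGroup
)
Add-Type -AssemblyName System.DirectoryServices

# Read a group's member attribute as a given principal. ADAM simply omits
# attributes the caller lacks RP on, so a denied reader gets 0 values
# back rather than an error.
function Get-VisibleMembers {
    param([string]$GroupDn, [pscredential]$Cred)
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$GroupDn",
        $Cred.UserName,
        $Cred.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $entry.RefreshCache(@("member"))
    return @($entry.Properties["member"])
}

# 1. The deny ACE from the thread, inherited down the partition (/I:T).
& dsacls "\\$Server\$Partition" /I:T /D "${DenyGroupSid}:RP;member;"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 2. Verify from both sides: the restricted reader should get nothing,
#    the admin should still see the full value list.
$restrictedView = Get-VisibleMembers -GroupDn $ProbeGroupDn -Cred $Restricted
$adminView      = Get-VisibleMembers -GroupDn $ProbeGroupDn -Cred $Admin
"Restricted user sees {0} member value(s), expected 0" -f $restrictedView.Count
"Admin sees {0} member value(s)" -f $adminView.Count

# An explicit Allow set directly on a group object outranks an inherited
# Deny, so a non-zero count usually means such an ACE exists on that group.
if ($restrictedView.Count -ne 0) {
    Write-Warning "member still readable; check for an explicit Allow RP on $ProbeGroupDn"
}
```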