Re: Urgent: Restrict LDAP Queries of a domain user
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Jun 2007 12:42:30 -0500
The way I read your question was from a strictly LDAP sense. You initially
asked if a user could be set up so they could only do a subtree level query
from the domain root. That is not possible. If they can do a subtree
query, they can do a one-level or base level query as well. Additionally,
if they can see any objects below the domain root, they can use those
objects as the base DN of any other query too.
So technically, my answer to your original question was correct. However,
based on your follow up questions, I think what you are trying to do is not
what you really asked. You want to restrict certain types of read access
in general. This type of thing is certainly possible as well. However, by
default, users will have read access to just about everything in the
directory, so you'll need to do some work to change that. Hiding data from
users in the directory is possible, but the defaults make it such that it is
not that easy to do. It is also very easy to do something that will have
unintended consequences, so you must be careful.
I'm still not entirely sure I understand what your actual goal is.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Filipe" <clemente.filipe@xxxxxxxxx> wrote in message
news:1181921160.915704.240890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I can only set LDAP read permissions to all the tree? Not to some
portions (OUs) of the tree?
Joe Kaplan wrote:
From the LDAP perspective, you can't restrict this. If the users can read
objects in the tree, then they can use the object as a base DN in a query
and can use subtree, one level or base for their query level.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Filipe" <clemente.filipe@xxxxxxxxx> wrote in message
news:1181905342.631608.6480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I want to have a Windows 2003 domain user performing LDAP queries only
to a certain scope (subtree) of the entire Active Directory tree. I
only have one Windows 2003 domain.
Is there a way to restrict LDAP queries of a particular user?
Is this possible? If yes, how?
TIA,
Clemente
Portugal
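The two points Joe makes above (search scope is not a security boundary, and read visibility is governed by the ACL on the objects themselves) can be checked from an administrator's workstation. The script below is an added example written for this archive page; it is not code from the thread or from either poster. It assumes the ActiveDirectory PowerShell module and its AD: drive are available (shipped with Windows Server 2008 R2 and later, not with the Windows 2003 domain the original poster mentions), and it uses a hypothetical OU `OU=Restricted,DC=example,DC=com` and a hypothetical group `LimitedReaders` that you would replace with your own.

```powershell
# Added example, not from the original thread.
# Assumptions: ActiveDirectory module present; OU and group names below are placeholders.
Import-Module ActiveDirectory

$ou    = 'OU=Restricted,DC=example,DC=com'   # hypothetical OU to hide
$group = 'LimitedReaders'                     # hypothetical group to hide it from

# 1. Demonstrate the LDAP point: any base the caller can read accepts all three
#    scopes. There is no per-user switch that allows Subtree but forbids Base/OneLevel.
foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
    $count = @(Get-ADObject -SearchBase $ou -SearchScope $scope -Filter *).Count
    '{0,-8} scope from {1}: {2} object(s)' -f $scope, $ou, $count
}

# 2. Show what actually controls visibility: the ACL on the OU. List the ACEs
#    that currently grant read-type rights, which by default include broad groups.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|ListChildren') } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

# 3. Restrict read access for one group by adding an explicit Deny ACE that
#    applies to the OU and everything beneath it. Deny ACEs are evaluated before
#    Allow ACEs, so this wins over the default read grants. Run once with -WhatIf
#    first; a Deny on the wrong container is exactly the "unintended consequence"
#    the thread warns about.
$sid  = (Get-ADGroup -Identity $group).SID
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$ou" -AclObject $acl -WhatIf
# Remove -WhatIf to apply the change.

# 4. Verify from the restricted user's point of view: after the Deny is applied,
#    a subtree search rooted at the domain run with that user's credentials should
#    no longer return anything under $ou, while the rest of the domain is unchanged.
$cred    = Get-Credential -Message 'Account that is a member of the restricted group'
$visible = @(Get-ADObject -Credential $cred -SearchBase 'DC=example,DC=com' `
                          -SearchScope Subtree -Filter * |
             Where-Object { $_.DistinguishedName -like "*$ou" })
'Objects under {0} visible to {1}: {2}' -f $ou, $cred.UserName, $visible.Count
```

Step 4 is the check worth keeping around: rather than reasoning about inherited ACEs, bind as the restricted account and search from the domain root, which is the query the original poster wanted to constrain. Denying GenericRead on the OU hides its contents from that group, but it also blocks legitimate reads by any member of the group, including service accounts, so scope the group membership narrowly before applying it.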