RE: securing AD parameters

  • From: Dan HINCKLEY <danslists@xxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 25 Feb 2005 14:53:30 +0100

At 14:30 2/25/2005, you wrote:

I think you answered your own question (well, almost).

What you want are rights assignments. It's not done via attribute per se, but rather through permissions settings on the attributes. Often done via schema if global.

What exactly do you need to accomplish? By default LDAP users can't browse the directory in the first place without authentication.

There may be an easier way to do what you want, but we'll need more information about the expected end state.

I am looking for a way for an admin group (for example) to store mildly sensitive information using AD, and blocking access to that information for my LDAP users, for example, remote mail clients who use LDAP for address lookup; as these people authenticate with a username and password, as far as I can tell they could lookup any AD parameter unless it has restricted rights. I admit most wouldn't know the attributes are there or how to query them, but why take a chance?

If indeed it's a question of managing rights on AD attributes, i confess I have not gotten far enough into AD to know where to do that. If you have pointers for self-study I'd be delighted to have them. Yes, I do know the dangers of messing with the schema; we have a development server.

-----Original Message-----
From: Dan HINCKLEY [mailto:danslists@xxxxxxxx]
Sent: Friday, February 25, 2005 3:25 AM
To: [ExchangeList]
Subject: [exchangelist] securing AD parameters


Is there a way to set the security on an AD parameter (extensionAttribute1 for example) so that only specific users or groups can query it via LDAP? I'm looking at keeping certain info in user objects secure from the general LDAP user but accessible to those with the right to query it.

Other related posts: