[Samba] samba4 AD, allow users to modify (some of) their own attributes
mourik jan heupink - merit
2014-04-05 13:30:02 UTC
Hi all,

In our openldap days, we allowed users to modify some of their own ldap
records. They logged on with their own username/password, and were
allowed to change stuff like 'roomNumber', 'jpegPhoto', 'mobile', etc., etc.

It seems that samba4 AD handles permissions a bit stricter, and our
users are no longer allowed to edit those details.

I have searched around a bit, and found this:
http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/

Are there other ways to do this more easily, for example with acl's like we
had in openldap, or is the above link really the way to (attempt to) go
in samba4?

MJ
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2014-04-06 06:10:02 UTC
Post by mourik jan heupink - merit
Hi all,
In our openldap days, we allowed users to modify some of their own ldap
records. They logged on with their own username/password, and were
allowed to change stuff like 'roomNumber', 'jpegPhoto', 'mobile', etc., etc.
It seems that samba4 AD handles permissions a bit stricter, and our
users are no longer allowed to edit those details.
http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/
Are there other ways to do this more easily, for example with acl's like we
had in openldap, or is the above link really the way to (attempt to) go
in samba4?
That looks correct, as we implement NT ACLs on the AD database.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
mourik jan heupink - merit
2014-04-09 12:40:01 UTC
Hi list, Andrew,
Post by Andrew Bartlett
Post by mourik jan heupink - merit
http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/
Are there other ways to do this more easily, for example with acl's like we
had in openldap, or is the above link really the way to (attempt to) go
in samba4?
That looks correct, as we implement NT ACLs on the AD database.
Andrew Bartlett
Thanks for your response, Andrew. Now I have taken the time to study this a
bit more, but it seems that giving modify permissions to 'SELF' on our
Active Directory would mean users could edit ALL their details. This
seems a bit too loose...

I would like my users to be able to self-edit only some fields like
roomNumber, jpegPhoto, displayName, mobile, wWWHomePage, etc.

I don't think the above link would help me to get those permissions,
right? Has anyone else already done something like this?
Davor Vusir
2014-04-09 15:10:01 UTC
Post by mourik jan heupink - merit
Hi list, Andrew,
Post by Andrew Bartlett
Post by mourik jan heupink - merit
http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/
Are there other ways to do this more easily, for example with acl's like we
had in openldap, or is the above link really the way to (attempt to) go
in samba4?
That looks correct, as we implement NT ACLs on the AD database.
Andrew Bartlett
Thanks for your response, Andrew. Now I have taken the time to study this a
bit more, but it seems that giving modify permissions to 'SELF' on our
Active Directory would mean users could edit ALL their details.
This seems a bit too loose...
I would like my users to be able to self-edit only some fields like
roomNumber, jpegPhoto, displayName, mobile, wWWHomePage, etc.
I don't think the above link would help me to get those permissions,
right? Has anyone else already done something like this?
Start ADUC and create a group 'Selfie-PropEdit' and add the selected
user accounts and groups.

Right-click the container where the useraccounts are situated and start
the 'Delegate Control...'-wizard. Click Next.
Add the group 'Selfie-PropEdit' and click Next.
Choose 'Create a custom task to delegate' and click Next.
Choose 'Only the following objects in the folder', scroll down and mark
'User objects'. Click Next.
Mark 'Property-specific' and choose appropriate properties from the
'Permissions'-list and click Next.
Click Finish.

Regards
Davor
mourik jan heupink - merit
2014-04-09 15:30:02 UTC
Hi Davor, list,
Post by Davor Vusir
Start ADUC and create a group 'Selfie-PropEdit' and add the selected
user accounts and groups.
Right-click the container where the useraccounts are situated and start
the 'Delegate Control...'-wizard. Click Next.
Add the group 'Selfie-PropEdit' and click Next.
Choose 'Create a custom task to delegate' and click Next.
Choose 'Only the following objects in the folder', scroll down and mark
'User objects'. Click Next.
Mark 'Property-specific' and choose appropriate properties from the
'Permissions'-list and click Next.
Click Finish.
This is quite a cool recipe, thanks :-)

One question: doesn't the above mean Selfie-PropEdit users can edit
those attributes for ALL users? I would like them ONLY to be able to
edit their own details?

Thanks!
Davor Vusir
2014-04-09 17:10:03 UTC
Post by mourik jan heupink - merit
Hi Davor, list,
Post by Davor Vusir
Start ADUC and create a group 'Selfie-PropEdit' and add the selected
user accounts and groups.
Right-click the container where the useraccounts are situated and start
the 'Delegate Control...'-wizard. Click Next.
Add the group 'Selfie-PropEdit' and click Next.
Choose 'Create a custom task to delegate' and click Next.
Choose 'Only the following objects in the folder', scroll down and mark
'User objects'. Click Next.
Mark 'Property-specific' and choose appropriate properties from the
'Permissions'-list and click Next.
Click Finish.
This is quite a cool recipe, thanks :-)
One question: doesn't the above mean Selfie-PropEdit users can edit
those attributes for ALL users? I would like them ONLY to be able to
edit their own details?
You're welcome.

All users can edit all delegated user properties. Unfortunately.

/Davor
Post by mourik jan heupink - merit
Thanks!
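Added example, not code from the Samba project or from anyone in this thread. It covers both the delegation recipe Davor posted and his closing caveat: the difference between a write-property ACE with no attribute GUID (the "SELF can edit ALL their details" case), an attribute-scoped ACE granted to a group (which applies to every user object under the OU, not only the member's own account), and an attribute-scoped ACE whose trustee is PS (Principal Self, S-1-5-10), which AD and Samba resolve to the SID of the object being modified, so it matches only the user's own entry. The user class GUID is the well-known schemaIDGUID of the 'user' class; the attribute GUIDs and the group SID are placeholders I made up, and the SDDL is constructed, not dumped from a DC. On a Samba DC the real DACL can be read with samba-tool dsacl get --objectdn=... and written with samba-tool dsacl set --objectdn=... --sddl=..., after replacing the placeholder GUIDs with the schemaIDGUID of each attribute from your schema partition.

```python
"""Build and audit attribute-scoped write-property ACEs in SDDL form.

Added example for the Samba thread above; not Samba code. GUIDs marked
as placeholders are assumptions and must be looked up in your own schema.
"""
import re

# Well-known schemaIDGUID of the 'user' object class (verify against your schema).
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"

# Placeholder attribute GUIDs (assumption, not real values). The real value is
# the schemaIDGUID of each attributeSchema entry under CN=Schema,CN=Configuration.
ATTR_GUIDS = {
    "roomNumber": "11111111-1111-1111-1111-111111111111",
    "mobile":     "22222222-2222-2222-2222-222222222222",
}

_ACE_RE = re.compile(r"\(([^()]*)\)")
_GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Access-mask bits -> SDDL two-letter codes, for ACEs written with a hex mask.
_MASK_CODES = {0x10: "RP", 0x20: "WP", 0x40000: "WD", 0x80000: "WO",
               0x10000000: "GA", 0x40000000: "GW"}

# Anything in this set lets the trustee change the object; WP alone is the
# only one that can be narrowed to a single attribute by an object GUID.
WRITE_CODES = {"WP", "GA", "GW", "WD", "WO"}


def self_write_attr_ace(attr_guid, class_guid=USER_CLASS_GUID):
    """ACE granting the object itself (PS) write access to one attribute.

    Set on an OU with CIIO (container-inherit, inherit-only) it applies to
    objects of class_guid below the OU and not to the OU itself; this is
    the shape the ADUC 'Delegate Control' wizard produces for a
    property-specific grant, with PS in place of a delegated group.
    """
    for g in (attr_guid, class_guid):
        if not _GUID_RE.match(g.lower()):
            raise ValueError("not a GUID: %r" % g)
    return "(OA;CIIO;WP;%s;%s;PS)" % (attr_guid.lower(), class_guid.lower())


def _rights_codes(rights):
    """Normalise the rights field to a set of two-letter codes."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in _MASK_CODES.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the ACEs of the D: section as dicts; other sections are ignored."""
    m = re.search(r"D:(?:[A-Z]+)?((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj, inh_obj, trustee = parts
        aces.append(dict(type=ace_type, flags=flags, rights=_rights_codes(rights),
                         object=obj.lower(), inherit_object=inh_obj.lower(),
                         trustee=trustee))
    return aces


def audit(sddl, allowed_attr_guids):
    """One (trustee, object_guid, verdict) per allow-ACE that can write.

    'ok'            WP scoped to an allowed attribute GUID, trustee PS
    'broad'         generic/whole-object write, or WP with no object GUID
                    (every attribute of the object)
    'other-attr'    WP scoped to a GUID outside the allowed set; note the
                    GUID may name a property set rather than one attribute
    'not-self-only' scoped correctly but granted to a SID/group, so it
                    covers every object in scope, not only the caller's own
    """
    allowed = {g.lower() for g in allowed_attr_guids}
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):
            continue                      # deny and audit ACEs grant nothing
        if not (ace["rights"] & WRITE_CODES):
            continue                      # read-only ACE
        if (ace["rights"] & (WRITE_CODES - {"WP"})) or not ace["object"]:
            verdict = "broad"
        elif ace["object"] not in allowed:
            verdict = "other-attr"
        elif ace["trustee"] != "PS":
            verdict = "not-self-only"
        else:
            verdict = "ok"
        findings.append((ace["trustee"], ace["object"] or "*", verdict))
    return findings


# Constructed DACL (not captured from a DC): one correct self-scoped grant,
# one whole-object grant to SELF, and one attribute grant to a made-up group SID.
SAMPLE_SDDL = (
    "D:AI"
    + self_write_attr_ace(ATTR_GUIDS["roomNumber"])
    + "(A;;WP;;;PS)"
    + "(OA;CIIO;WP;%s;%s;S-1-5-21-1-2-3-1105)" % (ATTR_GUIDS["mobile"], USER_CLASS_GUID)
)

if __name__ == "__main__":
    for trustee, obj, verdict in audit(SAMPLE_SDDL, ATTR_GUIDS.values()):
        print("%-24s %-38s %s" % (trustee, obj, verdict))
```

Running it prints one line per ACE; only the first comes out as "ok", the second is flagged "broad" and the third "not-self-only". To get "only their own entry" semantics the trustee has to be PS, not a group: a group ACE is what the wizard produces, which is why Davor's delegation lets every member edit every user in the OU.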