How do I confine the scope of an LDAP search


  • How do I confine the scope of an LDAP search

    Hi,

    Scenario: We have an MS SharePoint Server which pulls user information from our AD database through LDAP queries.

    All user accounts are held in sub-OUs of a top-level OU called "Users".

    For admin purposes we have our domain accounts in a separate top-level OU called "Admin Users".

    Problem: When a user in SharePoint (or any other LDAP-querying package) performs an LDAP search, all user accounts are visible.

    Question: Is it possible to apply security to certain parts of the LDAP tree so that only the OUs I specify are visible when an LDAP search is performed? Or similarly, is it possible to block the OU "Admin Users" from being visible when LDAP queries are performed?

    Thanks...

  • #2
    Is the AD 2000 or 2003?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Sorry, Windows 2003 Server AD



      • #4
        You can re-ACL the AdminOU and revoke the "List Contents" right from the Authenticated Users. In W2K3 you need an explicit right to "List Contents" to access the container.

        Not sure in which security context SharePoint performs the search, but if it does so not in the user's context but rather in its own service account's context, you can Deny "List Contents" on the AdminOU for this service account.

        Just to point out the obvious: until now users could read the AdminOU with any LDAP browser, like LDP or ADSI Edit. The fact that with SP it's much easier exposes the fact to the masses, but you should not be deluded: it has nothing to do with SP (hence I mentioned removing "Authenticated Users" from the OU's ACL).
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"

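        Both of the ACL changes suggested in #4 (strip the Authenticated Users ACE that grants List Contents, or add an explicit Deny of List Contents for the SharePoint service account), followed by a check that an ordinary user no longer sees the accounts. This is an added example written for this thread, not something the poster supplied; the OU DN `OU=Admin Users,DC=corp,DC=example` and the service account `CORP\svc-sharepoint` are assumed names, and the ActiveDirectory module's `AD:` drive is used in place of the ADSI Edit GUI.

```powershell
# Added example (not from the thread). Hypothetical names:
#   OU DN           : OU=Admin Users,DC=corp,DC=example
#   service account : CORP\svc-sharepoint
# Run as a Domain Admin on a host with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$ouDN    = 'OU=Admin Users,DC=corp,DC=example'   # assumption
$svcAcct = 'CORP\svc-sharepoint'                 # assumption

# "List Contents" in the GUI is the ListChildren (LC) right in the API.
$listContents = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
$authUsers    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'   # Authenticated Users

# --- Option A (first suggestion in #4): remove the Authenticated Users ACE that grants List Contents.
# The default OU ACL carries that ACE as an explicit (non-inherited) entry, so every container
# under "Admin Users" has its own copy; fix them all, or a subtree search would still return
# the objects held in the sub-OUs.
$containers = @(Get-ADObject -Identity $ouDN) +
              @(Get-ADObject -SearchBase $ouDN -SearchScope Subtree `
                    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
                Where-Object { $_.DistinguishedName -ne $ouDN })

foreach ($c in $containers) {
    $path = "AD:\$($c.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $listContents) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers
    })
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    if ($toRemove.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }
}

# --- Option B (second suggestion in #4): explicit Deny of List Contents for the service account,
# applied to the OU and everything below it. Only the service account is affected, so this is
# only useful if SharePoint searches as that account rather than in the end user's context.
$svcSid = (New-Object System.Security.Principal.NTAccount $svcAcct).Translate(
              [System.Security.Principal.SecurityIdentifier])
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $svcSid,
            $listContents,
            [System.Security.AccessControl.AccessControlType]::Deny,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# --- Check: bind as an ordinary domain user (or as the service account for Option B) and run the
# same kind of subtree search SharePoint would. The OU itself stays visible (List Contents on the
# domain head is untouched), but the count of accounts returned under it should now be 0.
$testCred = Get-Credential -Message 'Account to test visibility with'
$visible  = @(Get-ADUser -SearchBase $ouDN -SearchScope Subtree -Filter * `
                 -Credential $testCred -ErrorAction SilentlyContinue)
"Accounts under '$ouDN' visible to $($testCred.UserName): $($visible.Count)"
```

        Two things worth checking before calling it done: run the check above with a real end-user account and with the SharePoint service account, not just as yourself, since Domain Admins keep their own explicit rights on the OU and will still see everything; and look at the remaining ACL (`(Get-Acl "AD:\$ouDN").Access`) for any other group that still holds List Contents there, because removing Authenticated Users only closes one of the paths.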


        • #5
          Yes, that works great.

          Thanks for your help.
