Reputation: 146
I have extended my schema to include a field called mobilePrivate. I have set the searchFlags for this attribute to 128 bits to make it confidential.
Now I am trying to allow user accounts to read/write to this attribute. I have the write part down, but when they try to read it back they can't. I have run the LDP.EXE tool provided with Windows Server 2012 and given NT AUTHORITY\SELF permissions on the OU where all the users are located, yet it still cannot read its own field.
Anybody have any ideas to get this working? I need to give the users the ability to enter their own private phone numbers without the data showing up in LDAP browses.
Upvotes: 1
Views: 1403
Reputation: 40988
According to this blog, they also need the 'Control Access' permission.
CF: Mark this attribute as confidential. This bit marks attributes as confidential so it can only be read by securityPrincipals that have special permission (“Read” and “Control Access”) to it.
Also, make sure you don't have any 'Deny' permissions that would apply to the user. 'Deny' takes precedence over 'Allow'.
Upvotes: 2
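The two rights the answer names (Read Property plus Control Access on the attribute itself) can be granted to NT AUTHORITY\SELF in one pass and the Deny check done in the same script. The following PowerShell is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module, an attribute whose lDAPDisplayName is `mobilePrivate`, and an OU distinguished name that you substitute for the placeholder. The `user` class schemaIDGUID (`bf967aba-0de6-11d0-a285-00aa003049e2`) and the SELF SID (`S-1-5-10`) are well-known constants; everything else is looked up from the directory.

```powershell
# Added example (not from the original post): grant NT AUTHORITY\SELF
# Read Property + Control Access on a confidential attribute, then list any
# Deny ACEs on the OU that would override the grant.
Import-Module ActiveDirectory   # also provides the AD: PSDrive used below

$attributeName = 'mobilePrivate'
$ouDN          = 'OU=Users,DC=example,DC=com'   # placeholder: OU holding the user objects

# 1. Resolve the attribute's schemaIDGUID; object-specific ACEs are keyed on it,
#    and confirm the confidential bit (searchFlags 0x80 = 128) is actually set.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
                     -LDAPFilter "(lDAPDisplayName=$attributeName)" `
                     -Properties schemaIDGUID, searchFlags
if (-not $attr) { throw "Attribute '$attributeName' not found in the schema" }
$attrGuid = [guid]$attr.schemaIDGUID
if (($attr.searchFlags -band 128) -eq 0) {
    Write-Warning "searchFlags bit 128 is not set on $attributeName; it is not confidential"
}

# Well-known schemaIDGUID of the 'user' class: the ACEs inherit only to user objects.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
# NT AUTHORITY\SELF, i.e. "the object being accessed", as a SID.
$self = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$caRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight  # "Control Access"

# 2. Two separate object ACEs, both scoped to the attribute GUID:
#    Read Property on the attribute, and Control Access on the attribute.
$readAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $self, $readRight, $allow, $attrGuid, $inherit, $userClassGuid)
$caAce   = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $self, $caRight,   $allow, $attrGuid, $inherit, $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($readAce)
$acl.AddAccessRule($caAce)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Deny takes precedence over Allow: report any Deny ACE on this OU that covers
#    the attribute (or all properties via the empty GUID) for either right.
$acl = Get-Acl -Path "AD:\$ouDN"
$blocking = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
    (($_.ActiveDirectoryRights -band ($readRight -bor $caRight)) -ne 0)
}
if ($blocking) {
    Write-Warning "Deny ACEs that would block reads of $attributeName on $ouDN:"
    $blocking | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
} else {
    Write-Host "No Deny ACEs on $ouDN cover $attributeName"
}

# 4. Verification, to be run in a session as one of the affected users:
#    Get-ADUser -Identity $env:USERNAME -Properties $attributeName | Select-Object $attributeName
```

The Deny check only inspects the OU's own DACL; a Deny inherited from a parent container, or one written into the user object's DACL directly, will also block the read, so run the same filter with `Get-Acl` against those paths if the verification step in a user's session still returns nothing.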