Restricting the rights (700) of the ldapsearch command to root user only

Hi all,

All my 5 documents on Active Directory are ready for publishing.

The last problem I have is with ldapsearch.

Since I cannot encrypt the Question/Answer for the Self Service Password and everyone can use ldapsearch to display the parameters of a user with:

# ldapsearch -Y EXTERNAL | grep -e "# " -e info:

# toto, People, directory.nh
info: {car}Honda

I decided to restrict the ldapsearch command to the root user only with:

# chmod 700 /usr/bin/ldapsearch

QUESTION:
Will it interfere with some applications, if any, using ldapsearch?
Another way for the question is: which programs absolutely need ldapsearch?

Michel-André

AFAIK, for most applications, when LDAP authentication is used, the ldapservice account is used. This is the LDAP bind account for the Samba4 account provider.
I think it would be a good idea to give that account rights to ldapsearch too.

Hi Rob,

Thank you very much for your reply.

On a server with LDAP as Accounts Provider, I changed the rights to 700 of /usr/bin/ldapsearch.

  • A standard user can log in to the Web interface and can change his password.
  • He can use Self Service Password and he can ask to change his password with a mail token. He logs in to Webmail, clicks the mail token link and he is able to change his password.

On a server with AD as Accounts Provider, I changed the rights to 700 of /usr/bin/ldapsearch.

  • A standard user can do the same as above.
  • A user on a Win-8.1 machine joined to AD can log in and do all the above also.

I don’t have a special application on the Nethserver to test further.

It looks like nobody is using ldapsearch… Maybe even the ldapservice does not use ldapsearch, or it has the same rights as root?

Any suggestion for other tests?

Michel-André

Unless it is root itself, this can’t be the case if you have set permissions to 700. The first digit gives full access to the specific account you gave the permission to: in this case root.
If you need to give another account permission too, the only way is to appoint a group with permissions and add that other account to that group. Then the 2nd digit should be different from 0. Basic file permissions…

Hi Rob,

Thank you for your reply.

What I had in mind was that if it is the system that starts ldapservice, then it will have the same rights as root?

# id ldap
uid=55(ldap) gid=55(ldap) groupes=55(ldap)

Because ldap has uid 55, which is in the range 0 to 99, is it a system account?

Not sure about all that,

Michel-André
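As an added example (not part of the thread), the following Python models the owner/group/other evaluation of the execute bit that Rob's "basic file permissions" remark refers to, applied to the two settings discussed (700 owned by root:root, and a group-based 750) and to the identities from the thread: root, the ldap account with uid 55 / gid 55, and an ordinary user (uid 1000 is a constructed value). Only uid 0 bypasses the check; a low "system" uid gets no special treatment.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: numeric uid plus every group it belongs to."""
    uid: int
    gids: frozenset


def can_execute(mode, owner_uid, owner_gid, who):
    """Owner -> group -> other evaluation of the execute permission.
    Root (uid 0) bypasses the DAC check but still needs at least one x bit."""
    if who.uid == 0:
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if who.uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in who.gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def can_execute_path(path, who):
    """Same check, but fed from a real file's stat() data."""
    st = os.stat(path)
    return can_execute(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, who)


# Constructed identities matching the thread (uid 1000 is an assumption).
ROOT = Principal(0, frozenset({0}))
LDAP = Principal(55, frozenset({55}))
USER = Principal(1000, frozenset({1000, 100}))
PRINCIPALS = (("root", ROOT), ("ldap", LDAP), ("user", USER))


def scenario_700():
    """chmod 700 /usr/bin/ldapsearch, still owned by root:root."""
    return {name: can_execute(0o700, 0, 0, who) for name, who in PRINCIPALS}


def scenario_group_750():
    """Rob's alternative: group set to ldap (gid 55) and chmod 750."""
    return {name: can_execute(0o750, 0, 55, who) for name, who in PRINCIPALS}


def demo_on_tempfile():
    """Apply 0700 to a scratch file and evaluate it for the current process."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o700)
        me = Principal(os.geteuid(), frozenset(os.getgroups()) | {os.getegid()})
        return can_execute_path(path, me)
    finally:
        os.unlink(path)
```

Running `scenario_700()` gives access to root only, while `scenario_group_750()` also admits the ldap account but still excludes the ordinary user.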