It's certainly doable... there are two gotchas though.
 
One, you need to use the 1.2.840.113556.1.4.801 (#defined as
LDAP_SERVER_SD_FLAGS_OID in ntldap.h) control on the search and modify
operations. This lets you set and retrieve portions of the
nTSecurityDescriptor attribute. The parameter is an integer bit mask that
describes what parts of the SD to return. See
http://msdn2.microsoft.com/en-gb/library/aa366987.aspx. When you update
the SD, be sure you set the flags only for the parts you are updating.
If you don't, you'll get an error on the update.
 
The other thing you have to worry about is that the nTSecurityDescriptor
attribute is a binary blob (ASN sequence of bytes). The blob is a
self-relative security descriptor structure as defined in winnt.h
(typedef'd as SECURITY_DESCRIPTOR_RELATIVE). You'll probably have to
create the structure definition yourself based on what's in winnt.h. I
don't know if the Samba headers have a usable definition or not.
 
-gil
 
Gil Kirkpatrick
CTO, NetPro
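As an added illustration of both gotchas (this is example code, not part of Gil's reply and not NetPro or Samba code): a standard-library Python script that builds the BER controlValue for LDAP_SERVER_SD_FLAGS_OID and parses, and for sample purposes constructs, a self-relative SECURITY_DESCRIPTOR_RELATIVE blob laid out as winnt.h defines it. The domain SIDs, RIDs and access mask in the sample descriptor are constructed values, the `flags_for_update` helper is this example's own way of expressing the "set the flags only for the parts you are updating" warning, and only the simple (non-object) ACE types are decoded; no LDAP connection is made.

```python
"""nTSecurityDescriptor helpers: SD_FLAGS control value + self-relative SD parser.
Standard library only. Sample data below is constructed, not from a real domain."""
import struct

LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# SECURITY_INFORMATION bits (winnt.h) that make up the control's integer
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8

# SECURITY_DESCRIPTOR_CONTROL bits we need (winnt.h)
SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2


def _ber_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def sd_flags_control_value(flags):
    """controlValue for LDAP_SERVER_SD_FLAGS_OID: SEQUENCE { INTEGER flags }."""
    raw = flags.to_bytes(max(1, (flags.bit_length() + 8) // 8), "big")  # keep sign bit clear
    integer = b"\x02" + _ber_len(len(raw)) + raw
    return b"\x30" + _ber_len(len(integer)) + integer


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: Revision, SubAuthorityCount, 6-byte BE authority, LE subauthorities."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    head = struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(buf, off):
    """Decode a binary SID at buf[off]; returns (string form, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def _parse_acl(buf, off):
    """ACL header (8 bytes) followed by AceCount ACEs; only mask+SID ACE types are decoded."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        ace = {"type": ace_type, "flags": ace_flags}
        if ace_type <= 3:  # allowed/denied/audit/alarm: header, Mask, SID
            ace["mask"] = struct.unpack_from("<I", buf, pos + 4)[0]
            ace["sid"] = sid_from_bytes(buf, pos + 8)[0]
        else:              # object ACEs carry extra flag/GUID fields; keep them raw here
            ace["raw"] = bytes(buf[pos + 4:pos + ace_size])
        aces.append(ace)
        pos += ace_size
    return aces


def parse_sd(blob):
    """Parse a self-relative SECURITY_DESCRIPTOR_RELATIVE (20-byte header + offsets)."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"control": control, "owner": None, "group": None, "dacl": None, "sacl": None}
    if o_owner:
        sd["owner"] = sid_from_bytes(blob, o_owner)[0]
    if o_group:
        sd["group"] = sid_from_bytes(blob, o_group)[0]
    if control & SE_DACL_PRESENT and o_dacl:
        sd["dacl"] = _parse_acl(blob, o_dacl)
    if control & SE_SACL_PRESENT and o_sacl:
        sd["sacl"] = _parse_acl(blob, o_sacl)
    return sd


def flags_for_update(sd):
    """SD_FLAGS bits matching exactly the parts a parsed SD carries (helper added by this example):
    send only these bits on the modify, since bits for absent parts make the update fail."""
    flags = 0
    if sd["owner"] is not None:
        flags |= OWNER_SECURITY_INFORMATION
    if sd["group"] is not None:
        flags |= GROUP_SECURITY_INFORMATION
    if sd["dacl"] is not None:
        flags |= DACL_SECURITY_INFORMATION
    if sd["sacl"] is not None:
        flags |= SACL_SECURITY_INFORMATION
    return flags


def build_sd(owner, group, allowed):
    """Construct a minimal self-relative SD with owner, group and an allow-only DACL (sample data)."""
    aces = b""
    for sid, mask in allowed:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(allowed), 0) + aces
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    o_owner, o_group = 20, 20 + len(owner_b)
    o_dacl = o_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         o_owner, o_group, 0, o_dacl)
    return header + owner_b + group_b + acl


# Constructed sample: made-up domain SID, Domain Admins-style RID 512, full-control mask 0xF01FF.
SAMPLE_SD = build_sd("S-1-5-21-1111-2222-3333-512", "S-1-5-21-1111-2222-3333-512",
                     [("S-1-5-21-1111-2222-3333-1105", 0x000F01FF)])

if __name__ == "__main__":
    parsed = parse_sd(SAMPLE_SD)
    print(parsed)
    print("search/modify control:", LDAP_SERVER_SD_FLAGS_OID,
          sd_flags_control_value(flags_for_update(parsed)).hex())
```

Against a real server you would pass `(LDAP_SERVER_SD_FLAGS_OID, criticality, sd_flags_control_value(flags))` as a server control on the search and on the modify; ldap3's `ldap3.protocol.microsoft.security_descriptor_control` helper builds the same tuple. Reading with flags 0x7 (owner, group, DACL) and writing the result back with flags 0x7 is the round trip the question asks for; asking for the SACL (0x8) additionally needs SeSecurityPrivilege on the caller.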

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santiago,
Felderi (F.)
Sent: Tuesday, December 12, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Possibility of writing to ntSecurityDescriptor with
LDAP and Unix




I know this may sound crazy, but I need to write to the
ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
Any clues?  Essentially, what I am trying to do is query the
ntsecuritydescriptor attribute of an object already in AD to see the
value, and, moving forward, I would like to set the same value on a
specific object.

Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
Windows and want to do everything Unix.  Any tips or tricks would be
greatly appreciated.

Thank you!  
