RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-16 Thread joe
I am not so sure he needs to be able to actually understand what is in the
blob so decoding of any part of the security descriptor shouldn't be
necessary. Sounds like he simply wants to copy from one object to another
and that should be possible using the LDAP_SERVER_SD_FLAGS_OID control which
really shouldn't be all that difficult to build and submit to the server
assuming you have ber_printf available and I believe most LDAP APIs do have
it. 

If copying the entire SD and the app has the appropriate rights (i.e.
something with rights to modify the SACL as that is generally the touchy
part), it may be possible to do it without using the control even. It isn't
something I have tried to do personally.

Now seeing the domain from which the original poster is writing and having
some detailed understanding of that specific environment and knowing all of
the Enterprise/Domain Administrators, I am curious what exactly they want to
do from UNIX and Java with machine accounts and whether they are chatting
with anyone as they may find they really don't have rights to do what they
are wanting to do or are specifically disallowed from mucking with it.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Tuesday, December 12, 2006 11:00 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Possibility of writing to ntSecurityDescriptor with
LDAP and Unix

On Tue, 12 Dec 2006 14:49:46 -0500
Santiago, Felderi (F.) [EMAIL PROTECTED] wrote:

 
> I know this may sound crazy, but I need to write to the
> ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
> Any clues?  Essentially, what I am trying to do is query the
> ntsecuritydescriptor attribute of an object already in AD to see the
> value and would like, moving forward, to set the same value on a
> specific object.
> 
> Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
> Windows and want to do everything Unix.  Any tips or tricks would be
> greatly appreciated.

Doubt it. Basically you need two things: an LDAP client that supports the
LDAP_SERVER_SD_FLAGS_OID control and a library that understands how to
decode and manipulate the binary array of ACEs that makes up a security
descriptor. The first part is easy. The second part is very difficult
unless you're comfortable hacking in C or Java.

As LDAP clients on UNIX go the best ones are:

1) OpenLDAP's C library which gives you low level access to build controls
and therefore will definitely allow you to set LDAP_SERVER_SD_FLAGS_OID
flags.
2) Java's JNDI which should also have low level access but I'm not sure.
3) The Perl binding for OpenLDAP is pretty good but again I'm not sure
you can do an arbitrary LDAPControl.

As security descriptor libraries go there are only two that I'm aware of:

1) Samba has a C api and a Python binding but it could be difficult trying
to decipher how to use it as it most likely is not designed specifically
for generic use such as this.
2) JCIFS has code to get security descriptors and resolve names of SIDs
but it only has code to decode security descriptors not encode them. But
the only reason that I mention JCIFS is because if *I* had to do this,
I think JNDI/JCIFS would be the path of least resistance and you would
end up with a pretty nice and flexible solution.

Or, if they're ok with using a web interface you could write an ASP to do
the work and protect it with Kerberos SSO which Firefox can do.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-12 Thread Gil Kirkpatrick
It's certainly doable... there are two gotchas though.
 
One, you need to use the 1.2.840.113556.1.4.801 (#defined as
LDAP_SERVER_SD_FLAGS_OID in ntldap.h) control on the search and modify
operations. This lets you set and retrieve portions of the
nTSecurityDescriptor attribute. The parameter is an integer bit mask that
describes what parts of the sd to return. See
http://msdn2.microsoft.com/en-gb/library/aa366987.aspx. When you update
the SD, be sure you set the flags only for the parts you are updating.
If you don't you'll get an error on the update.
 
The other thing you have to worry about is that the nTSecurityDescriptor
attribute is a binary blob (ASN sequence of bytes). The blob is a
self-relative security descriptor structure as defined in winnt.h
(typedef'd as SECURITY_DESCRIPTOR_RELATIVE). You'll probably have to
create the structure definition yourself based on what's in winnt.h. I
don't know if the Samba headers have a usable definition or not.
 
-gil
 
Gil Kirkpatrick
CTO, NetPro



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santiago,
Felderi (F.)
Sent: Tuesday, December 12, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Possibility of writing to ntSecurityDescriptor with
LDAP and Unix




I know this may sound crazy, but I need to write to the
ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
Any clues?  Essentially, what I am trying to do is query the
ntsecuritydescriptor attribute of an object already in AD to see the
value and would like, moving forward, to set the same value on a
specific object.

Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
Windows and want to do everything Unix.  Any tips or tricks would be
greatly appreciated.

Thank you!  
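An added Python sketch (not code from any of the posters, nor from Samba or JCIFS) of the two pieces Gil and joe describe: decoding the self-relative nTSecurityDescriptor blob (SECURITY_DESCRIPTOR_RELATIVE) to see which parts it carries, deriving the SD_FLAGS bit mask for the modify so only those parts are sent (the SACL only when the caller actually holds that right), and BER-encoding the control value that ber_printf would otherwise build. The sample descriptor is constructed inline; passing the OID and value to a real LDAP library is left to the reader.

```python
import struct
SD_FLAGS_OID = "1.2.840.113556.1.4.801"            # LDAP_SERVER_SD_FLAGS_OID (ntldap.h)
OWNER, GROUP, DACL, SACL = 0x1, 0x2, 0x4, 0x8      # *_SECURITY_INFORMATION bits
SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010  # SECURITY_DESCRIPTOR Control bits

def sd_flags_control_value(flags):
    """BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER } for 0 <= flags < 128."""
    return b"\x30\x03\x02\x01" + bytes([flags])

def parse_sid(blob, off):
    """Decode a binary SID at offset; return (S-1-... string, byte length)."""
    rev, count, auth = blob[off], blob[off + 1], int.from_bytes(blob[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_acl(blob, off):
    """Walk an ACL header plus its ACEs: [(ace_type, ace_flags, access_mask, trustee_sid), ...]."""
    ace_count = struct.unpack_from("<H", blob, off + 4)[0]
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        aces.append((ace_type, ace_flags, mask, parse_sid(blob, pos + 8)[0]))
        pos += ace_size    # AceSize from the wire advances the cursor, not our own arithmetic
    return aces

def parse_sd(blob):
    """Decode a self-relative SECURITY_DESCRIPTOR_RELATIVE header and the parts it points to."""
    rev, _sbz1, control, o_own, o_grp, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    sd = {"revision": rev, "control": control, "present": 0}
    parts = ((OWNER, o_own, "owner", True), (GROUP, o_grp, "group", True),
             (DACL, o_dacl, "dacl", control & SE_DACL_PRESENT),
             (SACL, o_sacl, "sacl", control & SE_SACL_PRESENT))
    for bit, off, key, flagged in parts:
        if off and flagged:   # offset 0 means absent; DACL/SACL also need their Control bit
            sd[key] = parse_acl(blob, off) if bit & (DACL | SACL) else parse_sid(blob, off)[0]
            sd["present"] |= bit
    return sd

def flags_for_copy(sd, may_write_sacl=False):
    # SD_FLAGS for the modify: only parts actually present, and the SACL only when permitted
    return sd["present"] if may_write_sacl else sd["present"] & ~SACL

def build_sample_sd():
    """Constructed sample: owner/group Administrators, one Everyone ACE in the DACL, no SACL."""
    admins = b"\x01\x02" + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)  # S-1-5-32-544
    everyone = b"\x01\x01" + (1).to_bytes(6, "big") + struct.pack("<I", 0)       # S-1-1-0
    ace = struct.pack("<BBHI", 0x00, 0x00, 8 + len(everyone), 0x001F01FF) + everyone
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 20, 36, 0, 52)
    return hdr + admins + admins + acl
```

Read the source object with all four bits set, then use flags_for_copy() on the parsed result for the modify; sending a bit for a part the blob does not contain is exactly the update error Gil warns about.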



Re: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-12 Thread Michael B Allen
On Tue, 12 Dec 2006 14:49:46 -0500
Santiago, Felderi (F.) [EMAIL PROTECTED] wrote:

 
> I know this may sound crazy, but I need to write to the
> ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
> Any clues?  Essentially, what I am trying to do is query the
> ntsecuritydescriptor attribute of an object already in AD to see the
> value and would like, moving forward, to set the same value on a
> specific object.
> 
> Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
> Windows and want to do everything Unix.  Any tips or tricks would be
> greatly appreciated.

Doubt it. Basically you need two things: an LDAP client that supports the
LDAP_SERVER_SD_FLAGS_OID control and a library that understands how to
decode and manipulate the binary array of ACEs that makes up a security
descriptor. The first part is easy. The second part is very difficult
unless you're comfortable hacking in C or Java.

As LDAP clients on UNIX go the best ones are:

1) OpenLDAP's C library which gives you low level access to build controls
and therefore will definitely allow you to set LDAP_SERVER_SD_FLAGS_OID
flags.
2) Java's JNDI which should also have low level access but I'm not sure.
3) The Perl binding for OpenLDAP is pretty good but again I'm not sure
you can do an arbitrary LDAPControl.

As security descriptor libraries go there are only two that I'm aware of:

1) Samba has a C api and a Python binding but it could be difficult trying
to decipher how to use it as it most likely is not designed specifically
for generic use such as this.
2) JCIFS has code to get security descriptors and resolve names of SIDs
but it only has code to decode security descriptors not encode them. But
the only reason that I mention JCIFS is because if *I* had to do this,
I think JNDI/JCIFS would be the path of least resistance and you would
end up with a pretty nice and flexible solution.

Or, if they're ok with using a web interface you could write an ASP to do
the work and protect it with Kerberos SSO which Firefox can do.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/