RE: [ActiveDir] Using an LDIF to set ACLs
That would actually be really cool in my opinion; not only for LDIFs but for general scripting and programming. Whenever I'm creating some sort of automation tool for AD I always have to stop and think about how to set the ACL piece because it seems so different from the way you set other Directory data. Although it might just be that my feeble brain is not capable of remembering two different processes ;)

From: [EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Friday, October 06, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF. At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLdap do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIF'able. Alas.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Using an LDIF to set ACLs
Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.
Re: [ActiveDir] Using an LDIF to set ACLs
There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it. You'd be better off using a different tool in my opinion.

Al

On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:

Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.
RE: [ActiveDir] Using an LDIF to set ACLs
I think you could but it would be non-trivial, I agree with Al, use a different tool. dsacls or scripting is the "standard". Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 06, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using an LDIF to set ACLs

There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it. You'd be better off using a different tool in my opinion.

Al
RE: [ActiveDir] Using an LDIF to set ACLs
Ouch, that does sound like a lot of trouble. And once the binary string is in the LDIF, admins won't be able to tell what the string is doing. Sounds like dsacls is the way to go. Thanks for the info.

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

I think you could but it would be non-trivial, I agree with Al, use a different tool. dsacls or scripting is the "standard". Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Using an LDIF to set ACLs
Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF. At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLdap do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIF'able. Alas.

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

I think you could but it would be non-trivial, I agree with Al, use a different tool. dsacls or scripting is the "standard". Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
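An added example, not code from any post in this thread: it puts joe's route (SDDL to binary SD to base64 to nTSecurityDescriptor in an LDIF record) together with Dmitri's caveat that LDIF can only replace the whole value, so the current descriptor must be read first and the one new ACE merged into it. It uses .NET's RawSecurityDescriptor on a constructed SDDL string rather than reading a live object, and the SID, DN and SDDL are placeholders.

```powershell
# Added example, not code from any post in this thread. It combines joe's
# route (SDDL -> binary SD -> base64 -> nTSecurityDescriptor in an LDIF record)
# with Dmitri's caveat: LDIF can only replace the whole descriptor, so the
# current value has to be read first and the single new ACE merged into it.
# Everything below is constructed and runs offline; SID, DN and SDDL are
# placeholders, not values from any real directory.

function Merge-DaclAce([string]$Sddl, [string]$Ace) {
    # Split into owner/group prefix, DACL flags, the ACE list and an optional
    # trailing SACL so that only the ACE list is modified.
    if ($Sddl -notmatch '^(?<pre>.*?D:)(?<flags>[A-Z]*)(?<aces>(?:\([^)]*\))*)(?<sacl>S:.*)?$') {
        throw "SDDL has no DACL: $Sddl"
    }
    $m = $matches
    # One string per ACE: roughly the multi-valued view Dmitri describes.
    $aces = @([regex]::Matches($m.aces, '\([^)]*\)') | ForEach-Object { $_.Value })
    if ($aces -notcontains $Ace) { $aces += $Ace }   # idempotent add
    # The new ACE is appended; a production tool should re-canonicalise the
    # DACL (explicit deny before allow) instead of trusting input order.
    return $m.pre + $m.flags + ($aces -join '') + $m.sacl
}

function New-SdReplaceLdif([string]$Dn, [string]$Sddl) {
    # SDDL -> self-relative binary descriptor -> base64, as joe outlines.
    $sd    = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $bytes = New-Object -TypeName 'byte[]' -ArgumentList $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $b64   = [Convert]::ToBase64String($bytes)
    # '::' marks a base64 value in LDIF (RFC 2849). This is a wholesale replace
    # of owner, group, DACL and SACL: LDIF has no way to attach the SD-flags
    # LDAP control that would confine the write to the DACL alone.
    return (@("dn: $Dn", 'changetype: modify', 'replace: nTSecurityDescriptor',
              "nTSecurityDescriptor:: $b64", '-') -join "`n")
}

# Constructed current descriptor: owner/group BUILTIN\Administrators, DACL
# inherited flag set, read for Authenticated Users and full control for SYSTEM.
$current = 'O:BAG:BAD:AI(A;;GR;;;AU)(A;;GA;;;SY)'
# Constructed ACE to add: generic write for a placeholder domain-group SID.
$newAce  = '(A;;GW;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

$merged = Merge-DaclAce -Sddl $current -Ace $newAce
Write-Host "Merged SDDL: $merged"
# The record would be imported with 'ldifde -i -f <file>', and only succeeds
# for an account allowed to write every part of the descriptor.
New-SdReplaceLdif -Dn 'OU=Servers,DC=example,DC=com' -Sddl $merged
```

The base64 blob in the output is exactly the opaque string the next reply complains about: nobody reviewing the LDIF can see which ACE it adds without decoding it back to SDDL.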
Re: [ActiveDir] Using an LDIF to set ACLs
I'd love to see something like that as a constructed read/write attribute if it could ever be made to happen. You could also blow apart the fields in the SD into separate attributes to make the semantics more clear.

Joe

----- Original Message -----
From: Dmitri Gavrilov
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:40 PM
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF. At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLdap do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIF'able. Alas.