Re: How to set ADAM ACL programmatically?




At a high level, you would be passing in raw binary here. Essentially, you would use the Win32 security descriptor APIs to do the SD manipulation and then get a copy of the binary buffer containing the SD data to pass back into AD via LDAP.

Since I'm not an LDAP API guy, I can't give you many specifics here.

Another thing that might help you with reverse engineering would be to use the SD editor built into the version of ldp.exe that comes with ADAM SP1 to do some manipulations, then look at the mod operations performed on the wire using a packet sniffer like Ethereal. That should help you with reverse engineering.

Joe K.
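As an added example (not code from anyone in this thread), the following C program shows what the "raw binary" Joe K. describes actually looks like: it builds, by hand, the self-relative security descriptor that ConvertStringSecurityDescriptorToSecurityDescriptor would produce for the ACE "(A;CI;GR;;;<sid>)" used later in the thread, and the BER-encoded value of the LDAP_SERVER_SD_FLAGS_OID control (1.2.840.113556.1.4.801) that limits the write to the DACL. It is portable C with the winnt.h constants written out by value, so it compiles anywhere; the SID S-1-5-21-1-2-3-1104 is constructed for the example, the DACL contains only that one ACE, and EXPECTED_WIRE is what you would see for that blob in ldp.exe or a sniffer.

```c
/* Added example: build the binary (self-relative) security descriptor that
 * ntSecurityDescriptor takes, for the SDDL ACE "(A;CI;GR;;;<sid>)" from the
 * thread, plus the BER value for the LDAP_SERVER_SD_FLAGS_OID control that
 * restricts the write to the DACL. Portable C; the winnt.h constants are
 * written out by value. The SID below is constructed, not a real one. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SE_DACL_PRESENT            0x0004
#define SE_SELF_RELATIVE           0x8000
#define ACCESS_ALLOWED_ACE_TYPE    0x00         /* SDDL "A"  */
#define CONTAINER_INHERIT_ACE      0x02         /* SDDL "CI" */
#define GENERIC_READ               0x80000000u  /* SDDL "GR" */
#define OWNER_SECURITY_INFORMATION 0x1          /* SD_FLAGS control bits */
#define GROUP_SECURITY_INFORMATION 0x2
#define DACL_SECURITY_INFORMATION  0x4
#define SACL_SECURITY_INFORMATION  0x8          /* requires SeSecurityPrivilege */
#define EXAMPLE_SID "S-1-5-21-1-2-3-1104"       /* constructed for the example */

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Text SID -> binary SID: revision, sub-authority count, 48-bit big-endian
 * identifier authority, then little-endian sub-authorities. 0 if malformed. */
size_t sid_to_binary(const char *text, uint8_t *out, size_t cap)
{
    unsigned rev; unsigned long long auth; int n = 0;
    if (sscanf(text, "S-%u-%llu%n", &rev, &auth, &n) != 2 || rev != 1 || (auth >> 48) != 0) return 0;
    uint32_t subs[15]; unsigned count = 0; const char *p = text + n;
    while (*p == '-') {
        char *end; unsigned long v = strtoul(p + 1, &end, 10);
        if (end == p + 1 || count == 15) return 0;
        subs[count++] = (uint32_t)v; p = end;
    }
    if (*p != '\0' || count == 0 || 8 + 4 * (size_t)count > cap) return 0;
    out[0] = 1; out[1] = (uint8_t)count;
    for (int i = 0; i < 6; i++) out[2 + i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (unsigned i = 0; i < count; i++) put_le32(out + 8 + 4 * i, subs[i]);
    return 8 + 4 * (size_t)count;
}

/* Self-relative SD with no owner/group/SACL and a one-ACE DACL:
 *   SECURITY_DESCRIPTOR_RELATIVE (20) | ACL (8) | ACCESS_ALLOWED_ACE (8 + SID) */
size_t build_dacl_only_sd(uint8_t ace_flags, uint32_t mask, const char *sid_text, uint8_t *out, size_t cap)
{
    uint8_t sid[68]; size_t sidlen = sid_to_binary(sid_text, sid, sizeof sid);
    if (sidlen == 0) return 0;
    size_t acelen = 8 + sidlen, acllen = 8 + acelen, total = 20 + acllen;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 1;                                     /* SECURITY_DESCRIPTOR_REVISION */
    put_le16(out + 2, SE_SELF_RELATIVE | SE_DACL_PRESENT);
    put_le32(out + 16, 20);                         /* OffsetDacl; owner/group/SACL offsets stay 0 */
    uint8_t *acl = out + 20;
    acl[0] = 2;                                     /* ACL_REVISION; use 4 (ACL_REVISION_DS) once object ACEs appear */
    put_le16(acl + 2, (uint16_t)acllen);
    put_le16(acl + 4, 1);                           /* AceCount */
    uint8_t *ace = acl + 8;
    ace[0] = ACCESS_ALLOWED_ACE_TYPE; ace[1] = ace_flags;
    put_le16(ace + 2, (uint16_t)acelen);
    put_le32(ace + 4, mask);
    memcpy(ace + 8, sid, sidlen);
    return total;
}

/* Value of control 1.2.840.113556.1.4.801: SEQUENCE { INTEGER flags }.
 * Only the four SECURITY_INFORMATION bits are defined, so a one-byte INTEGER. */
size_t sd_flags_control_value(unsigned flags, uint8_t *out, size_t cap)
{
    if (flags == 0 || flags > 0x0f || cap < 5) return 0;
    out[0] = 0x30; out[1] = 0x03; out[2] = 0x02; out[3] = 0x01; out[4] = (uint8_t)flags;
    return 5;
}

/* What ldp.exe or a sniffer shows for the example blob: 64 bytes. */
static const uint8_t EXPECTED_WIRE[64] = {
    0x01,0x00,0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,            /* SD header, control 0x8004 */
    0x02,0x00,0x2c,0x00, 0x01,0x00,0x00,0x00,                               /* ACL: rev 2, size 44, 1 ACE */
    0x00,0x02,0x24,0x00, 0x00,0x00,0x00,0x80,                               /* ACE: A, CI, size 36, GR  */
    0x01,0x05, 0,0,0,0,0,0x05, 0x15,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0x50,0x04,0,0 };

int example_matches_wire(void)
{
    static const uint8_t exp_ctl[5] = { 0x30, 0x03, 0x02, 0x01, 0x04 };   /* DACL only */
    uint8_t sd[256], ctl[8];
    size_t n = build_dacl_only_sd(CONTAINER_INHERIT_ACE, GENERIC_READ, EXAMPLE_SID, sd, sizeof sd);
    size_t c = sd_flags_control_value(DACL_SECURITY_INFORMATION, ctl, sizeof ctl);
    return n == sizeof EXPECTED_WIRE && memcmp(sd, EXPECTED_WIRE, n) == 0
        && c == 5 && memcmp(ctl, exp_ctl, 5) == 0;
}

int sid_is_rejected(const char *text) { uint8_t b[68]; return sid_to_binary(text, b, sizeof b) == 0; }

int main(void)
{
    uint8_t sd[256];
    size_t n = build_dacl_only_sd(CONTAINER_INHERIT_ACE, GENERIC_READ, EXAMPLE_SID, sd, sizeof sd);
    for (size_t i = 0; i < n; i++) printf("%02x%c", sd[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    return example_matches_wire() ? 0 : 1;
}
```

On Windows the two buffers go straight into winldap.h structures: the SD bytes become the berval of an LDAPMod with mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES (ntSecurityDescriptor is single-valued and always present, so LDAP_MOD_ADD is the wrong operation), and the control bytes become ldctl_value of an LDAPControl whose ldctl_oid is "1.2.840.113556.1.4.801" and ldctl_iscritical is TRUE, passed as a server control to ldap_modify_ext_s. Sending the control with only DACL_SECURITY_INFORMATION keeps the server from touching the owner, group and SACL, which is where the privilege problems described later in the thread come from. Note that a DACL written this way replaces the whole DACL, not just adds one ACE; in real code read the existing ntSecurityDescriptor first and insert the new ACE in canonical order before writing it back, which is exactly the ordering pitfall Joe Richards warns about below.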

"An" <An@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:03594C78-30A3-41AD-B3FA-0B4655C938D1@xxxxxxxxxxxxxxxx
I know it can be very painful, but I really have no choice. It's a part of integrating my application with ADAM test. My application has to be able to programmatically set the ACL for the ADAM partition that it creates. Without being able to set it programmatically, the integration doesn't happen.

You mentioned that you have tried to programmatically update ACLs successfully using the LDAP API; can you give some tips and some sample code? What do you pass as the flag for the mod operation mod_op? Is LDAP_MOD_BVALUES one of the flags? Since the type is "ntSecurityDescriptor" I'm not sure what flag to pass in the mod_op field for that type.

Any suggestion is greatly appreciated.
Thank you,
An


"Joe Richards [MVP]" wrote:

You can't set an SDDL value, you have to encode the SDDL into a blob and write that.

This is an extremely painful way of updating ACLs and you can mess all sorts of things up because you don't necessarily order things properly. I am experienced with both Windows LDAP and Windows Security Descriptors and I am still nervous when I write ACL update code.




--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



An wrote:
The format of the ACE that I passed in was incorrect. I didn't include the string in the "(" and ")".
After I fixed this I got "Server is unwilling to perform".
My ACE string is in the format: "(A;CI;GR;;;[object SID that I got from searching])"


"An" wrote:

I use ldap_modify_s() to try to modify the "ntSecurityDescriptor" and got an error "Invalid Syntax", which I expected because I'm not sure what kind of value "ntSecurityDescriptor" expects.
I passed it in as LDAP_MOD_BVALUES; I didn't convert the value to any format, just simply did a memcpy to the .bv_val.
Do I need to convert the value to some other format?
Can you take a look at the sample code below and give me some suggestions on the syntax of the "ntSecurityDescriptor"?
Here is the sample code that I have (winldap.h; _aceStr holds the SDDL ACE text, _ace_dn the DN of the object being modified):
...
LDAPMod *modEntry[2];            /* NULL-terminated list of modifications */
LDAPMod modAce;                  /* the single modification */
struct berval *attr[2];          /* NULL-terminated list of binary values */
struct berval aceVal = {0, NULL};

modEntry[0] = &modAce;
modEntry[1] = NULL;

/* binary (berval) value for the ntSecurityDescriptor attribute */
modAce.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
modAce.mod_type = "ntSecurityDescriptor";
modAce.mod_vals.modv_bvals = attr;

attr[0] = &aceVal;
attr[1] = NULL;

/* the value is the SDDL ACE text copied byte for byte, no conversion */
aceVal.bv_len = strlen(_aceStr);

aceVal.bv_val = (char *)calloc(1, aceVal.bv_len + 1);
if (aceVal.bv_val == NULL)
{
    printf("out of memory\n");
    goto cleanup;
}
memcpy(aceVal.bv_val, _aceStr, aceVal.bv_len);
rc = ldap_modify_s(ldap, _ace_dn, modEntry);   /* returns LDAP_INVALID_SYNTAX */
...
Thank you,
An
"Joe Kaplan (MVP - ADSI)" wrote:

The attribute is definitely ntSecurityDescriptor. You should be able to retrieve that with LDP as a binary blob representing a security descriptor, but make sure you are bound as a Windows admin when you do so that you can read the whole object. The security descriptor has some interesting behavior where you need a special OS privilege to read the SACL part of the SD and if you don't have that, you can only retrieve certain parts. If you don't specify the server control that allows you to specify which parts of the SD you want, it will try to retrieve the whole thing and may fail as a result.

Joe K.

"An" <An@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D5116A9-DB0B-49FA-8D50-3891B6A6813B@xxxxxxxxxxxxxxxx
Hi Joe,
You mentioned using the LDAP API to also set the ACL. Do you know what attribute ADAM uses to store the ACL? I read on one of the Microsoft help pages that I searched that the ACL for ADAM is stored in the attribute "ntSecurityDescriptor", but if I try to query for that attribute it gives me back nothing.

My application involves programmatically creating the partitions using objects and classes that I defined in ADAM, then I need to also set the ACL programmatically to control the access on the partition that I created. I'm more interested in using the LDAP APIs to do it. If you have any information about this, please point me to it.

Thank you.
An

"Joe Kaplan (MVP - ADSI)" wrote:

The only way I would consider easy is to use .NET 2.0 System.DirectoryServices and the ACL support there. It works fine with ADAM.

The current ADSI interface for security descriptors, IADsSecurityDescriptor, has some issues with ADAM. This will be fixed in a future release, but it can make for a painful experience for now.

You can also use lower level Windows security APIs for programming SDs and write the binary data to ADAM using LDAP.

However, much of the time I see people setting ACLs programmatically, it ends up being something that they could have done declaratively in the UI (even with a low level UI tool like LDP from ADAM SP1). It is beneficial to your admins to not rely on code for doing this stuff if it can be avoided. This isn't always the case, but many times it is.

Joe K.

"An" <An@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CFFCBE14-C75A-4EC8-B432-C937D62A3CCE@xxxxxxxxxxxxxxxx
Hi,
I'm new with ADAM. I would like to set the ACL for certain ADAM objects programmatically. I'm trying to look for some sample code on how to do that and am unable to find any.
I used the tool dsacls.exe to set the ACL manually, but I want to do it programmatically because sometimes my application would create groups on the fly and I also want to add ACLs for these groups on specific ADAM partitions.
If any of you have done this before please let me know.

Thanks,
An









