Re: AD Schema extension and ACLing



Ok, I think I got the conversion to work FINALLY! After much
searching, many red herrings and several false starts I ended up with
the following VB.NET code to convert the GUID into an Octet String
(decimal):

Imports ADs ' need the ADs.dll for this, but if you know the
            ' equivalent .NET functions DO TELL

Module Module1

    Sub Main()
        ' Computer class schemaIDGUID in its usual text form
        Console.WriteLine(ConvertGUIDtoOCTET("bf967a86-0de6-11d0-a285-00aa003049e2"))
    End Sub

    '================================================================
    ' ConvertGUIDtoOCTET function
    ' Takes the text form of a GUID, puts the bytes in the order AD
    ' stores them (first three fields little-endian, last 8 bytes
    ' unchanged) and returns them as space-separated 3-digit decimals.
    '================================================================
    Function ConvertGUIDtoOCTET(ByVal strGUID As String) As String
        Dim octetStr As String
        Dim tmpGUID As String = ""
        Dim i As Short
        Dim t As String
        Dim s As String = ""
        Dim vGUID As Byte()

        ' strip braces and dashes, leaving the 32 hex digits
        For i = 0 To Len(strGUID) - 1
            t = Mid(strGUID, i + 1, 1)
            Select Case t
                Case "{", "}", "-"
                    ' drop the separator
                Case Else
                    tmpGUID = tmpGUID + t
            End Select
        Next

        ' reverse the byte order of the first three fields (Mid is 1-based)
        octetStr = Mid(tmpGUID, 7, 2) ' 0
        octetStr = octetStr + Mid(tmpGUID, 5, 2) ' 1
        octetStr = octetStr + Mid(tmpGUID, 3, 2) ' 2
        octetStr = octetStr + Mid(tmpGUID, 1, 2) ' 3
        octetStr = octetStr + Mid(tmpGUID, 11, 2) ' 4
        octetStr = octetStr + Mid(tmpGUID, 9, 2) ' 5
        octetStr = octetStr + Mid(tmpGUID, 15, 2) ' 6
        octetStr = octetStr + Mid(tmpGUID, 13, 2) ' 7
        octetStr = octetStr + Mid(tmpGUID, 17, Len(tmpGUID)) ' 8..15 stay as they are

        ' hex string -> byte array via the ADs type library
        Dim oConvert = New ADs.ArrayConvert
        vGUID = oConvert.CvHexStr2vOctetStr(octetStr)

        ' ADSI Edit wants each byte as three digits separated by a space
        For Each b As Byte In vGUID
            If s = "" Then
                s = b.ToString("D3")
            Else
                s = s + " " + b.ToString("D3")
            End If
        Next

        ConvertGUIDtoOCTET = s
    End Function

End Module
------

This should result in:

134 122 150 191 230 013 208 017 162 133 000 170 000 048 073 226

which should match the decimal value of the schemaIDGUID of the
Computer schema class!

Ok, one small hurdle overcome, now back to the controlAccessRights...

Brad Turner, MIIS MVP
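As an added example that is not part of this thread: the same conversion in Python with only the standard library (`uuid.UUID(...).bytes_le` performs the byte reordering the VB code does with `Mid()`), producing every rendering mentioned in the thread: the hex string GuidConverter prints, the three-digit decimal string ADSI Edit accepts, the octal rendering, the escaped form for an LDAP search filter, and the base64 form for a `schemaIDGUID::` line in LDIF. The GUID is the Computer class schemaIDGUID quoted above; the function names and the LDIF helper (which follows the shape of Paul's attributeSchema example) are my own.

```python
import base64
import uuid

# Constructed sample input: the schemaIDGUID of the Computer class, as quoted in the thread.
COMPUTER_SCHEMA_ID_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"


def guid_to_ad_bytes(guid_text: str) -> bytes:
    """Return the 16 bytes AD stores for a GUID given in text form.

    The text form spells Data1, Data2 and Data3 big-endian, but the stored
    GUID structure holds them little-endian; the last eight bytes keep their
    order. uuid.bytes_le performs exactly that reordering. Braces, upper case
    and a missing "-" are all accepted by uuid.UUID.
    """
    return uuid.UUID(guid_text).bytes_le


def ad_bytes_to_guid(raw: bytes) -> str:
    """Inverse direction: turn the 16 bytes read back from schemaIDGUID into text form."""
    if len(raw) != 16:
        raise ValueError("a schemaIDGUID is exactly 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def guid_forms(guid_text: str) -> dict:
    """Every rendering of the GUID that the thread mentions, keyed by name."""
    raw = guid_to_ad_bytes(guid_text)
    return {
        # what the GuidConverter tool prints
        "hex": raw.hex().upper(),
        # what ADSI Edit's octet string editor takes: three digits per byte, space separated
        "decimal": " ".join(f"{b:03d}" for b in raw),
        # the same bytes in octal, the other form quoted in the thread
        "octal": " ".join(f"{b:03o}" for b in raw),
        # RFC 4515 escaping for a search filter such as (schemaIDGUID=\86\7a\96...)
        "ldap_filter": "".join(f"\\{b:02x}" for b in raw),
        # base64, which LDIF uses for binary values (note the double colon)
        "ldif": "schemaIDGUID:: " + base64.b64encode(raw).decode("ascii"),
    }


def attribute_schema_ldif(cn: str, ldap_display_name: str, guid_text: str,
                          attribute_id: str = "<ID goes here>",
                          base_dn: str = "dc=domain-name,dc=com") -> str:
    """Render an attributeSchema add entry in the shape of Paul's example, with
    the schemaIDGUID pinned to a fixed value as Joe recommends (hypothetical helper)."""
    lines = [
        f"dn: cn={cn},cn=schema,cn=configuration,{base_dn}",
        "changetype: ntdsSchemaAdd",
        "objectClass: attributeSchema",
        f"ldapDisplayName: {ldap_display_name}",
        f"attributeId: {attribute_id}",
        "attributeSyntax: 2.5.5.3",
        "omSyntax: 27",
        "isSingleValued: TRUE",
        guid_forms(guid_text)["ldif"],
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, value in guid_forms(COMPUTER_SCHEMA_ID_GUID).items():
        print(f"{name:12} {value}")
    # A new attribute gets its own freshly generated GUID; the ACL system keys
    # object-specific ACEs on this value, so never reuse an existing one.
    print(attribute_schema_ldif("new-attr", "newAttribute", str(uuid.uuid4())))
```

Running the script prints the five renderings for the Computer class GUID followed by an LDIF entry for a new attribute with a freshly generated, fixed schemaIDGUID that can be pasted into documentation and reused verbatim on every forest that receives the extension.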

Brad Turner [MIIS MVP] wrote:
Thanks Joe,

I'm trying to use your GUIDConverter tool, but the Octet String it
provides is not compatible with the Octet String (Octal) the
attributeSecurityGUID or schemaIDGUID requires. For instance:

Your tool provides as the Octet String (using the Computer class
schemaIDGUID - bf967a86-0de6-11d0-a285-00aa003049e2):
867A96BFE60DD011A28500AA003049E2

But the interface wants three digits offset by a space (taken from
Computer schemaIDGUID):
206 172 226 277 346 015 320 021 242 205 000 252 000 060 111 342

schemaIDGUID and attributeSecurityGUID require the same input
characteristics and I am modifying the attributes using ADSI Edit.
What am I doing wrong here?

Brad Turner, MIIS MVP

Joe Kaplan wrote:
schemaIDGUID is required, but AD and ADAM will create one on the fly for you
if you don't specify one. From my perspective though, this is a bad thing.
The schemaIDGUID should be a fixed, published value, like the
attribute/class name and OID, as it is used in the ACLing system for
attributes and classes. You really want all instances of the same schema
object to have the same schemaIDGUID.

You can specify this attribute value (and any other binary value) to LDIF in
base64 format. It just so happens that I have a handy tool called
GuidConverter on the website for my book that will generate and convert
GUIDs into LDAP friendly formats such as octet strings, LDAP filter syntax
and Base64 (for just this purpose). It will give you a handy way to create
some guids, save them in your documentation somewhere and copy and paste
into your LDIF script. It is in the files section of the website in the
signature. You can also do this pretty easily with other tools. The code
is pretty trivial.

Regarding the default security descriptor stuff, I'm not sure how that works
with an aux class. I think the default security descriptor comes from the
concrete class. I don't know if that would get merged together with one
defined on an auxClass or not. It sounds unlikely to me.

What you might be best off doing would be to create a property set for the
attributes in question so that they can all be ACLed atomically. The
documentation in MSDN describes how to set this up. You can also create the
property set object via LDIF (although it isn't a schema object; it goes in
the extended rights container instead).

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Brad Turner [MIIS MVP]" <bradturner32@xxxxxxxxx> wrote in message
news:1158003127.650260.9400@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Paul,

Thanks for the reply - the example will work out great. I see that I
will need to make a few calls to schemaUpdateNow and I see an example
of the class defaultSecurityDescriptor so I should be able to export my
examples and weed out the unneeded lines.

Now in the MSDN reference under "Defining a new Attribute"
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/defining_a_new_attribute.asp)
they show a matrix that claims that schemaIDGUID is required but I
don't see how that is possible before creation - is that a doc bug?

Also, do you have any comments on the ACL problem of protecting the
custom attributes themselves from Read access?

Brad Turner, MIIS MVP

Paul Williams [MVP] wrote:
LDIFDE in export mode (default) will produce an LDIF file for you. It's a
bit stupid and dumps a couple of constructed or system-only attributes that
need to be excluded, e.g. whenChanged, but otherwise works fine.

If you have some schema extensions and want an LDIF file of those, there's
also the schema analyser tool that ships with ADAM SP1 (R2).

An example can be found here:
--
http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx


Basically, you have something like this:

dn: cn=new-attr,cn=schema,cn=configuration,dc=domain-name,dc=com
changeType: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: newAttribute
attributeId: <ID goes here>
attributeSyntax: 2.5.5.3
omSyntax: 27
isSingleValued: TRUE

# reload the cache
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# class (a class definition is a classSchema object, not attributeSchema)
dn: cn=new-class,cn=schema,cn=configuration,dc=domain-name,dc=com
changeType: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: newClass
governsId: <ID goes here>
objectClassCategory: 3
rDNAttID: cn
mayContain: newAttribute


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

