#1
    Registered User (Devshed Newbie), joined Dec 2011, 1 post

    Setting ntSecurityDescriptor permissions using JAVA


    I need a way to set permissions in LDAP. I cannot use the Access Control List, as that attribute does not exist, and it appears that Active Directory uses ntSecurityDescriptor, which is not a multi-text field.

    I would like to modify/set ntSecurityDescriptor, which in turn hopefully produces the correct ACL with the correct ACE fields.

    Any suggestions would be helpful. Thanks in advance.
    G
#2
    Registered User (Devshed Newbie), joined Jan 2015, 1 post

    I created a Java (JNDI) library (Apache2 license) for Windows ntSecurityDescriptor management. Start with the Tirasa Blog post "Java library for Windows NT security descriptor management" for an intro.

    Take a look at the library (https://github.com/Tirasa/ADSDDL) integration tests for any help. Below is an example that adds the 'user cannot change password' ACE to the DACL.

    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;

    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.ModificationItem;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.Control;
    import javax.naming.ldap.LdapContext;

    // ADSDDL classes (https://github.com/Tirasa/ADSDDL)
    import net.tirasa.adsddl.ntsd.ACE;
    import net.tirasa.adsddl.ntsd.SDDL;
    import net.tirasa.adsddl.ntsd.SID;
    import net.tirasa.adsddl.ntsd.controls.SDFlagsControl;
    import net.tirasa.adsddl.ntsd.data.AceObjectFlags;
    import net.tirasa.adsddl.ntsd.data.AceRights;
    import net.tirasa.adsddl.ntsd.data.AceType;
    import net.tirasa.adsddl.ntsd.utils.GUID;
    import net.tirasa.adsddl.ntsd.utils.NumberFacility;

    public class UserCannotChangePassword {

        // Well-known GUID of the "User-Change-Password" extended right (control access right).
        private static final String UCP_OBJECT_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b";

        // SD_FLAGS control value DACL_SECURITY_INFORMATION: read and write only the DACL part.
        private static final int DACL_SECURITY_INFORMATION = 0x00000004;

        /**
         * Implements "user cannot change password" for one user entry: deny the
         * User-Change-Password right to Everyone (S-1-1-0) and to Principal Self (S-1-5-10).
         *
         * @param ctx          an already bound LdapContext
         * @param baseContext  search base (e.g. the users container)
         * @param searchFilter filter selecting exactly one user entry
         */
        public static void denyUserChangePassword(final LdapContext ctx, final String baseContext,
                final String searchFilter) throws NamingException {

            final SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { "nTSecurityDescriptor" });

            // Restrict both the read and the later write-back to the DACL, so that the
            // owner, group and SACL parts of the descriptor are left untouched.
            ctx.setRequestControls(new Control[] { new SDFlagsControl(DACL_SECURITY_INFORMATION) });

            final NamingEnumeration<SearchResult> results = ctx.search(baseContext, searchFilter, controls);
            if (!results.hasMore()) {
                throw new NamingException("No entry matches filter " + searchFilter);
            }
            final SearchResult res = results.next();
            final String dn = res.getNameInNamespace();

            final byte[] orig = (byte[]) res.getAttributes().get("nTSecurityDescriptor").get();
            results.close();

            // Parse the binary (self-relative) security descriptor.
            final SDDL sddl = new SDDL(orig);

            // Collect existing object ACEs (allow or deny) that already target the
            // User-Change-Password right for Everyone or Principal Self.
            final List<ACE> toBeChanged = new ArrayList<>();
            for (ACE ace : sddl.getDacl().getAces()) {
                if ((ace.getType() == AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE
                        || ace.getType() == AceType.ACCESS_DENIED_OBJECT_ACE_TYPE)
                        && ace.getObjectFlags().getFlags().contains(AceObjectFlags.Flag.ACE_OBJECT_TYPE_PRESENT)
                        && GUID.getGuidAsString(ace.getObjectType()).equals(UCP_OBJECT_GUID)) {

                    final SID sid = ace.getSid();
                    if (sid.getSubAuthorities().size() == 1
                            && (isSid(sid, 0x01, 0x00)      // S-1-1-0  Everyone
                            || isSid(sid, 0x05, 0x0a))) {   // S-1-5-10 Principal Self
                        toBeChanged.add(ace);
                    }
                }
            }

            if (toBeChanged.isEmpty()) {
                // No matching ACEs yet: append two explicit deny ACEs.
                sddl.getDacl().getAces().add(denyUcpAce(0x000000000001, 0x00)); // S-1-1-0
                sddl.getDacl().getAces().add(denyUcpAce(0x000000000005, 0x0A)); // S-1-5-10
            } else {
                // Matching ACEs exist (typically as "allow"): flip them to "deny".
                for (ACE ace : toBeChanged) {
                    ace.setType(AceType.ACCESS_DENIED_OBJECT_ACE_TYPE);
                }
            }

            // Write the modified descriptor back. The SD_FLAGS control set above is still
            // in effect, so only the DACL is replaced on the server.
            final Attribute ntSecurityDescriptor = new BasicAttribute(
                    "ntSecurityDescriptor", sddl.toByteArray());
            final ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, ntSecurityDescriptor) };
            ctx.modifyAttributes(dn, mods);
        }

        // True if the SID has the given 6-byte identifier authority and exactly the given
        // single 4-byte sub-authority (both compared in the byte order the library exposes).
        private static boolean isSid(final SID sid, final int authority, final int subAuthority) {
            return Arrays.equals(sid.getIdentifierAuthority(),
                    new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, (byte) authority })
                    && Arrays.equals(sid.getSubAuthorities().get(0),
                    new byte[] { 0x00, 0x00, 0x00, (byte) subAuthority });
        }

        // Builds an object ACE that denies the User-Change-Password extended right (CR =
        // control access) to the SID made of the given identifier authority and sub-authority.
        private static ACE denyUcpAce(final int authority, final int subAuthority) {
            final ACE ace = ACE.newInstance(AceType.ACCESS_DENIED_OBJECT_ACE_TYPE);
            ace.setObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.ACE_OBJECT_TYPE_PRESENT));
            ace.setObjectType(GUID.getGuidAsByteArray(UCP_OBJECT_GUID));
            // addOjectRight is the method's actual (misspelled) name in the ADSDDL API.
            ace.setRights(new AceRights().addOjectRight(AceRights.ObjectRight.CR));
            final SID sid = SID.newInstance(NumberFacility.getBytes(authority));
            sid.addSubAuthority(NumberFacility.getBytes(subAuthority));
            ace.setSid(sid);
            return ace;
        }
    }
