ldap object access controls

Denis Cardon dcardon at tranquil.it
Fri May 4 12:26:47 UTC 2018


Hi William,

> I'm currently trying to understand the samba4/ad ldap object access
> control for search and how to manipulate these.
>
> Looking at various objects I can't seem to see where AD is storing the
> ACE entries, even though you can "edit" them via ADSI and the like.
>
> What attribute of the object are the ACE attributes stored in and how
> can I modify these via the ldap interface? Any documentation or
> references about this topic would be excellent,

I don't think it is advisable to directly edit the ntSecurityDescriptor
attributes. If you don't mind using some Python, you can get some
inspiration from Andrew's mitigation script for CVE-2018-1057 mitigation
[1]. I used it as a basis for implementing some ACL handling at clients
recently.

Cheers,

Denis

[1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper

>
> Thank you!
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
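
Added example (not part of the message above and not Samba project code): a read-only, pure-Python decoder that lists the ACEs held in an ntSecurityDescriptor value, assuming the attribute has already been fetched as raw bytes in the self-relative binary layout. The function names, the sample descriptor and the GUID in it are constructed for illustration.

```python
import struct
import uuid

ACE_TYPES = {0: "ALLOW", 1: "DENY", 5: "ALLOW_OBJECT", 6: "DENY_OBJECT"}
SE_DACL_PRESENT = 0x0004

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into its S-1-... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return the DACL's ACEs from a self-relative security descriptor."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    aces, off = [], dacl_off + 8  # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > len(sd):
            raise ValueError("ACE at offset %d overruns the descriptor" % off)
        (mask,) = struct.unpack_from("<I", sd, off + 4)
        ace = {"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags, "mask": mask}
        pos = off + 8
        if ace_type in (5, 6):  # object ACEs carry optional GUIDs before the SID
            (obj_flags,) = struct.unpack_from("<I", sd, pos)
            pos += 4
            for bit, key in ((1, "object_type"), (2, "inherited_object_type")):
                if obj_flags & bit:
                    ace[key] = str(uuid.UUID(bytes_le=bytes(sd[pos:pos + 16])))
                    pos += 16
        if ace_type in ACE_TYPES:  # unknown ACE types are reported without a trustee
            ace["trustee"] = parse_sid(sd, pos)
        aces.append(ace)
        off += ace_size
    return aces

# Constructed sample (not from a real directory): allow S-1-5-11, object-deny S-1-1-0.
_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed GUID
_ACE1 = struct.pack("<BBHI", 0, 0, 20, 0x00020094) + bytes.fromhex("01010000000000050b000000")
_ACE2 = struct.pack("<BBHII", 6, 0, 40, 0x100, 1) + _GUID.bytes_le + bytes.fromhex("010100000000000100000000")
_DACL = struct.pack("<BBHHH", 4, 0, 8 + 20 + 40, 2, 0) + _ACE1 + _ACE2
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + _DACL
```
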