ldap object access controls
william at blackhats.net.au
Mon May 7 00:33:02 UTC 2018
On Fri, 2018-05-04 at 14:26 +0200, Denis Cardon wrote:
> Hi William,
> > I'm currently trying to understand the samba4/ad ldap object access
> > control for search and how to manipulate these.
> > Looking at various objects I can't seem to see where AD is storing the
> > ACE entries, even though you can "edit" them via ADSI and the like.
> > What attribute of the object are the ACE attributes stored in and how
> > can I modify these via the ldap interface? Any documentation or
> > references about this topic would be excellent,
> I don't think it is advisable to directly edit the
> attributes. If you don't mind using some python, you can get some
> inspiration from Andrew's mitigation script for CVE-2018-1057
> . I used it as a basis for implementing some ACL handling at
I've already submitted a patch in another thread for modifying these
as part of the dsacl command,
>  https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_hel
> > Thank you!