ldap object access controls
William Brown
william at blackhats.net.au
Mon May 7 00:33:02 UTC 2018
On Fri, 2018-05-04 at 14:26 +0200, Denis Cardon wrote:
> Hi William,
>
> > I'm currently trying to understand the samba4/ad ldap object access
> > control for search and how to manipulate these.
> >
> > Looking at various objects I can't seem to see where AD is storing the
> > ACE entries, even though you can "edit" them via ADSI and the like.
> >
> > What attribute of the object are the ACE attributes stored in and how
> > can I modify these via the ldap interface? Any documentation or
> > references about this topic would be excellent,
>
> I don't think it is advisable to directly edit the ntSecurityDescriptor
> attributes. If you don't mind using some python, you can get some
> inspiration from Andrew's mitigation script for CVE-2018-1057 mitigation
> [1]. I used it as a basis for implementing some ACL handling at clients
> recently.
Hey mate,
I've already submitted a patch in another thread for modifying these
as part of the dsacl command.
Thank you!
>
> Cheers,
>
> Denis
>
> [1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper
>
> >
> > Thank you!
> >
>
>
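Added example, not part of the thread and not Samba's or Andrew's code: the ntSecurityDescriptor attribute named above holds a binary self-relative security descriptor, and the ACEs sit in its DACL. This stand-alone parser lists them for read-only auditing; the function names and the sample descriptor are constructed for illustration.

```python
import struct

ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT"}

def parse_sid(buf, off):
    # Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities.
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return [(ace_type, access_mask, trustee_sid)] for each ACE in the DACL."""
    rev, _, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:   # SE_DACL_PRESENT clear: no DACL
        return []
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    end = dacl_off + acl_size
    if end > len(sd):
        raise ValueError("ACL runs past the end of the descriptor")
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > end:
            raise ValueError("ACE size out of bounds")
        (mask,) = struct.unpack_from("<I", sd, off + 4)
        sid_off = off + 8
        if ace_type in (5, 6):                  # object ACE: flags + optional GUIDs
            (obj_flags,) = struct.unpack_from("<I", sd, sid_off)
            sid_off += 4 + 16 * bin(obj_flags & 0x3).count("1")
        sid = parse_sid(sd, sid_off) if ace_type in ACE_TYPES else None
        aces.append((ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type), mask, sid))
        off += ace_size
    return aces

# Constructed sample (not taken from a real directory): one DACL holding two ACEs.
def build_sid(authority, *subs):
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))
def build_ace(ace_type, mask, sid, extra=b""):
    body = struct.pack("<I", mask) + extra + sid
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

SAMPLE_ACES = (build_ace(0, 0x00020094, build_sid(5, 11))   # plain allow ACE
               + build_ace(5, 0x100, build_sid(1, 0), struct.pack("<I", 1) + bytes(16)))  # zero GUID
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)
             + struct.pack("<BBHHH", 4, 0, 8 + len(SAMPLE_ACES), 2, 0) + SAMPLE_ACES)
```

`parse_dacl(SAMPLE_SD)` yields one tuple per ACE; the same function accepts the raw attribute bytes returned by an LDAP search.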