Question for time based group membership in FL 2016

Kees van Vloten keesvanvloten at gmail.com
Fri Feb 2 11:19:35 UTC 2024


On 02-02-2024 11:29, Rowland Penny via samba-technical wrote:
> On Thu, 1 Feb 2024 23:32:37 +0100
> Kees van Vloten via samba-technical <samba-technical at lists.samba.org>
> wrote:
>
>> On 01-02-2024 22:42, Rowland Penny via samba-technical wrote:
>>> On Thu, 1 Feb 2024 22:16:35 +0100
>>> Kees van Vloten via samba-technical
>>> <samba-technical at lists.samba.org> wrote:
>>>
>>>> On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
>>>>> On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
>>>>>> Hi to all,
>>>>>>
>>>>>> I already posted the question in the samba mailing list but I think
>>>>>> it's more a question for developers :-)
>>>>>>
>>>>>> I have a question about FL 2016 and if samba supports it. If yes,
>>>>>> how can I use it without powershell.
>>>>>>
>>>>>> In FL 2016 there is the possibility to put a user into a group
>>>>>> and the membership is time based. So I could put the user Foo
>>>>>> into the group 'domain admins' for 30 minutes and after 30
>>>>>> minutes the system will remove user foo from the group.
>>>>> That sounds good. We don't do that, and we don't call it part of
>>>>> "functional level 2016".
>>>>>
>>>>> The things that count as "functional level" are listed here:
>>>>>
>>>>> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
>>>>>
>>>>>
>>>>> They are protocol level things -- supporting FL2016 means you can
>>>>> properly be a DC in an FL2016 domain.
>>>>>
>>>>> Temporary membership is a useful trick that Windows Server 2016
>>>>> can do, for which FL2016 is necessary, but not sufficient.
>>>>>
>>>>> That's my understanding, at least.
>>>>>
>>>>> Douglas
>>>>>
>>>>>
>>>> Still, if you know what this powershell call changes in the LDAP
>>>> record of the group, the user or elsewhere in LDAP, you can mimic
>>>> this functionality quite easily with a little cron script on the
>>>> DC.
>>>>
>>>> I have created a kind of similar implementation called auto-lock,
>>>> where (admin-)users that are members of the "autolock" group
>>>> automatically get disabled at midnight every day
>>>> (https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)
>>>>
>>>> And another piece of cron-scripting makes "password expired" LDAP
>>>> searchable (which is not the case with the computed attribute
>>>> "msDS-User-Account-Control-Computed").
>>> That attribute is searchable, it is one of the attributes you have
>>> to explicitly ask for.
>> We had this discussing before: you can get it returned in an ldap
>> query, but you can't use it in an ldap filter. Applications tend to
>> use a filter to find users, so it does not work for my usecase
>> (with Privacyidea).
> Fair enough, it isn't that Samba ldap is limited, it is a limitation of
> the tool that you are using.

Sure, but there are not many applications where you can do things with 
retrieved attributes and multiple ldap-searches in the selection of 
users and groups.

Most (nearly all?) applications allow just server settings, bind 
settings, base-dn, an ldap-filter and sometimes attribute mapping. That 
includes big names like Postfix and Dovecot.

I would think this is more a Microsoft limitation than anything else. Or 
perhaps it is even generic for ldap, I have no clue how OpenLdap treats 
computed attributes.

Then again, it does not matter much what the root-cause of the 
limitation is, more important is how to overcome it :-)

>
>> My workaround is to have a cron-script do the check and write the
>> result in one of the unused attributes (e.g. the telex number), then
>> the application can filter on that. Not the royal solution, but it
>> works...
>>
>> - Kees.
>>
>>>> With this, applications like
>>>> Privacyidea can disallow MFA for users with an expired domain
>>>> password.
>>>>
>>>> It can't be hard to query some attribute and add or remove a user
>>>> from a group.
>>>>
>>> Would that it was that easy, but as I said on the samba mailing
>>> list, I am sure the timing is done in code, but I am sure that
>>> those wiser than myself will know.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>>>
> OK, I have been looking into this and from my googling, you need the
> 'Privileged Access Management Optional Feature' , so that means 2016
> functional level (at least), see:
>
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d079eee8-1bac-4b03-86e4-506a21450905
>
> Samba will also need to implement the
> LDAP_SERVER_LINK_TTL_OID: 1.2.840.113556.1.4.2309
>
> Finally, it seems that Samba will need the code to tie all this together,
> just having the functional level and OID will not be enough.
>
> Not a five minute job by the sound of it.
>
> Rowland
>
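The cron-script workaround discussed in this thread (the computed attribute msDS-User-Account-Control-Computed can be returned by a search but not used in a filter, so a job periodically copies the "password expired" state into an otherwise unused attribute that applications can filter on) is illustrated below. This is an added example written for this page, not code from Kees van Vloten's samba_integrations repository or from Samba itself. It assumes the marker attribute is telexNumber with the value PASSWORD_EXPIRED (both assumptions, matching the "telex number" suggestion above), feeds itself a constructed LDIF sample in place of real ldbsearch output, and emits an LDIF changeset rather than writing to the directory directly. The flag values UF_PASSWORD_EXPIRED (0x00800000) and UF_LOCKOUT (0x00000010) are the bit values Microsoft documents for this computed attribute.

```python
"""
Copy the 'password expired' state of each user into a filterable marker
attribute (added example, not from the thread's own scripts).

Intended flow on a Samba DC (the tool invocations are an assumption):
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
      sAMAccountName msDS-User-Account-Control-Computed telexNumber > users.ldif
  python3 mark_expired.py < users.ldif > changes.ldif
  ldbmodify -H /var/lib/samba/private/sam.ldb changes.ldif
"""
import re
import sys

# Bit values Microsoft documents for msDS-User-Account-Control-Computed
UF_LOCKOUT = 0x00000010
UF_PASSWORD_EXPIRED = 0x00800000

COMPUTED_ATTR = "msDS-User-Account-Control-Computed"
MARKER_ATTR = "telexNumber"        # assumption: an attribute the domain does not otherwise use
MARKER_VALUE = "PASSWORD_EXPIRED"  # assumption: value applications will filter on

# Constructed sample standing in for ldbsearch output.
SAMPLE_LDIF = """\
# constructed sample, not real directory data
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
msDS-User-Account-Control-Computed: 8388608

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
msDS-User-Account-Control-Computed: 0

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
msDS-User-Account-Control-Computed: 16
telexNumber: PASSWORD_EXPIRED

dn: CN=dave,CN=Users,DC=example,DC=com
sAMAccountName: dave
msDS-User-Account-Control-Computed: 8388624
telexNumber: PASSWORD_EXPIRED
"""


def parse_ldif(text):
    """Parse plain-text LDIF records into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    # LDIF folds long values onto a following line that starts with a space.
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(": ")
        if not sep or name.endswith(":"):
            continue                  # base64 ('::') and URL (':<') values are not used here
        current.setdefault(name, []).append(value)
    return entries


def password_expired(entry):
    """True when the computed flags carry UF_PASSWORD_EXPIRED (lockout alone does not count)."""
    flags = int(entry.get(COMPUTED_ATTR, ["0"])[0])
    return bool(flags & UF_PASSWORD_EXPIRED)


def expired_users(entries):
    return [e["sAMAccountName"][0] for e in entries if password_expired(e)]


def plan_changes(entries):
    """Return (dn, op) pairs: 'set' adds the marker, 'clear' removes a stale one.
    Idempotent: users already in the correct state yield no change."""
    plan = []
    for e in entries:
        has_marker = MARKER_VALUE in e.get(MARKER_ATTR, [])
        if password_expired(e) and not has_marker:
            plan.append((e["dn"][0], "set"))
        elif not password_expired(e) and has_marker:
            plan.append((e["dn"][0], "clear"))
    return plan


def render_ldif(plan):
    """Render the plan as an LDIF modify changeset suitable for ldbmodify/ldapmodify."""
    out = []
    for dn, op in plan:
        out.append(f"dn: {dn}\nchangetype: modify\n")
        if op == "set":
            out.append(f"replace: {MARKER_ATTR}\n{MARKER_ATTR}: {MARKER_VALUE}\n-\n")
        else:
            out.append(f"delete: {MARKER_ATTR}\n-\n")
        out.append("\n")
    return "".join(out)


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    entries = parse_ldif(source)
    sys.stderr.write(f"expired: {expired_users(entries)}\n")
    sys.stdout.write(render_ldif(plan_changes(entries)))
```

Once the marker is maintained this way, an application that only offers a base DN and a filter can exclude users with an expired password using a filter such as `(&(objectClass=user)(!(telexNumber=PASSWORD_EXPIRED)))`, which is the effect described above for Privacyidea. In the sample, alice gets the marker set, carol's stale marker (she is only locked out) is removed, and bob and dave are left untouched.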


