
Create ntSecurityDescriptor utilities #681

Description

@stevebauman

@kbisignani was able to utilize LdapTools' ntSecurityDescriptor to be able to update them in LdapRecord.

#678 (reply in thread)

use LdapTools\Security\Ace\Ace;
use LdapTools\Security\Ace\AceRights;
use LdapTools\Security\SecurityDescriptor;
use LdapTools\Security\SID;

// Parse the binary ntSecurityDescriptor value that LdapRecord fetched for the user.
$sd = new SecurityDescriptor($user->getAttribute('ntsecuritydescriptor')[0]);

// Flip the Everyone ACE on the "Change Password" right to deny ('WD' is the SID short name for "Everyone").
foreach ($sd->getDacl()->getAces() as $ace) {
    if ((string) $ace->getTrustee() === SID::SHORT_NAME['WD'] && (string) $ace->getObjectType() === AceRights::EXTENDED['CHANGE_PASSWORD']) {
        $ace->setType('OD');
    }
}

// OD is short for an object deny ACE type...
$ace = (new Ace('OD'))
    // The SID of the user being denied the right ('PS' is the SID short name for "Principal Self").
    ->setTrustee('PS')
    // This is the extended access right that "User cannot change password" denies...
    ->setObjectType(AceRights::EXTENDED['CHANGE_PASSWORD'])
    // This sets the ACE with the "Control Access" right...
    ->setRights(new AceRights(AceRights::SHORT_NAME['CR']));
$sd->getDacl()->addAce($ace);

// Now set the new Security Descriptor value and save it
$user->setAttribute('ntSecurityDescriptor', $sd->toBinary());
$user->save();

LdapTools is MIT so we can port some of these utilities over and maintain credit to the original author with an @author tag.
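The snippet in the issue flips the Everyone ACE and appends a new Principal Self ACE unconditionally, so running it twice leaves duplicate ACEs and it never verifies the result. The following is an added example (not code from the issue, LdapRecord or LdapTools) that reads the restriction back as a check and applies it idempotently. It builds on the LdapTools classes the issue uses; the `getShortName()` call on the ACE type and `Dacl::canonicalize()` are assumed to exist, and the helper function names are this example's own.

```php
<?php
// Added example; not part of the issue, LdapRecord or LdapTools.
// Assumptions: AceType::getShortName() returns 'OA'/'OD' etc., and
// Dacl::canonicalize() reorders the DACL into AD's canonical order.

use LdapTools\Security\Ace\Ace;
use LdapTools\Security\Ace\AceRights;
use LdapTools\Security\SecurityDescriptor;
use LdapTools\Security\SID;

/**
 * Return the ACE (if any) that targets the "Change Password" extended right
 * for the given trustee short name ('PS' = Principal Self, 'WD' = Everyone).
 */
function findChangePasswordAce(SecurityDescriptor $sd, string $trusteeShortName): ?Ace
{
    $sid = SID::SHORT_NAME[$trusteeShortName];
    $guid = AceRights::EXTENDED['CHANGE_PASSWORD'];

    foreach ($sd->getDacl()->getAces() as $ace) {
        if ((string) $ace->getTrustee() === $sid && (string) $ace->getObjectType() === $guid) {
            return $ace;
        }
    }

    return null;
}

/**
 * "User cannot change password" is stored in AD as two object-deny ACEs on the
 * Change Password right, one for Principal Self and one for Everyone. The
 * restriction is only in effect when both are present and both are deny ACEs.
 */
function userCannotChangePassword(SecurityDescriptor $sd): bool
{
    foreach (['PS', 'WD'] as $trustee) {
        $ace = findChangePasswordAce($sd, $trustee);
        // Assumption: the ACE type exposes its SDDL short name via getShortName().
        if ($ace === null || $ace->getType()->getShortName() !== 'OD') {
            return false;
        }
    }

    return true;
}

/**
 * Apply the restriction idempotently: flip an existing ACE to deny instead of
 * appending a duplicate, and add a deny ACE only where none exists.
 */
function setUserCannotChangePassword(SecurityDescriptor $sd): void
{
    foreach (['PS', 'WD'] as $trustee) {
        $ace = findChangePasswordAce($sd, $trustee);
        if ($ace !== null) {
            $ace->setType('OD');
            continue;
        }

        $sd->getDacl()->addAce(
            (new Ace('OD'))
                ->setTrustee($trustee)
                ->setObjectType(AceRights::EXTENDED['CHANGE_PASSWORD'])
                ->setRights(new AceRights(AceRights::SHORT_NAME['CR']))
        );
    }

    // AD expects a canonical DACL (explicit deny ACEs ahead of explicit allow ACEs).
    // addAce() appends, so reorder before writing the descriptor back.
    // Assumption: canonicalize() exists on the Dacl object.
    $sd->getDacl()->canonicalize();
}

/**
 * Apply the restriction to an LdapRecord model and return whether it took effect.
 * $user is assumed to be an already-fetched LdapRecord user model.
 */
function enforceCannotChangePassword($user): bool
{
    $sd = new SecurityDescriptor($user->getAttribute('ntsecuritydescriptor')[0]);

    if (! userCannotChangePassword($sd)) {
        setUserCannotChangePassword($sd);
        $user->setAttribute('ntSecurityDescriptor', $sd->toBinary());
        $user->save();
    }

    // Re-read the attribute from the directory and verify rather than trusting the write.
    $user->refresh();
    $refreshed = new SecurityDescriptor($user->getAttribute('ntsecuritydescriptor')[0]);

    return userCannotChangePassword($refreshed);
}
```

The checker is the useful half for auditing: run `userCannotChangePassword()` over the accounts you expect to be locked and alert on any that return false, since a single allow ACE for either trustee silently lifts the restriction. When fetching `ntSecurityDescriptor` as a non-privileged bind, request only the owner, group and DACL parts with the LDAP_SERVER_SD_FLAGS control; without it the server includes the SACL, which requires SeSecurityPrivilege, and the attribute comes back empty.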

Metadata

Assignees: No one assigned

Labels: enhancement (New feature or request)
