gpt4 book ai didi

active-directory - 如何使用普通的 ldap 客户端访问 nTSecurityDescriptor?

转载 作者:行者123 更新时间:2023-12-04 08:36:10 24 4
gpt4 key购买 nike

我尝试以普通域用户身份从带有 ldapsearch(或其他东西)的 linux 机器上读取 nTSecurityDescriptor

搜索其他内容有效,但我找不到 nTSecurityDescriptor

This KB可能相关,但作为域管理员运行不是服务的选项。

那么我该如何阅读这些信息呢?我知道我可以读取 DACL,但问题是如何读取。

最佳答案

我为 Windows ntSecurityDescriptor 管理创建了一个新的 Java (JNDI) 库(Apache2 许可)。从http://blog.tirasa.net/ntsecuritydescripto-management.html开始阅读介绍。

查看库 ( https://github.com/Tirasa/ADSDDL) 集成测试以获得任何帮助。以下示例将“用户无法更改密码”ACE 添加到 DACL 中。

final SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
controls.setReturningAttributes(new String[] { "nTSecurityDescriptor" });

ctx.setRequestControls(new Control[] { new SDFlagsControl(0x00000004) });

NamingEnumeration<SearchResult> results =
ctx.search(baseContext, searchFilter, controls);

SearchResult res = results.next();
final String dn = res.getNameInNamespace();

byte[] orig = (byte[]) res.getAttributes().get("nTSecurityDescriptor").get();

SDDL sddl = new SDDL(orig);
results.close();

final List<ACE> toBeChanged = new ArrayList<>();

for (ACE ace : sddl.getDacl().getAces()) {
if ((ace.getType() == AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE
|| ace.getType() == AceType.ACCESS_DENIED_OBJECT_ACE_TYPE)
&& ace.getObjectFlags().getFlags().contains(
AceObjectFlags.Flag.ACE_OBJECT_TYPE_PRESENT)) {
if (GUID.getGuidAsString(ace.getObjectType()).equals(
UCP_OBJECT_GUID)) {

final SID sid = ace.getSid();
if (sid.getSubAuthorities().size() == 1
&& ((Arrays.equals(sid.getIdentifierAuthority(),
new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 })
&& Arrays.equals(sid.getSubAuthorities().get(0),
new byte[] { 0x00, 0x00, 0x00, 0x00 }))
|| (Arrays.equals(sid.getIdentifierAuthority(),
new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 })
&& Arrays.equals(sid.getSubAuthorities().get(0),
new byte[] { 0x00, 0x00, 0x00, 0x0a })))) {
toBeChanged.add(ace);
}
}
}
}

if (toBeChanged.isEmpty()) {
// prepare aces
ACE self = ACE.newInstance(AceType.ACCESS_DENIED_OBJECT_ACE_TYPE);
self.setObjectFlags(new AceObjectFlags(
AceObjectFlags.Flag.ACE_OBJECT_TYPE_PRESENT));
self.setObjectType(GUID.getGuidAsByteArray(UCP_OBJECT_GUID));
self.setRights(new AceRights().addOjectRight(AceRights.ObjectRight.CR));
SID sd = SID.newInstance(NumberFacility.getBytes(0x000000000001));
sd.addSubAuthority(NumberFacility.getBytes(0));
self.setSid(sd);

ACE all = ACE.newInstance(AceType.ACCESS_DENIED_OBJECT_ACE_TYPE);
all.setObjectFlags(new AceObjectFlags(
AceObjectFlags.Flag.ACE_OBJECT_TYPE_PRESENT));
all.setObjectType(GUID.getGuidAsByteArray(UCP_OBJECT_GUID));
all.setRights(new AceRights().addOjectRight(AceRights.ObjectRight.CR));
sd = SID.newInstance(NumberFacility.getBytes(0x000000000005));
sd.addSubAuthority(NumberFacility.getBytes(0x0A));
all.setSid(sd);

sddl.getDacl().getAces().add(self);
sddl.getDacl().getAces().add(all);
} else {
for (ACE ace : toBeChanged) {
ace.setType(AceType.ACCESS_DENIED_OBJECT_ACE_TYPE);
}
}

final Attribute ntSecurityDescriptor = new BasicAttribute(
"ntSecurityDescriptor", sddl.toByteArray());

final ModificationItem[] mods = new ModificationItem[1];
mods[0] = new ModificationItem(
DirContext.REPLACE_ATTRIBUTE, ntSecurityDescriptor);

ctx.modifyAttributes(dn, mods);
// .....

关于active-directory - 如何使用普通的 ldap 客户端访问 nTSecurityDescriptor?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/16521790/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com