I am not so sure he needs to be able to actually understand what is in the blob so decoding of any part of the security descriptor shouldn't be necessary. Sounds like he simply wants to copy from one object to another and that should be possible using the LDAP_SERVER_SD_FLAGS_OID control which really shouldn't be all that difficult to build and submit to the server assuming you have ber_printf available and I believe most LDAP APIs do have it.
If copying the entire SD and the app has the appropriate rights (i.e. something with rights to modify the SACL as that is generally the touchy part), it may be possible to do it without using the control even. It isn't something I have tried to do personally. Now seeing the domain from which the original poster is writing and having some detailed understanding of that specific environment and knowing all of the Enterprise/Domain Administrators, I am curious what exactly they want to do from UNIX and Java with machine accounts and whether they are chatting with anyone as they may find they really don't have rights to do what they are wanting to do or are specifically disallowed from mucking with it. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen Sent: Tuesday, December 12, 2006 11:00 PM To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix On Tue, 12 Dec 2006 14:49:46 -0500 "Santiago, Felderi (F.)" <[EMAIL PROTECTED]> wrote: > > I know this may sounds crazy, but I need to write to the > ntSecurityDescriptor attribute on a computer account from Unix via LDAP. > Any clues? Essentially, what I am trying to do is query the > ntsecuritydescriptor attribute of an object already in AD to see the > value and would like to moving forward to set the same value to a > specific object moving forward. > > Why ldap from Unix? Well, I am dealing with Unix Admins who hate > Windows and want to do everything Unix. Any tips or tricks would be > greatly appreciated. Doubt it. Basically you need two things: an LDAP client that supports the LDAP_SERVER_SD_FLAGS_OID control and a library that understands how to decode and manipulate the binary array of ACEs that makes up a security descriptor. The first part is easy. The second part is very difficult unless you're confortable hacking in C or Java. As LDAP clients on UNIX go the best ones are: 1) OpenLDAP's C library which give you low level access to build controls and therefore will definitely allow you to set LDAP_SERVER_SD_FLAGS_OID flags. 2) Java's JNDI which should also have low level access but I'm not sure. 3) The Perl binding for OpenLDAP is pretty good but again I'm not sure you can do an arbitrary LDAPControl. As security descriptor libraries go there are only two that I'm aware of: 1) Samba has a C api and a Python binding but it could be difficult trying to decipher how to use it as it most likely is not designed specifically for generic use such as this. 2) JCIFS has code to get security descriptors and resolve names of SIDs but it only has code to decode security descriptors not encode them. But the only reason that I mention JCIFS is because if *I* had to do this, I think JNDI/JCIFS would be the path of least resistance and you would end up with a pretty nice and flexible solution. Or, if they ok with using a web interface you could write a ASP to do the work and protect it with Kerberos SSO which Firefox can do. Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
