security descriptor

Discussion in 'Active Directory' started by aks, May 11, 2005.

  1. aks

    aks Guest

    my CAR is called 'myperm' class, it has the following:

    Dn: CN=myperm,CN=Extended-Rights,CN=Configuration,DC=bago,DC=com
    changetype: add
    cn: myperm
    rightsGuid: 36BB01B9-AFC0-4972-94C4-82275B949401
    objectClass: controlAccessRight
    appliesTo: 5e0ad683-eb2c-4675-9e94-aff90f69af7f
    #showInAdvancedViewOnly: TRUE
    validAccesses: 256

    where the field 'appliesTo' has the schemaIDGUID of class 'testpermissions'
    and 'rightsGUID' has the objectGUID of the attribute 'clear-log' (clear-log
    is an attribute of class testpermissions). Ldif dumps of testpermissions and
    clear-log are below:

    dn: CN=TestPermission,CN=Schema,CN=Configuration,DC=bago,DC=com
    changetype: add
    cn: TestPermission
    lDAPDisplayName: TestPermission
    governsID: 1.2.360.142565.1.9000.1908.22
    objectClass: classSchema
    objectClassCategory: 1
    possSuperiors: organizationalUnit
    subClassOf: top
    mayContain: clear-log

    dn:
    changetype: modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -
    ------------------
    dn: CN=clear-log,CN=Schema,CN=Configuration,DC=bago,DC=com
    changetype: add
    cn: clear-log
    objectClass: attributeSchema
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=bago,DC=com
    lDAPDisplayName: clear-log
    attributeID: 1.2.360.142565.1.9000.1908.32
    attributeSyntax: 2.5.5.5
    omSyntax: 19
    isSingleValued: TRUE
    description: clears log file
     
    aks, May 16, 2005
    #21

  2. That is not the complete dump. Please export the object with ldifde.

    Also, what attribute??? You don't need an attribute in the schema.
    You only need the CAR object, with a unique rightsGuid.
    AppliesTo should point to objectClasses where you want this CAR to appear.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], May 16, 2005
    #22

  3. aks

    aks Guest

    here's the dump:

    objectClass: top
    objectClass: controlAccessRight
    cn: myperm
    distinguishedName:
    CN=myperm,CN=Extended-Rights,CN=Configuration,DC=bago,DC=com
    instanceType: 4
    whenCreated: 05/14/2005 01:16:04
    whenChanged: 05/14/2005 01:16:04
    uSNCreated: 24430
    uSNChanged: 24430
    showInAdvancedViewOnly: TRUE
    name: myperm
    objectGUID: {ACC9F9DC-C005-4581-BA5C-31DB096288FF}
    rightsGuid: 36BB01B9-AFC0-4972-94C4-82275B949401
    appliesTo: 5e0ad683-eb2c-4675-9e94-aff90f69af7f
    objectCategory:
    CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=bago,DC=com
    validAccesses: 256
    ADsPath:
    LDAP://server1.bago.com/CN=myperm,CN=Extended-Rights,CN=Configuration,DC=bago,DC=com

    About your comment "You don't need an attribute in the schema. You only need
    the CAR object, with a unique rightsGuid":
    My initial attempt was with a unique rightsGUID generated using uuidgen, and
    I was unable to see the change in the ACL dialog box (hence my 2 posts on Fri).
    However, if I point the rightsGUID to an attribute of a class, I was able to
    see the changes in the dialog box. I am certainly doing something very wrong
    somewhere... Do let me know.

    Thanks.
     
    aks, May 16, 2005
    #23
  4. aks

    aks Guest

    Hi Dmitri,

    I tried to use the CAR straight with my object (no use of any attribute,
    just using a unique rightsGUID in the CAR), and the ACL dialog box shows the
    attribute/string. On Fri, probably I was setting the value of the attribute
    to something other than 6, 5 or 0. So, that is working as suggested by you.

    The question remains about 'read' and 'write' strings getting prefixed in
    the dialog box. Thanks.
     
    aks, May 16, 2005
    #24
  5. No repro. I just created a new class and a new controlAccessRight, assigned
    appliesTo to the schemaIdGuid of the class, valid accesses=256, and was able
    to see it in the ACLUI, without Read/Write. I did not have to touch
    dssec.dat at all.

    If you want me to double-check your CAR definition, please post the *actual
    LDIFDE dump*, produced by the Windows version of ldifde.exe. Yours is not.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 18, 2005
    #25
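    As an added illustration (not code from the thread or from Microsoft), the checker below parses a CAR entry in LDIF form and reports the things discussed above: the objectClass, that rightsGuid and appliesTo are plain string GUIDs, and whether validAccesses carries only the control-access bit (256) or the read/write-property bits that make ACLUI display the right as a property set with a Read/Write prefix. The access-mask bit values are the standard AD ones and are assumed here rather than quoted in the thread; the sample LDIF is copied from the first post.

```python
import re

# Constructed sample: the CAR definition as posted in the thread (not an ldifde dump).
MYPERM_LDIF = """\
Dn: CN=myperm,CN=Extended-Rights,CN=Configuration,DC=bago,DC=com
changetype: add
cn: myperm
rightsGuid: 36BB01B9-AFC0-4972-94C4-82275B949401
objectClass: controlAccessRight
appliesTo: 5e0ad683-eb2c-4675-9e94-aff90f69af7f
#showInAdvancedViewOnly: TRUE
validAccesses: 256
"""

# validAccesses bits: standard AD access-mask values (assumed, not quoted in the thread).
PROPERTY_BITS = 0x30       # READ_PROP (0x10) | WRITE_PROP (0x20): a property set
CONTROL_ACCESS = 0x100     # the 256 from the thread: an extended right
STRING_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_ldif(text):
    """Minimal one-entry LDIF parser: folds continuation lines, skips comments."""
    entry, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def check_car(entry):
    """Findings that would keep a CAR out of ACLUI or make it show as Read/Write."""
    findings = []
    classes = [v.lower() for v in entry.get("objectclass", [])]
    if "controlaccessright" not in classes:
        findings.append("objectClass must include controlAccessRight")
    for attr in ("rightsguid", "appliesto"):
        for val in entry.get(attr, []):
            if not STRING_GUID.match(val):   # braced or binary forms are rejected
                findings.append(f"{attr} must be a plain string GUID, got {val!r}")
    for val in entry.get("validaccesses", ["0"]):
        mask = int(val)
        if mask & PROPERTY_BITS:
            findings.append("READ_PROP/WRITE_PROP set: ACLUI shows it as a property set "
                            "with Read/Write prefixed to the name")
        if not mask & CONTROL_ACCESS:
            findings.append("CONTROL_ACCESS (256) not set: not an extended right")
    return findings
```

    Running check_car(parse_ldif(MYPERM_LDIF)) on the posted definition returns no findings; changing validAccesses to 48 reproduces the Read/Write prefix case.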
  6. aks

    aks Guest

    Hi Dmitri,

    Interesting to know you were able to do it...

    Does the class you created make any difference? I have a structural class
    that has 'subclassof' defined as top, and I am assigning the schemaIDGUID of
    this class to the appliesTo field in the CAR.

    Also, could you let me know if you are using the 'Delegate Control' wizard in
    ADU&C to see the CAR in the ACLUI, or were you just right-clicking an entry
    in ADU&C to select Properties -> 'Security' tab -> Select User/Groupname ->
    click Advanced?

    Thanks.
     
    aks, May 18, 2005
    #26
  7. My class was a structural class, subclass of top. ACLUI --
    properties/security/advanced. I was doing it on a pretty new OS build
    though...

    In your appliesTo field -- did you specify the "string" guid of the class?

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 19, 2005
    #27
  8. aks

    aks Guest

    Yes, in the 'appliesTo' field of the CAR, I did specify the string guid of
    the class for which I would be using the CAR. In fact, the definition of the
    CAR is quite simple: the appliesTo and rightsGUID fields.

    So you were using ADU&C or Delegate Control to get to the ACLUI? My OS
    version, I don't remember, it's at work (will have to check).

    Thanks.
     
    aks, May 19, 2005
    #28
  9. I was using ADUC to get to ACLUI.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 19, 2005
    #29