|Viewing Issue Simple Details|
|ID||Category||Severity||Reproducibility||Date Submitted||Last Update|
|0000217||[LEX] Edit Function||major||always||2010-01-19 12:43||2010-01-25 19:47|
|Summary||0000217: AD Permissions cannot be set if an object from another domain or namespace is in the ACL|
AD Permissions cannot be set if an object from another domain or namespace is in the ACL
LEX just does nothing. If you look at a network trace (with unencrypted basic bind), you see that the server response is a Referral. I guess this is because LEX has an error while enumerating the SID from another namespace!
|Tags||No tags attached.|
The same issue was reported by users who wanted to set permission owners from another domain or namespace.
It's a rather complicated problem, because we need to identify a valid global catalog to resolve all the SIDs - it's easy to find a GC if you are a member of a domain, but it's not so easy if you just have an LDAP connection to a DC (but this is all that LEX might have - an LDAP connection to a DC without being a member of the corresponding domain/forest).
Another important problem which we didn't realize at first is that although the nTSecurityDescriptor is one single attribute, it might be that you are only able to write parts of it:
- DACL (normal permissions)
- SACL (AuditSettings)
So the next version of LEX has to identify whether the user maybe changed only one part of the whole object security, and then write the nTSecurityDescriptor back together with the LDAP extended control 1.2.840.113556.1.4.801 (SD_FLAGS).
This is hard work, but I've already been working on it for a week now; the GC issue is solved, and I have some ideas to quickly identify what SD flags to pass for the LDAP modify operation.
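One way to decide which SD flags to pass, as an added Python example that is not LEX's own code: it splits the original and the edited self-relative security descriptor into owner, group, DACL and SACL, sets the flag of each part that differs, and BER-encodes the value for the SD_FLAGS control. Assumptions: all function names are hypothetical, the SIDs and descriptors are constructed sample data, and the flag bits and control OID are the ones documented in MS-ADTS.

```python
import struct

# Constants as documented in MS-ADTS / MS-DTYP; every function name is hypothetical.
SD_FLAGS_OID = "1.2.840.113556.1.4.801"      # LDAP_SERVER_SD_FLAGS_OID
OWNER, GROUP, DACL, SACL = 0x1, 0x2, 0x4, 0x8

def split_sd(sd):
    """Split a self-relative security descriptor into its four parts."""
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<4I", sd, 4)
    def sid(off):   # 8-byte SID header + 4 bytes per sub-authority
        return sd[off:off + 8 + 4 * sd[off + 1]] if off else None
    def acl(off):   # AclSize is the 16-bit field at offset 2 of the ACL
        return sd[off:off + struct.unpack_from("<H", sd, off + 2)[0]] if off else None
    return {OWNER: sid(off_owner), GROUP: sid(off_group),
            DACL: acl(off_dacl), SACL: acl(off_sacl)}

def changed_flags(original, edited):
    """OR together the flag of every part that differs between two descriptors."""
    before, after = split_sd(original), split_sd(edited)
    return sum(bit for bit in (OWNER, GROUP, DACL, SACL) if before[bit] != after[bit])

def sd_flags_control_value(flags):
    """BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    if not 0 < flags <= 0xF:
        raise ValueError("no part changed, or flags out of range")
    return bytes([0x30, 0x03, 0x02, 0x01, flags])

# --- constructed sample data (not taken from a real directory) ---
def make_sid(*subs):
    return bytes([1, len(subs), 0, 0, 0, 0, 0, 5]) + struct.pack(f"<{len(subs)}I", *subs)
def make_ace(mask, sid):   # ACCESS_ALLOWED_ACE
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid
def make_acl(*aces):
    return struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
def make_sd(owner, group, dacl):   # control 0x8004: self-relative, DACL present
    offs = (20, 20 + len(owner), 0, 20 + len(owner) + len(group))
    return struct.pack("<BBH4I", 1, 0, 0x8004, *offs) + owner + group + dacl

ADMINS = make_sid(32, 544)                       # BUILTIN\Administrators
FOREIGN = make_sid(21, 1111, 2222, 3333, 1105)   # constructed SID from another domain
ORIGINAL = make_sd(ADMINS, ADMINS, make_acl(make_ace(0xF01FF, ADMINS)))
EDITED = make_sd(ADMINS, ADMINS, make_acl(make_ace(0xF01FF, ADMINS),
                                          make_ace(0x20094, FOREIGN)))

if __name__ == "__main__":
    flags = changed_flags(ORIGINAL, EDITED)
    print(SD_FLAGS_OID, hex(flags), sd_flags_control_value(flags).hex())
```

Attaching the control with only the DACL bit set tells the DC to apply just that part of the written nTSecurityDescriptor, so an account without rights to the SACL or owner can still save an ACL change.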
|2010-01-19 12:43||nick||New Issue|
|2010-01-19 22:09||PhilippFoeckeler||Target Version||=> 1.2.004|
|2010-01-19 22:09||PhilippFoeckeler||Status||new => assigned|
|2010-01-19 22:09||PhilippFoeckeler||Assigned To||=> PhilippFoeckeler|
|2010-01-23 22:27||PhilippFoeckeler||Description Updated|
|2010-01-23 22:27||PhilippFoeckeler||Summary||AD Permissions cannot be set if an obect from another domain or namespace is in the ACL => AD Permissions cannot be set if an object from another domain or namespace is in the ACL|
|2010-01-24 12:39||PhilippFoeckeler||Note Added: 0000031|
|2010-01-25 19:46||PhilippFoeckeler||Status||assigned => resolved|
|2010-01-25 19:46||PhilippFoeckeler||Fixed in Version||=> 1.2.004|
|2010-01-25 19:46||PhilippFoeckeler||Resolution||open => fixed|