Composition relation between object in active directory schema - active-directory

I played a bit with AD and the schema and was able to make some custom attributes for my users.
For some reason, adding attributes is not enough for me and I would like to know if it is possible to create a new AD object "clearance", with some attributes, and add a 0..* relation between user and clearance like this:
I'm a total noob in Active Directory so I wasn't able to find some reliable information about the schema meta-model so ... is it even possible? If yes, how can I do that?
To get further I need to make a security claim on this relation and then use it in Dynamic Access Control rules ...
Thanks for your help

LDAP User Filter

I need help for my AD Integration.
I’m using Spiceworks for the system and there is a portion there for AD Integration.
The problem is that I need to sync two different OUs.
Base DN for LDAP search:
DC=dc1,DC=dc2
LDAP user filter:
(&(objectCategory=person)(|(ou=OU1)(ou=OU2)))
And it's not working.
My AD Structure is
dc1.dc2
— OU1
— OU2
— OU3
dc1.dc2 is the top level.
OU1, OU2, OU3 are on the same level.
The reason is I don’t want to include OU3 in the syncing
LDAP filters are generally only applicable to attributes that are in the user entries.
If you want to include attributes that are part of the DN (the path to entries), you need to use extensible filters such as:
(&(objectCategory=person)(|(ou:dn:=OU1)(ou:dn:=OU2)))
Note that while these are standard LDAP filters, not all servers support them.
Active Directory doesn't support filters based on OU. In this instance, it's an "extensible match filter" that some LDAP implementations support, but not all (including AD). More info here.
By the way, you can't do a wildcard search on the distinguishedName, if you're tempted to try.
To be honest, this is why it's best to have all your "person" user accounts in one OU (maybe subdivided further down), groups in another, etc. In your case, if you can, it might be a good idea to move your "syncing" account OUs under a new OU. If you have an enterprise environment, you will want to be careful that there are no dependencies on the OU structure before making such a change, or that you can identify any such dependencies and fix them before or at the time of making the change.
Otherwise, you'll need to make your searchbase the root of the domain. If you have other user account attributes you can use to search, such as department names or similar, that will work. If it's employee accounts, do they all have a common field that's populated, such as "employeeID" or "streetAddress" or something? Or do the accounts you want to exclude have a specific name format (such as all the service accounts starting with "SVC")? By combining things like that, you can generally get it pretty good.
Finally, for searching normal user accounts, a more efficient basic query is:
(samAccountType=805306368)
Your query of (objectCategory=person) returns User and Contact objects. The usual way to scope it properly is (&(objectClass=user)(objectCategory=person)), but the two clauses make it less efficient than my recommendation (which uses an indexed attribute as well).
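The workaround the answers converge on, as an added example that is not part of the thread: search once from the domain root with the indexed user filter, then keep only the entries whose DN lies under OU1 or OU2 by comparing RDN lists on the client (Active Directory rejects the ou:dn:= extensible match). The search results, the OU names and the "SVC" service-account prefix are constructed for the example, not taken from a directory.

```python
"""Scope a sync to OU1 and OU2 without the unsupported ou:dn:= filter: run one
search from the domain root with the indexed user filter, then filter the
returned DNs client-side.  Added example; SAMPLE_RESULTS is constructed data."""

DOMAIN = 'DC=dc1,DC=dc2'
USER_FILTER = '(samAccountType=805306368)'   # normal user accounts, indexed attribute


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash escapes such as 'Doe\\, John' intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):      # escape pair: copy both characters
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur).strip())
    return parts


def normalise_rdn(rdn):
    # Attribute types are case-insensitive; OU and DC values are compared case-insensitively too.
    attr, _, value = rdn.partition('=')
    return attr.strip().lower() + '=' + value.strip().lower()


def is_under(dn, base):
    """True if dn is base or sits anywhere beneath it, RDN by RDN (so OU=OU10 is not under OU=OU1)."""
    d = [normalise_rdn(r) for r in split_dn(dn)]
    b = [normalise_rdn(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# Constructed entries, as a search from DOMAIN with USER_FILTER would return them.
SAMPLE_RESULTS = [
    {'distinguishedName': 'CN=Alice Adams,OU=OU1,DC=dc1,DC=dc2', 'sAMAccountName': 'aadams'},
    {'distinguishedName': 'CN=Bob Brown,OU=Staff,OU=OU2,DC=dc1,DC=dc2', 'sAMAccountName': 'bbrown'},
    {'distinguishedName': 'CN=Carol Cole,OU=OU3,DC=dc1,DC=dc2', 'sAMAccountName': 'ccole'},
    {'distinguishedName': 'CN=Doe\\, John,OU=OU1,DC=dc1,DC=dc2', 'sAMAccountName': 'jdoe'},
    {'distinguishedName': 'CN=svc-backup,OU=OU2,DC=dc1,DC=dc2', 'sAMAccountName': 'SVC-backup'},
    {'distinguishedName': 'CN=Eve,OU=OU10,DC=dc1,DC=dc2', 'sAMAccountName': 'eve'},
]


def scope_to_ous(entries, domain, ou_names, exclude_prefix=None):
    """sAMAccountNames of entries under any of the named top-level OUs, minus an optional name prefix."""
    bases = ['OU=%s,%s' % (ou, domain) for ou in ou_names]
    kept = []
    for entry in entries:
        if not any(is_under(entry['distinguishedName'], b) for b in bases):
            continue
        if exclude_prefix and entry['sAMAccountName'].lower().startswith(exclude_prefix.lower()):
            continue
        kept.append(entry['sAMAccountName'])
    return kept


if __name__ == '__main__':
    print(scope_to_ous(SAMPLE_RESULTS, DOMAIN, ['OU1', 'OU2'], exclude_prefix='SVC'))
```

The RDN-list comparison matters: a plain string suffix test would accept OU=OU10 as a child of OU=OU1 and would be fooled by an escaped comma inside a CN.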

best way to implement laravel database system to manage posts read/share/edit permissions

Thank you for helping on this!
I am designing an app with documents and posts sharing with Laravel.
I've tried to do it myself for two weeks but I am not sure what the best approach is.
I've tried implementing many packages and used CRUD generators, but as a Laravel beginner it's difficult to find the right package and to mix them.
What I want is a system like google docs sharing behaviour but for posts.
You could write a post and set it as
private
shared with those with the secret link
shared with users names list (or ids in database)
shared with groups of users
So what is the best way to build that?
1) Using a package? Which one?
2) table_users | table_posts | table_permissions
one permission per user that can read / edit (permission level)
3) table_users | table_posts including permissions for each posts
owner_id
share_link
users_that_can_read
users_that_can_edit
If anyone can direct me to a good tutorial or give me a good starting structure for these tables to be efficient and secure.
Maybe I do not see all the complexity of this, so I will appreciate any suggestions.
The problem is that I want more flexible rights management than the WordPress one, which provides user rights levels; the availability of data will be managed by simple subscribers for a lot of things (files, posts, maybe comments, groups and maybe more stuff).
You just need to create three tables: roles, permissions and roles_permission. The roles of the user go in the roles table. The permissions of a user are stored in the permissions table. You can map the roles and permissions of a particular user in the roles_permission table. However, for a more flexible way to add role-based permissions, use the Entrust package, in which you can dynamically add/update/delete the roles and permissions in Laravel.
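The per-post sharing model the question describes (private, secret link, named users, groups, each grant at read or edit level), worked through as an added example that is not part of the question or the answer. It uses Python's sqlite3 so it runs offline; a Laravel app would express the same tables as migrations and the same decision in a Policy. Table names, columns, the two levels and all rows are constructed for the example.

```python
"""Google-Docs-style sharing for posts: owner, secret link, named users and
groups, each grant carrying a level (read or edit).  Added example using
sqlite3; every name and row here is constructed, not from any project."""

import hmac
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE group_members (group_id INTEGER REFERENCES groups(id),
                            user_id  INTEGER REFERENCES users(id),
                            PRIMARY KEY (group_id, user_id));
-- A post is private unless it has a link token or rows in the ACL tables.
CREATE TABLE posts (id INTEGER PRIMARY KEY,
                    owner_id   INTEGER NOT NULL REFERENCES users(id),
                    link_token TEXT UNIQUE,                               -- NULL = no secret link
                    link_level TEXT CHECK (link_level IN ('read', 'edit')));
CREATE TABLE post_user_acl  (post_id INTEGER REFERENCES posts(id),
                             user_id INTEGER REFERENCES users(id),
                             level TEXT NOT NULL CHECK (level IN ('read', 'edit')),
                             PRIMARY KEY (post_id, user_id));
CREATE TABLE post_group_acl (post_id  INTEGER REFERENCES posts(id),
                             group_id INTEGER REFERENCES groups(id),
                             level TEXT NOT NULL CHECK (level IN ('read', 'edit')),
                             PRIMARY KEY (post_id, group_id));
"""
RANK = {'read': 1, 'edit': 2}   # edit implies read


def new_link_token():
    # 256 bits from the OS CSPRNG: a secret link is only as private as its token is unguessable.
    return secrets.token_urlsafe(32)


def open_db():
    """In-memory database with constructed users, one group and two posts."""
    db = sqlite3.connect(':memory:')
    db.executescript(SCHEMA)
    db.executemany('INSERT INTO users VALUES (?, ?)',
                   [(1, 'owner'), (2, 'editor'), (3, 'reader-by-group'), (4, 'stranger')])
    db.execute('INSERT INTO groups VALUES (1, ?)', ('reviewers',))
    db.execute('INSERT INTO group_members VALUES (1, 3)')
    db.execute('INSERT INTO posts VALUES (1, 1, ?, ?)', (new_link_token(), 'read'))  # link-shared
    db.execute('INSERT INTO posts VALUES (2, 1, NULL, NULL)')                         # private
    db.execute('INSERT INTO post_user_acl VALUES (1, 2, ?)', ('edit',))
    db.execute('INSERT INTO post_group_acl VALUES (1, 1, ?)', ('read',))
    db.commit()
    return db


def effective_level(db, user_id, post_id):
    """Highest level granted to the user directly or through any group; 0 if none."""
    row = db.execute("""
        SELECT MAX(CASE level WHEN 'edit' THEN 2 WHEN 'read' THEN 1 ELSE 0 END)
        FROM (SELECT level FROM post_user_acl WHERE post_id = ? AND user_id = ?
              UNION ALL
              SELECT g.level FROM post_group_acl g
                JOIN group_members m ON m.group_id = g.group_id
               WHERE g.post_id = ? AND m.user_id = ?)""",
        (post_id, user_id, post_id, user_id)).fetchone()
    return row[0] or 0


def can(db, user_id, post_id, action, token=None):
    """Authorisation decision for action in {'read', 'edit'}; unknown posts are denied."""
    post = db.execute('SELECT owner_id, link_token, link_level FROM posts WHERE id = ?',
                      (post_id,)).fetchone()
    if post is None:
        return False
    owner_id, link_token, link_level = post
    if user_id == owner_id:
        return True
    needed = RANK[action]
    if effective_level(db, user_id, post_id) >= needed:
        return True
    # Secret link: constant-time comparison so the token cannot be guessed byte by byte.
    if token is not None and link_token is not None and \
            hmac.compare_digest(token.encode(), link_token.encode()):
        return RANK[link_level] >= needed
    return False


if __name__ == '__main__':
    database = open_db()
    print(can(database, 2, 1, 'edit'), can(database, 3, 1, 'edit'), can(database, 4, 2, 'read'))
```

The decision lives in one function and reads only the ACL tables, so "private" needs no flag of its own: a post with no link token and no grants is reachable by its owner alone. Keeping the grants in separate rows rather than in a users_that_can_read column on the post keeps the check an indexed join instead of a string parse.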

How to query for LDAP (Active Directory) deleted objects since a given time?

I need to query for incremental changes from an Active Directory forest using LDAP.
The easy part is to query for incremental updates of objects, and for creation of new objects. For this you can use the whenChanged property.
Example:
(&(objectClass=user)(whenChanged>=20180501000000.0Z))
So far, so good.
But what about querying for deleted records. Is there some way to query LDAP for all items deleted since a given time?
I do know about the fact that Active Directory marks objects for deletion (doesn't actually delete stuff). And I know there is some way to get deleted objects: (See this msdn post)
But I haven't had much luck creating an LDAP query that, against a very vanilla Active Directory server, can get a list of deleted accounts.
Related: LDAP query for deleted users
I tried that suggestion too:
(&(isDeleted=TRUE)(userAccountControl:1.2.840.113556.1.4.803:=512))
Still Nothing.
How can I make this work?
What programming language are you using to make the query? It seems to be an LDAP Extended Control (specifically LDAP_SERVER_SHOW_DELETED_OID) that needs to be enabled as part of the search properties, and not in the LDAP query string itself. So it depends on the implementation of how you're searching.
For example, in .NET, the DirectorySearcher class has a Tombstone property that will enable this.
Or PowerShell's Get-ADObject command has -IncludeDeletedObjects.
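The two halves of the answer put together, as an added example that is not part of the question or the answer: the search must carry the LDAP_SERVER_SHOW_DELETED_OID control (1.2.840.113556.1.4.417) alongside the filter, and what comes back are tombstones whose DN has the form CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,..., which the client then has to unpick. The control is shown as the (OID, criticality, value) tuple that ldap3's search(controls=[...]) takes; that shape is an assumption about the library, and other LDAP libraries wrap controls differently. The entries are constructed, not real search results.

```python
"""Objects deleted since a point in time: build the filter, attach the
show-deleted control, and parse the returned tombstone DNs.  Added example;
SAMPLE_ENTRIES is constructed data and the control tuple shape assumes ldap3."""

import re
from datetime import datetime, timezone

LDAP_SERVER_SHOW_DELETED_OID = '1.2.840.113556.1.4.417'
GENERALIZED_TIME = '%Y%m%d%H%M%S.0Z'


def generalized_time(dt):
    """AD GeneralizedTime literal for a filter, always in UTC (hence the trailing Z)."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def deleted_since_filter(cutoff, object_class='user'):
    # isDeleted marks the tombstone; whenChanged is updated when the object is deleted.
    return '(&(objectClass=%s)(isDeleted=TRUE)(whenChanged>=%s))' % (
        object_class, generalized_time(cutoff))


def show_deleted_control(critical=True):
    # (controlType, criticality, controlValue), the tuple ldap3 accepts in search(controls=[...]).
    return (LDAP_SERVER_SHOW_DELETED_OID, critical, None)


# Tombstone RDN: the original CN, a 0x0A byte rendered as \0A, "DEL:" and the objectGUID.
_TOMBSTONE = re.compile(r'^CN=(?P<name>.*?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),CN=Deleted Objects,')


def parse_tombstone(entry):
    """Recover the original name, objectGUID and last container of a tombstone; None for live objects."""
    m = _TOMBSTONE.match(entry['distinguishedName'])
    if m is None:
        return None
    changed = datetime.strptime(entry['whenChanged'], GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return {'name': m.group('name'),
            'objectGUID': m.group('guid').lower(),
            'lastKnownParent': entry.get('lastKnownParent'),
            'whenChanged': changed}


def deleted_since(entries, cutoff):
    """Tombstones changed at or after cutoff, oldest first; non-tombstone entries are ignored."""
    found = []
    for entry in entries:
        tomb = parse_tombstone(entry)
        if tomb is not None and tomb['whenChanged'] >= cutoff.astimezone(timezone.utc):
            found.append(tomb)
    return sorted(found, key=lambda t: t['whenChanged'])


CUTOFF = datetime(2018, 5, 1, tzinfo=timezone.utc)

# Constructed entries: two tombstones (one older than the cutoff) and one live object.
SAMPLE_ENTRIES = [
    {'distinguishedName': 'CN=Jane Roe\\0ADEL:6f9619ff-8b86-d011-b42d-00c04fc964ff,'
                          'CN=Deleted Objects,DC=dc1,DC=dc2',
     'isDeleted': 'TRUE', 'lastKnownParent': 'OU=Staff,DC=dc1,DC=dc2',
     'whenChanged': '20180503121500.0Z'},
    {'distinguishedName': 'CN=Old Acct\\0ADEL:0b1c2d3e-4f50-6172-8394-a5b6c7d8e9f0,'
                          'CN=Deleted Objects,DC=dc1,DC=dc2',
     'isDeleted': 'TRUE', 'lastKnownParent': 'OU=Staff,DC=dc1,DC=dc2',
     'whenChanged': '20180212080000.0Z'},
    {'distinguishedName': 'CN=Live User,OU=Staff,DC=dc1,DC=dc2',
     'whenChanged': '20180510090000.0Z'},
]

if __name__ == '__main__':
    print(deleted_since_filter(CUTOFF), show_deleted_control())
    for tomb in deleted_since(SAMPLE_ENTRIES, CUTOFF):
        print(tomb['name'], tomb['objectGUID'], tomb['lastKnownParent'])
```

The objectGUID pulled out of the RDN is the stable key to join against the last full export, since the tombstone's name is no longer the name the object had when it was live.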

Generalise LDAP query for groups

I use the following query to find the groups each user is a member of:
(&(objectClass=group)(|(member=cn=UID,OU=ServiceAccounts,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au)(member=cn=UID,OU=BTLY,OU=Sites,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au)))
This query works and runs using the following Base DN:
OU=MC,DC=ads,DC=myCompany,DC=com,DC=au
I have few problems with the query:
I don't like having to use the OR operator to find Service Account users and BTLY users.
I don't want to hard-code the BTLY site, there are others, too.
Ideally, I'd just like to have the query as:
(&(objectClass=group)(|(member=cn=UID,OU=MC,DC=ads,DC=myCompany,DC=com,DC=au))
This way, I don't care whether the user account is a service account nor which site the account belongs to. Unfortunately, that query doesn't work.
Can someone please help me generalise the LDAP query? I'm a bit of a newbie, so I'm most likely missing something completely obvious!
Thanks!
Thanks for the reply. What you've said makes sense, but it doesn't help me, unfortunately. We're using GlassFish (a Java app server), and have configured it to point to the local AD server. Normally, a person can tell GlassFish how to retrieve users, eg
(&(objectCategory=user)(CN=UID))
and GlassFish will pick up all the groups (perhaps by using the memberOf attribute).
This time round we're using a different AD server which hosts a different directory of users. GlassFish isn't able to retrieve the groups by itself. So, there is a field where we can give GlassFish a custom query to find groups. In this field, I've put the query I've posted which works, but is ugly and verbose.
What I'd love to be able to do is:
(&(objectClass=group)(member=cn=UID))
but this doesn't work.
Is there any way to do this?
Thanks,
Muel.
My guess is that using this technique is not possible. You would need to use wildcard here:
(&(objectCategory=group)(member=CN=UID,*))
and this is not acceptable for DN attributes (like the one stored in 'member' property):
http://msdn.microsoft.com/en-us/library/ms676930(v=vs.85).aspx
My suggestion here would be: use some tool to generate 'ugly' query for you (using syntax mentioned above) and "feed" your tool with end result. Can't see any option, sorry...
I'll just try to reformulate your question, but it's too much text for a comment.
You are trying to find all the groups the user CN=UID belongs to, beginning from the node OU=MC,DC=ads,DC=myCompany,DC=com,DC=au.
This can be done by retrieving the memberOf attribute of the user itself. The only problem (perhaps not in your case) is that the primary group is not in this list of DNs; it's coded apart using the primaryGroupId attribute.
So
(&(objectCategory=user)(CN=UID))
will do the job. Test:
ldifde -f t.ldf -D "OU=MC,DC=ads,DC=myCompany,DC=com,DC=au" -r "(&(objectCategory=user)(CN=UID))" -l memberof
Remark: sAMAccountName or userPrincipalName are attributes you can rely on for uniqueness of the entry in Active Directory; that is not the case for CN (an admin can change it).
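The second answer's approach carried through as an added example that is not part of the thread: look the user up once by sAMAccountName under the OU=MC base (so neither the site OU nor the ServiceAccounts OU is hard-coded), read memberOf, and add the primary group, which AD stores as a RID in primaryGroupID and which has to be turned back into a group SID from the user's own objectSid. The directory contents are constructed. It also builds, from the DN that lookup returns, the single transitive-membership filter using AD's LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941); that rule is not mentioned in the thread, and values placed in filters are escaped per RFC 4515 so a sAMAccountName supplied by the application cannot alter the filter.

```python
"""Resolve a user's groups without hard-coding site or service-account OUs:
find the user by sAMAccountName, read memberOf, add the primary group via
SID arithmetic.  Added example; USERS and GROUPS_BY_SID are constructed."""

import re

BASE = 'OU=MC,DC=ads,DC=myCompany,DC=com,DC=au'
DOMAIN = 'DC=ads,DC=myCompany,DC=com,DC=au'
LDAP_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941'


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter (prevents filter injection)."""
    out = []
    for ch in value:
        if ch in '\\*()\0':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def user_lookup_filter(sam_account_name):
    # sAMAccountName is unique within the domain, unlike CN, which an admin can change.
    return '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))' % ldap_escape(sam_account_name)


def nested_groups_filter(user_dn):
    # One query for direct and nested membership, given the DN the lookup above returned.
    return '(&(objectClass=group)(member:%s:=%s))' % (LDAP_MATCHING_RULE_IN_CHAIN, ldap_escape(user_dn))


_DOMAIN_SID = re.compile(r'^(S-1-5-21(?:-\d+){3})-\d+$')


def primary_group_sid(object_sid, primary_group_id):
    """The domain part of the user's SID plus the RID held in primaryGroupID."""
    m = _DOMAIN_SID.match(object_sid)
    if m is None:
        raise ValueError('not a domain account SID: %s' % object_sid)
    return '%s-%d' % (m.group(1), primary_group_id)


# Constructed directory contents standing in for search results, keyed by lower-cased sAMAccountName.
USERS = {
    'uid': {'distinguishedName': 'CN=UID,OU=BTLY,OU=Sites,' + BASE,
            'objectSid': 'S-1-5-21-1111-2222-3333-1105',
            'primaryGroupID': 513,
            'memberOf': ['CN=Developers,OU=Groups,' + BASE, 'CN=VPN Users,OU=Groups,' + BASE]},
}
GROUPS_BY_SID = {
    'S-1-5-21-1111-2222-3333-513': 'CN=Domain Users,CN=Users,' + DOMAIN,
}


def groups_for(sam_account_name, users=USERS, groups_by_sid=GROUPS_BY_SID):
    """All direct groups of the user, primary group included, as sorted DNs; [] if unknown."""
    user = users.get(sam_account_name.lower())
    if user is None:
        return []
    groups = set(user['memberOf'])
    pg_sid = primary_group_sid(user['objectSid'], user['primaryGroupID'])
    if pg_sid in groups_by_sid:
        groups.add(groups_by_sid[pg_sid])
    return sorted(groups)


if __name__ == '__main__':
    print(user_lookup_filter('UID'))
    print(nested_groups_filter(USERS['uid']['distinguishedName']))
    print(groups_for('UID'))
```

Against a live directory the two dictionaries are replaced by a search from BASE with user_lookup_filter and a search for groups by objectSid; the rest of the logic is unchanged.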

How do I accomplish the following in LDAP?

I would like to accomplish this goal using AD/ADAM
The ability to make an email or other attributeClass as part of inetOrgPerson globally unique across entries
The ability to attach a regular expression to an attribute for validation purposes
The ability to provide a constraint of enumerated choices such as choosing from a list of valid state codes in a state attributeClass
You can't do any of that in AD or ADAM. They're just the data storage repository: I'm afraid you'll have to build the validation code yourself.
