I'm using the following C# .NET Core code to read the ntSecurityDescriptor
attribute of objects from an Active Directory server.
I'm using the Novell.Directory.Ldap library because I need this code to run on a Linux machine.
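// NOTE(review): SecureSocketLayer = false means the simple Bind() below sends _password in
// cleartext on the wire. Against a real domain controller use LDAPS (SecureSocketLayer = true,
// usually port 636) or call ldapConnection.StartTls() before Bind().
using (var ldapConnection = new LdapConnection { SecureSocketLayer = false })
{
    ldapConnection.Connect(_ldapHost, _ldapPort);
    ldapConnection.Bind(_loginDN, _password);

    // LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801). The control value is the BER encoding
    // of SEQUENCE { INTEGER 7 }, i.e. OWNER | GROUP | DACL. The SACL bit (8) is deliberately
    // not requested: reading it needs SeSecurityPrivilege, which an ordinary bind account lacks.
    var constraints = new LdapSearchConstraints();
    constraints.SetControls(new LdapControl("1.2.840.113556.1.4.801", true,
        new byte[] { 48, 3, 2, 1, 7 }));
    ldapConnection.Constraints = constraints;

    // NOTE(review): in AD, computer objects are also objectClass=user; use
    // (&(objectCategory=person)(objectClass=user)) if only user accounts are wanted.
    var searchFilter = "(objectClass=user)";

    // Only the security descriptor is consumed below, so ask for just that attribute instead
    // of every attribute of every object (null), which is a lot of traffic on a large domain.
    var searchResults = ldapConnection.Search(
        _searchBase,
        LdapConnection.ScopeSub,
        searchFilter,
        new[] { "nTSecurityDescriptor" },
        false
    );

    var accessRules = new List<ActiveDirectoryAccessRule>();
    while (searchResults.HasMore())
    {
        var entry = searchResults.Next();
        var descriptorAttribute = entry.GetAttributeSet().GetAttribute("nTSecurityDescriptor");
        var rawDescriptor = descriptorAttribute?.ByteValue;
        if (rawDescriptor is null)
        {
            // The attribute is only returned for objects the bound account may read;
            // skip those rather than dereferencing null.
            continue;
        }

        // isContainer = true, isDS = true: AD objects are containers and the descriptor is a
        // directory-service descriptor, so object ACEs (ObjectAce) are valid in the DACL.
        var security = new CommonSecurityDescriptor(true, true, rawDescriptor, 0);

        // Note: a local named 'acl' must not be reused here — the original declared an unused
        // 'acl' in the enclosing scope and then a foreach variable of the same name (CS0136).
        foreach (GenericAce ace in security.DiscretionaryAcl)
        {
            if (ace is not QualifiedAce qualifiedAce)
            {
                // CustomAce carries neither a mask nor a SID; the unchecked (KnownAce) cast
                // would have thrown InvalidCastException on such an entry.
                continue;
            }

            // Object-specific ACEs carry the object/inherited-object type GUIDs; plain ACEs do not.
            var objectAce = ace as ObjectAce;

            accessRules.Add(new ActiveDirectoryAccessRule(
                qualifiedAce.AccessMask,
                qualifiedAce.SecurityIdentifier.Value,
                qualifiedAce.AceQualifier,
                ace.IsInherited,
                objectAce?.ObjectAceType ?? Guid.Empty,
                objectAce?.InheritedObjectAceType ?? Guid.Empty,
                objectAce?.ObjectAceFlags ?? ObjectAceFlags.None,
                ace.PropagationFlags
            ));
        }
    }
}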
The problem is that the System.Security.AccessControl types (CommonSecurityDescriptor,
KnownAce, QualifiedAce, ObjectAce, etc.) are only supported on Windows.
How can I get this info on a linux machine?
I used the Mono project's objects and code instead of Microsoft's, e.g. CommonSecurityDescriptor.