3.2.5.3 Policy State Configuration

After all the distinguished name values are retrieved, the CSE MUST perform the following steps for each entry in the CentralAccessPolicyDNList ADM element. If any LDAP operation performed while processing an entry fails, the corresponding CentralAccessPolicyDNList entry MUST be ignored as a whole and processing continues with the next entry; because each entry is a CAP distinguished name, a failure while binding to or reading one of the CAP's CAR objects discards that CAP, not just the single rule.

  1. Perform an LDAP bind to the CAP object in Active Directory by using the LDAP distinguished name specified by the CentralAccessPolicyDNList ADM element entry value, as created in section 3.2.5.2.

  2. Create a new CentralAccessPolicy ADM element and add it to the CentralAccessPoliciesList ADM element. Populate the fields of this element as follows:

    • Set the value of the CAPID field of this new CentralAccessPolicy ADM element to the value obtained by performing an LDAP read of the msAuthz-CentralAccessPolicyID attribute on the object that was bound to in step 1.

    • Set the CentralAccessPolicyDN ADM field value of this new entry to the LDAP distinguished name of the CAP object that was bound to in step 1.

    • Create a new CentralAccessPolicyRulesList ADM structure.

    • Perform an LDAP read of the msAuthz-MemberRulesInCentralAccessPolicy attribute of the CAP object bound to in step 1 to obtain the list of distinguished names of the CAR objects that are members of this policy. If this list is empty, ignore this CentralAccessPolicyDNList entry.

    • For each CAR object distinguished name in the list obtained in step 2 bullet 4, create a new CentralAccessPolicyRule ADM structure, perform an LDAP bind on the CAR object by using that distinguished name, and then do the following:

      • Set the value of the AppliesToPredicate ADM element field of the EffectiveCentralAccessPolicy ADM element field of the CentralAccessPolicyRule structure to the binary equivalent of the security descriptor definition language (SDDL) ([MS-DTYP] section 2.5.1) string value obtained by performing an LDAP read of the msAuthz-ResourceCondition attribute of the CAR object bound to in step 2 bullet 5.

      • Set the value of the AccessCondition ADM element field of the EffectiveCentralAccessPolicy ADM element field of the CentralAccessPolicyRule structure to the binary equivalent of the SDDL string value obtained by performing an LDAP read of the msAuthz-EffectiveSecurityPolicy attribute of the CAR object bound to in step 2 bullet 5.

      • Set the value of the AppliesToPredicate ADM element field of the StagedCentralAccessPolicy ADM element field of the CentralAccessPolicyRule structure to the binary equivalent of the SDDL string value obtained by performing an LDAP read of the msAuthz-ResourceCondition attribute of the CAR object bound to in step 2 bullet 5. This is the same value that was set in the AppliesToPredicate field of the EffectiveCentralAccessPolicy: the effective and staged policies of a rule share one resource condition and differ only in their access condition.

      • Set the value of the AccessCondition ADM element field of the StagedCentralAccessPolicy ADM element field of the CentralAccessPolicyRule structure to the binary equivalent of the SDDL string value obtained by performing an LDAP read of the msAuthz-ProposedSecurityPolicy attribute of the CAR object bound to in step 2 bullet 5.

      • Add the populated CentralAccessPolicyRule ADM structure to the CentralAccessPolicyRulesList ADM structure created in step 2 bullet 3.

  3. Add the CentralAccessPolicyRulesList ADM structure created in step 2 bullet 3 to the CentralAccessPolicy ADM structure created in step 2.
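The following PowerShell script is an added illustration of steps 1 through 3 above and is not part of [MS-GPCAP] or of any Microsoft implementation. It performs the LDAP binds and reads through the ActiveDirectory module's Get-ADObject cmdlet, mirrors the ADM structures as nested objects, and applies the two skip rules of this section (any failed LDAP operation drops the whole CAP entry; a CAP with an empty msAuthz-MemberRulesInCentralAccessPolicy is ignored). It assumes, as the section states, that each msAuthz-* attribute holds a complete SDDL string; the conversion of that string to its binary (self-relative security descriptor) form uses the .NET RawSecurityDescriptor class, which is an implementation choice of this example, not something the specification prescribes. Treating a conversion failure like an LDAP failure is likewise an assumption of the example.

```powershell
# Added example, not from MS-GPCAP. Requires the ActiveDirectory (RSAT) module on a
# domain-joined Windows host with read access to the CAP and CAR objects.
Import-Module ActiveDirectory

function ConvertTo-SddlBinary {
    # Binary equivalent of an SDDL string ([MS-DTYP] 2.5.1) as a self-relative
    # SECURITY_DESCRIPTOR byte array. Assumption: an absent attribute yields $null.
    param([string]$Sddl)
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    return $bytes
}

function Get-CentralAccessPolicyState {
    # Builds the CentralAccessPoliciesList from a list of CAP distinguished names
    # (the CentralAccessPolicyDNList produced in section 3.2.5.2).
    param([Parameter(Mandatory)][string[]]$CentralAccessPolicyDNList)

    $CentralAccessPoliciesList = @()
    foreach ($capDn in $CentralAccessPolicyDNList) {
        try {
            # Step 1 and step 2 bullets 1, 2 and 4: bind to the CAP and read its attributes.
            $cap = Get-ADObject -Identity $capDn -ErrorAction Stop `
                -Properties 'msAuthz-CentralAccessPolicyID', 'msAuthz-MemberRulesInCentralAccessPolicy'

            $ruleDns = @($cap.'msAuthz-MemberRulesInCentralAccessPolicy')
            if ($ruleDns.Count -eq 0) {
                Write-Verbose "CAP $capDn has no member rules; ignoring entry"
                continue
            }

            # Step 2 bullet 3: a fresh CentralAccessPolicyRulesList for this CAP.
            $rulesList = @()
            foreach ($carDn in $ruleDns) {
                # Step 2 bullet 5: bind to each CAR and read its three SDDL attributes.
                $car = Get-ADObject -Identity $carDn -ErrorAction Stop `
                    -Properties 'msAuthz-ResourceCondition',
                                'msAuthz-EffectiveSecurityPolicy',
                                'msAuthz-ProposedSecurityPolicy'

                # One resource condition is shared by the effective and staged policies.
                $appliesTo = ConvertTo-SddlBinary $car.'msAuthz-ResourceCondition'
                $rulesList += [pscustomobject]@{
                    CentralAccessRuleDN          = $car.DistinguishedName
                    EffectiveCentralAccessPolicy = [pscustomobject]@{
                        AppliesToPredicate = $appliesTo
                        AccessCondition    = ConvertTo-SddlBinary $car.'msAuthz-EffectiveSecurityPolicy'
                    }
                    StagedCentralAccessPolicy    = [pscustomobject]@{
                        AppliesToPredicate = $appliesTo
                        AccessCondition    = ConvertTo-SddlBinary $car.'msAuthz-ProposedSecurityPolicy'
                    }
                }
            }

            # Step 3: attach the populated rules list to the CentralAccessPolicy element.
            $CentralAccessPoliciesList += [pscustomobject]@{
                CAPID                        = $cap.'msAuthz-CentralAccessPolicyID'
                CentralAccessPolicyDN        = $cap.DistinguishedName
                CentralAccessPolicyRulesList = $rulesList
            }
        }
        catch {
            # A failed LDAP operation (or, by this example's choice, a failed SDDL
            # conversion) anywhere in the CAP's processing drops the whole CAP entry.
            Write-Warning "Ignoring CAP entry $capDn : $($_.Exception.Message)"
        }
    }
    return $CentralAccessPoliciesList
}

# Example invocation with hypothetical CAP distinguished names (constructed, not real):
$state = Get-CentralAccessPolicyState -Verbose -CentralAccessPolicyDNList @(
    'CN=Finance Documents,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=example',
    'CN=HR Records,CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=example'
)
$state | Format-List
```

The CAP objects live under CN=Central Access Policies in the Claims Configuration container of the Configuration naming context; the DNs above are placeholders for whatever the section 3.2.5.2 processing produced in a given forest. Because the CAPID and the two access conditions are what the file server later enforces, the script deliberately keeps the CAP's DistinguishedName alongside the CAPID so that an operator can trace a policy that was silently dropped by the skip rules back to the object that caused it.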