3.1.6.17 Set Object Security Using LDAP

This event MUST be generated with the following arguments:

  • iPath: the distinguished name of the object; optional if iGuid is supplied.

  • iGuid: the value of the objectGuid attribute of the object; optional if iPath is supplied.

  • iSecurity: a SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6).

Return Values:

  • rStatus: A DirectoryOperationResult that indicates the result of this directory operation.

The algorithm MUST perform the following actions to process this event:

  • If the value of the CachedConfigurationNamingContext ADM element is an empty string, rStatus MUST be set to DirectoryOperationResult.DirectoryNotConnected, and processing MUST end.

  • Raise a Prepare an LDAP Connection (section 3.1.6.18) event. The event takes no arguments. If the rStatus returned is not DirectoryOperationResult.Success, rStatus MUST be set to DirectoryOperationResult.DirectoryNotConnected, and processing MUST end. Otherwise, let DirectoryServerConnection be a variable of type ADCONNECTION_HANDLE ([MS-DTYP] section 2.2.2), which is initialized to the value returned in rADConnection.

  • If iGuid is supplied, perform the following steps:

    • Raise a Find Object By GUID Using LDAP (section 3.1.6.19) event with the following arguments:

      • iGuid = iGuid

      • iADConnection = DirectoryServerConnection

    • If the value of rStatus returned by the event is not DirectoryOperationResult.Success, rStatus MUST be set to the value of rStatus returned by the event, and processing MUST end.

    • Set iPath to the value of rDN.

  • Construct an LDAPMessage ([RFC2251] section 4.1):

    • messageID = set as described in [RFC2251] section 4.1.1.1.

    • protocolOp = searchRequest

    • controls = none

    • baseObject = iPath

    • scope = baseObject

    • derefAliases = neverDerefAliases

    • sizeLimit = 0

    • timeLimit = 0

    • typesOnly = FALSE

    • filter = "(objectClass=*)"

    • attributes = a one-element list consisting of the string "objectClass"

  • Perform the Performing an LDAP Operation on an ADConnection ([MS-ADTS] section 7.6.1.6) task with the following parameters:

    • TaskInputADConnection = DirectoryServerConnection

    • TaskInputRequestMessage = the LDAPMessage constructed in the preceding step

  • If the value of TaskReturnStatus is not success, as defined in [RFC2251] section 4.1.10, the algorithm MUST perform the following steps:

    • rStatus MUST be set to a DirectoryOperationResult enumeration value according to the conversion rules for TaskReturnStatus specified in section 2.2.6.

    • Raise a Shut Down an LDAP Connection event.

    • Processing MUST end.

  • Construct an LDAPMessage:

    • messageID = set as described in [RFC2251] section 4.1.1.1.

    • protocolOp = searchRequest

    • controls = none

    • baseObject = iPath

    • scope = baseObject

    • derefAliases = neverDerefAliases

    • sizeLimit = 0

    • timeLimit = 0

    • typesOnly = FALSE

    • filter = "(nTSecurityDescriptor=*)"

    • attributes = a one-element list consisting of the string "objectClass"

  • Perform the Performing an LDAP Operation on an ADConnection task with the following parameters:

    • TaskInputADConnection = DirectoryServerConnection

    • TaskInputRequestMessage = the LDAPMessage constructed in the preceding step

  • If the value of TaskReturnStatus is not success, as defined in [RFC2251] section 4.1.10, the algorithm MUST perform the following steps:

    • rStatus MUST be set to a DirectoryOperationResult enumeration value according to the conversion rules for TaskReturnStatus specified in section 2.2.6.

    • Raise a Shut Down an LDAP Connection event.

    • Processing MUST end.

  • Construct an LDAPMessage:

    • messageID = set as described in [RFC2251] section 4.1.1.1.

    • protocolOp = modifyRequest

    • controls = none

    • baseObject = iPath

    • operation = replace

    • modification = an attribute-value pair consisting of "nTSecurityDescriptor" and iSecurity

  • Perform the Performing an LDAP Operation on an ADConnection task with the following parameters:

    • TaskInputADConnection = DirectoryServerConnection

    • TaskInputRequestMessage = the LDAPMessage constructed in the preceding step

  • If the value of TaskReturnStatus is not success, as defined in [RFC2251] section 4.1.10, the algorithm MUST perform the following steps:

    • rStatus MUST be set to a DirectoryOperationResult enumeration value according to the conversion rules for TaskReturnStatus specified in section 2.2.6.

    • Raise a Shut Down an LDAP Connection event.

    • Processing MUST end.

  • Raise a Shut Down an LDAP Connection event.

  • Processing MUST end.
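The following is an added example, not code from the specification, that models the control flow of this event end to end: the ADM precondition, connection preparation, the GUID-to-DN resolution, the two base-scope existence searches, and the final replace of nTSecurityDescriptor, with the connection shut down on every exit path after it was opened. The in-memory FakeADConnection, the Adm record, the DirectoryOperationResult members other than Success and DirectoryNotConnected, the resultCode mapping that stands in for the conversion rules of section 2.2.6, and all directory content (DNs, GUID, the placeholder security descriptor bytes) are constructed assumptions.

```python
"""Runnable model of the Set Object Security Using LDAP event (section 3.1.6.17).

Added example; the fake connection, the result-code mapping and the sample
directory content are assumptions, not part of the specification.
"""
from dataclasses import dataclass, field
from enum import Enum
from itertools import count
from typing import Optional


class DirectoryOperationResult(Enum):
    Success = 0
    DirectoryNotConnected = 1
    ObjectNotFound = 2     # assumed member
    AccessDenied = 3       # assumed member
    UnknownError = 4       # assumed member


# Assumed conversion of an LDAP resultCode ([RFC2251] 4.1.10) to a result value,
# standing in for the conversion rules of section 2.2.6.
_RESULT_CODE_MAP = {
    0: DirectoryOperationResult.Success,
    32: DirectoryOperationResult.ObjectNotFound,   # noSuchObject
    50: DirectoryOperationResult.AccessDenied,     # insufficientAccessRights
}


def convert_task_return_status(result_code: int) -> DirectoryOperationResult:
    return _RESULT_CODE_MAP.get(result_code, DirectoryOperationResult.UnknownError)


@dataclass
class FakeADConnection:
    """Stand-in for ADCONNECTION_HANDLE over a constructed in-memory directory."""
    objects: dict                      # DN -> attribute dict
    writable: set                      # DNs whose security descriptor may be replaced
    requests: list = field(default_factory=list)   # every LDAPMessage performed
    shut_down: bool = False

    def perform(self, message: dict) -> int:
        """Performing an LDAP Operation on an ADConnection; returns the resultCode."""
        self.requests.append(message)
        entry = self.objects.get(message["baseObject"])
        if entry is None:
            return 32                              # noSuchObject
        if message["protocolOp"] == "searchRequest":
            return 0                               # base object exists: success
        if message["baseObject"] not in self.writable:
            return 50                              # insufficientAccessRights
        attr, value = message["modification"]
        entry[attr] = value                        # replace operation
        return 0


@dataclass
class Adm:
    """The ADM elements and lookups this event depends on (constructed)."""
    cached_configuration_naming_context: str
    connection: Optional[FakeADConnection]
    guid_index: dict                   # objectGuid -> DN, used by Find Object By GUID


_message_ids = count(1)                # messageID per [RFC2251] 4.1.1.1


def search_request(base: str, ldap_filter: str) -> dict:
    return {"messageID": next(_message_ids), "protocolOp": "searchRequest",
            "controls": None, "baseObject": base, "scope": "baseObject",
            "derefAliases": "neverDerefAliases", "sizeLimit": 0, "timeLimit": 0,
            "typesOnly": False, "filter": ldap_filter, "attributes": ["objectClass"]}


def modify_request(base: str, attr: str, value: bytes) -> dict:
    return {"messageID": next(_message_ids), "protocolOp": "modifyRequest",
            "controls": None, "baseObject": base, "operation": "replace",
            "modification": (attr, value)}


def prepare_ldap_connection(adm: Adm):
    """Prepare an LDAP Connection (3.1.6.18): succeeds only if a connection exists."""
    if adm.connection is None:
        return DirectoryOperationResult.DirectoryNotConnected, None
    return DirectoryOperationResult.Success, adm.connection


def find_object_by_guid(adm: Adm, guid: str):
    """Find Object By GUID Using LDAP (3.1.6.19), modelled as an index lookup."""
    dn = adm.guid_index.get(guid)
    if dn is None:
        return DirectoryOperationResult.ObjectNotFound, None
    return DirectoryOperationResult.Success, dn


def set_object_security(adm: Adm, i_path=None, i_guid=None, i_security=b""):
    if adm.cached_configuration_naming_context == "":
        return DirectoryOperationResult.DirectoryNotConnected
    status, conn = prepare_ldap_connection(adm)
    if status is not DirectoryOperationResult.Success:
        return DirectoryOperationResult.DirectoryNotConnected
    if i_guid is not None:
        status, dn = find_object_by_guid(adm, i_guid)
        if status is not DirectoryOperationResult.Success:
            return status
        i_path = dn
    # Two base-scope existence checks before the write: the object, then its SD.
    for ldap_filter in ("(objectClass=*)", "(nTSecurityDescriptor=*)"):
        rc = conn.perform(search_request(i_path, ldap_filter))
        if rc != 0:
            conn.shut_down = True                  # Shut Down an LDAP Connection
            return convert_task_return_status(rc)
    rc = conn.perform(modify_request(i_path, "nTSecurityDescriptor", i_security))
    conn.shut_down = True                          # Shut Down an LDAP Connection
    return convert_task_return_status(rc)


# Constructed sample directory content (not real values).
CA_DN = ("CN=ExampleCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,"
         "CN=Configuration,DC=example,DC=com")
CA_GUID = "11111111-2222-3333-4444-555555555555"  # constructed objectGuid
NEW_SD = b"\x01\x00\x04\x80" + b"\x00" * 16      # constructed placeholder, not a real SD


def make_adm(connected: bool = True, writable: bool = True) -> Adm:
    objects = {CA_DN: {"objectClass": ["pKIEnrollmentService"],
                       "nTSecurityDescriptor": b"old"}}
    conn = FakeADConnection(objects, {CA_DN} if writable else set())
    nc = "CN=Configuration,DC=example,DC=com" if connected else ""
    return Adm(nc, conn, {CA_GUID: CA_DN})
```

Calling set_object_security(make_adm(), i_guid=CA_GUID, i_security=NEW_SD) performs exactly three LDAP operations (two searches, one modify) and leaves the connection shut down; a missing object stops after the first search with ObjectNotFound, and a write the caller is not permitted to make returns AccessDenied while the stored descriptor is left untouched.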