Make strict AD group names optional
@@ -564,7 +564,7 @@ namespace C4IT.LIAM
groupTraverseTag = GetRequiredCustomTag("Filesystem_GroupTraverseTag"),
groupTraverseTag = GetRequiredCustomTag("Filesystem_GroupTraverseTag"),
groupDLTag = requiresDomainLocalTag ? GetRequiredCustomTag("Filesystem_GroupDomainLocalTag") : string.Empty,
groupDLTag = requiresDomainLocalTag ? GetRequiredCustomTag("Filesystem_GroupDomainLocalTag") : string.Empty,
groupGTag = GetRequiredCustomTag("Filesystem_GroupGlobalTag"),
groupGTag = GetRequiredCustomTag("Filesystem_GroupGlobalTag"),
allowExistingGroupWildcardMatch = IsAdditionalConfigurationEnabled("EnsureNtfsPermissionGroupsAllowRegexMatch")
forceStrictAdGroupNames = IsAdditionalConfigurationEnabled("ForceStrictAdGroupNames")
};
};
foreach (var template in BuildSecurityGroupTemplates())
foreach (var template in BuildSecurityGroupTemplates())
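Review bot: Replacing `allowExistingGroupWildcardMatch` with `forceStrictAdGroupNames` inverts the default: wildcard matching of existing AD groups used to be opt-in through `EnsureNtfsPermissionGroupsAllowRegexMatch`, and after this line it is on unless the new `ForceStrictAdGroupNames` key is present, so every deployment that never set the old key silently moves to the permissive mode. The consumer of the flag is the fallback in the later `EnsureADGroup` hunk (`if (existingGroup == null && !ForceStrictAdGroupNames)`), and nothing in the commit logs which mode is in effect or warns when the obsolete key is still configured. At minimum annotate the assignment, `// Wildcard matching of existing groups is now the default; set ForceStrictAdGroupNames to require exact names (replaces EnsureNtfsPermissionGroupsAllowRegexMatch)`, and consider logging the effective mode once at startup so operators notice the change. The object initializer this line belongs to starts before the hunk.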
@@ -51,7 +51,7 @@ namespace C4IT_IAM_SET
public ICollection<string> ownerUserSids;
public ICollection<string> ownerUserSids;
public ICollection<string> readerUserSids;
public ICollection<string> readerUserSids;
public ICollection<string> writerUserSids;
public ICollection<string> writerUserSids;
public bool allowExistingGroupWildcardMatch;
public bool forceStrictAdGroupNames;
public int ReadACLPermission = 0x200A9;
public int ReadACLPermission = 0x200A9;
public int WriteACLPermission = 0x301BF;
public int WriteACLPermission = 0x301BF;
@@ -145,7 +145,7 @@ namespace C4IT_IAM_SET
newSecurityGroups.username = username;
newSecurityGroups.username = username;
newSecurityGroups.domainName = domainName;
newSecurityGroups.domainName = domainName;
newSecurityGroups.password = password;
newSecurityGroups.password = password;
newSecurityGroups.AllowExistingGroupWildcardMatch = allowExistingGroupWildcardMatch;
newSecurityGroups.ForceStrictAdGroupNames = forceStrictAdGroupNames;
try
try
{
{
// ImpersonationHelper.Impersonate(domainName, username, new NetworkCredential("", password).Password, delegate
// ImpersonationHelper.Impersonate(domainName, username, new NetworkCredential("", password).Password, delegate
@@ -277,7 +277,7 @@ namespace C4IT_IAM_SET
username = username,
username = username,
domainName = domainName,
domainName = domainName,
password = password,
password = password,
AllowExistingGroupWildcardMatch = allowExistingGroupWildcardMatch
ForceStrictAdGroupNames = forceStrictAdGroupNames
};
};
}
}
@@ -913,10 +913,10 @@ namespace C4IT_IAM_SET
users = null;
users = null;
newSecurityGroups.EnsureADGroup(groupOUPath, newSecurityGroups.IAM_SecurityGroups[i], users);
newSecurityGroups.EnsureADGroup(groupOUPath, newSecurityGroups.IAM_SecurityGroups[i], users);
if (newSecurityGroups.IAM_SecurityGroups[i].ReusedExistingEntry)
if (newSecurityGroups.IAM_SecurityGroups[i].CreatedNewEntry)
resultToken.reusedGroups.Add(newSecurityGroups.IAM_SecurityGroups[i].Name);
else
resultToken.createdGroups.Add(newSecurityGroups.IAM_SecurityGroups[i].Name);
resultToken.createdGroups.Add(newSecurityGroups.IAM_SecurityGroups[i].Name);
else
resultToken.reusedGroups.Add(newSecurityGroups.IAM_SecurityGroups[i].Name);
}
}
}
}
catch (Exception E)
catch (Exception E)
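Review bot: The swapped branches now file every group with `CreatedNewEntry == false` under `resultToken.reusedGroups`, including groups that `EnsureADGroup` neither adopted nor created: the flag is reset to false at the top of both ensure methods and set true only on the successful create path, so a group that ends in the create method's trailing `else` (or in an exception swallowed inside it, if any) is reported as "reused" when no existing object was bound. The old code misreported the same case as "created", so this is not a regression, but the new wording claims a binding to an existing directory object that did not happen, which is the more misleading outcome for an audit of who received the ACL permissions. A three-valued result removes the ambiguity, `public enum EnsureOutcome { Untouched, Created, Reused }` on `IAM_SecurityGroup` in place of the bool, with `ApplyExistingGroup`, the create path and this reporting branch switching on it. The loop and try block containing these lines start before the hunk.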
@@ -23,7 +23,7 @@ namespace C4IT_IAM_Engine
public string domainName;
public string domainName;
public string username;
public string username;
public SecureString password;
public SecureString password;
public bool AllowExistingGroupWildcardMatch;
public bool ForceStrictAdGroupNames;
public List<IAM_SecurityGroup> IAM_SecurityGroups;
public List<IAM_SecurityGroup> IAM_SecurityGroups;
public string rootUID;
public string rootUID;
@@ -482,7 +482,7 @@ namespace C4IT_IAM_Engine
private void ApplyExistingGroup(IAM_SecurityGroup secGroup, DirectoryEntry existingGroup)
private void ApplyExistingGroup(IAM_SecurityGroup secGroup, DirectoryEntry existingGroup)
{
{
secGroup.ReusedExistingEntry = true;
secGroup.CreatedNewEntry = false;
secGroup.UID = getSID(existingGroup);
secGroup.UID = getSID(existingGroup);
if (existingGroup.Properties.Contains("sAMAccountName") && existingGroup.Properties["sAMAccountName"].Count > 0)
if (existingGroup.Properties.Contains("sAMAccountName") && existingGroup.Properties["sAMAccountName"].Count > 0)
@@ -544,9 +544,9 @@ namespace C4IT_IAM_Engine
LogMethodBegin(MethodBase.GetCurrentMethod());
LogMethodBegin(MethodBase.GetCurrentMethod());
try
try
{
{
secGroup.ReusedExistingEntry = false;
secGroup.CreatedNewEntry = false;
var existingGroup = FindGroupEntry(secGroup.Name);
var existingGroup = FindGroupEntry(secGroup.Name);
if (existingGroup == null && AllowExistingGroupWildcardMatch)
if (existingGroup == null && !ForceStrictAdGroupNames)
existingGroup = FindGroupEntryByWildcard(ouPath, secGroup.WildcardPattern);
existingGroup = FindGroupEntryByWildcard(ouPath, secGroup.WildcardPattern);
if (existingGroup == null)
if (existingGroup == null)
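Review bot: With the condition changed to `!ForceStrictAdGroupNames`, the `FindGroupEntryByWildcard(ouPath, secGroup.WildcardPattern)` fallback runs in every deployment that has not set the new flag, so an existing group whose name merely matches the pattern is adopted with whatever members it already has and then receives the ACL permissions this engine applies. That widens the effective grant beyond the exact-named group and the commit neither logs nor constrains it; whether the wildcard search refuses ambiguous matches cannot be confirmed here because `FindGroupEntryByWildcard` is outside the hunk. When the fallback yields an entry, record which object was adopted, e.g. `DefaultLogger.LogEntry(LogLevels.Debug, $"Existing group adopted by wildcard match: {existingGroup.Path}");` (use a level operators see in production if the logger offers one), and treat more than one wildcard hit as an error rather than a silent first-match. The enclosing method starts before the hunk and continues after it.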
@@ -572,7 +572,7 @@ namespace C4IT_IAM_Engine
LogMethodBegin(MethodBase.GetCurrentMethod());
LogMethodBegin(MethodBase.GetCurrentMethod());
try
try
{
{
secGroup.ReusedExistingEntry = false;
secGroup.CreatedNewEntry = false;
if (!GroupAllreadyExisting(secGroup.Name.ToUpper()))
if (!GroupAllreadyExisting(secGroup.Name.ToUpper()))
{
{
@@ -609,6 +609,7 @@ namespace C4IT_IAM_Engine
var objectid = SecurityGroups.getSID(ent);
var objectid = SecurityGroups.getSID(ent);
DefaultLogger.LogEntry(LogLevels.Debug, $"Security group created in ad: {secGroup.technicalName}");
DefaultLogger.LogEntry(LogLevels.Debug, $"Security group created in ad: {secGroup.technicalName}");
secGroup.UID = objectid;
secGroup.UID = objectid;
secGroup.CreatedNewEntry = true;
return ent;
return ent;
}
}
else
else
@@ -686,7 +687,7 @@ namespace C4IT_IAM_Engine
public string Parent = "";
public string Parent = "";
public string description;
public string description;
public string WildcardPattern;
public string WildcardPattern;
public bool ReusedExistingEntry;
public bool CreatedNewEntry;
public List<IAM_SecurityGroup> memberGroups;
public List<IAM_SecurityGroup> memberGroups;
public string Name;
public string Name;
public string technicalName;
public string technicalName;