/// <summary> /// Adds the specified access rule to the Discretionary Access Control List (DACL) associated with this /// <see cref="CommonObjectSecurity"/> object. /// </summary> /// <param name="rule">The access rule to add.</param> /// <returns><strong>True</strong> if the access rule was added, otherwise <strong>False</strong>.</returns> /// <remarks> /// The method does nothing if current DACL already contains identity specified in the <strong>rule</strong> /// parameter. DACL merging is not supported. /// </remarks> public Boolean AddAccessRule(CertTemplateAccessRule rule) { AuthorizationRuleCollection rules = GetAccessRules(true, false, typeof(NTAccount)); CertTemplateRights effectiveRuleRights = rule.Rights; if (_schemaVersion == 1 && (rule.Rights & CertTemplateRights.Autoenroll) > 0) { effectiveRuleRights &= ~CertTemplateRights.Autoenroll; } var existingRule = rules .Cast <CertTemplateAccessRule>() .FirstOrDefault(x => x.IdentityReference.Value == rule.IdentityReference.Value && x.AccessControlType == rule.AccessControlType); if (existingRule != null) { RemoveAccessRule(existingRule); var ace = new CertTemplateAccessRule( rule.IdentityReference, effectiveRuleRights | existingRule.Rights, rule.AccessControlType); base.AddAccessRule(ace); return(true); } base.AddAccessRule(rule); return(true); }
void fromActiveDirectorySecurity() { ActiveDirectorySecurity dsSecurity; using (var entry = new DirectoryEntry("LDAP://" + _x500Name)) { dsSecurity = entry.ObjectSecurity; } try { SetOwner(dsSecurity.GetOwner(typeof(NTAccount))); } catch { SetOwner(dsSecurity.GetOwner(typeof(SecurityIdentifier))); } IEnumerable <IdentityReference> users = dsSecurity .GetAccessRules(true, true, typeof(NTAccount)) .Cast <ActiveDirectoryAccessRule>() .Select(x => x.IdentityReference) .Distinct(); foreach (IdentityReference user in users) { foreach (AccessControlType accessType in Enum.GetValues(typeof(AccessControlType))) { CertTemplateRights rights = 0; IEnumerable <ActiveDirectoryAccessRule> aceList = dsSecurity.GetAccessRules(true, true, typeof(NTAccount)) .Cast <ActiveDirectoryAccessRule>() .Where(x => x.IdentityReference == user && x.AccessControlType == accessType); foreach (ActiveDirectoryAccessRule ace in aceList) { ActiveDirectoryRights aceRights = ace.ActiveDirectoryRights; if (aceRights.HasFlag(ActiveDirectoryRights.GenericRead) || aceRights.HasFlag(ActiveDirectoryRights.GenericExecute)) { rights |= CertTemplateRights.Read; } if (aceRights.HasFlag(ActiveDirectoryRights.WriteDacl)) { rights |= CertTemplateRights.Write; } if (aceRights.HasFlag(ActiveDirectoryRights.GenericAll)) { rights |= CertTemplateRights.FullControl; } if (aceRights.HasFlag(ActiveDirectoryRights.ExtendedRight)) { switch (ace.ObjectType.ToString()) { case GUID_ENROLL: rights |= CertTemplateRights.Enroll; break; case GUID_AUTOENROLL: rights |= CertTemplateRights.Autoenroll; break; } } } if (rights > 0) { AddAccessRule(new CertTemplateAccessRule(user, rights, accessType)); } } } }
ActiveDirectorySecurity toAdSecurity(DirectoryEntry entry) { ActiveDirectorySecurity dsSecurity = entry.ObjectSecurity; // clear all existing ACEs dsSecurity .GetAccessRules(true, true, typeof(NTAccount)) .Cast <ActiveDirectoryAccessRule>() .Select(x => x.IdentityReference) .Distinct() .ToList() .ForEach(x => dsSecurity.PurgeAccessRules(x)); // iterate over local ACEs and translate to DS ACL foreach (CertTemplateAccessRule localAce in GetAccessRules(true, false, typeof(NTAccount))) { CertTemplateRights localRights = localAce.Rights; if ((localRights & CertTemplateRights.FullControl) > 0) { var ace = new ActiveDirectoryAccessRule( localAce.IdentityReference, ActiveDirectoryRights.GenericAll, localAce.AccessControlType); dsSecurity.AddAccessRule(ace); continue; } CertTemplateRights rw = localRights & (CertTemplateRights.Read | CertTemplateRights.Write); if (rw > 0) { ActiveDirectoryRights tempRights; if (rw == (CertTemplateRights.Read | CertTemplateRights.Write)) { tempRights = ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.Self | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete | ActiveDirectoryRights.GenericRead | ActiveDirectoryRights.WriteDacl | ActiveDirectoryRights.WriteOwner; } else if (rw == CertTemplateRights.Read) { tempRights = ActiveDirectoryRights.GenericRead; } else { tempRights = ActiveDirectoryRights.Self | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.WriteDacl | ActiveDirectoryRights.WriteOwner; } var ace = new ActiveDirectoryAccessRule( localAce.IdentityReference, tempRights, localAce.AccessControlType); dsSecurity.AddAccessRule(ace); } if ((localRights & CertTemplateRights.Enroll) > 0) { var ace = new ActiveDirectoryAccessRule( localAce.IdentityReference, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ExtendedRight, localAce.AccessControlType, new Guid(GUID_ENROLL)); dsSecurity.AddAccessRule(ace); } if ((localRights & CertTemplateRights.Autoenroll) > 0) { var ace = new ActiveDirectoryAccessRule( localAce.IdentityReference, ActiveDirectoryRights.ExtendedRight, localAce.AccessControlType, new Guid(GUID_AUTOENROLL)); dsSecurity.AddAccessRule(ace); } } return(dsSecurity); }