define frequently used filters and AD UAC filters

2024-01-21 12:53:41 +01:00 · 2024-01-21 12:53:41 +01:00 · 6bf8f8769b
parent cb0d98e4b2
commit 6bf8f8769b
1 changed files with 54 additions and 0 deletions
--- a/pkg/js/libs/ldap/ldap.go
+++ b/pkg/js/libs/ldap/ldap.go
@ -105,6 +105,60 @@ func (c *LdapClient) AuthenticateWithNTLMHash(realm string, username, hash strin
 	return true, nil
 }

+// LDAP makes you search using an OID
+// http://oid-info.com/get/1.2.840.113556.1.4.803
+//
+// The one for the userAccountControl in MS Active Directory is
+// 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND)
+//
+// We can look at the enabled flags using a query like (!(userAccountControl:1.2.840.113556.1.4.803:=2))
+//
+// https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+const (
+	FilterIsPerson                   = "(objectCategory=person)"
+	FilterIsGroup                    = "(objectCategory=group)"
+	FilterIsComputer                 = "(objectCategory=computer)"
+	FilterIsAdmin                    = "(adminCount=1)"
+	FilterLogonScript                = "(userAccountControl:1.2.840.113556.1.4.803:=1)"        // The logon script will be run.
+	FilterAccountDisabled            = "(userAccountControl:1.2.840.113556.1.4.803:=2)"        // The user account is disabled.
+	FilterAccountEnabled             = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"     // The user account is enabled.
+	FilterHomedirRequired            = "(userAccountControl:1.2.840.113556.1.4.803:=8)"        // The home folder is required.
+	FilterLockout                    = "(userAccountControl:1.2.840.113556.1.4.803:=16)"       // The user is locked out.
+	FilterPasswordNotRequired        = "(userAccountControl:1.2.840.113556.1.4.803:=32)"       // No password is required.
+	FilterPasswordCantChange         = "(userAccountControl:1.2.840.113556.1.4.803:=64)"       // The user can't change the password.
+	FilterCanSendEncryptedPassword   = "(userAccountControl:1.2.840.113556.1.4.803:=128)"      // The user can send an encrypted password.
+	FilterIsDuplicateAccount         = "(userAccountControl:1.2.840.113556.1.4.803:=256)"      // It's an account for users whose primary account is in another domain.
+	FilterIsNormalAccount            = "(userAccountControl:1.2.840.113556.1.4.803:=512)"      // It's a default account type that represents a typical user.
+	FilterInterdomainTrustAccount    = "(userAccountControl:1.2.840.113556.1.4.803:=2048)"     // It's a permit to trust an account for a system domain that trusts other domains.
+	FilterWorkstationTrustAccount    = "(userAccountControl:1.2.840.113556.1.4.803:=4096)"     // It's a computer account for a computer that is running old Windows builds.
+	FilterServerTrustAccount         = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"     // It's a computer account for a domain controller that is a member of this domain.
+	FilterDontExpirePassword         = "(userAccountControl:1.2.840.113556.1.4.803:=65536)"    // Represents the password, which should never expire on the account.
+	FilterMnsLogonAccount            = "(userAccountControl:1.2.840.113556.1.4.803:=131072)"   // It's an MNS logon account.
+	FilterSmartCardRequired          = "(userAccountControl:1.2.840.113556.1.4.803:=262144)"   // When this flag is set, it forces the user to log on by using a smart card.
+	FilterTrustedForDelegation       = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"   // When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation.
+	FilterNotDelegated               = "(userAccountControl:1.2.840.113556.1.4.803:=1048576)"  // When this flag is set, the security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.
+	FilterUseDesKeyOnly              = "(userAccountControl:1.2.840.113556.1.4.803:=2097152)"  // Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
+	FilterDontRequirePreauth         = "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"  // This account doesn't require Kerberos pre-authentication for logging on.
+	FilterPasswordExpired            = "(userAccountControl:1.2.840.113556.1.4.803:=8388608)"  // The user's password has expired.
+	FilterTrustedToAuthForDelegation = "(userAccountControl:1.2.840.113556.1.4.803:=16777216)" // The account is enabled for delegation.
+	FilterPartialSecretsAccount      = "(userAccountControl:1.2.840.113556.1.4.803:=67108864)" // The account is a read-only domain controller (RODC).
+
+)
+
+func JoinFilters(filters ...string) string {
+	var builder strings.Builder
+	builder.WriteString("(&")
+	for _, s := range filters {
+		builder.WriteString(s)
+	}
+	builder.WriteString(")")
+	return builder.String()
+}
+
+func NegativeFilter(filter string) string {
+	return fmt.Sprintf("(!%s)", filter)
+}
+
 // Search is a method that uses the already Connect()'ed client to query the LDAP
 // server, works for openldap and for Microsoft's Active Directory Ldap
 //