
Merge pull request #13875 from mayx/HPCC-AADAdministratorsGroup

HPCC-24265 Azure AD has different default administrators group

Reviewed-By: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
Reviewed-By: Russ Whitehead <william.whitehead@lexisnexis.com>
Reviewed-By: Richard Chapman <rchapman@hpccsystems.com>
Richard Chapman 5 年之前
3cff04ba8b

+ 16 - 6
system/security/LdapSecurity/ldapconnection.cpp

@@ -431,7 +431,10 @@ public:
         cfg->getProp(".//@adminGroupName", adminGrp);
         if(adminGrp.isEmpty())
         {
-            adminGrp.set(m_serverType == ACTIVE_DIRECTORY ? "cn=Administrators,cn=Builtin" : "cn=Directory Administrators");
+            if (m_isAzureAD)
+                adminGrp.clear().appendf("cn=%s,ou=%s", AAD_ADMINISTRATORS_GROUP, AAD_USERS_GROUPS_OU);
+            else
+                adminGrp.set(m_serverType == ACTIVE_DIRECTORY ? "cn=Administrators,cn=Builtin" : "cn=Directory Administrators");
         }
         else if (0 == stricmp("Administrators", adminGrp.str()))
         {
@@ -528,7 +531,9 @@ public:
 
         if(sysuser_basedn.length() == 0)
         {
-            if(m_serverType == ACTIVE_DIRECTORY)
+            if (m_isAzureAD)
+                m_sysuser_basedn.appendf("ou=%s", AAD_USERS_GROUPS_OU);
+            else if(m_serverType == ACTIVE_DIRECTORY)
                 LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), m_sysuser_basedn);
             else if(m_serverType == IPLANET)
                 m_sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
@@ -755,7 +760,7 @@ public:
         return m_timeout;
     }
 
-    bool isAzureAD()
+    virtual bool isAzureAD()
     {
         return m_isAzureAD;
     }
@@ -2499,6 +2504,8 @@ public:
                 filter.append("uid=").append(act_name);
 
             basedn = m_ldapconfig->getUserBasedn();
+            if (m_ldapconfig->isAzureAD() && strieq(act_name, m_ldapconfig->getSysUser()))
+                basedn = m_ldapconfig->getSysUserBasedn();
             lookupSid(basedn, filter.str(), act_sid);
             if(act_sid.length() == 0)
             {
@@ -3828,9 +3835,12 @@ public:
             groups.append("Authenticated Users");
             managedBy.append("");
             descriptions.append("");
-            groups.append("Administrators");
-            managedBy.append("");
-            descriptions.append("");
+            if (!m_ldapconfig->isAzureAD())
+            {
+                groups.append("Administrators");
+                managedBy.append("");
+                descriptions.append("");
+            }
         }
         else
         {
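Review bot: In the second hunk (@@ -528) the Azure AD branch fills `m_sysuser_basedn` with `ou=AADDC Users` and nothing else, while the neighbouring Active Directory branch routes through `LdapUtils::normalizeDn("cn=Users", m_basedn.str(), m_sysuser_basedn)`; if normalizeDn is what qualifies the container against `m_basedn`, the Azure value is left relative and the lookup that the fourth hunk (@@ -2499) redirects to `getSysUserBasedn()` would search a DN that does not exist. If a relative value is intended because it is qualified later, a comment on that line would settle it: `// relative to m_basedn; qualified when the search is issued`. Otherwise mirror the AD branch, e.g. `StringBuffer aadOu; aadOu.appendf("ou=%s", AAD_USERS_GROUPS_OU);` followed by `LdapUtils::normalizeDn(aadOu.str(), m_basedn.str(), m_sysuser_basedn);`. The enclosing method starts and ends outside the hunk, so whether `m_basedn` is already set at this point cannot be confirmed from here.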

+ 4 - 0
system/security/LdapSecurity/ldapconnection.hpp

@@ -88,6 +88,9 @@ ldap_compare_ext_s LDAP_P((
 #endif
 #define DEFAULT_LDAP_POOL_SIZE 10
 
+#define AAD_ADMINISTRATORS_GROUP "AAD DC Administrators"
+#define AAD_USERS_GROUPS_OU      "AADDC Users"
+
 // 1 for ActiveDirectory, 2 for iPlanet, 3 for openLdap
 enum LdapServerType
 {
@@ -209,6 +212,7 @@ interface ILdapConfig : extends IInterface
     virtual int getMaxConnections() = 0;
     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype = RT_DEFAULT) = 0;
     virtual int getLdapTimeout() = 0;
+    virtual bool isAzureAD() = 0;
 };
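Review bot: The two new macros in the first hunk (@@ -88) carry no comment, yet their exact spelling is load-bearing: `AAD_ADMINISTRATORS_GROUP` is used both as a DN component (`cn=%s,ou=%s` in ldapconnection.cpp) and as the name passed to `lookupSid` in permissions.cpp, and the inconsistent spacing between `"AAD DC Administrators"` and `"AADDC Users"` looks like a typo to anyone who does not know it is deliberate. A one-line comment above them would prevent a well-meaning "fix": `// Fixed names of the administrators group and users/groups OU as provisioned by Azure AD Domain Services; spacing differs on purpose and must match the directory exactly.` Adding `isAzureAD()` as a pure virtual to `ILdapConfig` in the second hunk also obliges every implementer of the interface to provide it; only the one in ldapconnection.cpp is visible on this page, so any other implementation elsewhere in the tree would need the same addition.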
 
 

+ 15 - 2
system/security/LdapSecurity/permissions.cpp

@@ -1200,7 +1200,7 @@ bool PermissionProcessor::getPermissionsArray(CSecurityDescriptor *sd, IArrayOf<
             account_name.append("everyone");
             act_type = GROUP_ACT;
         }
-        else if(EqualSid(cursid, administrators_psid))
+        else if (!m_ldap_client->queryConfig()->isAzureAD() && EqualSid(cursid, administrators_psid))
         {
             account_name.append("Administrators");
             act_type = GROUP_ACT;
@@ -1456,9 +1456,22 @@ CSecurityDescriptor* PermissionProcessor::createDefaultSD(ISecUser * const user,
     InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
     InitializeAcl(pacl, 1024, ACL_REVISION);
 
+    if (m_ldap_client->getLdapConfig()->isAzureAD() && DEFAULT_ADMINISTRATORS_PERMISSION != SecAccess_None)
+    {
+        MemoryBuffer gmb;
+        lookupSid(AAD_ADMINISTRATORS_GROUP, gmb, GROUP_ACT);
+        psid = (PSID)(gmb.toByteArray());
+        if (psid != nullptr)
+        {
+            rc = AddAccessAllowedAce(pacl, ACL_REVISION, sec2ldap(DEFAULT_ADMINISTRATORS_PERMISSION), psid);
+            if (rc == 0)
+                throw MakeStringException(-1, "Error AddAccessAllowedAce - error code = %d", GetLastError());
+        }
+    }
+
     if(ptype != PT_ADMINISTRATORS_ONLY)
     {
-        MemoryBuffer umb, gmb;
+        MemoryBuffer umb;
         if(user && DEFAULT_OWNER_PERMISSION != SecAccess_None)
         {
             //Add SD for given user
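Review bot: In the second hunk (@@ -1456) the outcome of `lookupSid(AAD_ADMINISTRATORS_GROUP, gmb, GROUP_ACT)` is judged by `psid != nullptr` after `gmb.toByteArray()`, but a group that is not found presumably leaves the buffer empty rather than making the pointer null, and the comparable call site on this page (ldapconnection.cpp, @@ -2499) checks `act_sid.length() == 0` instead; as written, a failed lookup can hand a zero-length SID to `AddAccessAllowedAce`. Because this ACE grants `DEFAULT_ADMINISTRATORS_PERMISSION` (SecAccess_Full), the lookup should fail loudly rather than produce a default descriptor with a bogus or missing administrators entry: `if (gmb.length() == 0) throw MakeStringException(-1, "Azure AD administrators group '%s' not found", AAD_ADMINISTRATORS_GROUP);` before taking `psid`. The same hunk reaches the config through `m_ldap_client->getLdapConfig()` whereas the first hunk uses `m_ldap_client->queryConfig()`; if `getLdapConfig()` follows the usual get/query convention and returns a linked pointer, the inline call leaks a reference on every default SD created, so `queryConfig()` should be used in both places. `psid` and `rc` are declared outside the hunk and createDefaultSD continues beyond it.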

+ 1 - 0
system/security/LdapSecurity/permissions.hpp

@@ -27,6 +27,7 @@ typedef unsigned int DWORD;
 
 #define DEFAULT_OWNER_PERMISSION SecAccess_Full
 #define DEFAULT_AUTHENTICATED_USERS_PERMISSION SecAccess_Full
+#define DEFAULT_ADMINISTRATORS_PERMISSION SecAccess_Full
 
 class CSecurityDescriptor : public CInterface, implements IInterface
 {