
Windows File Access policy odd behaviour dealing with blanks and nulls?

PaulWhite1977_
Not applicable

I've connected the IVE appliance to Microsoft Active Directory and am retrieving the company attribute to dynamically build file UNC paths, e.g.

\\server\share\<userAttr.company>




However if the company attribute is blank the user could potentially list the entire main tree level which I need to avoid.

I was hoping to create a file access policy along the lines of

userAttr.company = '' -> then deny as it's blank and permit all else.

What appears to happen is that if the attribute is blank it is not retrieved in the LDAP lookup and this above condition is never true.

Aside from flipping the logic on its head and listing every case such as:

userAttr.company = 'CUSTOMER' OR userAttr.company = 'SUPPLIER' etc.....

Is there a simple way to check on a File Access policy if the attribute is blank or not returned at all?

Something along the lines of.....

If Not exists userAttr.company or userAttr.company = BLANK -> Deny

1 REPLY
stine_
Super Contributor

Re: Windows File Access policy odd behaviour dealing with blanks and nulls?

Would it be simpler to run an LDAP query against your AD for blank/null values of that field? If blank/null is a valid value, then you'd have to come up with a solution to cause a path other than root to be mapped. If the users never navigate above this directory, you could rename them all "_$directory" and then create an empty, read-only "_" directory so that if the value was blank/null, the end result would still be a subdirectory instead of the root.





Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
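
An added example, not part of either post and not Juniper or Microsoft code: a small Python model of the path expansion in the question and of the "_" prefix workaround in the reply, plus the LDAP presence filter an audit query for users with no company value would use. It assumes a missing attribute is substituted as an empty string; the function names and the sample directory entries are constructed for illustration.

```python
import ntpath

TEMPLATE = r"\\server\share\<userAttr.company>"    # template from the question
PREFIXED = r"\\server\share\_<userAttr.company>"   # "_" rename workaround from the reply

# LDAP presence filter for user objects that have no company value. The thread
# notes a blank attribute is not returned at all, so "blank" is matched as "absent".
AUDIT_FILTER = "(&(objectCategory=person)(objectClass=user)(!(company=*)))"

def company_of(entry):
    """Return the trimmed company value, or '' when absent or whitespace only."""
    values = entry.get("company") or []
    return values[0].strip() if values else ""

def expand(template, entry):
    """Substitute the attribute; assumption: a missing value becomes ''."""
    return template.replace("<userAttr.company>", company_of(entry))

def resolves_to_share_root(path):
    r"""True when the path is only \\server\share with nothing below it."""
    _, rest = ntpath.splitdrive(ntpath.normpath(path))
    return rest.strip("\\") == ""

def audit(entries, template=TEMPLATE):
    """Return the account names whose expanded path is the share root."""
    return [e["sAMAccountName"][0] for e in entries
            if resolves_to_share_root(expand(template, e))]

# Constructed sample entries, shaped like LDAP search results (attribute -> list).
SAMPLE = [
    {"sAMAccountName": ["alice"], "company": ["CUSTOMER"]},
    {"sAMAccountName": ["bob"]},                        # attribute not returned
    {"sAMAccountName": ["carol"], "company": ["  "]},   # whitespace only
]

if __name__ == "__main__":
    print("share root with original template:", audit(SAMPLE))
    print("share root with '_' prefix:", audit(SAMPLE, PREFIXED))
    for e in SAMPLE:
        print(e["sAMAccountName"][0], "->", expand(PREFIXED, e))
```

With the prefixed template, a user with no company value lands in the empty `\\server\share\_` directory rather than at the share root, so the policy fails closed without enumerating every valid company.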