Issue Summary

When modifying a property of a user account in an MS Active Directory environment, LAM sends an LDAP modifyRequest with the objectClass attribute and securityPrincipal value even though the original account is not directly associated with this class.

This results in issues for users who have permissions to edit basic LDAP properties (such as telephone or address) but are not allowed to add the objectClass, thereby preventing any modification of such AD accounts.

The default objectClasses for users created (via PowerShell New-ADUser or GUI) in our environment are:

The securityPrincipal is an auxiliary class and therefore not included.

Steps to Reproduce
1. objectClass does not contain securityPrincipal (PowerShell: Get-ADUser -LDAPFilter "(objectClass=securityPrincipal)").
2. modifyRequest is sent with the objectClass attribute and securityPrincipal value. This behavior can be confirmed by observing the request in a running Wireshark session.
Affected Versions