Labels: enhancement (New feature or request)
Description
@kbisignani was able to utilize LdapTools' ntSecurityDescriptor classes to be able to update them in LdapRecord.
use LdapTools\Security\Ace\Ace;
use LdapTools\Security\Ace\AceRights;
use LdapTools\Security\SecurityDescriptor;
use LdapTools\Security\SID;

$sd = new SecurityDescriptor($user->getAttribute('ntsecuritydescriptor')[0]);

// Flip the Everyone ACE type to deny for the 'WD' SID ('WD' is the SID short name for "Everyone").
foreach ($sd->getDacl()->getAces() as $ace) {
    if ((string) $ace->getTrustee() === SID::SHORT_NAME['WD'] && (string) $ace->getObjectType() === AceRights::EXTENDED['CHANGE_PASSWORD']) {
        $ace->setType('OD');
    }
}

// OD is short for an object deny ace type...
$ace = (new Ace('OD'))
    // The SID of the user being granted the right ('PS' is the SID short name for "Principal Self").
    ->setTrustee('PS')
    // This is an extended access right for "User cannot change password"...
    ->setObjectType(AceRights::EXTENDED['CHANGE_PASSWORD'])
    // This sets the ACE with the "Control Access" right...
    ->setRights(new AceRights(AceRights::SHORT_NAME['CR']));

$sd->getDacl()->addAce($ace);

// Now set the new Security Descriptor value and save it
$user->setAttribute('ntSecurityDescriptor', $sd->toBinary());
$user->save();

LdapTools is MIT so we can port some of these utilities over and maintain credit to the original author with an @author tag.
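The snippet above writes the two deny ACEs that make up "User cannot change password". The read-only counterpart, auditing whether an account already carries both, is the check a defender usually wants before or after such a change. The function below is an added example, not code from this issue, LdapRecord, or LdapTools. It relies on the same LdapTools calls the issue uses (`SecurityDescriptor`, `getDacl()->getAces()`, `getTrustee()`, `getObjectType()`, `SID::SHORT_NAME`, `AceRights::EXTENDED`) and additionally assumes that casting `$ace->getType()` to string yields the SDDL short type name such as `D` or `OD`; that last point is an assumption about LdapTools, not something the issue confirms.

```php
<?php
// Added audit example (not code from the issue, LdapRecord, or LdapTools).
// Assumes the LdapTools API used in the issue above, plus that casting
// $ace->getType() to string yields the SDDL short name ('D', 'OD', ...),
// which is an assumption about LdapTools rather than a documented fact here.

use LdapTools\Security\Ace\AceRights;
use LdapTools\Security\SecurityDescriptor;
use LdapTools\Security\SID;

/**
 * Report whether a user's ntSecurityDescriptor carries the two deny ACEs that
 * Active Directory uses for "User cannot change password": a deny on the
 * change-password extended right for Everyone ('WD') and for Principal Self ('PS').
 *
 * @param string $binarySd Raw ntSecurityDescriptor value as read from LDAP.
 * @return array{everyone: bool, self: bool, set: bool}
 */
function auditCannotChangePassword(string $binarySd): array
{
    $sd = new SecurityDescriptor($binarySd);
    $denied = ['everyone' => false, 'self' => false];

    foreach ($sd->getDacl()->getAces() as $ace) {
        // Only object-specific ACEs on the change-password right are relevant.
        if ((string) $ace->getObjectType() !== AceRights::EXTENDED['CHANGE_PASSWORD']) {
            continue;
        }

        // 'D' and 'OD' are the SDDL short names for access-denied ACE types
        // (assumed string form of the ACE type, see the lead-in above).
        if (!in_array((string) $ace->getType(), ['D', 'OD'], true)) {
            continue;
        }

        $trustee = (string) $ace->getTrustee();
        if ($trustee === SID::SHORT_NAME['WD']) {
            $denied['everyone'] = true;
        } elseif ($trustee === SID::SHORT_NAME['PS']) {
            $denied['self'] = true;
        }
    }

    // The setting is only fully in effect when both deny entries are present.
    $denied['set'] = $denied['everyone'] && $denied['self'];

    return $denied;
}

// Usage (assumes $user is an LdapRecord model with the attribute already loaded):
// $result = auditCannotChangePassword($user->getAttribute('ntsecuritydescriptor')[0]);
// if (!$result['set']) { /* report the account for review */ }
```

Reporting `everyone` and `self` separately, rather than a single boolean, makes a half-applied change visible: an account with only one of the two deny entries is exactly the state a partial write of the snippet above would leave behind. One caveat the issue does not cover: Windows evaluates a DACL in order and AD expects explicit denies ahead of explicit allows (canonical order), so a deny ACE appended after a matching allow may not take effect even though this audit counts it; checking ACE order is a separate step.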