Can't add over 15 ACEs to an ACL using WebDAV?

Post by Ryan Patrid » Thu, 23 Aug 2001 02:24:08



I've created a little VB app that allows me to automatically create
generic appointment items in an E2K public folder, and automatically
manipulate the ACLs of those items, all using WebDAV.  I'm doing this
so I can attempt to measure/quantify E2K's capacity to serve folders
containing large numbers of items (1000+ items), each with a long and
unique ACL (containing 100+ ACEs).

The application seems to work great, except I get an "HTTP 400: Bad
Request" error whenever I attempt to add more than 15 ACEs to an
item's ACL at one time  (using WebDAV).  I have no problem using
WebDAV to add more than 15 ACEs to an item's ACL, so long as I do it
15 or fewer ACEs at a time.  I imagine this "only up to 15 ACEs at a
time" limitation has something to do with how E2K/WSS is programmed to
handle incoming WebDAV commands, but I'm not sure.  I can't find
documentation about this anywhere.

Can anyone confirm that this is indeed a "limitation" with Exchange
2000 or the web storage system?  Could you point me to documentation
that discusses this?  Does anyone know if there is an upper limit to
the number of ACEs an item's ACL can have, or an upper limit to the
number of items a folder can have?  Does anyone happen to have
quantifiable data about how well E2K handles folders with large
numbers of items with long and (somewhat) unique ACLs?  Thanks for any
information!

Ryan Patridge
Motorola
Collaboration Tools Development

 
 
 

Can't add over 15 ACEs to an ACL using WebDAV?

Post by Benjamin Binfor » Fri, 24 Aug 2001 04:35:54


I ran into a similar problem setting Exchange Role membership using the xml
format, i.e. properties like
http://schemas.microsoft.com/mapi/proptag/x3d250000 (xml) rather than
http://schemas.microsoft.com/mapi/proptag/x3d250102 (binary). If you don't
know what I'm talking about with roles hit
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnme...
l/secroles.asp to give you a pretty good tutorial. Using webdav to set the
xml format seemed to work correctly until I got up to around 50 users in the
role, at which point it broke down completely and I started getting 400 bad
request errors. The good news is that I was able to work around it, so I
suspect you will be able to as well. The bad news is you have to give up
setting the nice xml format, and start using the binary format.

You can hit the binary descriptor directly using the property
http://schemas.microsoft.com/exchange/ntsecuritydescriptor. You'll also need
some facility with C/C++, as most of the Security APIs for dealing with
descriptors do not deal with VB or J++ all that well.

As far as performance goes, I haven't noticed any problems using large
numbers of users in my roles. Since an ACE is spliced into the ACL at
runtime for each user in the role, I suspect that Exchange handles large
numbers of unique ACEs extremely well. I've also noticed that dealing
directly with the binary formats for these kinds of things is a significant
performance win.


> I've created a little VB app that allows me to automatically create
> generic appointment items in an E2K public folder, and automatically
> manipulate the ACLs of those items, all using WebDAV.  I'm doing this
> so I can attempt to measure/quantify E2K's capacity to serve folders
> containing large numbers of items (1000+ items), each with a long and
> unique ACL (containing 100+ ACEs).

> The application seems to work great, except I get an "HTTP 400: Bad
> Request" error whenever I attempt to add more than 15 ACEs to an
> item's ACL at one time  (using WebDAV).  I have no problem using
> WebDAV to add more than 15 ACEs to an item's ACL, so long as I do it
> 15 or fewer ACEs at a time.  I imagine this "only up to 15 ACEs at a
> time" limitation has something to do with how E2K/WSS is programmed to
> handle incoming WebDAV commands, but I'm not sure.  I can't find
> documentation about this anywhere.

> Can anyone confirm that this is indeed a "limitation" with Exchange
> 2000 or the web storage system?  Could you point me to documentation
> that discusses this?  Does anyone know if there is an upper limit to
> the number of ACEs an item's ACL can have, or an upper limit to the
> number of items a folder can have?  Does anyone happen to have
> quantifiable data about how well E2K handles folders with large
> numbers of items with long and (somewhat) unique ACLs?  Thanks for any
> information!

> Ryan Patridge
> Motorola
> Collaboration Tools Development
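The binary route Benjamin describes, as an added example that is not code from either post: a Python 3 script that encodes a self-relative security descriptor byte for byte (the same layout the Windows security APIs produce, so no C/C++ is needed just to build one), reads its ACE count back as a self-check, and wraps it base64-encoded in a PROPPATCH body for the http://schemas.microsoft.com/exchange/ntsecuritydescriptor property. The SIDs, the access mask and the dt:dt typing attribute on the property element are constructed assumptions; the script emits a plain self-relative descriptor and assumes nothing about any store-specific prefix Exchange may place in front of it, so compare its output with a PROPFIND of the property on a real item before relying on the exact wire format.

```python
"""Encode a self-relative Windows security descriptor and wrap it in a WebDAV
PROPPATCH body. Added example for this thread, not code from the original
posts; all SIDs and the access mask are constructed sample values."""
import base64
import struct

# Field values from winnt.h (SECURITY_DESCRIPTOR_CONTROL, ACL and ACE headers).
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION = 2
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
SD_HEADER_LEN = 20        # SECURITY_DESCRIPTOR_RELATIVE: revision, sbz, control, 4 offsets
ACL_HEADER_LEN = 8
SAMPLE_MASK = 0x00120089  # constructed sample mask, not a real Exchange right set

def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 6-byte
    big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def build_ace(ace_type, mask, sid, flags=0):
    """ACE_HEADER (type, flags, size) + ACCESS_MASK + trustee SID."""
    sid_bytes = sid_to_bytes(sid)
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid_bytes), mask) + sid_bytes

def build_acl(aces):
    """ACL header followed by the ACEs. AclSize and AceCount are 16-bit fields,
    so the encoder refuses a DACL the format itself cannot describe."""
    body = b"".join(aces)
    size = ACL_HEADER_LEN + len(body)
    if size > 0xFFFF or len(aces) > 0xFFFF:
        raise ValueError("DACL too large for the ACL header fields")
    return struct.pack("<BBHHH", ACL_REVISION, 0, size, len(aces), 0) + body

def build_self_relative_sd(owner_sid, group_sid, dacl):
    """SECURITY_DESCRIPTOR_RELATIVE: revision, control, then byte offsets of
    the owner SID, group SID, SACL (0 = none) and DACL inside this buffer."""
    owner, group = sid_to_bytes(owner_sid), sid_to_bytes(group_sid)
    off_owner = SD_HEADER_LEN
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl

def count_dacl_aces(sd):
    """Read AceCount back out of the DACL header (a cheap self-check before the
    blob goes on the wire)."""
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return 0
    return struct.unpack_from("<H", sd, off_dacl + 4)[0]

def proppatch_body(sd):
    """PROPPATCH body setting the descriptor in a single request. The dt:dt
    base64 typing attribute is an assumption about how Exchange 2000 expects
    binary property values; confirm it against a PROPFIND of the same property."""
    b64 = base64.b64encode(sd).decode("ascii")
    return (
        '<?xml version="1.0"?>\n'
        '<a:propertyupdate xmlns:a="DAV:" xmlns:e="http://schemas.microsoft.com/exchange/"\n'
        '    xmlns:dt="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">\n'
        '  <a:set><a:prop>\n'
        f'    <e:ntsecuritydescriptor dt:dt="bin.base64">{b64}</e:ntsecuritydescriptor>\n'
        '  </a:prop></a:set>\n'
        '</a:propertyupdate>\n'
    )

def sample_sd(n_trustees):
    """Descriptor granting SAMPLE_MASK to n constructed domain users (RIDs 1100+)."""
    aces = [build_ace(ACCESS_ALLOWED_ACE_TYPE, SAMPLE_MASK,
                      "S-1-5-21-1000-2000-3000-%d" % (1100 + i))
            for i in range(n_trustees)]
    # Owner and group are constructed values (BUILTIN\Administrators here).
    return build_self_relative_sd("S-1-5-32-544", "S-1-5-32-544", build_acl(aces))

if __name__ == "__main__":
    sd = sample_sd(100)
    print("100-ACE descriptor: %d bytes, %d ACEs read back" % (len(sd), count_dacl_aces(sd)))
    print(proppatch_body(sd)[:200] + "...")
```

With 100 trustees the descriptor is 3,660 bytes (36 bytes per ACE plus fixed headers), which goes out in one request instead of seven batches of 15. The 16-bit AclSize field caps a DACL at 64 KiB, and the builder refuses to go past it rather than hand the server a descriptor it cannot parse; if a 400 still comes back with a well-formed binary value, the limit is on the server side and worth raising with the product group rather than working around.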


 
 
 

Can't add over 15 ACEs to an ACL using WebDAV?

Post by Ryan Patrid » Sat, 25 Aug 2001 23:55:22


Very helpful Benjamin, thanks for the information. I wonder why yours
started erroring at 50 ACEs and mine at 15.  Anyone have any idea?
Maybe it's not the number of users, but the size of the WebDAV XML
string that matters?

I guess it's time to bring it back to the old skool binary
descriptors.  I was beginning to feel wrong about using the XML
descriptors anyway...they were way too easy to work with!

 
 
 

1. adding an ace to an AD property acl

I need to give users the ability to update specific properties on AD objects
but am having trouble retrieving security descriptors on individual AD
object attributes.

I am using ADSI (of course) and ADsSecurity.dll to do this.  My best attempt
thus far (which failed with a "catastrophic failure") is below.

A pointer would be greatly appreciated.

thanks,
bob

---------------------------------------------
Public Sub grant ( ByVal iadObj As IADs, _
                             ByVal dnTrustee As String, _
                             ByVal strAttribute As String )

    ' ADsSecurity object from ADsSecurity.dll (the project must reference it)
    Dim ADsSecure As New ADsSecurity

    Dim sd As IADsSecurityDescriptor
    Dim dacl As IADsAccessControlList
    Dim ace As AccessControlEntry

    Dim propList As IADsPropertyList
    Dim propEntry As IADsPropertyEntry

    ' create new ace granting the trustee generic write
    Set ace = New AccessControlEntry
    With ace
        .AceType = ADS_ACETYPE_ACCESS_ALLOWED
        .Trustee = dnTrustee
        .AccessMask = ADS_RIGHT_GENERIC_WRITE
    End With

    ' retrieve the attribute object
    ' (GetInfo is an IADs method, not an IADsPropertyList one: fill the
    ' property cache on the object, then look the attribute up in it)
    iadObj.GetInfo
    Set propList = iadObj
    Set propEntry = propList.GetPropertyItem ( _
                        strAttribute, _
                        ADSTYPE_CASE_IGNORE_STRING )

    ' set the acl on that property
    Set sd = ADsSecure.GetSecurityDescriptor(propEntry)    ' BOOM!!!
    Set dacl = sd.DiscretionaryAcl
    dacl.AddAce ace
    Set sd.DiscretionaryAcl = dacl
    ADsSecure.SetSecurityDescriptor sd

End Sub
---------------------------------------------
