This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
In [Microsoft Active Directory] the [{$pagename}] contains the value for the [Security Identifier] ([SID]) of the entry.
!! [{$pagename}] Trouble
[{$pagename}] is painful to work with from [LDAP].
The binary data is in the form:
* [byte](0) - The revision level of the [SID] structure
* [byte](1) - count of sub-authorities that follow
* [byte](2-7) - A 48-bit identifier authority value that identifies the authority that issued this [SID] (in [Big-Endian] format)
* A variable number (the count from byte 1) of 32-bit [Little-Endian] sub-authority values; the last of these is the [Relative IDentifier] ([RID]) that uniquely identifies the [trustee] __''relative''__ to the authority that issued this [SID]
Then you end up with something like:\\
(1,5,0,0,0,0,0,5,21,0,0,0,37,-20,73,58,97,-107,0,-80,109,-55,112,10,47,-24,5,0)
The last sub-authority of a [SID] is known as the [Relative IDentifier] ([RID]), and it is this [RID] that differentiates objects within the same [AD DOMAIN]. This means that by replacing the [RID] in a [SID] you can generate the [SID] of a different object in that domain. The '[primaryGroupID]' attribute of the 'user' class is a [RID], so we can take the [SID] of the user, replace the [RID] part with the [primaryGroupID], and then look up the group in [LDAP] using the resulting [SID] as the key.
A [binary] [SID] can be decoded into a [string], which is both easier to understand and can also be used for subsequent queries within [Microsoft Active Directory] [LDAP]. The specifics of the SID string format are in the [SID] [String] section below.
!! [LDAP SearchFilters]
The objectSid attribute is binary-valued, so to search on it, you have to
use the binary value of the SID. Binary values are represented in LDAP
search filters as \xx, where "xx" are two hexadecimal digits. The details
of LDAP search filters are covered in RFC 2254 (available at
http://www.ietf.org/rfc/rfc2254.txt).
For example, suppose your SID in string form was
S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is:
{{{01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00}}}
so the LDAP search filter would be:
{{{(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)}}}
!! [SID] [String]
The string expression of a SID has the following format:\\
“S-{Revision}-{Authority}-{SubAuthority1}-{SubAuthority2}...-{SubAuthorityN}”\\
for example:\\
“S-1-5-21-977923109-2952828257-175163757-387119”
In [Java] you can do this with:
%%prettify
{{{
/**
 * Decodes a binary objectSid into its string form: S-Revision-Authority-SubAuthority[n]...
 *
 * Based on code from here - http://forums.oracle.com/forums/thread.jspa?threadID=1155740&tstart=0
 */
public static String decodeSID(byte[] sid) {
    final StringBuilder strSid = new StringBuilder("S-");
    // byte(0) - revision level
    final int revision = sid[0] & 0xFF;
    strSid.append(Integer.toString(revision));
    // byte(1) - count of sub-authorities
    final int countSubAuths = sid[1] & 0xFF;
    // byte(2-7) - 48 bit identifier authority ([Big-Endian]).
    // Mask each byte with 0xFF: Java bytes are signed, and an unmasked cast
    // to long sign-extends any byte >= 0x80 and corrupts the value.
    long authority = 0;
    for (int i = 2; i <= 7; i++) {
        authority |= ((long)(sid[i] & 0xFF)) << (8 * (7 - i));
    }
    strSid.append("-");
    // the string form is decimal below 2^32 and "0x" + hex above
    if (authority < (1L << 32)) {
        strSid.append(authority);
    } else {
        strSid.append("0x").append(Long.toHexString(authority));
    }
    // countSubAuths x 32 bit sub-authorities ([Little-Endian]); the last one is the [RID]
    int offset = 8;
    final int size = 4; // 4 bytes for each sub-authority
    for (int j = 0; j < countSubAuths; j++) {
        long subAuthority = 0;
        for (int k = 0; k < size; k++) {
            subAuthority |= (long)(sid[offset + k] & 0xFF) << (8 * k);
        }
        strSid.append("-");
        strSid.append(subAuthority);
        offset += size;
    }
    return strSid.toString();
}
}}}
/%
!! [LDAP] Attribute Definition
The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [1.2.840.113556.1.4.146]
* schemaIdGuid: bf9679e8-0de6-11d0-a285-00aa003049e2
* NAME: [{$pagename}]
* DESC:
* [EQUALITY]: []
* [ORDERING]: []
* SYNTAX: [2.5.5.17]
* [SINGLE-VALUE]
* [NO-USER-MODIFICATION]
* USAGE [DirectoryOperation]
* systemFlags:
** [FLAG_SCHEMA_BASE_OBJECT]
** [FLAG_ATTR_REQ_PARTIAL_SET_MEMBER]
* schemaFlagsEx
** [FLAG_ATTR_IS_CRITICAL]
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [LDAP query for Active Directory User's Primary Group|http://www.adamretter.org.uk/blog.xql?tag=SID|target='_blank'] - based on information obtained 2018-03-28
* [#2] - [How to search a user by object SID in ldap|https://www.pcreview.co.uk/threads/re-objectsid-ldap-search.1458615/|target='_blank'] - based on information obtained 2016-05-28