objectSID and LdapTemplate

Let's say we want to write a filter for the following SID, here represented as a byte[]:

Code:

---

0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
0xe9, 0x67, 0xbb, 0x98, 0xd6, 0xb7, 0xd7, 0xbf, 0x82, 0x05, 0x1e, 0x6c,
0x28, 0x06, 0x00, 0x00

---

A Java String representation using Unicode escaping is:

Code:

---

"\u0001\u0005\u0000\u0000\u0000\u0000\u0000\u0005\u0015\u0000\u0000\u0000\u00e9\u0067\u00bb\u0098\u00d6\u00b7\u00d7\u00bf\u0082\u0005\u001e\u006c\u0028\u0006\u0000\u0000"

---

If you run this through LdapEncoder.filterEncode, you'll get:

Code:

---


\00\00\00\00\00\00\00\00ég»˜Ö·×¿‚l\28\00\00

---

Now, ignoring the fact that this is pretty much unreadable, the question is: does this represent the binary data in the server? Do you get a hit when you search using a filter like:

Code:

---

"(objectSID=\u0001\u0005\u0000\u0000\u0000\u0000\u0000\u0005\u0015\u0000\u0000\u0000\u00e9\u0067\u00bb\u0098\u00d6\u00b7\u00d7\u00bf\u0082\u0005\u001e\u006c\u0028\u0006\u0000\u0000)"

---

If the answer is no, we need to find out where in the escaping chain the data gets corrupted.

If the answer is yes, then we might benefit---mainly from a readability standpoint---from escaping more control characters than just NUL. Here is the same output where I've escaped all characters up to 0x1f:

Code:

---

\01\05\00\00\00\00\00\05\15\00\00\00ég»˜Ö·×¿‚\05\1el\28\06\00\00

---

It's slightly more readable, but still impossible to correlate to the original byte[]. So we probably need:

1. a Filter that takes a byte[] and constructs a Unicode-escaped String
2. a way of printing a Filter containing binary data in a readable way

I am trying to use Spring LDAP and specifically convertBinarySidToString to get objectSids in Strings (and then parse out the last bit to get the primary group ID).

However, I am getting really strange results. I am getting the same objectSID string for many groups, and it's not even the right SID. Also, some groups ARE getting the right objectSID.

Here's my code:

Code:

---

public class LdapGroup {
        private String[] members;
        private String dn;
       
        public void setMembers(String[] members) {
                this.members = members;
        }
        public String[] getMembers() {
                return this.members;
        }
        public void setDn(String dn) {
                this.dn = dn;
        }
        public String getDn () {
                return this.dn;
        }
}

//now in a different part of the code

ldapGroups = new HashMap<String,LdapGroup>();
List groups = ldapTemplate.search("", "(objectclass=group)", new GroupContextMapper());
Iterator itr = groups.iterator();
while (itr.hasNext()) {
        LdapGroup grp = (LdapGroup) itr.next();
        ldapGroups.put(grp.getDn(), grp);
}


//the custom ContextMapper that assigns the results to the LdapGroup object

private static class GroupContextMapper implements ContextMapper {
    public Object mapFromContext(Object ctx) {
      DirContextAdapter context = (DirContextAdapter)ctx;
      LdapGroup g = new LdapGroup();
      Attributes a = context.getAttributes();

      //byte[] binSid = null;
                       
      String binSid = null;
      String sid = null;
      String dn = null;

      try {
          binSid = (String) a.get("objectSid").get();        //I was previously trying to cast this to (byte[]) but it was complaining about doing the cast...                       
          sid = LdapUtils.convertBinarySidToString(binSid.getBytes());
      } catch (NamingException e) {
          // TODO Auto-generated catch block
          e.printStackTrace();
      }
                       
      g.setMembers(context.getStringAttributes("member"));
                   
      g.setDn(context.getStringAttribute("distinguishedName"));                       
      System.out.println("GROUP: " + g.getDn() + ", Sid: " + sid);
   
      return g;
  }
}

---

Then I get results like this:

Code:

---

GROUP: CN=HelpServicesGroup,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=TelnetClients,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Administrators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-544
GROUP: CN=Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-545
GROUP: CN=Guests,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-546
GROUP: CN=Print Operators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-550
GROUP: CN=Backup Operators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-551
GROUP: CN=Replicator,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-552
GROUP: CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-555
GROUP: CN=Network Configuration Operators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-556
GROUP: CN=Performance Monitor Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-558
GROUP: CN=Performance Log Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-559
GROUP: CN=Distributed COM Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-562
GROUP: CN=Domain Computers,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Domain Controllers,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Schema Admins,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Enterprise Admins,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Cert Publishers,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488

---

For some reason it looks like the builtin groups are working correctly and the domain groups are not. Note that the objectSID is identical for all the domain groups. Also, I compared this to results viewed from using Microsoft's LDP tool and these domain group results are just wrong. I can't see why the code above would come up with the SAME WRONG objectSid for every domain group but different (and correct) objectSids for the builtin groups.

Thoughts?

OK, I think I figured this out. I discovered this post:
http://forum.springsource.org/showthread.php?t=55874

about binary attributes in general. The advice there made me think about adding the property mentioned into my Bean config file and it worked. This is the contextSource bean I defined (with the baseEnvironmentProperties property being what I just added to make this work):

Code:

---

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="ldap://ldapserver.domain.com:389" />
        <property name="base" value="dc=domain,dc=com" />
        <property name="userDn" value="cn=binduser,cn=Users,dc=domain,dc=com" />
        <property name="password" value="bindpwd"/>
        <property name="baseEnvironmentProperties">
            <map>
            <entry key="java.naming.ldap.attributes.binary">
                <value>objectSid</value>
            </entry>
            </map>
        </property>
    </bean>

---

Now it appears as though all the SIDs are coming back right. I still need to do a thorough check, though.