objectSID and LdapTemplate

**ulsa** · Aug 4th, 2009, 05:05 PM

Let's say we want to write a filter for the following SID, here represented as a byte[]:

Code:

0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
0xe9, 0x67, 0xbb, 0x98, 0xd6, 0xb7, 0xd7, 0xbf, 0x82, 0x05, 0x1e, 0x6c,
0x28, 0x06, 0x00, 0x00

A Java String representation using Unicode escaping is:

Code:

"\u0001\u0005\u0000\u0000\u0000\u0000\u0000\u0005\u0015\u0000\u0000\u0000\u00e9\u0067\u00bb\u0098\u00d6\u00b7\u00d7\u00bf\u0082\u0005\u001e\u006c\u0028\u0006\u0000\u0000"

If you run this through LdapEncoder.filterEncode, you'll get:

Code:

\00\00\00\00\00\00\00\00ég»˜Ö·×¿‚l\28\00\00

Now, ignoring the fact that this is pretty much unreadable, the question is: does this represent the binary data in the server? Do you get a hit when you search using a filter like:

Code:

"(objectSID=\u0001\u0005\u0000\u0000\u0000\u0000\u0000\u0005\u0015\u0000\u0000\u0000\u00e9\u0067\u00bb\u0098\u00d6\u00b7\u00d7\u00bf\u0082\u0005\u001e\u006c\u0028\u0006\u0000\u0000)"

If the answer is no, we need to find out where in the escaping chain the data gets corrupted.

If the answer is yes, then we might benefit---mainly from a readability standpoint---from escaping more control characters than just NUL. Here is the same output where I've escaped all characters up to 0x1f:

Code:

\01\05\00\00\00\00\00\05\15\00\00\00ég»˜Ö·×¿‚\05\1el\28\06\00\00

It's slightly more readable, but still impossible to correlate to the original byte[]. So we probably need:

a Filter that takes a byte[] and constructs a Unicode-escaped String
a way of printing a Filter containing binary data in a readable way

**davetbo** · Jun 17th, 2010, 10:14 AM

I am trying to use Spring LDAP and specifically convertBinarySidToString to get objectSids in Strings (and then parse out the last bit to get the primary group ID).

However, I am getting really strange results. I am getting the same objectSID string for many groups, and it's not even the right SID. Also, some groups ARE getting the right objectSID.

Here's my code:

Code:

public class LdapGroup {
	private String[] members;
	private String dn;
	
	public void setMembers(String[] members) {
		this.members = members;
	}
	public String[] getMembers() {
		return this.members;
	}
	public void setDn(String dn) {
		this.dn = dn;
	}
	public String getDn () {
		return this.dn;
	}
}

//now in a different part of the code

ldapGroups = new HashMap<String,LdapGroup>();
List groups = ldapTemplate.search("", "(objectclass=group)", new GroupContextMapper());
Iterator itr = groups.iterator();
while (itr.hasNext()) {
	LdapGroup grp = (LdapGroup) itr.next();
        ldapGroups.put(grp.getDn(), grp);
}


//the custom ContextMapper that assigns the results to the LdapGroup object

private static class GroupContextMapper implements ContextMapper {
    public Object mapFromContext(Object ctx) {
       DirContextAdapter context = (DirContextAdapter)ctx;
       LdapGroup g = new LdapGroup();
       Attributes a = context.getAttributes();

       //byte[] binSid = null;
                        
       String binSid = null;
       String sid = null;
       String dn = null;

       try {
	  binSid = (String) a.get("objectSid").get();	//I was previously trying to cast this to (byte[]) but it was complaining about doing the cast...			
          sid = LdapUtils.convertBinarySidToString(binSid.getBytes());
       } catch (NamingException e) {
  	// TODO Auto-generated catch block
 	  e.printStackTrace();
       }
			
       g.setMembers(context.getStringAttributes("member"));
		    
       g.setDn(context.getStringAttribute("distinguishedName"));			
       System.out.println("GROUP: " + g.getDn() + ", Sid: " + sid);
    
       return g;
   }
}

Then I get results like this:

Code:

GROUP: CN=HelpServicesGroup,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=TelnetClients,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Administrators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-544
GROUP: CN=Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-545
GROUP: CN=Guests,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-546
GROUP: CN=Print Operators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-550
GROUP: CN=Backup Operators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-551
GROUP: CN=Replicator,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-552
GROUP: CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-555
GROUP: CN=Network Configuration Operators,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-556
GROUP: CN=Performance Monitor Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-558
GROUP: CN=Performance Log Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-559
GROUP: CN=Distributed COM Users,CN=Builtin,DC=domain,DC=com, Sid: S-1-5-32-562
GROUP: CN=Domain Computers,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Domain Controllers,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Schema Admins,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Enterprise Admins,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488
GROUP: CN=Cert Publishers,CN=Users,DC=domain,DC=com, Sid: S-1-5-21-834519023-4022190063-37797311-3183472488

For some reason it looks like the builtin groups are working correctly and the domain groups are not. Note that the objectSID is identical for all the domain groups. Also, I compared this to results viewed from using Microsoft's LDP tool and these domain group results are just wrong. I can't see why the code above would come up with the SAME WRONG objectSid for every domain group but different (and correct) objectSids for the builtin groups.

Thoughts?

**davetbo** · Jun 17th, 2010, 12:13 PM

OK, I think I figured this out. I discovered this post:
http://forum.springsource.org/showthread.php?t=55874

about binary attributes in general. The advice there made me think about adding the property mentioned into my Bean config file and it worked. This is the contextSource bean I defined (with the baseEnvironmentProperties property being what I just added to make this work):

Code:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="ldap://ldapserver.domain.com:389" />
        <property name="base" value="dc=domain,dc=com" />
        <property name="userDn" value="cn=binduser,cn=Users,dc=domain,dc=com" />
        <property name="password" value="bindpwd"/>
        <property name="baseEnvironmentProperties">
            <map>
            <entry key="java.naming.ldap.attributes.binary">
                <value>objectSid</value>
            </entry>
            </map>
        </property>
    </bean>

Now it appears as though all the SIDs are coming back right. I still need to do a thorough check, though.

Thread: objectSID and LdapTemplate

Thread Tools

Display

convertBinarySidToString problems

RE: objectSid and ldapTemplate

Tags for this Thread

Posting Permissions