
I can read the user's primaryGroupId:

val entry = ldapConnectionPool.getEntry(userDn)
primaryGroupID = entry.getAttributeValue(PRIMARY_GROUP_ID.ldapFieldName)

It is a string which contains a number. In my case it is always 513.

As I understand, the user must have this group and it is set up during creation.

I want to get the group DN based on primaryGroupId.

I've tried to get primary group from group entry:

val entry = ldapConnectionPool.getEntry(groupDn)
val token = entry.getAttributeValue("PrimaryGroupToken")

But it is always null.

Another option I've found is the suffix of objectSid.

But the solutions from here don't work for me:

How to convert the SID to String and vice versa in Java?

If I use this answer https://stackoverflow.com/a/21818633/2674303, I get the wrong suffix.


Any ideas how to fix it?

Update.

Based on the answer from user1686, I was able to understand that a query like this works properly:

ldapConnectionPool.searchForEntry(baseDn, SearchScope.SUB, "objectSid=S-1-5-32-550")

But the prefix (in my case "S-1-5-32") depends on the folder.

And unfortunately a query with a wildcard returns null:

ldapConnectionPool.searchForEntry(baseDn, SearchScope.SUB, "*-550")
gstackoverflow

1 Answer

primaryGroupId is a RID (the last component of a SID). You need to suffix it to the domain SID in order to get the correct group SID.

  1. Read the objectSid attribute from the domain's root entry (dc=foo,dc=bar).
  2. Convert that to a string.
  3. Concatenate domain objectSid + "-" + user primaryGroupID, to obtain the group SID.

Although objectSid stores the SID in binary form, AD DC actually has a custom matching rule that allows you to search for a string SID.

  1. Search the directory for `(objectSid=` + the group SID + `)`.
  2. Use the DN of the entry you found.
user1686
  • Let me share my experience. 1. How to convert objectSid binary to string:
    ```
    val domainSidBytes = entry.getAttributeValueBytes("objectSid")
    val domainSidString = LdapUtils.convertBinarySidToString(domainSidBytes)
    ```
    2. Yes, this query works properly:
    ```
    ldapConnectionPool.searchForEntry(baseDn, SearchScope.SUB, "objectSid=S-1-5-32-550")
    ```
    The problem here is that all my groups have different prefixes. – gstackoverflow Aug 22 '23 at 09:42
  • you can take a look here for more details: https://github.com/pingidentity/ldapsdk/issues/151 – gstackoverflow Aug 22 '23 at 10:14
  • Also, please read the topic update. – gstackoverflow Aug 22 '23 at 11:01
  • The primary group always has the domain SID as its base, that's how primaryGroupId is defined. The groups that have a `S-1-5-32-` SID prefix are a distraction – they only apply to domain controllers themselves (i.e. they're basically the "local groups" of DCs) and cannot _be set_ as a user's "primary" group – so they can be ignored for the purposes of this question. – user1686 Aug 22 '23 at 11:12
  • Looks like the common rule is working here: http://dl4.joxi.net/drive/2023/08/22/0005/3037/338909/09/0917048cbe.jpg It takes the SID of the closest parent entry which has objectSid. Isn't it? – gstackoverflow Aug 22 '23 at 11:25
  • How can I filter groups which could be set as a user's primary group? – gstackoverflow Aug 22 '23 at 11:27
  • No, that's not how SIDs work. – user1686 Aug 22 '23 at 11:30
  • Sorry, I didn't get which question you have answered - there are 2 questions. – gstackoverflow Aug 22 '23 at 11:47
  • Looks like you are right. I just tried to change the user's primaryGroupId. And when I tried to change it to a group whose objectSid started with `S-1-5-32`, I got an LDAP error, although I was able to add the user to that group via the member field. Where can I read about it? – gstackoverflow Aug 22 '23 at 16:55
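The steps from the answer (read the domain root's objectSid, convert it to a string, append the user's primaryGroupID, search for the resulting SID), carried out on the SID encoding itself as an added example. This is not code from the question, the answer or the UnboundID SDK; it is written in Python so that it runs without a directory, and the LDAP calls themselves stay as shown in the question. The sample byte string is the binary form of S-1-5-32-550 (constructed by hand), and the domain SID used below is a constructed sample, not a real domain's.

```python
import struct

# Constructed sample: objectSid for S-1-5-32-550 exactly as AD stores it.
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities (2)
#   bytes 2-7   identifier authority, 48-bit big-endian (5)
#   then        each sub-authority as a 32-bit little-endian integer (32, 550)
SAMPLE_BUILTIN_SID = bytes.fromhex("01 02 00 00 00 00 00 05 20 00 00 00 26 02 00 00")


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary objectSid value into the familiar S-1-... string."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than the fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    sub_authorities = struct.unpack(f"<{count}I", raw[8:])
    return "S-1-" + "-".join(str(part) for part in (authority, *sub_authorities))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of bytes_to_sid: encode a string SID back into its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 string SID: {sid!r}")
    authority = int(parts[2])
    sub_authorities = [int(part) for part in parts[3:]]
    if not 0 <= authority < 2**48 or any(not 0 <= s < 2**32 for s in sub_authorities):
        raise ValueError(f"SID component out of range: {sid!r}")
    return (bytes([1, len(sub_authorities)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(sub_authorities)}I", *sub_authorities))


def primary_group_sid(domain_sid: str, primary_group_id: str) -> str:
    """Step 3 of the answer: domain SID + "-" + RID. primaryGroupID arrives as a
    string attribute value (e.g. "513"), so it is validated as an integer first."""
    rid = int(primary_group_id)
    if not 0 <= rid < 2**32:
        raise ValueError(f"RID out of range: {primary_group_id!r}")
    return f"{domain_sid}-{rid}"


def string_sid_filter(sid: str) -> str:
    """The filter from the answer, relying on AD's string-SID matching rule."""
    return f"(objectSid={sid})"


def binary_sid_filter(sid: str) -> str:
    """Portable alternative: match the raw bytes, escaped per RFC 4515 (\\XX).
    Works against any LDAP server because it needs no special matching rule."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in sid_to_bytes(sid)) + ")"


if __name__ == "__main__":
    # Constructed domain SID standing in for the objectSid of dc=foo,dc=bar.
    domain_sid = "S-1-5-21-1004336348-1177238915-682003330"
    print(bytes_to_sid(SAMPLE_BUILTIN_SID))
    print(string_sid_filter(primary_group_sid(domain_sid, "513")))
    print(binary_sid_filter(primary_group_sid(domain_sid, "513")))
```

The base for the concatenation is always the domain root's objectSid, never the SID of the container the group happens to live in; as the answer's comments note, groups under S-1-5-32 are builtin groups and cannot be a user's primary group, so the "prefix depends on the folder" observation does not affect this lookup. Either filter string can be passed to `searchForEntry(baseDn, SearchScope.SUB, filter)` from the question; the binary form is the fallback if a server does not accept the string-SID filter.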