
Based on my investigation there are 2 things:

  1. PrimaryGroupId from User side
  2. PrimaryGroupToken operational attribute from Group side

The user references the group's PrimaryGroupToken operational attribute via the PrimaryGroupId field.

There are 2 ways to get PrimaryGroupToken:

  1. Based on the primaryGroupToken operational attribute
// primaryGroupToken is a constructed attribute, so it is only returned when requested
// by name; "*" keeps the regular attributes in the result as well
val entry = ldapConnectionPool.getEntry(groupDn, "*", "primaryGroupToken")
val primaryGroupToken = entry.getAttributeValue("primaryGroupToken")
  2. Based on the objectSid suffix (the group's RID)
val entry = ldapConnectionPool.getEntry(groupDn)
// objectSid of the group itself; LdapUtils is the poster's own SID-decoding helper
val groupSidBytes = entry.getAttributeValueBytes("objectSid")
val groupSidString = LdapUtils.convertBinarySidToString(groupSidBytes)
// the last component of the SID is the RID, which is what primaryGroupToken returns
val primaryGroupToken = groupSidString.substringAfterLast("-")

I haven't found any direct way to get the group entry by the user's primaryGroupId, so I started to think about an application-level cache. I expected primaryGroupToken to be a constant group identifier, but this page confuses me.

https://learn.microsoft.com/en-us/windows/win32/adschema/a-primarygrouptoken


As you can see, it is mentioned that this attribute could be updated. Based on my experiments, I was not able to achieve it. Could you please clarify whether this attribute is immutable or not?

gstackoverflow

1 Answer


In reality, the primaryGroupToken never changes. That said, it's not the best way to find a group since it's not indexed.

One way I've used to bind directly to a group from the user's primaryGroupId is to construct the SID of the group. The last portion of the SID is called the RID (Relative Identifier). It's a number that is incremented for each new object on the domain. Everything up to the last hyphen identifies your domain and is the same for every object on the domain.

You can construct the SID of the group by taking the user's SID, keeping everything up to the last hyphen, then adding on the value of primaryGroupId.

For example, if we have a user with:

objectSid: 'S-1-5-21-1004336348-1177238915-682003330-12345'
primaryGroupId: 12346

Then the SID of the group is:

S-1-5-21-1004336348-1177238915-682003330-12346

Active Directory lets you bind directly to an object by the SID using this format:

LDAP://example.com/<SID=S-1-5-21-1004336348-1177238915-682003330-12346>

By default, the primaryGroupId will be 513 for all users, which is always the Domain Users group.

Gabriel Luci
  • Sorry, but what is the relation between `bind` by SID and getting an entry by `primaryGroupToken`? For me, `bind` is an authentication operation. P.S. I am specifically interested in an UnboundID LDAP SDK solution. – gstackoverflow Aug 24 '23 at 08:23
  • Binding to an entry is the same as "getting" an entry. So in this case, you're getting the entry using the SID rather than by the `primaryGroupToken`. – Gabriel Luci Aug 24 '23 at 12:42
  • Could you provide the UnboundID request for that? I suppose it should be single-line code. – gstackoverflow Aug 24 '23 at 13:22
  • I'm not a Java developer and I've never used UnboundID, but based on the documentation, you can probably get the group with `ldapConnectionPool.getEntry("")` (using the SID you constructed). – Gabriel Luci Aug 24 '23 at 13:58
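As an added example (not the poster's or the answerer's code, and not part of the UnboundID SDK), here is the SID arithmetic the answer describes, in Python: decoding a binary objectSid the way the question's LdapUtils.convertBinarySidToString helper would, swapping the user's RID for primaryGroupId, and forming the `<SID=...>` DN. The sample SID and primaryGroupId are the constructed values from the answer, not real directory data.

```python
import struct

# Constructed sample values (the ones used in the answer above, not real directory data)
USER_SID = "S-1-5-21-1004336348-1177238915-682003330-12345"
PRIMARY_GROUP_ID = 12346


def sid_string_to_binary(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), identifier authority
    # (6 bytes, big-endian), then each sub-authority as a little-endian uint32
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def binary_sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid into 'S-1-5-21-...' form, validating its length."""
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def group_sid_from_primary_group_id(user_sid: str, primary_group_id: int) -> str:
    """Replace the user's RID (the last component) with primaryGroupId to get the group SID."""
    if primary_group_id < 0 or primary_group_id > 0xFFFFFFFF:
        raise ValueError("primaryGroupId must fit in a 32-bit RID")
    domain_sid, sep, _rid = user_sid.rpartition("-")
    if not sep:
        raise ValueError(f"not a SID string: {user_sid!r}")
    return f"{domain_sid}-{primary_group_id}"


def sid_bind_dn(sid: str) -> str:
    """AD accepts '<SID=...>' in place of a DN, e.g. as the base of a base-scope search."""
    return f"<SID={sid}>"


if __name__ == "__main__":
    raw = sid_string_to_binary(USER_SID)  # what objectSid looks like on the wire
    print(binary_sid_to_string(raw))
    print(sid_bind_dn(group_sid_from_primary_group_id(USER_SID, PRIMARY_GROUP_ID)))
```

A caveat worth keeping in mind: AD does not list primary-group members in the group's `member` attribute or in the user's `memberOf`, so membership checks that read only those attributes miss every user whose primaryGroupId points at the group.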