如何通过ldap中的对象SID搜索用户
[英]How to search a user by object SID in ldap
问题描述
We have this design when a SID from a scanned and synced with Azure AD local LDAP v3. 
当扫描来自Azure AD本地LDAP v3的SID并与之同步时,我们采用这种设计。 comes back in as a part of a JWT token. 作为JWT令牌的一部分返回。 I need to find the user in the local LDAP for authorization purposes. 我需要出于授权目的在本地LDAP中找到用户。 The SID comes in a well known serialized form supported by the Microsoft tools used for initial synchronization. SID以众所周知的序列化形式出现,该序列由用于初始同步的Microsoft工具支持。 Here's the LDAP environment: 这是LDAP环境:
"java.naming.provider.url" -> "ldap://AD2012.local:389"
"java.naming.factory.initial" -> "com.sun.jndi.ldap.LdapCtxFactory"
"com.sun.jndi.ldap.connect.timeout" -> "0"
"java.naming.security.principal" -> "CN=Administrator,CN=Users,DC=AD2012,DC=local"
"java.naming.security.authentication" -> "simple"
"java.naming.security.credentials" -> "Password1"
"java.naming.referral" -> "follow"
Please note the last one as I think it is important. 请注意最后一个,因为我认为这很重要。
In my test I first run a search to get the user using the following string: 在测试中,我首先运行搜索以使用以下字符串获取用户:
(&(|(objectClass=User)(objectClass=userProxy))(cn=Administrator*))
It works fine and lets me obtain the SID for this user that, after the String conversion, looks like 它工作正常,并且让我获得了此用户的SID,在进行String转换后,它看起来像
S-1-5-21-1061109567-1712144220-1378238271-319
But when I construct the second search string: 但是当我构造第二个搜索字符串时:
(&(|(objectClass=User)(objectClass=userProxy))(objectSid=S-1-5-21-1061109567-1712144220-1378238271-319))
the search result is empty. 搜索结果为空。 However, there's a clue: examining the result object with the debugger reveals that it has the following properties: 但是,有一个线索:使用调试器检查结果对象将发现它具有以下属性:
refEx.handleReferrals = 1
refEx.nextReferralEx = LdapReferralException: Continuation Reference ...
refEx.nextReferals.referrals[0] = ldap://DomainDnsZones.AD2012.local/DC=DomainDnsZones,DC=AD2012,DC=local
Here's the question: why does the server not follow the referrals in the second - by the SID - search? 问题是:为什么服务器在第二个查询中不遵循引用(通过SID)搜索? I know it does in the first as the search fails if I remove the "follow" environment property. 我知道它首先会这样做,因为如果删除“关注”环境属性,搜索将失败。 Any input is greatly appreciated. 任何输入,不胜感激。
1 个解决方案
解决方案1
-1 2019-05-28 09:55:27
ObjectSID is painful to work with from LDAP. 从LDAP使用ObjectSID十分麻烦 。
ObjectSID is a binary value that needs to be converted to be used for LDAP Search Filters : ObjectSID是一个二进制值,需要转换以用于LDAP搜索过滤器 :
For example, suppose your SID in string form was S-1-5-21-2562418665-3218585558-1813906818-1576. 例如,假设您的字符串形式的SID是S-1-5-21-2562418665-3218585558-1813906818-1576。 In binary form, this is: 以二进制形式,这是:
01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00
so the LDAP search filter would be: 因此LDAP搜索过滤器为:
(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.