Re: Need help with DirectorySearcher FILTER using SID.



I use the "bool sidValidate = sdSID.IsAccountSid();" in my code and it is a
valid SID. I also did the search in ldp and got the following result of 0
found:
ldap_search_s(ld, "CN=Computers,DC=unity,DC=windev,DC=symark,DC=com", 2,
"(objectSid=\\01\\05\\00\\00\\00\\00\\00\\05\\15\\00\\00\\00\\0B\\75\\D9\\76\\B4\\7B\\73\\34\\07\\E5\\3B\\2B\\30\\0A\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 0 entries:
-----------

I also tried searching with the SDDL format but it didn't work either:

***Searching...
ldap_search_s(ld, "CN=Computers,DC=unity,DC=windev,DC=symark,DC=com", 1,
"(objectSid=S-1-5-21-1993962763-879983540-725345543-2608)", attrList, 0,
&msg)
Result <0>: (null)
Matched DNs:
Getting 0 entries:



The problem is obviously my SID format in the search filter. This is what I
did to get the above format:
1. I have an SDDL SID
2. I took its length and converted it to byte array (but I got a bunch of
//00 at the end)
    byte[] bArray = new byte[childSidKey.Length];
    sdSID.GetBinaryForm(bArray, 0);
3. I used the code from the book to convert result from step 2 to an octet
string but result is not found.
    searchSid = BuildFilterOctetString(bArray);

Can you see what I've done wrong in my step? Here is my new code:

    public static string GetWinName(DirectoryEntry de, DirectoryEntry deParent)
    {
        string searchSid = null, childSidKey = null;

        childSidKey = de.Properties["cn"].Value.ToString();
        SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);
        bool sidValidate = sdSID.IsAccountSid();
        byte[] bArray = new byte[childSidKey.Length];
        sdSID.GetBinaryForm(bArray, 0);
        searchSid = BuildFilterOctetString(bArray);

        de.AuthenticationType = AuthenticationTypes.FastBind |
            AuthenticationTypes.Secure;

        DirectorySearcher dsFindADObject = new DirectorySearcher(deParent);
        dsFindADObject.Filter = "(objectSid=" + searchSid + ")";
        dsFindADObject.PropertiesToLoad.Add("sAMAccountName");
        SearchResult sr = dsFindADObject.FindOne();
        string sAMAccountName = null;
        if (sr != null)
        {
            sAMAccountName = sr.Properties["sAMAccountName"].ToString();
            return sAMAccountName;
        }
        else
            return null;

--
Thanks.


"Joe Kaplan" wrote:

It should work as long as you are searching at the right scope in the
domain.

Whenever you are having trouble with a query, try it by hand in ldp and see
what is happening. You should be able to copy and paste the filter into ldp
and use the DN of the search root object for the search root in ldp. That
should give you some equivalence.

Also, the escape character should be a single backslash in the filter. You
would obviously supply that as "\\" in a string literal, but make sure the
actual string doesn't contain \\. That would break the code. I assume you
are using the method BuildFilterOctetString from our book since it has the
same method name. If not, grab our source from the book's website and use
that. It definitely works fine.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pucca" <Pucca@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:14B2CEE9-1534-4E41-88D9-C716FA6BF809@xxxxxxxxxxxxxxxx
Hi Joe, Sorry for not giving a bit more background information about my
question here. We are storing our data in AD using the "meeting" class. In
this class object, we store sid in sddl format in the "Common-Name" field
("cn" is the attribute name).
After I retrieve this sid from meeting class, I need to use it as the filter
to search for the "matching sid" AD object, which can be a computer, a group
or a user. The parent container indicates to search in perspective container
like: "LDAP://CN=COMPUTERS, DC=X,DC=Y,DC=COM"

The application needs to run on Win 2000 server and up. So there is no ADAM
available and SDDL is also not an option. Based on what I just described, can
you see why my code isn't working? I use the SecurityIdentifier to get the
byte array which can then be transformed to Octet string for search filter.
But it's not working. Thanks.
--
Thanks.


"Joe Kaplan" wrote:

The code below makes no sense to me.

What is this supposed to do?

childSidKey = de.Properties["cn"].Value.ToString();
SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);

It looks like you are reading an object's CN attribute and then trying to
build a SecurityIdentifier object with it. That would only make sense if
the object is a foreign security principal, but would not work in general.
Is that what you are doing?

If that is the case, why would you bother doing a search for it? You
already have a DirectoryEntry for the object.

In general, you can locate objects by their SID using a filter like you
specified. If the directory is AD2003 or ADAM, it also supports filters
that use the SDDL format:

(objectSid=S-1-5-20-xxx)

You would want to make sure you did the search at the domain root scope or
at the forest scope with the GC if you want to search the whole forest. It
isn't easy to tell from your code what the DE that is used as the SearchRoot
actually points to.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Pucca" <Pucca@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:41E2995E-5011-45F2-BE3A-2592F008A731@xxxxxxxxxxxxxxxx
Hi, I'm using vs2005, .net 2.0. I have the following method that retrieves
the AD object's current login name. The search is returning null when it
shouldn't. I think there's a problem with my byte array's allocation. Or
maybe there's another way to do this? I saw 2.5.5.17 SID format in a book
but wonder how can I use this format in my search filter string?


The childKeySid is in SDDL format: S-15-76D9750B-34737BB4-2B3BE507-A30
I allocated byte array length to be 44 and got the following:
searchSid =
"\\01\\05\\00\\00\\00\\00\\00\\05\\15\\00\\00\\00\\0B\\75\\D9\\76\\B4\\7B\\73\\34\\07\\E5\\3B\\2B\\30\\0A\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00"

Can someone tell me how to correct my search here? Many thanks.

    public static string GetWinName(DirectoryEntry de, DirectoryEntry deParent)
    {
        string sidKey = null, childSidKey = null, sid = null,
            displayName=null, searchSid;
        int lastDash = 0;

        childSidKey = de.Properties["cn"].Value.ToString();
        SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);
        byte[] bArray = new byte[childSidKey.Length];
        sdSID.GetBinaryForm(bArray, 0);
        searchSid = BuildFilterOctetString(bArray);

        de.AuthenticationType = AuthenticationTypes.FastBind |
            AuthenticationTypes.Secure;

        DirectorySearcher dsFindADObject = new DirectorySearcher(deParent);
        dsFindADObject.Filter = "(objectSid=" + childSidKey + ")";
        dsFindADObject.PropertiesToLoad.Add("objectSid");
        SearchResult sr = dsFindADObject.FindOne();
        string foundSid = null;
        if (sr != null)
        {
            foundSid = sr.Properties["objectSid"].ToString();
            return foundSid;
        }
        else
            return null;
--
Thanks.
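
Added example, not part of the thread and not the book's BuildFilterOctetString: a binary SID is 8 + 4 x (sub-authority count) bytes, which SecurityIdentifier.BinaryLength reports, so a buffer sized from the 44-character SDDL string carries 16 trailing zero bytes that no stored objectSid value has. ToLdapOctetString and BuildObjectSidFilter are hypothetical helper names; the SID is the one shown in the ldp output above.

```csharp
using System;
using System.Security.Principal;
using System.Text;

static class SidFilterExample
{
    // Hypothetical helper: escapes every byte as a single backslash
    // followed by two hex digits, the form an LDAP filter expects.
    public static string ToLdapOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes)
        {
            sb.Append('\\');            // one backslash in the actual string
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // Builds an objectSid filter from an SDDL SID string.
    public static string BuildObjectSidFilter(string sddlSid)
    {
        SecurityIdentifier sid = new SecurityIdentifier(sddlSid);

        // Size the buffer from the SID itself, not from the string length.
        byte[] binary = new byte[sid.BinaryLength];
        sid.GetBinaryForm(binary, 0);

        return "(objectSid=" + ToLdapOctetString(binary) + ")";
    }

    static void Main()
    {
        string sddl = "S-1-5-21-1993962763-879983540-725345543-2608";
        SecurityIdentifier sid = new SecurityIdentifier(sddl);

        // Contrast the two buffer sizes discussed in the thread.
        Console.WriteLine("SDDL string length: " + sddl.Length);
        Console.WriteLine("Binary SID length:  " + sid.BinaryLength);

        // Filter to paste into ldp or assign to DirectorySearcher.Filter.
        Console.WriteLine(BuildObjectSidFilter(sddl));
    }
}
```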





