Re: How to get the correct SID format so I can search with it?
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Aug 2006 09:35:46 -0500
Ok, now I'm totally confused. Why on earth are you trying to build a SID
based on an object's CN? That doesn't make any sense to me at all.
Can you back up a little bit and explain what data you actually have and
what you are trying to do?
If you look at my SIDconverter tool from the website, you can easily see
what all of the equivalent versions of a SID might look like in the LDAP
world (SDDL, binary, octet string binary, LDAP filter, translated name,
etc.).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pucca" <Pucca@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:278607FB-D4B1-4490-A0AC-296D1E7A3D73@xxxxxxxxxxxxxxxx
I forgot to describe what I've done so far but it's not working. It's not
finding the AD object in the Users folder. I can see the object there too.
1. I got the domain sid in the SDDL format
2. I got the objectSid (the last component after the last -) in decimal
format in a string.
3. I convert the objectSid into a byte[] and append it to the domain sid,
prefix with a '-'.
4. I now call the BuildFilterOctetString method with the complete sid in
byte[] format.
5. The returned string from BuildFilterOctetString is then used as the
filter for the DirectorySearch.
string objSid = child.Properties["cn"].Value.ToString();
byteSid = CUnityDS.AppendToBuffer(byteDomainSid, objSid);
searchSid = CUnityDS.BuildFilterOctetString(byteSid);
dsFindADObject.Filter = "(objectSid=" + searchSid + ")";
--
Thanks.
"Joe Kaplan (MVP - ADSI)" wrote:
It is on the book's website (link below) in the files section. That's also
where the code samples for the book are, where you can grab that function
from ch 4. SIDConverter is something I wrote, not an MS tool. :)
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pucca" <Pucca@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:944AA2C3-A9E1-4398-A5ED-164CB274FE81@xxxxxxxxxxxxxxxx
Thanks Joe. Now I really can't wait to receive the book.
I'm not sure where to download the utility SIDConverter. I searched for it
on MSDN but didn't find anything. Can you please tell me where to find this
tool to download? Many thanks.
--
Thanks.
"Joe Kaplan (MVP - ADSI)" wrote:
Our book contains a function called BuildFilterOctetString that can be used
for converting arbitrary binary data in a byte[] to an LDAP filter format.
The format just looks like this:
\xx\xx\xx\xx
Where each xx is a hex pair (padded with a leading 0 if needed) representing
each byte and the "\" is just a prefix character. There isn't much to the
function. You could write it easily yourself.
There is also a handy utility on the file downloads for the website called
SIDConverter that demonstrates what all of the different representations of
a SID might look like in the LDAP world.
Finally, AD 2003 accepts a special undocumented version of the SID for LDAP
filters, which is just the SDDL format:
(objectSid=S-1-5-20-xxxx)
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pucca" <Pucca@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:130241F2-BB4F-47FE-9970-64C7E30C83FD@xxxxxxxxxxxxxxxx
Hi, I'm using vs2005, net 2.0 on Windows 2000. With the following code, I'm
getting back SID looking like a decimal format. But when I do a search with
this value it doesn't find the AD object which I verify for user that it is
there. I think I'm not using the correct SID format. Does anyone know how
to put this in the correct SID format so I can search with it?
Thanks.
DirectoryContext dc = new DirectoryContext(DirectoryContextType.Domain, DNSDomain);
Domain curDom = Domain.GetDomain(dc);
DirectoryEntry de = curDom.GetDirectoryEntry();
SecurityIdentifier si = new SecurityIdentifier((byte[])de.Properties["objectSid"].Value, 0);
sid = si.Value.ToString();
DirectoryEntry deRoot = new DirectoryEntry("LDAP://CN=" + split[1] + "," + curDomain);
string sid = domainSID + "-" + child.Properties["cn"].Value.ToString();
DirectorySearcher dsFindADObject = new DirectorySearcher(deRoot);
dsFindADObject.Filter = "(objectSid=" + sid + ")";
dsFindADObject.PropertiesToLoad.Add("objectSid");
SearchResult sr = dsFindADObject.FindOne();
string foundSid = null;
if(sr != null)
    foundSid = sr.Properties["objectSid"].ToString();
--
Thanks.
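
The \xx filter format described in the thread, applied to a complete SID (added example, not code from the thread, the book or its website). The domain SID and RID are constructed sample values, and ToFilterOctetString and AccountSid are hypothetical helper names; the first stands in for the book's BuildFilterOctetString, whose source is not shown on this page.

```csharp
using System;
using System.Security.Principal;
using System.Text;

static class SidFilterExample
{
    // Escape every byte as \xx (two hex digits, zero-padded), the form
    // LDAP filters accept for binary attribute values such as objectSid.
    static string ToFilterOctetString(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes)
            sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // An account SID is the domain SID plus a numeric RID as the last
    // sub-authority. Let SecurityIdentifier parse the SDDL string and
    // produce the binary layout instead of appending bytes by hand.
    static SecurityIdentifier AccountSid(SecurityIdentifier domainSid, uint rid)
    {
        return new SecurityIdentifier(domainSid.Value + "-" + rid);
    }

    static void Main()
    {
        // Constructed sample values, not taken from the thread.
        var domainSid = new SecurityIdentifier(
            "S-1-5-21-1004336348-1177238915-682003330");
        SecurityIdentifier sid = AccountSid(domainSid, 1105);

        // Binary form: revision, sub-authority count, 6-byte authority,
        // then each sub-authority as a little-endian 32-bit value.
        byte[] binary = new byte[sid.BinaryLength];
        sid.GetBinaryForm(binary, 0);

        // Every byte is escaped, so the value cannot alter the filter syntax.
        string filter = "(objectSid=" + ToFilterOctetString(binary) + ")";

        Console.WriteLine(sid.Value);
        Console.WriteLine(filter);
    }
}
```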