Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Get objectSID from AD (LDAP)

Go to solution
brandonbollin
Active Participant

on ‎2017 Sep 20 7:03 PM

0 Likes
4,144

Fellow experts,
I'm trying to create a From LDAP pass, or maybe even use the uGetUserSid internal function, to get the objectSID attribute from a given entry in my target repository. I'm not having any success with uGetUserSid but I was able to bring something back on the From LDAP pass method. Problem is, when I pull up the results that show up in the SQL temp table, it's all mumbo-jumbo. The attribute is stored in LDAP as a binary attribute so what comes into IDM isn't the pretty looking S-1-5-21-xxxxxx-xxxxx format you see when you look at the attribute in an LDAP browser or ADUC.

I looked through my environment to see if there was an SAP supplied global script that would convert the binary format to text but alas, nothing. Any suggestions?

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
View Entire Topic
brandonbollin
Active Participant
‎2017 Sep 25 6:44 PM
0 Likes

To get the SID in plain text on the IDM side, you first need a From LDAP pass. When you bring in the objectSid from AD, you need to preface the source column with an exclamation point as seen here:

Next, you see the script I have in this pass. Here's the text of that script:

// Main function: z_custom_ad_convertObjectSID


function z_custom_ad_convertObjectSID(Par){
	// Input : {HEX}010500000000000515000000561400C443528306533A02202F970000
	// Output : S-1-5-21-3288339542-109269571-537016915-38703
	// Based on the algorithm of the link https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253
	// For easy tests on Object SiD conversion you can download this tool  https://sidtranslator.codeplex.com/
	
	var OutString = uHexToByte(Par);
	var bSid=OutString;
    var binarySid = bSid;
   
	if (bSid.length < 8) return "";
    
	var revision = binarySid[0];
    var nrSubAuth = binarySid[1];
    var identifierAuth = binarySid[2] + binarySid[3] + binarySid[4] + binarySid[5] + binarySid[6] + binarySid[7];
    var returnString = "S-";
    returnString = returnString + revision + "-";
    returnString = returnString + identifierAuth;
 
    for (var subAuthCount = 0; subAuthCount < nrSubAuth; subAuthCount++) {
        var longInt = (getUnsignedByte(binarySid,7+(subAuthCount*4)+4) << 24) |(getUnsignedByte(binarySid,7+(subAuthCount*4)+3) << 16) |(getUnsignedByte(binarySid,7+(subAuthCount*4)+2) << 8)|(getUnsignedByte(binarySid,7+(subAuthCount*4)+1));
        if (longInt < 0) longInt += 4294967296;
            returnString = returnString + "-" + longInt
                }
		
		
        return returnString;


}


function getUnsignedByte(inputbSid,position) {
    var toReturn = inputbSid[position];
    if (toReturn < 0) {
            return (toReturn+256);
    } else {
        return toReturn;
    }
}

Now in your temp table, you'll have an SID that looks like it looks when you pull up the attribute in an LDAP browser like Softerra or ADUC. Any questions? 🙂

Show replies
Show replies
Ask a Question