LDAP SID Binding

LDAP SID Binding

Post by Marc Scheune » Sat, 08 Jun 2002 04:50:45



Folks,

Given a SID in its usual string representation S-1-5-......, how can I
convert that so that I can use it for the LDAP SID binding?? The LDAP
path has to be something like:

        LDAP://<SID=xxxxxxxxxxxxxxxxxxx>

where xxxxxxxxxxxx is a long string of hexadecimal numbers - how can I
get from the regular string format to this separate SID string format
for binding? Is this documented anywhere? (I coudn't find anything in
MSDN).

Marc

 
 
 

LDAP SID Binding

Post by Max L. Vaug » Wed, 12 Jun 2002 22:21:11


You need to convert the SDDL SID ( S-1-5-.....) into its hex string form for the bind string.

Take a look at the VB code below....

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.
'
' Declare the necessary Win32 APIs to obtain the SID for the NT user
' LookupAccountName -> Does the real work once it is remoted to the
appropriated DC
' NetGetDcName -> Obtains the DC for the local box, used to obtain a DC name
for
'                 LookUpAccountName
' NetApiBufferFree-> used to cleanup after NetGetDcName.  The Net* APIs manage
memory
'                    memory for you, this function is used to free the memory
allocated
'                    NetGetDcName
' lstrcpyW -> used to copy the NetGetDcName buffer into a buffer VB can work
with
' GetLengthSid -> used to help convert the raw SID into a hexstring SID
'
Private Declare Function LookupAccountName Lib "advapi32.dll" _
       Alias "LookupAccountNameA" _
       (ByVal IpSystemName As String, _
        ByVal IpAccountName As String, _
        pSid As Byte, _
        cbSid As Long, _
        ByVal ReferencedDomainName As String, _
        cbReferencedDomainName As Long, _
        peUse As Integer) As Long

Private Declare Function NetGetDCName Lib "NETAPI32.DLL" _
       (ServerName As Byte, _
        DomainName As Byte, _
        DCNPtr As Long) As Long

Private Declare Function NetApiBufferFree Lib "NETAPI32.DLL" _
       (ByVal Ptr As Long) As Long

Private Declare Function PtrToStr Lib "kernel32" _
       Alias "lstrcpyW" (RetVal As Byte, ByVal Ptr As Long) As Long

Private Declare Function GetLengthSid Lib "advapi32.dll" _
       (pSid As Byte) As Long

'
' Converts binary SID into a hexstring SID
'
Sub Get_Exchange_Sid(strNTDomain As String, strNTAccount As String, rbSID() As Byte, rbLen As Long, sbSID As String)

Dim pSid(512) As Byte
Dim pDomain(512) As Byte
Dim IReturn As Long
Dim I As Integer
    '
    ' Get the SID for the user's account, targetting a local PDC
    '
    IReturn = LookupAccountName(Get_Primary_DCName("", strNTDomain), strNTAccount, pSid(0), 512, pDomain, 512, 1)
    '
    ' Convert the raw sid into an array of ascii hex values
    '
    For I = 0 To GetLengthSid(pSid(0)) - 1
        rbSID(2 * I) = AscB(Hex$(pSid(I) \ &H10))
        rbSID(2 * I + 1) = AscB(Hex$(pSid(I) Mod &H10))
    Next I
    sbSID = ""
    '
    ' Convert the array of ASCII hex values into a VB String type
    '
    For I = 0 To rbLen
      If (rbSID(I) <> 0) Then
        sbSID = sbSID + Chr(rbSID(I))
      Else
        Exit For
      End If
    Next
End Sub
'
' Converts SDDL SID into a binary SID: on Win2k, use:  ConvertStringSIDToSID API see the link below:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secu...
'
-------------------------- More code to wade through.... interesting stuff, on VB 6 in Win2k, can use ConvertStringSIDTo ------------------------------
The SDDL form of the SID returned in the IADsAccessControlEntry::Trustee must be converted into a Raw SID, then the LookupAccountName API must be
called, targeting the remote system.

Section 1.0 of Additional Information contains the VB source code to convert a SDDL SID into a SAM Account name.

Section 2.0 of Additonal Information contains the VC source code to convert a SDDL SID into a SAM account name

Additional Information
Section 1.0 VB Source to convert a SDDL SID into a SAM account name

'
' This code is meant to be used as an example of how one could convert
' the SDDL form of a SID into the SAM Account Name form.
' The class module defines two functions,
' ConvertSDDLtoSam which takes an SDDL form of a SID along with a target server
' and returnes the Domain\user (SAM Account Name ) form of the SID.
'
' GetSubAuthorityFromSDDL, a helper function that walks the sub authorities.
'
Option Explicit

Private SidCount As Integer
Private Osid As New ADsSID
Const LMEM_ZEROINIT = &H40
'
' Declare the APIs needed to manipulate the RAW SID
'
Private Declare Function InitializeSid Lib "advapi32.dll" (ByVal Sid As Long, pIndentifierAuthority As Any, ByVal nSubAuthorityCount As Byte) As Long
Private Declare Function GetSidSubAuthority Lib "advapi32.dll" (ByVal Sid As Long, ByVal nSubAuthority As Long) As Long
Private Declare Function GetSidLengthRequired Lib "advapi32.dll" (ByVal nSubAuthorityCount As Byte) As Long
Private Declare Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" _
    (ByVal lpSystemName As String, Sid As Any, ByVal name As String, cbName As Long, _
    ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Integer) As Long
'
' Declare the memory managment functions.
' Notice there are two definitions for RtlMoveMemory, one takes a value as  Any, the other takes a value ByVal as long
' this is necessary so memory can be copied as follows:
'  From a variable containing a 32 bit value that represents a memory location
'  From a variable that represents a VB alocated memory location
'  (ie: Dim bByte(6) as Byte type of declaration).
'
' LocalAlloc and LocalFree are used to allocate and free memory from the heap,
' respectively.
'
Private Declare Sub CopyByValMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, ByVal Source As Long, ByVal Length As Long)
Private Declare Sub CopyByRefMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, Source As Any, ByVal Length As Long)
Private Declare Function LocalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal wBytes As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long

'
' ConvertSDDLtoSAM, see above comments for a description.
'
Public Function ConvertSDDLtoSAM(strSDDL As String, Target As String) As String
  Dim stInt As Integer, strEnd As Integer
  Dim iEndPosition As Integer, AuthorityCount As Integer
  Dim AuthorityStrings(15) As String
  Dim Authority As String, lngSSubAuthority As Long
  Dim mByte() As Byte, str As String
  Dim lngSid As Long, clssid As Long
  Dim One As Integer, bRelValue As Long
  Dim strUser As String * 255, strDomain As String * 255
  Dim Retval As Integer, Counter As Integer
  Dim lngRid As Long, cbSidLength As Long
  Dim bIdentifier(1 To 6) As Byte
  '
  ' Fill the AuthorityStrings array with the appropriate values.
  ' AuthorityStrings(1) - The SID revision level
  ' AuthroityStrings(2) - The issuing authority
  ' AuthorityStrings(3) - 0th sub authority RID
  ' .
  ' .
  ' .
  ' AuthorityStrings(n) - Nth sub authority RID
  '
  AuthorityCount = 1
  Authority = GetSubAthorityFromSDDL(strSDDL, 1, iEndPosition)
  AuthorityStrings(AuthorityCount) = Authority
  '
  ' Walk the rest of the sub authorities and place them into
  ' the string array
  '
  Do
    Authority = GetSubAthorityFromSDDL(strSDDL, iEndPosition, iEndPosition)
    If (Len(Authority) > 0) Then
      AuthorityCount = AuthorityCount + 1
      AuthorityStrings(AuthorityCount) = Authority
    End If
  Loop While (iEndPosition > 0)
  '
  ' Initialize the security identifier.  AuthorityCount - 2 should be total
  ' number of sub authorities that need to be added to the
  ' the SID.  Use InitializeSid to create a SID using the proper authority ( stored
  ' in the second location of AuthorityStrings) and add the appropriate number of sub
  ' authorities.
  '
  ' Retrieve the SubAuthority count
  '
    Retval = CInt(AuthorityStrings(2))
  '
  ' Place that value into the appropriate Identifier array position.
  ' Just by coincidance, the Issueing Authority array and the
  ' issueing authority portion of the SDDL SID are the same number, so
  ' the structure ends up 0,0,0,0,0,CInt(AuthorityStrings(2))
  '
    bIdentifier(6) = Retval
  '
  ' Get a total SubAuthority count
  '
    SidCount = AuthorityCount - 2
  '
  ' Retreive the overall required size for the sid
  ' We must know how many bytes will be needed to build the raw
  ' sid, GetSidLengthRequired will return that information
  '
    cbSidLength = GetSidLengthRequired(SidCount)
    ReDim mByte(cbSidLength)
  '
  ' Allocate Memory for the raw SID
  '
    clssid = LocalAlloc(LMEM_ZEROINIT, cbSidLength)
  '
  ' Its time to Initialize the SID.
  ' Call InitializeSid to populate sid buffer. InitializeSid
  ' properly initializes the issuing authority and revision sections
  ' of the raw sid
  '
    lngSid = InitializeSid(clssid, bIdentifier(1), SidCount)
  '
  ' Build the raw sid using GetSidSubAuthoriy API.  The API
  ' returns an pointer to the location for the Sub Authority rid.
  ' Sub authority RIDs are stored in location 3 - AuthorityCount
  ' in the AuthorityStrings array.  Simply convert the string form of
  ' the RID into a long and copy the memory into the pointer returned
  ' by GetSidSubAuthority
  '
    For Counter = 3 To AuthorityCount
        lngSSubAuthority = GetSidSubAuthority(clssid, Counter - 3)
        lngRid = CLng(AuthorityStrings(Counter))
        CopyByRefMemory lngSSubAuthority, lngRid, LenB(lngRid)
        CopyByValMemory mByte(0), clssid, cbSidLength
    Next Counter
  '
  ' We need to copy the raw SID into a byte buffer so we can pass it to
  ' the LookupAccountSid API.  This API is targeted to a particular server
  ' Copying the memory allows us to veiw the contents of the raw sid in the
  ' watch window of our VB application.
  '
    ReDim mByte(cbSidLength)
    CopyByValMemory mByte(0), clssid, cbSidLength
  '
  ' Use LookAccountSid to resolve the  Domain\Username of the
  ' SID.
  '
    bRelValue = LookupAccountSid(Target, mByte(0), strUser, Len(strUser), strDomain, Len(strDomain), 1)
  '
  ' Clean up the domain and userID strings.  the return value of LookupAccountSid should be
  ' checked to be sure that the functions completed successfully
  '
    strUser = Left(strUser, InStr(strUser,
...

read more »

 
 
 

LDAP SID Binding

Post by Jeff Overal » Sat, 22 Jun 2002 10:17:01


Please explain why are you trying to do this?
Are you trying to bind as the "current user"?


Quote:> Folks,

> Given a SID in its usual string representation S-1-5-......, how can I
> convert that so that I can use it for the LDAP SID binding?? The LDAP
> path has to be something like:

> LDAP://<SID=xxxxxxxxxxxxxxxxxxx>

> where xxxxxxxxxxxx is a long string of hexadecimal numbers - how can I
> get from the regular string format to this separate SID string format
> for binding? Is this documented anywhere? (I coudn't find anything in
> MSDN).

> Marc

 
 
 

1. SID binding with the WinNT provider

The code

Set x = GetObject("LDAP://<SID=01020000000000052000000020020000>")

will connect you to the Administrators group on a DC using the well known
SID (S-1-5-32-544) of the group.

Does anyone know how to get this working on a workstation? I want to bind to
the local Administrators group on a workstation using the well known sid. I
can't use the name 'Administrators' as the code must run on workstations
installed in many different languages.

This...
Set x = GetObject("WinNT://<SID=01020000000000052000000020020000>")

will not work. I've tried changing the identifier authority but that makes
no difference.

Alternatively, if anyone knows how I can bind to the local administrators
group on a workstation in a language independent manner I would love to hear
from you...

Thanks

Trevor

2. Japanese sites w/ Windows CE Software

3. Binding to builtin groups using SID

4. Eiffel Compiler Optimisations (Was Virtual Destructors)

5. Binding to an AD object using SID

6. IDL and FITSIO library

7. Convert readable SID to format required by LDAP query

8. RecycleBin Folder[files aren't Visible in...]

9. LDAP Users SID??

10. LDAP Bind using ASP - Please help

11. Binding to an LDAP Server

12. IADsUser/LDAP Bind Authentication Problem

13. Unable to bind to LDAP with multivalued RDNs using ADSI