Nihathrael

Reputation: 515

Resolving ForeignSecurityPrincipals in Active Directory with UnboundID LDAP SDK for Java

I am trying to resolve ForeignSecurityPrincipals to User objects in an Active Directory Server network using exclusively the LDAP Interface via the UnboundID LDAP SDK for Java (https://www.ldap.com/unboundid-ldap-sdk-for-java).

What I am trying to do is the following:

Importing the group is easily done, but the group contains some ForeignSecurityPrincipals as members. These first have to be resolved to "real" User objects using the principal's objectSID.

As far as I understand, the ForeignSecurityPrincipal points to another object resident on a different server, which has to be resolved. According to the guide here (https://community.oracle.com/message/4697183#4697183) I should be collecting all trust parents and then iterate over them to search for the User object. Unfortunately in our case, this doesn't result in any users being found.

Because of additional information I have, I know in which server the specific user I am using for testing is resident, but I can not even find that server in the trust parent list of my original server. I am accessing my server as a Global Catalog, therefore, as far as I understand, I should be able to find everything resident on the entire network. Correct?

Note that the group and the user referenced by the principal are resident in two completely distinct trees, not subtrees of each other. (e.g. the group is in the foo.com domain and the user in the acme.net domain).

Does anyone have experience with the lookup of ForeignSecurityPrincipals in Active Directory and can provide any guidance as to which step I might be missing or which problems I might be overlooking?

Thanks!

Upvotes: 1

Views: 11558

Answers (1)

baldpate

Reputation: 1749

ForeignSecurityPrincipals (FSP) represent security principals external to the current forest. So in most cases it's expected that you cannot resolve an FSP using a GC in the current forest, as the GC contains only the objects in its own forest.

To my knowledge, the only hint in an FSP to get back the security principal is the SID in the objectSid attribute. There seems to be no easy way to get back the containing forest/domain using a SID from a foreign forest.

A not-so-easy way is to build a domain SID to domain map.

Accessing Foreign Security Principals

But it's in PowerShell (I have no knowledge of the SDK you mentioned). The general concept is to walk through each domain in the trusted forests and build the domain SID map. After that you know where the SID comes from, and then you can do a search on the target domain to get back the account. You may try to understand the code and port it to your preferred language.

Upvotes: 2
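The SID-map approach described in the answer above, as an added Java example that is not from the question, the answer, or the UnboundID SDK: it decodes an FSP's binary objectSid, strips the RID to obtain the domain SID, looks that up in a domain SID to base DN map, and builds a binary-safe objectSid filter for the follow-up search in the target domain. The SID bytes, the map contents and the acme.net base DN are constructed; the LDAP search itself (which the SDK performs) is left out.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Map;

/** Constructed example of the FSP lookup steps; not the SDK's own code. */
public class FspResolver {

    /** Decode a binary objectSid (revision, sub-authority count, 48-bit authority, sub-authorities). */
    static String sidToString(byte[] sid) {
        if (sid == null || sid.length < 8 || sid[0] != 1)
            throw new IllegalArgumentException("not a revision-1 SID");
        int count = sid[1] & 0xFF;
        if (sid.length != 8 + 4 * count)
            throw new IllegalArgumentException("SID length does not match sub-authority count");
        long authority = 0;  // 48-bit big-endian identifier authority
        for (int i = 2; i < 8; i++) authority = (authority << 8) | (sid[i] & 0xFF);
        StringBuilder sb = new StringBuilder("S-1-").append(authority);
        // sub-authorities are 32-bit little-endian unsigned integers
        ByteBuffer buf = ByteBuffer.wrap(sid, 8, 4 * count).order(ByteOrder.LITTLE_ENDIAN);
        for (int i = 0; i < count; i++) sb.append('-').append(buf.getInt() & 0xFFFFFFFFL);
        return sb.toString();
    }

    /** The domain SID is the account SID with its trailing RID removed. */
    static String domainSid(String accountSid) {
        return accountSid.substring(0, accountSid.lastIndexOf('-'));
    }

    /** Binary-safe LDAP filter for objectSid: every byte escaped as \xx, so no string form is needed. */
    static String sidFilter(byte[] sid) {
        StringBuilder sb = new StringBuilder("(objectSid=");
        for (byte b : sid) sb.append(String.format("\\%02x", b & 0xFF));
        return sb.append(')').toString();
    }

    /** Base DN of the domain owning the SID, or null if it belongs to no known trusted domain. */
    static String targetBaseDn(byte[] fspSid, Map<String, String> domainSidToDn) {
        return domainSidToDn.get(domainSid(sidToString(fspSid)));
    }

    public static void main(String[] args) {
        // Constructed objectSid bytes for S-1-5-21-1000-2000-3000-1105 (revision 1, 5 sub-authorities).
        byte[] fsp = { 1, 5, 0, 0, 0, 0, 0, 5,
            21, 0, 0, 0, (byte) 0xE8, 3, 0, 0, (byte) 0xD0, 7, 0, 0, (byte) 0xB8, 11, 0, 0, 0x51, 4, 0, 0 };
        // Constructed map; in practice built by walking each trusted domain's own objectSid as the answer describes.
        Map<String, String> domainMap = Map.of("S-1-5-21-1000-2000-3000", "DC=acme,DC=net");
        String base = targetBaseDn(fsp, domainMap);
        System.out.println(sidToString(fsp) + " -> search base " + base + " with filter " + sidFilter(fsp));
    }
}
```

When the map lookup returns null, the SID belongs to a domain the walk did not reach (for example an untrusted forest or a tombstoned trust), which is the case where the FSP cannot be resolved at all.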
