Reputation: 3359
PHP LDAP get user SID
I don't know how to get users unique identifier (SID) in AD. Code fragment:
...
$filter="(&(samaccountname=".$this->username.")(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP_NAME,OU=Security,DC=something,DC=something))";
$attribute = array("cn","objectsid","description", "group", "member", "samaccountname");
$sr=ldap_search($this->conn_ldap, $this->ldap_dn, $filter, $attribute);
if ($sr)
{
$this->info = ldap_get_entries($this->conn_ldap, $sr);
if ($this->info["count"] == 1){
ldap_close($this->conn_ldap);
return true;
}
...
i can pull information with:
echo $this->info[0]["cn"][0];
or
echo $this->info[0]["objectsid"][0];
In first output i can see users name in secound something like 0�@�d^�WL7�U
I believe sid should be like S-......?
Upvotes: 3
Views: 6064
Answers (4)
Reputation: 6668
Is old post but I do some combination what I find useful and this function is the ultimate function for binary to SID translations:
// Binary to SID
function bin_to_str_sid($binary_sid) {
$sid = NULL;
/* 64bt PHP */
if(strlen(decbin(~0)) == 64)
{
// Get revision, indentifier, authority
$parts = unpack('Crev/x/nidhigh/Nidlow', $binary_sid);
// Set revision, indentifier, authority
$sid = sprintf('S-%u-%d', $parts['rev'], ($parts['idhigh']<<32) + $parts['idlow']);
// Translate domain
$parts = unpack('x8/V*', $binary_sid);
// Append if parts exists
if ($parts) $sid .= '-';
// Join all
$sid.= join('-', $parts);
}
/* 32bit PHP */
else
{
$sid = 'S-';
$sidinhex = str_split(bin2hex($binary_sid), 2);
// Byte 0 = Revision Level
$sid = $sid.hexdec($sidinhex[0]).'-';
// Byte 1-7 = 48 Bit Authority
$sid = $sid.hexdec($sidinhex[6].$sidinhex[5].$sidinhex[4].$sidinhex[3].$sidinhex[2].$sidinhex[1]);
// Byte 8 count of sub authorities - Get number of sub-authorities
$subauths = hexdec($sidinhex[7]);
//Loop through Sub Authorities
for($i = 0; $i < $subauths; $i++) {
$start = 8 + (4 * $i);
// X amount of 32Bit (4 Byte) Sub Authorities
$sid = $sid.'-'.hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
}
}
return $sid;
}
Now you can chillout and use this function in any PHP version.
Upvotes: 2
Reputation: 11
This works on 64bit systems and I think is more succinct.
function bin_to_str_sid($binsid) {
$parts = unpack('Crev/x/nidhigh/Nidlow', $binsid);
$ssid = sprintf('S-%u-%d', $parts['rev'], ($parts['idhigh']<<32) + $parts['idlow']);
$parts = unpack('x8/V*', $binsid);
if ($parts) $ssid .= '-';
$ssid .= join('-', $parts);
return $ssid;
}
Upvotes: 1
Reputation: 2869
As an alternative example, this can be done completely using PHP's unpack function. The objectSid binary structure is best documented on this MSDN doc:
Revision (1 byte): An 8-bit unsigned integer that specifies the revision level of the SID. This value MUST be set to 0x01.
SubAuthorityCount (1 byte): An 8-bit unsigned integer that specifies the number of elements in the SubAuthority array. The maximum number of elements allowed is 15.
IdentifierAuthority (6 bytes): A SID_IDENTIFIER_AUTHORITY structure that indicates the authority under which the SID was created. It describes the entity that created the SID. The Identifier Authority value {0,0,0,0,0,5} denotes SIDs created by the NT SID authority.
SubAuthority (variable): A variable length array of unsigned 32-bit integers that uniquely identifies a principal relative to the IdentifierAuthority. Its length is determined by SubAuthorityCount.
/**
* Decode the binary SID into its readable form.
*
* @param string $value
* @return string
*/
function decodeSID($value)
{
# revision - 8bit unsigned int (C1)
# count - 8bit unsigned int (C1)
# 2 null bytes
# ID - 32bit unsigned long, big-endian order
$sid = @unpack('C1rev/C1count/x2/N1id', $value);
$subAuthorities = [];
if (!isset($sid['id']) || !isset($sid['rev'])) {
throw new \UnexpectedValueException(
'The revision level or identifier authority was not found when decoding the SID.'
);
}
$revisionLevel = $sid['rev'];
$identifierAuthority = $sid['id'];
$subs = isset($sid['count']) ? $sid['count'] : 0;
// The sub-authorities depend on the count, so only get as many as the count, regardless of data beyond it
for ($i = 0; $i < $subs; $i++) {
# Each sub-auth is a 32bit unsigned long, little-endian order
$subAuthorities[] = unpack('V1sub', hex2bin(substr(bin2hex($value), 16 + ($i * 8), 8)))['sub'];
}
# Tack on the 'S-' and glue it all together...
return 'S-'.$revisionLevel.'-'.$identifierAuthority.implode(
preg_filter('/^/', '-', $subAuthorities)
);
}
Upvotes: 1
Reputation: 3359
I found a solution on another website (see below). Basically this function is converter and makes SID visible:
public static function SIDtoString($ADsid)
{
$sid = "S-";
//$ADguid = $info[0]['objectguid'][0];
$sidinhex = str_split(bin2hex($ADsid), 2);
// Byte 0 = Revision Level
$sid = $sid.hexdec($sidinhex[0])."-";
// Byte 1-7 = 48 Bit Authority
$sid = $sid.hexdec($sidinhex[6].$sidinhex[5].$sidinhex[4].$sidinhex[3].$sidinhex[2].$sidinhex[1]);
// Byte 8 count of sub authorities - Get number of sub-authorities
$subauths = hexdec($sidinhex[7]);
//Loop through Sub Authorities
for($i = 0; $i < $subauths; $i++) {
$start = 8 + (4 * $i);
// X amount of 32Bit (4 Byte) Sub Authorities
$sid = $sid."-".hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
}
return $sid;
}
https://www.null-byte.org/development/php-active-directory-ldap-authentication/
Upvotes: 4
Related Questions
- Getting user readable name via LDAP with PHP by having only the login credentials
- Find user in AD LDAP
- How to get list of users from LDAP directory using PHP?
- Get user's name from LDAP PHP
- How to retrieve user info fra a Active Directory Security Group using LDAP and PHP
- PHP LDAP Get user details of member which is a member of a group
- LDAP Authenticating user in PHP
- LDAP: How to get all users and groups from Active Directory
- can bind successfully to the ldap server, but needs to know how to find user w/i AD
- Getting all the users from LDAP