How to get group by primaryGroupId ? How to convert primaryGroupId to dn?

Question

I can read user primaryGroupId: val entry = ldapConnectionPool.getEntry(userDn) primaryGroupID = entry.getAttributeValue(PRIMARY_GROUP_ID.ldapFieldName)

it is a string which contains number. In my case it is always 513

As I understand user must have this group and it is setup during creation.

I want to get group DN based on primaryGroupId

I've tried to get primary group from group entry:

ldapConnectionPool.getEntry(groupDn)
val token = entry.getAttributeValue("PrimaryGroupToken")

But it always null

Another option I've found is suffix of objectSid:

But solutions from here don't work for me:

How to convert the SID to String and vice versa in Java?

If I use this answer https://stackoverflow.com/a/21818633/2674303

I get wrong suffix.

Any ideas hwo to fix it ?

Update.

Based on answer user1686 I was able to understand that query like this works properly:

ldapConnectionPool.searchForEntry(baseDn, SearchScope.SUB, "objectSid=S-1-5-32-550")

But prefix (in my case "S-1-5-32") depends on folder.

1. 2.

And unfortunately query with wikd card return null:

ldapConnectionPool.searchForEntry(baseDn, SearchScope.SUB, "*-550")

Answer 1

primaryGroupId is a RID (the last component of a SID). You need to suffix it to the domain SID in order to get the correct group SID.

1. Read the objectSid attribute from the domain's root entry (dc=foo,dc=bar).
2. Convert that to a string.
3. Concatenate domain objectSid + "-" + user primaryGroupID, to obtain the group SID.

Although objectSid stores the SID in binary form, AD DC actually has a custom matching rule that allows you to search for a string SID.

4. Search the directory for (objectSid= + the group SID + ).
5. Use the DN of the entry you found.