Reputation: 37106
Could I rely that PrimaryGroupToken is immutable?
Based on my investigtaion there are 2 things:
PrimaryGroupIdfrom User sidePrimaryGroupTokenoperational attribute from Group side
User references to group PrimaryGroupToken operational attribute using field PrimaryGroupId
There are 2 ways to to get PrimaryGroupToken
- Based on primaryGroupToken operation attribute
val entry = ldapConnectionPool.getEntry(groupDn, "*", "primaryGroupToken")
val primaryGroupToken = entry.getAttributeValue("PrimaryGroupToken")
- Based on
objectSidsuffix
val entry = ldapConnectionPool.getEntry(groupDn)
val domainSidBytes = entry.getAttributeValueBytes("objectSid")
val domainSidString = LdapUtils.convertBinarySidToString(domainSidBytes)
val primaryGroupToken = domainSidString.substringAfterLast("-")
I haven't found any direct way how I can get group entry by user primaryGroupId so I started to think about application level cache. But I expected that primaryGroupToken is a constant group identifier but this page confuses me.
https://learn.microsoft.com/en-us/windows/win32/adschema/a-primarygrouptoken
As you can see it is mentioned that this attribute could be updated. Based on my exeriments - I was not able to achieve it. Could you please clarify if this attribute is immutable or not ?
Upvotes: -1
Views: 66
Answers (1)
Reputation: 40988
In reality, the primaryGroupToken never changes. That said, it's not the best way to find a group since it's not indexed.
One way I've used to bind directly to a group from the user's primaryGroupId is to construct the SID of the group. The last portion of the SID is called the RID (Relative Identifier). It's a number that is incremented for each new object on the domain. Everything up to the last hyphen identifies your domain and is the same for every object on the domain.
You can construct the SID of the group by taking the user's SID, take everything up to the last hyphen, then add on the value of primaryGroupId.
For example, if we have a user with:
objectSid: 'S-1-5-21-1004336348-1177238915-682003330-12345'
primaryGroupId: 12346
Then the SID of the group is:
S-1-5-21-1004336348-1177238915-682003330-12346
Active Directory lets you bind directly to an object by the SID using this format:
LDAP://example.com/<SID=S-1-5-21-1004336348-1177238915-682003330-12346>
By default, the primaryGroupId will be 513 for all users, which is always the Domain Users group.
Upvotes: 1
Related Questions
- How to get all groups that a user is a member of?
- How to get group by primaryGroupId ? How to convert primaryGroupId to dn?
- LDAP access from dmz fails: : Information about the domain could not be retrieved (1355)
- LDAP Continuation Reference error in search results from Active Directory when using GSSAPI authentication in Java
- single line LDAP query that enumerates users from a group within a supergroup
- Ldap query in AD for user that have at least one group?
- ActiveDirectoryMembershipProvider "The specified domain or server could not be contacted."
- Active Directory LDAP query result always missing attributes that are known to exist
- ActiveDirectoryMembershipProvider "The specified domain or server could not be contacted" AFTER changing to Comcast