System.DirectoryServices SID search

    Question

  • Hello,

    From a WindowsIdentity we obtain the SID bytes and convert them to their hex string representation.

    We then try to bind to AD with the SID information to get the AD container for the specified user.

    Since we have an AD tree like this:

    COMPANY.COM
       SERVERS.COMPANY.COM
       EMEA.COMPANY.COM
       US.COMPANY.COM

    If we use serverless binding, the server binds to the LDAP server in SERVERS.COMPANY.COM and does not find anything
    (sample: DirectoryEntry de = new DirectoryEntry("LDAP://<SID=sidHexString>");)

    If we bind by name to the EMEA.COMPANY.COM server (because we know that the SID is for an EMEA user), it works fine (sample: DirectoryEntry de = new DirectoryEntry("LDAP://emealdap.emea.company.com/<SID=sidHexString>");)

    If we try to bind to the global catalog as in case 1 (sample: GC://<SID=sidHexString>), no result.

    What is the correct process to bind to a user knowing its SID without "cabling" the single LDAP servers in a search?


    Thanks for your support


    Giovanni Lanaro





    Thursday, August 25, 2005 2:04 PM

Answers

  • 1) In the article about SID binding Microsoft states that the byte[] must be converted to a hex string representation; the reported example works fine only for direct binding,
    i.e. DirectoryEntry de = new DirectoryEntry("LDAP://<SID=00111a...>");

    This solution has 2 side effects when you search for an object in a tree:

    1) Serverless binding connects you to the default LDAP server given your "location". If the LDAP server is not the "owner" of the SID, it returns "object not found".

    2) If you use "named server" binding you need to know which branch the SID belongs to, and bind to an appropriate server having a catalog for that branch.

    To be sure to find an object by SID in a TREE or FOREST without knowing which branch or subtree it belongs to, I suggest:

    // BIND TO GLOBAL CATALOG (username/password are the credentials used for the search)
    DirectoryEntry gCatalog = new DirectoryEntry("GC:", username, password);

    // DEFINE A SEARCH RESULT
    SearchResult sResult = null;

    // walk every naming context published under the global catalog
    foreach (DirectoryEntry rootForest in gCatalog.Children)
    {
       // in the filter each SID byte is written as \XX (backslash + two hex digits)
       DirectorySearcher ds = new DirectorySearcher(rootForest, @"(objectSid=\00\11\1a.....)");
       sResult = ds.FindOne();
       if (sResult != null)
          break;
    }


    Please note that when performing a SID-based search, unlike direct binding, a \ (backslash) must precede each byte's string representation.

    Maybe this is obvious or well known to you, but to me it was not, so I went mad trying to get it working based on the string representation in the direct binding sample provided by MS.

    Any comments welcome

    Thursday, August 25, 2005 6:50 PM
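The two SID encodings the thread turns on (plain hex for `<SID=...>` binding, backslash-escaped `\XX` per byte for an `objectSid` filter) and the global-catalog walk from the answer, written up as an added example that is not the posters' code. It assumes the caller supplies a `SecurityIdentifier` (for instance `WindowsIdentity.GetCurrent().User`) and the credentials the search should run under; `SidLookup` and its method names are my own.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class SidLookup
{
    // Form used for direct binding: "LDAP://<SID=" + ToBindHex(sid) + ">"
    public static string ToBindHex(byte[] sid)
    {
        var sb = new StringBuilder(sid.Length * 2);
        foreach (byte b in sid) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Form used inside an LDAP search filter: every byte as \XX
    // (the escaping the answer above says is easy to miss).
    public static string ToFilterEscaped(byte[] sid)
    {
        var sb = new StringBuilder(sid.Length * 3);
        foreach (byte b in sid) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Search each naming context under the global catalog for the object
    // with this SID, without hard-wiring any domain controller name.
    // Returns null if no partition of the forest holds the SID.
    public static SearchResult FindBySid(SecurityIdentifier sid,
                                         string username, string password)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);                     // same bytes WindowsIdentity exposes
        string filter = "(objectSid=" + ToFilterEscaped(raw) + ")";

        using (var gc = new DirectoryEntry("GC:", username, password))
        {
            foreach (DirectoryEntry root in gc.Children)
            {
                using (root)
                using (var searcher = new DirectorySearcher(root, filter))
                {
                    SearchResult hit = searcher.FindOne();
                    if (hit != null) return hit;
                }
            }
        }
        return null;
    }
}
```

The search runs with whatever rights the supplied credentials have in the global catalog, so a null result can mean "not in this forest" or "not readable by this account"; check the latter before concluding the SID is foreign.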