Develop Reference

LDAP query to get account name from SID

So I have a SID of a FSP: S-1-5-21-2127521184-1604012920-1887927527-72713.
Translation worked in powershell but I would like to do the ldap query by myself, like here but have a little trouble with proper SID conversion.
Could you help me with query that give me a corresponding account name based on SID ?

You can bind directly to an object using the SID using LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>. Then get the username after that.
In PowerShell, it would look something like:
$account = [adsi]"LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
$username = $account.Properties["sAMAccountName"]
If the computer you run this from is on a different domain than the account, you may have to specify the domain:
$account = [adsi]"LDAP://domain.com/<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"

If you have Java available you can query the ObjectSID directly.
We show an Example with code
I am able to use an ldapsearch like:
ldapsearch -h example.net -D "EXAMPLE\myID" -b "OU=Accounts,DC=EXAMPLE,DC=NET" -s sub -a search -z 1000 "(ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)" "objectClass"
And get results.
# extended LDIF
# LDAPv3
# base <OU=Accounts,DC=EXAMPLE,DC=NET> with scope subtree
# filter: (ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)
# requesting: objectClass samAccountName
#
# userid, sales, Accounts, EXAMPLE.NET
dn: CN=userid,OU=sales,OU=Accounts,DC=EXAMPLE,DC=NET
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: userid
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This search is done from a Linux machine and done by a user that is not represented by the ObjectSID.

How to add an attribute to an LDAP schema

I am trying to add a new attribute named sAMAccountName to an already existing LDAP schema definition which is read by IM-LDAP using UnboundID LDAP SDK.
I have added an attributeTypes entry and sAMAccountName to matchingRuleUse.
attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ ... $ sAMAccountName ) )
For every previously existing attribute a call to com.unboundid.ldap.sdk.schema.Schema.getAttributeType("attrName") returns the attribute type. But not for my new attribute.
What am I missing?
Edited 10/11/18 after #jwilleke comment:
What I am trying to achieve is a mock using IM-LDAP for a very limited functionality of an Active Directory server.
In the actual AD production environment, there are entries representing users with objectClass: person, organizationalPerson,simulatedMicrosoftSecurityPrincipal.
In AD these entries contain sAMAccountName and memberof attributes.
But they are not there in the schema that comes with IM-LDAP.
The authentication Java code first performs a search on
(&(objectClass=user)(sAMAccountName=userAccountName)
Then if an entry in found, it checks whether a given security group name is present in the multivalued attribute memberof.
An entry exported from the production AD server looks like this :
dn: cn=Smith\,John,ou=User Accounts,dc=ACME,dc=CORE,dc=INT
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: simulatedMicrosoftSecurityPrincipal
cn: Smith,John
sn: JohnS
sAMAccountName: JohnS
userPassword: johnspasswd
memberof: ou=Service Accounts,dc=ACME,dc=CORE,dc=INT
The two new attributes are added to objectClass simulatedMicrosoftSecurityPrincipal in the schema by adding:
objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )
But when I try to import these entries into the LDAP mock I get an error telling me that sAMAccountName and memberof are not defined.
EDIT 2:
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Wokrked for adding sAMAccountName, but still trying to figure out how to add memeberOf
Here is the complete .ldif file.

This is what finally worked for me
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

SSSD - LDAP group based access - ldap schema rfc2307bis

I'm having trouble setting up access_provider = ldap in SSSD. Problem is with the ldap_access_filter.
LDAP side looks like this:
USER:
# username, users, location, dc1.dc2
dn: uid=username,ou=users,l=location,dc=dc1,dc=dc2
shadowExpire: 17507
shadowLastChange: 17494
shadowMin: 0
shadowMax: 0
shadowInactive: 0
shadowFlag: 0
shadowWarning: 0
loginShell: /bin/bash
homeDirectory: /home/username
gidNumber: 2341
uidNumber: 6432
uid: username
mail: username#company.com
sn: Name
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
cn: User Name
title: User Title
mobile: xxxxxxxxx
manager: uid=usermanager,ou=users,l=location,dc=dc1,dc=dc2
GROUP:
# allowed-group, groups, location, dc1.dc2
dn: cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc2
cn: allowed-group
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
gidNumber: 2140
description: Group description
uniqueMember: uid=username,ou=users,l=location,dc=dc1,dc=dc2
I've tried to set ldap_access_filter = uniqueMember=cn=allowed-group but it will always deny access with following message:
(Tue Dec 5 18:22:44 2017) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=username)(objectclass=posixAccount)(uniqueMember=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1))][uid=username,ou=users,l=location,dc=dc1,dc=dc2].
(Tue Dec 5 18:22:44 2017) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [username#ldap] was not found with the specified filter. Denying access.
sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,nagios
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://uri
ldap_schema = rfc2307bis
ldap_search_base = l=location,dc=dc1,dc=dc2
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember
ldap_access_order = filter, expire
ldap_account_expire_policy = shadow
ldap_access_filter = uniqueMember=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1
cache_credentials = true
enumerate = true
debug_level = 8
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/pki/tls/cacert.pem
is anyone able to point how to create correct ldap_access_filter for that ldap schema ?

You need sssd to be looking at the user's attributes, not the group's list of users, e.g.
ldap_access_filter = memberOf=cn=allowed-group,ou=groups,l=location,dc=dc1,dc=dc1
To get that memberOf attribute into your users' records you need to use the memberof overlay (assuming your LDAP server is running OpenLDAP).

Alternatively, for group-based access control, you can use access_provider=simple and then list the allowed groups.

Active Directory / multi-valued RDN

Question:
How to handle DNs like this in Active Directory:
"myAttribute1=val1 + myAttribute2=val2 + myAttribute3=val3,
OU=instance1, DC=adtest"
Note: I don't have a CN here, the RDN is solely defined by custom defined classes myAttribute1, myAttribute2 and myAttribute3.
Details:
I have a schema description that I have to migrate vom OpenDS to Active Directory.
But it seems that multi-valued RDNs are a problem in Active Directory.
A lookup with the DN mentioned above works fine in OpenDS. But when I do the same lookup in Active Directory, I get this exception:
javax.naming.InvalidNameException: "myAttribute1=val1 +
myAttribute2=val2 myAttribute3=val3": [LDAP: error code 34 -
0000208F: LdapErr: DSID-0C090715, comment: Error processing name, data
0, v1db1 ];
Here are my schema definitions. First in OpenDS:
objectClasses: ( 1.3.6.1.4.1.99.2
NAME 'myNewClass'
SUP top STRUCTURAL
MUST ( myAttribute1 $ myAttribute2 $ myAttribute3 )
MAY someOtherAttribute
)
And this is what I did for Active Directory:
# Class: myNewClass
dn: cn=myNewClass,cn=Schema,cn=Configuration,dc=X
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.99.2
ldapDisplayName: myNewClass
adminDisplayName: myNewClass
objectClassCategory: 0
systemOnly: FALSE
# subclassOf: top
subclassOf: 2.5.6.0
# rdnAttId: myAttribute1
rdnAttId: 1.3.6.1.4.1.99.1
# mustContain: myAttribute2
mustContain: 1.3.6.1.4.1.99.2
# mustContain: myAttribute3
mustContain: 1.3.6.1.4.1.99.3
# mayContain: someOtherAttribute
mayContain: 1.3.6.1.4.1.99.4
# possSuperiors: organizationalUnit
possSuperiors: 2.5.6.5
# defaultObjectCategory: myNewClass
defaultObjectCategory: cn=myNewClass,cn=Schema,cn=Configuration,dc=X
I assume the problem is related to rdnAttId - I'm not sure which value I should put there. First I've tried to put CN there -> did not work. Second I've tried to use any of my custom defined attributes (myAttribute1) -> did not work either.

After some research: It seems to be not possible to use/define multivalued RDNs in Active Directory.
See: http://msdn.microsoft.com/en-us/library/cc223237.aspx
Quote: "... [RFC2253] section 2 defines the following grammar rule for RelativeDistinguishedName, which explicitly allows RDNs to contain multiple attributes and values:
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
AttributeTypeAndValue
Active Directory is conformant with this rule, with the restriction that MAX equals 1 within the scope of the rule. ...".
LOL ( -> "MAX equals 1").

LDIF for creating Active Directory users and groups in OpenLDAP?

I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.
The documentation says that I need to log on the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").
I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class nor the attributes I should use, and I don't have access to a domain controller. The most problematic items seems to be group type and scope, because they seem to be binary values, not strings.
Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.

It's almost impossible to convert the entire ActiveDirectory schema to OpenLDAP, it's huge. However, we can add only the needed attributes and classes:
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE
)
attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
)
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
DESC 'a user'
SUP organizationalPerson STRUCTURAL
MUST ( cn )
MAY ( userPassword $ memberOf ) )
objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
DESC 'a group of users'
SUP top STRUCTURAL
MUST ( groupType $ cn )
MAY ( member ) )
Then it's easy to create an LDIF file for inserting the users and groups:
dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch
dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database
dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany
dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9
dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany
dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9

Ok, here is the begining of an answer :
Once you installed your OPENLdap
A - Edit your slapd.conf to :
1) Modify the schemas included
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetperson.schema
2) Modifiy schema files as explained in this FAQ
3) Modify your naming context (personaly I'am using HDB as backend)
database hdb
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
rootpw secret
directory /usr/local/var/openldap-hdb
4) Then restart your directory
B - Insert your root
Here is the LDIF file (root.ldif)
dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom
Here is the command line
ldapadd –x –D "cn=Manager,dc=dom,dc=com" -W –f root.ldif
C - Insert a user
Here is the LDIF file (user.ldif)
dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999
Here is the command line
ldapadd –x –D "cn=Manager,dc=dom,dc=com" -W –f user.ldif
D - An advice
Apache directory studio, is for me, a VERY good LDAP Browser, it's Open Source, it works on the top of java on Linux and Windows. Using it you can graphicaly browse AD and OpenLdap and do parts B and C just clicking.
Active-Directory Schema (Classes and attributes) are documented in the MSDN. For example here are the information about groupType. Is it what you expect?