https://issues.apache.org/bugzilla/show_bug.cgi?id=49633
Summary: Handle AD primary groups in mod_authnz_ldap
Product: Apache httpd-2
Version: 2.2.3
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_authz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
In an AD environment a user's primary group is not stored in the member
attribute. Instead, the group's RID value is stored in the primaryGroupID
attribute of the user. To find the user's primary group name you need to find
the domain SID and then search for the group that has the SID value <domain
SID>-<group RID> in its objectSid attribute. The following is an example in
Python using py-ldap for doing this:
---
import ldap
import pprint
import struct

def sid2str(sid):
    # Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian), then the sub-authorities
    # (4 bytes each, little-endian).
    srl = ord(sid[0])
    number_sub_id = ord(sid[1])
    iav = struct.unpack('!Q', '\x00\x00' + sid[2:8])[0]
    sub_ids = [
        struct.unpack('<I', sid[8+4*i:12+4*i])[0]
        for i in range(number_sub_id)
    ]
    return 'S-%d-%d-%s' % (
        srl,
        iav,
        '-'.join([str(s) for s in sub_ids]),
    )

# l is an already initialised and bound ldap connection object
# Get RID of primary group
>>> pri_grp_rid = l.search_s('cn=users,dc=example,dc=com', ldap.SCOPE_SUBTREE,
...     'sAMAccountName=tmclaughlin', ['primaryGroupID'])[0][1]['primaryGroupID'][0]
# Get domain SID
>>> domain_sid = l.search_s('dc=example,dc=com',
...     ldap.SCOPE_BASE)[0][1]['objectSid'][0]
# Convert domain SID to string form
>>> domain_sid_s = sid2str(domain_sid)
# Search for group with <domain SID>-<group RID> objectSid value
>>> pprint.pprint(l.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE,
...     'objectSid=%s-%s' % (domain_sid_s, pri_grp_rid), ['cn']))
[('CN=Domain Users,OU=Groups,DC=example,DC=com',
  {'cn': ['Domain Users']})]
---
I have some more on AD primary groups here:
http://blogs.freebsdish.org/tmclaugh/2010/07/21/finding-a-users-primary-group-in-ad/
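As an added example (not from the report and not mod_authnz_ldap code), the same lookup done offline in Python 3 against a constructed domain SID: it parses the binary objectSid with a length check, appends the RID from primaryGroupID as one more sub-authority, and builds the group search filter with the binary SID escaped per RFC 4515 instead of AD's S-... string syntax, after rejecting any primaryGroupID value that is not a plain decimal RID so that attribute data can never reshape the filter. The DOMAIN_SID bytes and the RID 513 are sample values chosen for the example.

```python
import re
import struct

# Constructed sample domain objectSid (no real domain): revision 1, four
# sub-authorities, identifier authority 5, i.e. S-1-5-21-1111-2222-3333.
# Layout: revision(1) count(1) identifier-authority(6, big-endian),
# then count x sub-authority (4 bytes each, little-endian).
DOMAIN_SID = bytes([1, 4, 0, 0, 0, 0, 0, 5]) + struct.pack('<4I', 21, 1111, 2222, 3333)


def sid2str(sid):
    """Render a binary objectSid as S-R-I-S1-...-Sn, checking its length first."""
    rev, count = struct.unpack('BB', sid[:2])
    if count > 15 or len(sid) != 8 + 4 * count:
        raise ValueError('malformed SID: %d bytes, %d sub-authorities' % (len(sid), count))
    iav = struct.unpack('!Q', b'\x00\x00' + sid[2:8])[0]
    subs = struct.unpack('<%dI' % count, sid[8:])
    return '-'.join(['S', str(rev), str(iav)] + [str(s) for s in subs])


def primary_group_sid(domain_sid, primary_group_id):
    """Binary objectSid of the user's primary group: the domain SID with the
    RID from primaryGroupID appended as one more sub-authority."""
    if isinstance(primary_group_id, bytes):  # python-ldap 3 returns attribute values as bytes
        primary_group_id = primary_group_id.decode('ascii', 'replace')
    # A RID is an unsigned 32-bit integer; reject anything else before it gets
    # anywhere near a search filter.
    if not re.fullmatch(r'[0-9]{1,10}', primary_group_id) or int(primary_group_id) >= 1 << 32:
        raise ValueError('primaryGroupID is not a valid RID: %r' % primary_group_id)
    sid2str(domain_sid)  # raises on a malformed domain SID
    count = domain_sid[1]
    if count == 15:
        raise ValueError('domain SID already holds the maximum of 15 sub-authorities')
    return (domain_sid[:1] + bytes([count + 1]) + domain_sid[2:]
            + struct.pack('<I', int(primary_group_id)))


def primary_group_filter(domain_sid, primary_group_id):
    """Search filter for the primary group with the binary objectSid escaped
    as \\XX (RFC 4515): portable beyond AD's S-... string syntax and free of
    filter metacharacters whatever the inputs contained."""
    sid = primary_group_sid(domain_sid, primary_group_id)
    return '(objectSid=%s)' % ''.join('\\%02x' % b for b in sid)


if __name__ == '__main__':
    print(sid2str(DOMAIN_SID))                      # S-1-5-21-1111-2222-3333
    print(primary_group_filter(DOMAIN_SID, b'513'))
```

The resulting filter can be passed straight to search_s() in place of the 'objectSid=%s-%s' string form used in the report.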