Resolving objectSid between domains

Thu, 05 May 2005 08:07:10 -0700 

We have 2 domains on our network, both using Active Directory.  Domain1 has 
Domain Local security groups that can contain groups or users from Domain2.  
The script that I have scans a group from Domain1 and if it finds an entry that 
resides in the ForeignSecurityPrincipals CN, it grabs the objectSid property 
from that ForeignSecurityPrincipals object.  Then I bind to Domain2 and try to 
do an LDAP search for that objectSid.  But this search always fails with the 
'Bad Filter' error and I don't know why.  Here is the relevant code.  Any ideas 
as to why my search keeps failing would be greatly appreciated.

#=========================START CODE=========================

$ldap = ldapBind ('my.domain.com', '[EMAIL PROTECTED]', 'password');

my @subMembers;

if ($ldap) {
        my $base = "$rootDN";
        #       filter by the foreign security principal SID from the first 
domain
        my $filter = "(objectSid=$fsp)";
        my $scope = 'sub';
        my $searchRes = $ldap->search(
                base => $base,
                filter => $filter,
                scope => $scope
        );
        if ($searchRes->code == 0) {
                foreach my $entry ($searchRes->entries) {
                        @subMembers = getGrpMem($ldap,$entry);
                        foreach my $member (@subMembers) {
                                my ($lastname,$firstname) = split /,\s/, 
$member;
                                print $firstname . " " . $lastname . "\n";
                        }
                }
        } else {
                print "Error with search in $base:\n" . $searchRes->error . 
"\n";
                print "\$fsp = $fsp\n";
                print "\$base = $base\n";
                print "\$filter = $filter\n";
        }
} else {
        print "Error making LDAP connection to second domain.\n";
}
$ldap->unbind();


#**********************************************************************
#       Takes:
#               $ldapConn - reference to an LDAP connection
#               $entry - reference to an LDAP entry that is a group
#       Returns:
#               Returns a list of all of the members of the group.
#**********************************************************************
sub getGrpMem {
        my $ldapConn = shift;
        my $entry = shift;
        my @retVal;
        my $count = 0;

        my $array = $entry->get_value('member',asref => 1);
        foreach my $arrayVal (@$array) {
                my $searchRes2 = $ldapConn->search(
                        base => $arrayVal,
                        filter => '(objectclass=*)',
                        scope => 'base',
                        attrs => 'name','cn','mail'
                );
                if ($searchRes2->code == 0) {
                        foreach my $entry2 ($searchRes2->entries) {
                                $retVal[$count++] = $entry2->get_value('cn');
                        }
                } else {
                        print "Error with search for $arrayVal:\n" . 
$searchRes2->error . "\n";
                }
        }

        return @retVal;
}



___________________________
Aaron Giuoco
e: [EMAIL PROTECTED]

Reply via email to