As you have noticed, today is catchup day in joe’s personal life. I am trying to get various things done that I haven’t been able to previously. While going through the mailbag I ran into the following email…
Subject: -binenc question
I am trying to use the following to return the samAccountName from a SID:
adfind -b -binenc dc=xyz,dc=com -f (objectSID={{SID:S-1-5-21-33307682-239368645-1341851483-1055}}) sAMAccountName
The transformed filter result is
Transformed Filter: (objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\22\3C\FC\01\C5yD\0E\5B\07\FBO\1F\04\00\00)
Error ——————————————————————————————————————-^———————-^———————-
And the result fails. The transformed filter does not appear to be outputting correctly.
Copying the contents of objectSID and converting it manually and then inserting it into the query works
adfind -b dc=xyz,dc=com -f (objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\22\3c\fc\01\c5\79\44\0e\5b\07\fb\4f\1f\04\00\00) sAMAccountName
AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009
Using server: server.xyz.com:389
Directory: Windows Server 2003
dn:CN=User\, Some,OU=Parent,DC=ctsnet,DC=com
>sAMAccountName: Someu
1 Objects returned
Is there a different way I should be approaching this?
Thank you for making these tools available.
Right off I knew that the format AdFind uses for the binary encoding of filters is fine, and long time readers will recall a post on this functionality from several years ago: http://blog.joeware.net/2005/12/17/173/.
Admittedly, though, I was confused at first. Then I saw the ordering of the parameters on the command line. This is actually pretty common and I am unsure how I can help with this (don’t say it Bwandon…). I think it is due to people not being truly sure about what they are sticking on the command line. I have watched people use the command line before and they view it as a foreign language at best. They really don’t logically put together what is happening when they put the switches down, and don’t realize that the switches can have their own parameters and those have to follow the switch.
Anyway, here is my response.
Subject: RE: -binenc question
That encoded format is perfectly fine and acceptable to Active Directory. Your query isn’t failing because of that, it is failing due to a typo in the command you typed.
The encoding is all controlled by the ldap_escape_filter_element function which is what AdFind uses… See http://blog.joeware.net/2005/12/17/173/ for a little bit of discussion about it.
The issue with your command is that the ordering of the switches is mixed up… Many of the switches take an additional parameter and that parameter needs to follow the switch itself. In this specific case, the -b switch requires the actual Base DN to follow it. In your command below you insert the -binenc switch right smack between the -b switch and its parameter.
So you have
-b -binenc dc=xyz,dc=com
When it should be more like
-binenc -b dc=xyz,dc=com
Your command was telling AD to search at the root of the directory which you can’t do on the LDAP port unless you specify the phantom root switch. In fact, you probably got an error of “No Such Object” (best match of: ‘’) instead of “0 Objects returned” which would be expected if the base were correct but no object matched the filter.
You could actually make your command work with the incorrect sequencing of the parameters and switches by adding -pr (the phantom root enabling switch) or -gc (use a GC) which redirects the query to the GC port and allows “invalid” bases so you can search disjointed forests.
So you ask… what happens to the base parameter specified when it is preceded by the -b switch? It is interpreted simply as an attribute parameter… So your query, if you looked at it in a network sniffer, would have been a query for the given objectsid and requesting the dc=xyz,dc=com attribute.
joe
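As an added example (not AdFind’s code and not from the original emails), here is a Python rendering of the {{SID:…}} transformation discussed above: pack the SID string into its binary SID structure, then escape it as an LDAP filter value both in the form AdFind printed (alphanumeric bytes left bare, everything else as \XX) and in the fully escaped form the reader built by hand. The keep-alphanumerics rule is inferred from the transformed filter shown in the email; treating it as exactly what ldap_escape_filter_element does in every case is an assumption.

```python
import re

# SID string from the reader's email (the page's own example value).
SID_TEXT = "S-1-5-21-33307682-239368645-1341851483-1055"


def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-R-A-S1-S2-...' into the binary SID structure:
    revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian),
    then each sub-authority as a 32-bit little-endian integer."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or authority >= 1 << 48 or not 1 <= len(subs) <= 15:
        raise ValueError(f"SID out of range: {sid!r}")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += s.to_bytes(4, "little")
    return out


def escape_all(raw: bytes) -> str:
    """Escape every byte as \\xx (lowercase), as in the hand-built filter."""
    return "".join(f"\\{b:02x}" for b in raw)


def escape_like_adfind(raw: bytes) -> str:
    """Leave ASCII letters/digits bare, escape everything else as \\XX.
    Assumption: this is the rule behind the 'Transformed Filter' output."""
    return "".join(
        chr(b) if b < 0x80 and chr(b).isalnum() else f"\\{b:02X}" for b in raw
    )


def sid_filter(sid: str, attr: str = "objectSID", compact: bool = True) -> str:
    """Build an equality filter on a binary SID attribute, e.g. for -f."""
    raw = sid_to_bytes(sid)
    value = escape_like_adfind(raw) if compact else escape_all(raw)
    return f"({attr}={value})"


if __name__ == "__main__":
    print(sid_filter(SID_TEXT))                 # AdFind-style rendering
    print(sid_filter(SID_TEXT, compact=False))  # every byte escaped
```

Both renderings are equivalent to the directory; the only byte that must be escaped for correctness is one that is not a plain alphanumeric, which is exactly what the shorter form does.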
Back to the discussion of how I could solve this. Off the top of my head I can think of two mechanisms, neither of which I like.
1. Change the switch system so that if a parameter is needed for a given switch, it is specified after some delimiter in the switch… Such as -b:dc=test,dc=loc. I don’t like doing switches that way because I think it makes the commands less readable and more prone to mistakes.
2. Read the schema from the DC, look at all the arguments (i.e. parameters that aren’t prefixed by a switch that takes additional data), and flag any that don’t match the schema. I don’t like this because it is slower and because not all attributes you can ask for are in the schema… look at the rootDSE for some examples, such as validFSMOs.