Announcement Announcement Module
No announcement yet.
Trying to retrieve binary attrib 'objectGUID' from ActiveDirectory using userSearch? Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Trying to retrieve binary attrib 'objectGUID' from ActiveDirectory using userSearch?

    I get gibberish (not surprising) - 14 chars of mostly unprintable chars (for example: � 4��DhO���.]��)

    I understand that the attrib is binary and that this is most likely the problem, can I get some clues of which dark hole to go down in order to retrieve this attrib in such a way that I can create a UUID from it?

    I did do some googling and found nothing (yet). I searched the forums and there seems to be a few clues. One might be that I set some property so that the attrib is recognized as binary instead a string?

    Another is to use a different search technique and/or a different context mapper?

    Should I drop down to a lower level and use Spring LDAPTemplate instead of the LdapUserSearch (FilterBasedLdapUserSearch) I am using now? I have a need to retrieve Active Dir info we keep in our AD instance, that is not populated in the typical UserDetails (like the phone number, email addy, etc.). I also wanted the object guid.

    I use this:

    DirContextOperations context = _userSearch.searchForUser(userAccountName_);
    Attributes attribs = context.getAttributes();

    And then I get the various properties I want from the attribs table and stick them in my own bean. Until I hit the binary attribs this worked fine.

    I am not asking for a solution here (unless you want to volunteer one) - just some clues as there seems to be a number of different areas where I could look.

    I am getting up to speed with Spring Security, but Spring LDAP is still kind of a mystery to me and seems to be lower level stuff, so I would like to stay more abstract if I could, but if I have to dive into the LDAP layer then a clue as to where to look would be nice.

    If not clues then just some yays or nays about whether this can be done at the Spring Security level or whether I have to go into the LDAP layer, before I spend a lot of time spelunking would be nice.

    Thanks for any help.

  • #2
    In general if you have problems with LDAP, I would write a simple JNDI-based test to try and do what you want (retrieve a particular attribute in this case). I.e. don't use Spring Security or Spring LDAP until you are sure that the API they are built on work as you expect. Spring Security uses Spring LDAP which uses the JDK's LDAP support. So have a go with basic LDAP/JNDI code and see what that returns.


    • #3
      Might this be relevant?


      • #4
        Originally posted by dortman View Post
        It is certainly interesting and it looks like it might have some clues about how to have a binary object read using an environment setting.



        • #5
          The last post is most relevant. I used it to write a class which stored a binary attribute into a string. I haven't used it for a while; but it worked at the time.

          			byte[] SID = (byte[]) attributes.get(OBJECTSID).get();
          			String strSID = getSIDasStringOfBytes(SID);
          	private static String getSIDasStringOfBytes(byte[] sid) {
          		String strSID = "";
          		int version;
          		long authority;
          		int count;
          		String rid = "";
          		strSID = "S";
          		// get version
          		version = sid[0];
          		strSID = strSID + "-" + Integer.toString(version);
          		for (int i = 6; i > 0; i--) {
          			rid += byte2hex(sid[i]);
          		// get authority
          		authority = Long.parseLong(rid);
          		strSID = strSID + "-" + Long.toString(authority);
          		// next byte is the count of sub-authorities
          		count = sid[7] & 0xFF;
          		// iterate all the sub-auths
          		for (int i = 0; i < count; i++) {
          			rid = "";
          			for (int j = 11; j > 7; j--) {
          				rid += byte2hex(sid[j + (i * 4)]);
          			strSID = strSID + "-" + Long.parseLong(rid, 16);
          		return strSID;
          	private static String byte2hex(byte b) {
          		String ret = Integer.toHexString((int) b & 0xFF);
          		if (ret.length() < 2)
          			ret = "0" + ret;
          		return ret;


          • #6
            Originally posted by dortman View Post
            The last post is most relevant. I used it to write a class which stored a binary attribute into a string. I haven't used it for a while; but it worked at the time.
            Well, the SID info may be interesting from a security perspective - although I haven't deciphered the meaning of it yet (still reading) and I don't think that is how Spring Security populates its authorities.

            But if I can read the GUID as a 128 bit integer or two 64 bit ints, then I can create a UUID from it and write it out as a string with just the UUID class in Java. Mainly I want to use this as an unique key to the object.


            • #7
              Okay, I am on the right track I think now. I set the env var in the context:

              <bean id="securityContextSource" class="">
                   		<constructor-arg value="ldap://" />
                   		<property name="authenticationSource" ref="authenticationSource"/>
                   		<property name="baseEnvironmentProperties">
                   				<entry key="com.sun.jndi.ldap.connect.timeout" value="60000" />
                   				<entry key="java.naming.ldap.attributes.binary" value="objectGUID"/>

              And now I am getting all 16 bytes instead of just 14. I should be able to convert those into a UUID:

                      DirContextOperations context = (DirContextOperations)ctx;
                      if (ctx != null)
                      	byte[] guidBytes = (byte[]) context.getObjectAttribute("objectguid");
                              ... and so on ...
              Last edited by Developer Dude; Jun 3rd, 2009, 04:11 PM.