DEVHIDE
Login Or Sign up

Could I rely that PrimaryGroupToken is immutable?

51 Views Asked by At

Based on my investigtaion there are 2 things:

  1. PrimaryGroupId from User side
  2. PrimaryGroupToken operational attribute from Group side

User references to group PrimaryGroupToken operational attribute using field PrimaryGroupId

There are 2 ways to to get PrimaryGroupToken

  1. Based on primaryGroupToken operation attribute
val entry = ldapConnectionPool.getEntry(groupDn, "*", "primaryGroupToken") 
val primaryGroupToken = entry.getAttributeValue("PrimaryGroupToken")
  1. Based on objectSid suffix
val entry = ldapConnectionPool.getEntry(groupDn)
val domainSidBytes = entry.getAttributeValueBytes("objectSid")
val domainSidString = LdapUtils.convertBinarySidToString(domainSidBytes)
val primaryGroupToken = domainSidString.substringAfterLast("-")

I haven't found any direct way how I can get group entry by user primaryGroupId so I started to think about application level cache. But I expected that primaryGroupToken is a constant group identifier but this page confuses me.

https://learn.microsoft.com/en-us/windows/win32/adschema/a-primarygrouptoken

enter image description here

As you can see it is mentioned that this attribute could be updated. Based on my exeriments - I was not able to achieve it. Could you please clarify if this attribute is immutable or not ?

active-directory ldap unboundid-ldap-sdk activedirectorymembership
Original Q&A
1

There are 1 best solutions below

4
Gabriel Luci On

In reality, the primaryGroupToken never changes. That said, it's not the best way to find a group since it's not indexed.

One way I've used to bind directly to a group from the user's primaryGroupId is to construct the SID of the group. The last portion of the SID is called the RID (Relative Identifier). It's a number that is incremented for each new object on the domain. Everything up to the last hyphen identifies your domain and is the same for every object on the domain.

You can construct the SID of the group by taking the user's SID, take everything up to the last hyphen, then add on the value of primaryGroupId.

For example, if we have a user with:

objectSid: 'S-1-5-21-1004336348-1177238915-682003330-12345'
primaryGroupId: 12346

Then the SID of the group is:

S-1-5-21-1004336348-1177238915-682003330-12346

Active Directory lets you bind directly to an object by the SID using this format:

LDAP://example.com/<SID=S-1-5-21-1004336348-1177238915-682003330-12346>

By default, the primaryGroupId will be 513 for all users, which is always the Domain Users group.

Related Questions in ACTIVE-DIRECTORY

Related Questions in LDAP

Related Questions in UNBOUNDID-LDAP-SDK

Related Questions in ACTIVEDIRECTORYMEMBERSHIP

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.