Merge pull request #618 from xxpopygaixx/ldap_active_directory_style_objectsid_search

support AD style objectSid search

Author: marle3003

examples/ldap/active_directory_user.ldif

@@ -0,0 +1,32 @@
+# Simple diffinition of AD domain user
+
+# Root DSE.
+dn:
+namingContexts: dc=example_domain_name
+subschemaSubentry: cn=schema
+
+# Schema definition
+dn: cn=schema
+objectClass: top
+objectClass: subschema
+# 'activeDirectoryObjectSidMatch' is a custom logic which allows filtering by (objectSid=S-1-...).
+# Such filtering is AD only feature so we should specify that objectSid can be found by either (objectSid=S-1-...) or (objectSid=\00\01\AB...).
+# Custom objectClass 'myUser' make it possible to attach 'activeDirectoryObjectSidMatch' to entry.
+attributeTypes: ( 1.2.3.4.5.6.7.8 NAME 'objectSid' DESC 'objectSid' EQUALITY activeDirectoryObjectSidMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+objectClasses: ( 1.2.3.4.5.6.7.9 NAME 'myUser' SUP top STRUCTURAL MUST ( cn ) MAY ( objectSid ) )
+
+# Example domain
+dn: dc=example_domain_name
+objectClass: top
+objectClass: domain
+dc: example_domain_name
+
+# Example user
+dn: uid=example_user_name,dc=example_domain_name
+objectClass: myUser
+objectClass: user
+cn: example_user_name
+mail: [email protected]
+# SID in binary form (Base64 encoded).
+# S-1-5-21-1234567890-1234567890-1234567890-1001
+objectSid:: AQUAAAAAAAUVAAAA0gKWSdIClknSApZJ6QMAAA==

providers/directory/search.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"encoding/binary"
 	"fmt"
 	"github.com/brianvoe/gofakeit/v6"
 	log "github.com/sirupsen/logrus"
@@ -373,6 +374,12 @@ func (p *parser) equal(name, value string) (predicate, error) {
 					s = strings.ReplaceAll(v, "-", "")
 					return v == s
 				}
+			case "activeDirectoryObjectSidMatch", "0.0.0.0":
+				v, _ := sidToBytes(value)
+				f = func(s string) bool {
+					b := []byte(s)
+					return bytes.Equal(b, v) || value == s
+				}
 			default:
 				return nil, fmt.Errorf("unsupported equality type: %v", t)
 			}
@@ -536,3 +543,46 @@ func levenshtein(a, b string) int {
 	// Return the final Levenshtein distance
 	return matrix[len(a)][len(b)]
 }
+
+// Converts sddl Sid to []byte
+func sidToBytes(sid string) ([]byte, error) {
+	sid = strings.ReplaceAll(sid, "S-", "")
+	parts := strings.Split(sid, "-")
+
+	if len(parts) < 3 {
+		return nil, fmt.Errorf("invalid sid string format %v", sid)
+	}
+
+	var result []byte
+
+	// Revision
+	rev, revErr := strconv.ParseUint(parts[0], 10, 32)
+	if revErr != nil {
+		return nil, fmt.Errorf("invalid uint value %v at position: %v", parts[0], 0)
+	}
+	result = append(result, byte(rev))
+
+	// SubAuthorityCount
+	result = append(result, byte(len(parts)-2))
+
+	// IdentifierAuthority
+	for range 5 {
+		result = append(result, 0)
+	}
+	authId, authIdErr := strconv.ParseUint(parts[1], 10, 32)
+	if authIdErr != nil {
+		return nil, fmt.Errorf("invalid uint value %v at position: %v", parts[1], 1)
+	}
+	result = append(result, byte(authId))
+	for i, part := range parts[2:] {
+		val, valErr := strconv.ParseUint(part, 10, 32)
+		if valErr != nil {
+			return nil, fmt.Errorf("invalid uint value %v at position: %v", part, i)
+		}
+		b := make([]byte, 4)
+		binary.LittleEndian.PutUint32(b, uint32(val))
+		result = append(result, b...)
+	}
+
+	return result, nil
+}

providers/directory/search_test.go

@@ -243,6 +243,41 @@ func TestSearch_Schema(t *testing.T) {
 				require.Len(t, res.Results, 1)
 			},
 		},
+		{
+			name:  "ldap filter objectSid using AD style",
+			input: `{ "files": [ "./users.ldif" ] }`,
+			reader: &dynamictest.Reader{Data: map[string]*dynamic.Config{
+				"file:/users.ldif": {Raw: []byte(`
+dn:
+namingContexts: dc=example_domain_name
+subschemaSubentry: cn=schema
+
+dn: cn=schema
+objectClass: top
+objectClass: subschema
+attributeTypes: ( 1.2.3.4.5.6.7.8 NAME 'objectSid' DESC 'objectSid' EQUALITY activeDirectoryObjectSidMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+dn: cn=user1
+objectSid:: AQUAAAAAAAUVAAAA0gKWSdIClknSApZJ6QMAAA==
+
+dn: cn=user2
+objectSid:: AQUAAAAAAAUVAAAAF8sUcR3r8QcekDXQw9wAAA==
+`)},
+			}},
+			test: func(t *testing.T, h ldap.Handler, err error) {
+				require.NoError(t, err)
+
+				rr := ldaptest.NewRecorder()
+				h.ServeLDAP(rr, ldaptest.NewRequest(0, &ldap.SearchRequest{
+					Scope:  ldap.ScopeWholeSubtree,
+					Filter: fmt.Sprintf("(objectSid=S-1-5-21-1234567890-1234567890-1234567890-1001)"),
+				}))
+				res := rr.Message.(*ldap.SearchResponse)
+
+				require.Len(t, res.Results, 1)
+				require.Equal(t, "cn=user1", res.Results[0].Dn)
+			},
+		},
 	}
 
 	t.Parallel()