support AD style objectSid search

xxpopygaixx · xxpopygaixx · commit 498933bcaccd · 2025-07-21T17:04:04.000+03:00
diff --git a/examples/ldap/active_directory_user.ldif b/examples/ldap/active_directory_user.ldif
@@ -0,0 +1,32 @@
+# Simple diffinition of AD domain user
+
+# Root DSE.
+dn:
+namingContexts: dc=example_domain_name
+subschemaSubentry: cn=schema
+
+# Schema definition
+dn: cn=schema
+objectClass: top
+objectClass: subschema
+# 'activeDirectoryObjectSidMatch' is a custom logic which allows filtering by (objectSid=S-1-...).
+# Such filtering is AD only feature so we should specify that objectSid can be found by either (objectSid=S-1-...) or (objectSid=\00\01\AB...).
+# Custom objectClass 'myUser' make it possible to attach 'activeDirectoryObjectSidMatch' to entry.
+attributeTypes: ( 1.2.3.4.5.6.7.8 NAME 'objectSid' DESC 'objectSid' EQUALITY activeDirectoryObjectSidMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+objectClasses: ( 1.2.3.4.5.6.7.9 NAME 'myUser' SUP top STRUCTURAL MUST ( cn ) MAY ( objectSid ) )
+
+# Example domain
+dn: dc=example_domain_name
+objectClass: top
+objectClass: domain
+dc: example_domain_name
+
+# Example user
+dn: uid=example_user_name,dc=example_domain_name
+objectClass: myUser
+objectClass: user
+cn: example_user_name
+mail: example_user_name@example.com
+# SID in binary form (Base64 encoded).
+# S-1-5-21-1234567890-1234567890-1234567890-1001
+objectSid:: AQUAAAAAAAUVAAAA0gKWSdIClknSApZJ6QMAAA==
diff --git a/providers/directory/search.go b/providers/directory/search.go
@@ -373,6 +373,12 @@ func (p *parser) equal(name, value string) (predicate, error) {
 					s = strings.ReplaceAll(v, "-", "")
 					return v == s
 				}
+			case "activeDirectoryObjectSidMatch", "0.0.0.0":
+				v, _ := sidToBytes(value)
+				f = func(s string) bool {
+					b := []byte(s)
+					return bytes.Equal(b, v) || value == s
+				}
 			default:
 				return nil, fmt.Errorf("unsupported equality type: %v", t)
 			}
@@ -536,3 +542,46 @@ func levenshtein(a, b string) int {
 	// Return the final Levenshtein distance
 	return matrix[len(a)][len(b)]
 }
+
+// Converts sddl Sid to []byte
+func sidToBytes(sid string) ([]byte, error) {
+	sid = strings.ReplaceAll(sid, "S-", "")
+	parts := strings.Split(sid, "-")
+
+	if len(parts) < 3 {
+		return nil, fmt.Errorf("invalid sid string format %v", sid)
+	}
+
+	var result []byte
+
+	// Revision
+	rev, revErr := strconv.ParseUint(parts[0], 10, 32)
+	if revErr != nil {
+		return nil, fmt.Errorf("invalid uint value %v at position: %v", parts[0], 0)
+	}
+	result = append(result, byte(rev))
+
+	// SubAuthorityCount
+	result = append(result, byte(len(parts)-2))
+
+	// IdentifierAuthority
+	for range 5 {
+		result = append(result, 0)
+	}
+	authId, authIdErr := strconv.ParseUint(parts[1], 10, 32)
+	if authIdErr != nil {
+		return nil, fmt.Errorf("invalid uint value %v at position: %v", parts[1], 1)
+	}
+	result = append(result, byte(authId))
+	for i, part := range parts[2:] {
+		val, valErr := strconv.ParseUint(part, 10, 32)
+		if valErr != nil {
+			return nil, fmt.Errorf("invalid uint value %v at position: %v", part, i)
+		}
+		b := make([]byte, 4)
+		binary.LittleEndian.PutUint32(b, uint32(val))
+		result = append(result, b...)
+	}
+
+	return result, nil
+}
