
LDAP Search – Base DN Formats

Active Directory supports a number of different formats for the Base DN field: Distinguished Name, GUID and SID.

Distinguished Name is based on RFC 4514, e.g. CN=user1,CN=users,DC=domain,DC=com

GUID specifies the GUID of an object that will be used as the base for searches, e.g. <GUID=01f04883-d68e-4367-8ad1-a2faa79a2e5a>

SID format is the same as GUID, but the entry is a SID, e.g. <SID=S-1-5-21-2816452191-2840564649-4223122534-1000>

The SID and GUID options, with the Search Scope set to Base Level, can be used as a quick search for users or other objects in AD based on their GUID or SID.  The SIDs and GUIDs are entered in standard readable format.

LDAP Search Substitution

NetTools supports a number of inline substitution options that enable different data types to be entered in user-friendly formats, without the need to remember complicated data formats.  These can be used in the filter to simplify filter entry, or to convert the data format for attribute updates with Update Queries.

There are two types of substitution available: data converters and matching rule converters.

Data Converters
Data converters have the following format: {<type>:[data]}

-1: int64 constant of -1, e.g. (pwdlastset={-1:}), which will be replaced with 9223372036854775807
anr: create an ANR filter based on the input string, e.g. {anr:john smith}
getdn: return the DN for the specified sAMAccountName, e.g. {getdn: domain admins}, {getdn:user1}
guid: object GUID, e.g. (objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})
hex: hexadecimal value, e.g. (&(objectclass=group)(grouptype={hex:0x8000002}))
idate: 64-bit time, e.g. (lastlogontimestamp={idate:31/12/2011})
ip: IP address in Windows order, e.g. (ipaddress={ip:10.12.45.254})
ipn: IP address in network order, e.g. (ipaddress={ipn:10.12.45.254})
oid: OID identifiers, e.g. (omobjectclass={oid:1.3.12.2.1011.28.0.702})
sdate: returns the date in dd/mm/yyyy format when used in conjunction with the Now constant, e.g. {sdate:now}
sdatetime: returns the date in dd/mm/yyyy hh:mm:ss format when used in conjunction with the Now constant
sid: object SID, e.g. (objectsid={sid: S-1-5-21-3499964120-3315823391-1593708255-164234})
unicode: return the specified string as an escaped hex string, e.g. {unicode:new}
userinput: request user input, e.g. {userinput:Date}; responses are cached against the label, so if the same label is used again the cached response is used
zdate: Generalized Time format, e.g. (whencreated={zdate:30/12/2011})

The zdate, idate, sdate and sdatetime types also support a number of constants, Now, StartofDay and EndofDay, which can be used with an optional plus or minus number of days.
e.g. {zdate:now}, {zdate:now-365}, {idate:now+5}, {sdate:now}
{zdate:startofday}, {zdate:endofday}, {idate:startofday-5}

Nesting is supported on a number of the substitutions, to convert from one format to another or to convert a user input, e.g. {idate:{userinput:enter date}}

Matching Rules Converters
Matching rule converters use a single character as a substitute for the matching rule OIDs in LDAP filters; these are |  & % $

|= is the OR bit logic operator, e.g. (!useraccountcontrol |= 2), which expands to (!useraccountcontrol:1.2.840.113556.1.4.802:=2)

&= is the AND bit logic operator, e.g. (useraccountcontrol &= 2), which expands to (useraccountcontrol:1.2.840.113556.1.4.803:=2)

%= is the chain operator, e.g. (memberof %= (cn=Group1,OU=groupsOU,DC=test,DC=com)), which expands to (memberof:1.2.840.113556.1.4.1941:= (cn=Group1,OU=groupsOU,DC=test,DC=com))

$= is the DN-Binary or DN-String search, e.g. (msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp), which expands to (msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:CN=Configuration,DC=corp)
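As an added example (not NetTools' code), the rewriter below expands the four single-character shorthands into the extensible-match OIDs listed above. It deviates from the page's notation in two places, by design: a leading ! is emitted in the standard RFC 4515 NOT form (!(attr:OID:=value)) rather than the compact (!attr:OID:=value) shown above, and the chained-membership DN is written unparenthesised as a filter value. The bit_flag_filter helper and the sample filters are constructed for the demo.

```python
"""Added example (not NetTools' code): expand |= &= %= $= into
extensible-match filter items carrying the matching rule OIDs."""
import re

MATCHING_RULES = {
    "|": "1.2.840.113556.1.4.802",    # LDAP_MATCHING_RULE_BIT_OR: any of the bits set
    "&": "1.2.840.113556.1.4.803",    # LDAP_MATCHING_RULE_BIT_AND: all of the bits set
    "%": "1.2.840.113556.1.4.1941",   # LDAP_MATCHING_RULE_IN_CHAIN: transitive (nested) membership
    "$": "1.2.840.113556.1.4.2253",   # LDAP_MATCHING_RULE_DN_WITH_DATA: DN-Binary / DN-String
}

# One filter item: "(" optional "!" attribute, shorthand operator, "=", value, ")".
# A filter value may not contain unescaped parentheses (RFC 4515), so [^()]* is enough.
ITEM_RE = re.compile(
    r"\(\s*(?P<neg>!?)\s*(?P<attr>[A-Za-z][A-Za-z0-9.;-]*)\s*(?P<op>[|&%$])=\s*(?P<value>[^()]*)\)"
)


def expand_matching_rules(filter_text: str) -> str:
    """Rewrite each shorthand item to (attr:OID:=value).  A leading '!' becomes the
    standard NOT form (!(attr:OID:=value)).  Plain items such as (cn=x) are untouched."""
    def repl(m: re.Match) -> str:
        item = f"({m.group('attr')}:{MATCHING_RULES[m.group('op')]}:={m.group('value').strip()})"
        return f"(!{item})" if m.group("neg") else item
    return ITEM_RE.sub(repl, filter_text)


def bit_flag_filter(attr: str, flag: int, all_bits: bool = False, negate: bool = False) -> str:
    """Constructed helper: build a bit-test item in shorthand and expand it.
    all_bits=False uses the OR rule (any bit of `flag` set), all_bits=True the AND rule."""
    shorthand = f"({'!' if negate else ''}{attr} {'&' if all_bits else '|'}= {flag})"
    return expand_matching_rules(shorthand)


if __name__ == "__main__":
    samples = [
        "(!useraccountcontrol |= 2)",
        "(&(objectclass=user)(useraccountcontrol &= 2))",
        "(memberof %= CN=Group1,OU=groupsOU,DC=test,DC=com)",
        "(msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp)",
    ]
    for s in samples:
        print(s, "->", expand_matching_rules(s))
    print(bit_flag_filter("useraccountcontrol", 2, negate=True))
```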