Alex Stockwell

UX, DevOps, Fatherhood, Miscellany. Not in that order.

Querying by Active Directory objectGUID, in Ruby and Python

Each example that follows includes a Ruby snippet first, followed by a Python snippet. See the gist for the complete files.

1. Setup your connections

Start off with some secure LDAP connections:

# conn.rb
require 'net/ldap'

@ldap = Net::LDAP.new(
    :host => '10.0.0.101',
    :port => 636,
    :encryption => :simple_tls,
    :auth => {
        :method   => :simple,
        :username => 'user',
        :password => 'password'
    }
)
raise "LDAP Bind failed to ldap" unless @ldap.bind

# conn.py
# after `pip install ldap3`
from ldap3 import Server, Connection, SIMPLE, SYNC, ASYNC, SUBTREE, ALL

s = Server('10.0.0.101', port = 636, use_ssl = True)
c = Connection(s, auto_bind = True, client_strategy = SYNC, user='user', password='password', authentication=SIMPLE)

Note: Remeber to unbind all LDAP connections when you’re done!

2. Parsing the GUID: Some background on objectGUID

Many LDAP browsers will display the objectGUID as an Octet String. We’ll choose the AD group GroupXYZ to use as an example: it’s objectGUID is {27E13532-C68A-46DB-989D-9FACED3A4E7F}.

However, when you query an object and display it’s objectGUID, it comes across as a bytearray/binary (BER) representation:

# query.rb
query = "(&(objectClass=group)(cn=GroupXYZ))"

results = @ldap.search(
    :filter => Net::LDAP::Filter.construct(query),
    :base => "DC=company,DC=com",
    :attributes => [:cn, :objectGUID],
)

p results.first.objectguid.first
# => "25\xE1'\x8A\xC6\xDBF\x98\x9D\x9F\xAC\xED:N\x7F"

# query.py
search_filter = '(&(objectClass=group)(cn={0}))'.format("GroupXYZ")

c.search(
    search_base = 'DC=company,DC=com',
    search_filter = search_filter,
    attributes = ['cn', 'objectGUID']
)

group = c.response
print(group[0]['attributes']['objectGUID'][0])
# => b"25\xe1'\x8a\xc6\xdbF\x98\x9d\x9f\xac\xed:N\x7f"

To further complicate things, these GUIDs are stored in Oracle Raw16 format, which is a binary storage structure that changes the byte order somewhat. So we’ll need some conversion helpers:

# guid_splitter.rb
module GuidSplitter
    def self.to_oracle_raw16(string, strip_dashes=true, dashify_result=false)
        oracle_format_indices = [3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15]
        string = string.gsub("-"){ |match| "" } if strip_dashes
        parts = split_into_chunks(string)
        result = oracle_format_indices.map { |index| parts[index] }.reduce("", :+)
        if dashify_result
            result = [result[0..7], result[8..11], result[12..15], result[16..19], result[20..result.size]].join('-')
        end
        return result
    end

    def self.split_into_chunks(string, chunk_length=2)
        chunks = []
        while string.size >= chunk_length
            chunks << string[0, chunk_length]
            string = string[chunk_length, string.size]
        end
        chunks << string unless string.empty?
        return chunks
    end

    def self.pack_guid(string)
        [to_oracle_raw16(string)].pack('H*')
    end

    def self.unpack_guid(hex)
        to_oracle_raw16(hex.unpack('H*').first, true, true)
    end
end

# guid_splitter.py
def split_into_chunks(string, chunk_length=2):
    chunks = []
    while len(string) > 0:
        chunks.append(string[:chunk_length])
        string = string[chunk_length:]
    return chunks

def to_oracle_raw16(string, strip_dashes=True, dashify_result=False):
    oracle_format_indices = [3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15]
    if strip_dashes:
        string = string.replace("-", "")
    parts = split_into_chunks(string)
    result = ""
    for index in oracle_format_indices:
        result = result + parts[index]
    if dashify_result:
        result = result[:8] + '-' + result[8:12] + '-' + result[12:16] + '-' + result[16:20] + '-' + result[20:]
    return result

def pack_guid(string):
    return bytearray.fromhex(to_oracle_raw16(string))

def unpack_guid(ba):
    hex_s = "".join("%02x" % b for b in ba)
    return to_oracle_raw16(hex_s, True, True)

These functions return the actual GUID’s of the objects in question:

# query.rb
# ...snip...
p GuidSplitter::unpack_guid(results.first.objectguid.first)
# => "27e13532-c68a-46db-989d-9faced3a4e7f"

# query.py
# ...snip...
print(unpack_guid(group[0]['attributes']['objectGUID'][0]))
# => 27e13532-c68a-46db-989d-9faced3a4e7f

Apologies the python code is not as polished, it wasn’t the end goal. Fortunately ldap3 comes with a handy function escape_bytes() that saves us some time also, so I’d encourage pythonistas to review that documentation.

3. Querying via objectGUID

So to go the other direction and query based on the GUID:

# query.rb
target_group_guid = "27e13532-c68a-46db-989d-9faced3a4e7f"

query = "(&(objectClass=group)(objectGUID=#{ GuidSplitter::pack_guid(target_group_guid) }))"

results = @ldap.search(
    :filter => Net::LDAP::Filter.construct(query),
    :base => "DC=company,DC=com",
    :attributes => [:cn, :objectGUID],
)
p results.first.cn.first
# => "GroupXYZ"

# query.py
from ldap3.utils.conv import escape_bytes

target_group_guid = "27e13532-c68a-46db-989d-9faced3a4e7f"
packed = pack_guid(target_group_guid)

search_filter = '(&(objectClass=group)(objectGUID={0}))'.format(escape_bytes(packed))

c.search(
    search_base = 'DC=company,DC=com',
    search_filter = search_filter,
    attributes = ['cn', 'objectGUID']
)

group = c.response
print(group[0]['attributes']['cn'][0])
# => "GroupXYZ"

Using the code and techniques above, you can also go directly from one query to the next, using the values returned from AD to feed subsequent queries.

Happy coding!

Posted on June 25, 2015