Difference between revisions of "Working with Active Directory encoded LDAP values"

(Added LDAP filter to search disabled accounts)
(Added dnsRecord attribute)
Line 31: Line 31:
 
timeSince1970=$((( $timeInSeconds - $interval1601to1970 )))
 
timeSince1970=$((( $timeInSeconds - $interval1601to1970 )))
 
echo $(date --date @"$timeSince1970")</nowiki>
 
echo $(date --date @"$timeSince1970")</nowiki>
 +
 +
= dnsRecord =
 +
 +
Base64 binary blobs containing many informations, such as IP address, expiration time...: https://msdn.microsoft.com/en-us/library/ee898781.aspx
 +
 +
<nowiki>
 +
#!/usr/bin/perl
 +
 +
# Prints data from "dnsRecord" AD attribute
 +
 +
# adapted from script by natxo, VinsWorldcom and choroba
 +
# found on http://perlmonks.org/index.pl?node_id=1152619
 +
# not much tested
 +
 +
use strict;
 +
use warnings;
 +
use Socket;
 +
use MIME::Base64;
 +
 +
my $blob = $ARGV[0];
 +
 +
$blob = decode_base64($blob);
 +
 +
my (
 +
    $dataLength,    # 2 bytes
 +
    $type,          # 2 bytes
 +
    $version,      # 1 byte
 +
    $rank,          # 1 byte
 +
    $flags,        # 2 bytes
 +
    $serial,        # 4 bytes
 +
    $ttl,          # 4 bytes
 +
    $reserved,      # 4 bytes
 +
    $timestamp,    # 4 bytes
 +
    $data ) = unpack( 'S S C C S L N L L a*', $blob );
 +
 +
print $dataLength, "\n";
 +
print "$type\n";
 +
print "$version\n";
 +
print "$rank\n";
 +
print "$flags\n";
 +
print "$serial\n";
 +
print "$ttl\n";
 +
print "$reserved\n";
 +
print "$timestamp\n";
 +
print inet_ntoa($data) . "\n";</nowiki>
  
 
= userAccountControl =
 
= userAccountControl =

Revision as of 20:00, 19 March 2016

Many values in Active Directory LDAP are not stored in a human-friendly format: this page is meant to provide basic tools to encode / decode theses values.

accountExpires

Expiration date/time of an account: https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx

#!/bin/bash

# Returns an input date in the "accountExpires" format
# Input Date format can be something like "2016-03-19 11:58 UTC+1"

inputDate="$1"

# since 1601 to 1970
interval1=$((( 0 - $(date --date=1601-01-01 +%s) )))
# since 1970 to input date
interval2=$(date --date="$inputDate" +%s)
# total * 10 000 000
echo $((( ( interval1 + interval2 ) * 10000000 )))
#!/bin/bash

# Converts an encoded "accountExpires" value to a human-readable one 

accountExpires="$1"

timeInSeconds=$((( accountExpires / 10000000 )))
interval1601to1970=$((( 0 - $(date --date=1601-01-01 +%s) )))
timeSince1970=$((( $timeInSeconds - $interval1601to1970 )))
echo $(date --date @"$timeSince1970")

dnsRecord

Base64 binary blobs containing many informations, such as IP address, expiration time...: https://msdn.microsoft.com/en-us/library/ee898781.aspx

#!/usr/bin/perl

# Prints data from "dnsRecord" AD attribute

# adapted from script by natxo, VinsWorldcom and choroba
# found on http://perlmonks.org/index.pl?node_id=1152619
# not much tested

use strict;
use warnings;
use Socket;
use MIME::Base64;

my $blob = $ARGV[0];

$blob = decode_base64($blob);

my (
    $dataLength,    # 2 bytes
    $type,          # 2 bytes
    $version,       # 1 byte
    $rank,          # 1 byte
    $flags,         # 2 bytes 
    $serial,        # 4 bytes 
    $ttl,           # 4 bytes 
    $reserved,      # 4 bytes 
    $timestamp,     # 4 bytes
    $data ) = unpack( 'S S C C S L N L L a*', $blob );

print $dataLength, "\n";
print "$type\n";
print "$version\n";
print "$rank\n";
print "$flags\n";
print "$serial\n";
print "$ttl\n";
print "$reserved\n";
print "$timestamp\n";
print inet_ntoa($data) . "\n";

userAccountControl

Contains many account properties: https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx

ADS_UF_ACCOUNTDISABLE

If the account is disabled or not: bit of value "2".

LDAP filter to search disabled accounts:

UserAccountControl:1.2.840.113556.1.4.803:=2