
TigerLilly

Registriert seit: 24. Mai 2017
Ort: Wien, Österreich
1.241 Beiträge
 
Delphi 12 Athens
 
#10

AW: Active Directory und Trusted Domain

  Alt 23. Nov 2023, 11:31
This is the code that retrieves the SID for a given user in a given domain:
Code:
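{ Looks up the objectSID of a user account in Active Directory through the
  ADSI OLE DB provider (ADsDSOObject) and returns it as a string.

  sDomain   - inserted verbatim into the 'LDAP://...' path of the query text;
              it is not quoted or escaped, so it must come from a trusted
              source (a single quote in it breaks the statement).
  sUSername - sAMAccountName of the account. QuotedStr doubles embedded single
              quotes, but '*' remains a wildcard in the ADSI SQL dialect, so a
              name containing '*' can match more than one object; only the
              first row is used.
  sError    - receives the exception message on failure, '' otherwise.

  Returns the SID as a string, or '' when no object matched or an error was
  caught (sError is non-empty in the error case). Connection and query
  objects are always freed, and the locked variant array is always unlocked,
  even when SIDToString raises. }
function GetSIDFromAD(sDomain, sUSername: string; var sError: string): string;
var
  adoConnectionData: TADOConnection;
  qQuery: TAdoQuery;
  s:     string;
  sSql:  string;
  v:     variant;
  oSID:  PSID;
begin
  Result := '';
  sError := '';
  s := '';
  // Pre-set to nil so the finally block can call Free unconditionally
  // (Free on a nil reference is a no-op) even if Create itself raises.
  adoConnectionData := nil;
  qQuery := nil;
  try
    try
      adoConnectionData := TADOConnection.Create(nil);
      qQuery := TADOQuery.Create(nil);
      qQuery.Connection := adoConnectionData;
      adoConnectionData.Name := 'adoConnectionData';
      adoConnectionData.ConnectionString := 'Mode=Read;';
      adoConnectionData.LoginPrompt := False;
      adoConnectionData.Provider := 'ADsDSOObject';
      adoConnectionData.Connected := True;
      o_Log.Log('SID aus dem AD' + ' - verbunden', llDebug);

      sSql := 'select objectSID from ''LDAP://' + sDomain + ''' where objectClass=''person'' and sAMAccountName=' +
        QuotedStr(sUSername);
      o_Log.Log(sSql, llDebug);
      qQuery.SQL.Text := sSql;
      qQuery.Open;
      o_Log.Log('SID aus dem AD' + ' - Abfrage erfolgreich geöffnet', llDebug);
      if qQuery.EOF then begin
        o_Log.Log('SID aus dem AD' + ' - kein Datensatz vorhanden', llDebug);
      end else begin
        o_Log.Log('SID aus dem AD' + ' - Datensatz vorhanden', llDebug);
        o_Log.Log('SID aus dem AD' + ' - Daten konvertieren - zuweisen', llDebug);
        // objectSID is handled as a variant array: locking it yields the raw
        // pointer that SIDToString reads.
        v := qQuery.Fields[0].Value;
        o_Log.Log('SID aus dem AD' + ' - Daten konvertieren - Lock Array', llDebug);
        oSID := VarArrayLock(v);
        try
          o_Log.Log('SID aus dem AD' + ' - Daten konvertieren - SID --> String', llDebug);
          s := SIDToString(oSID);
        finally
          // Unlock must pair with the lock above even when conversion fails.
          o_Log.Log('SID aus dem AD' + ' - Daten konvertieren - Unlock Array', llDebug);
          VarArrayUnlock(v);
        end;
      end;
      Result := s;
      o_Log.Log('SID aus dem AD:' + s, llDebug);
    finally
      // Release the query before the connection it depends on.
      qQuery.Free;
      adoConnectionData.Free;
    end;
  except
    on e: Exception do begin
      sError := e.Message;
      o_Log.Log('SID aus dem AD ' + 'Fehler: ' + sError, llDebug);
    end;
  end;
end;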
These are the SQL statements for retrieving the groups for a user and for retrieving groups via a wildcard for a given domain:
Code:
  sSql := 'select memberof from ''LDAP://' + sDomain + ''' where objectClass=''person'' and sAMAccountName=' +
        QuotedStr(sUSername);

  sSQL := 'select sAMAccountName,member from ''LDAP://' + sDomain +
        ''' where objectClass=''group'' and sAMAccountName = ''*' + sGroupBase + '*''';
And this is the core loop, iterating over the users/groups and outputting their attributes, including the multi-valued ones:
Code:
    // Dumps every field of every row in qQuery to the debug log. A field whose
    // value is a variant array (VarArrayDimCount > 0) is expanded element by
    // element; any other value is logged through VarToStr.
    // NOTE(review): this excerpt stops before the loop does - the 'qQuery.Next'
    // and the closing 'end' are not shown. Also, s is never reset, so it keeps
    // accumulating across all fields and rows, while s1 is reset per field.
    while not qQuery.EOF do begin
      o_Log.Log('>>> neue Zeile <<<', llDebug);
      for i := 0 to qQuery.FieldCount - 1 do begin
        o_Log.Log('Feld Nr: ' + IntToStr(i), llDebug);
        o_Log.Log('Name  : ' + qQuery.Fields[i].FieldName, llDebug);
        try
          v := qQuery.Fields[i].Value;
          o_Log.Log('Typ : ' + VarTypeAsText(VarType(v)), llDebug);
          // 0 dimensions means a scalar value; presumably multi-valued
          // attributes such as memberof / member arrive as arrays here.
          nDim := VarArrayDimCount(v);
          if (nDim = 0) then begin
            o_Log.Log('Als String:' + VarToStr(v), llDebug);
          end else begin
            // Only the first dimension is walked.
            nUpper := VarArrayHighBound(v, 1);
            nLower := VarArrayLowBound(v, 1);
            o_Log.Log('Lower: ' + IntToStr(nLower), llDebug);
            o_Log.Log('Upper: ' + IntToStr(nUpper), llDebug);
            s1 := '';
            for n := nLower to nUpper do begin
              // Each element is converted to string implicitly; an element
              // that cannot be converted raises and is only logged, so the
              // remaining elements are still processed.
              try
                s := s + ', ' + v[n];
                s1 := s1 + ', ' + v[n];
              except
                on e: Exception do begin
                  o_Log.Log(e.message, llDebug);
                end;
              end;
            end;
            o_Log.Log('Feldinhalt: ' + s1, llDebug);
          end;
        except
          // A failing field is logged and skipped; the loop moves on to the
          // next field rather than aborting the row.
          on e: Exception do begin
            o_Log.Log(e.message, llDebug);
          end;
        end;
      end;
      o_Log.Log('Satzinhalt gesamt: ' + s, llDebug);
The last step is to extract the CN= entries to get the names, and then compare either the name of the group, or the name or the SID (in the case of a trusted domain) of the members.