Bug 49633 - Handle AD primary groups in mod_authnz_ldap
Summary: Handle AD primary groups in mod_authnz_ldap
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_ldap
Version: 2.2.3
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate
Depends on:
Reported: 2010-07-21 15:18 UTC by Tom McLaughlin
Modified: 2018-11-07 21:09 UTC


Description Tom McLaughlin 2010-07-21 15:18:47 UTC
In an AD environment a user's primary group is not stored in the member attribute.  Instead, the group's RID value is stored in the primaryGroupID attribute of the user.  To find the user's primary group name you need to find the domain SID and then search for the group that has the SID value <domain SID>-<group RID> in their objectSid attribute.  The following is an example in Python using py-ldap for doing this:

import struct

def sid2str(sid):
    # Binary objectSid layout: revision (1 byte), sub-authority count (1 byte),
    # 48-bit big-endian identifier authority, then N little-endian 32-bit sub-authorities.
    srl = ord(sid[0])
    number_sub_id = ord(sid[1])
    iav = struct.unpack('!Q', '\x00\x00' + sid[2:8])[0]
    sub_ids = [struct.unpack('<I', sid[8 + 4 * i:12 + 4 * i])[0]
               for i in range(number_sub_id)]
    return 'S-%d-%d-%s' % (srl, iav,
                           '-'.join([str(s) for s in sub_ids]))

# Get RID of primary group
>>> pri_grp_rid = l.search_s('cn=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'sAMAccountName=tmclaughlin', ['primaryGroupID'])[0][1]['primaryGroupID'][0]
# Get domain SID
>>> domain_sid = l.search_s('dc=example,dc=com', ldap.SCOPE_BASE)[0][1]['objectSid'][0]
# Convert domain SID to string form
>>> domain_sid_s = sid2str(domain_sid)
# Search for group with <domain SID>-<group RID> objectSid value
>>> pprint.pprint(l.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'objectSid=%s-%s' % (domain_sid_s, pri_grp_rid), ['cn']))

[('CN=Domain Users,OU=Groups,DC=example,DC=com',
 {'cn': ['Domain Users']})]

I have some more on AD primary groups here:
Comment 1 Eric Covener 2010-07-23 12:33:45 UTC
So are you saying AD can't find member=tmclaughlin under "Domain Users"?  Or just that one can't find "Domain Users" under cn=tmclaughlin?

Doesn't require ldap-group only care about the former?  Are you using other require types to get at the group info?
Comment 2 Tom McLaughlin 2010-07-23 13:01:06 UTC
With AD neither of those exist.  Here are both my user and the Domain Users group as they're stored in AD.  (Pulled this with py-ldap.)

  {'accountExpires': ['129278192266610000'],
   'adminCount': ['1'],
   'badPasswordTime': ['129242031791197715'],
   'badPwdCount': ['0'],
   'cn': ['TMCLAUGHLIN'],
   'codePage': ['0'],
   'countryCode': ['0'],
   'dSCorePropagationData': ['20100412182352.0Z',
   'description': ['Systems Administrator'],
   'displayName': ['McLaughlin,Thomas'],
   'distinguishedName': ['CN=TMCLAUGHLIN,CN=Users,DC=example,DC=com'],
   'gidNumber': ['10002'],
   'instanceType': ['4'],
   'lastLogoff': ['0'],
   'lastLogon': ['129243748272588172'],
   'lastLogonTimestamp': ['129243298494895070'],
   'loginShell': ['/bin/bash'],
   'logonCount': ['65535'],
   'logonHours': ['\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
   'memberOf': ['CN=Employee,OU=Groups,DC=example,DC=com',
                'CN=Radius Admins,OU=Groups,DC=example,DC=com',
                'CN=Domain Server Admin,OU=Groups,DC=example,DC=com',
                'CN=Schema Admins,OU=Groups,DC=example,DC=com',
                'CN=Domain Admins,OU=Groups,DC=example,DC=com',
                'CN=Enterprise Admins,OU=Groups,DC=example,DC=com'],
   'msSFU30Name': ['TMCLAUGHLIN'],
   'msSFU30NisDomain': ['example'],
   'name': ['TMCLAUGHLIN'],
   'objectCategory': ['CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com'],
   'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
   'objectGUID': ['\xa4~\x932\x86\x85vC\x8f\x13\xda\x96a\\\x0b\xc0'],
   'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x007~;e\xa0\x07\x
   'primaryGroupID': ['513'],
   'pwdLastSet': ['129234992266771052'],
   'sAMAccountName': ['TMCLAUGHLIN'],
   'sAMAccountType': ['805306368'],
   'scriptPath': ['Default.bat'],
   'uSNChanged': ['99938168'],
   'uSNCreated': ['30981'],
   'uid': ['tmclaughlin'],
   'uidNumber': ['10000'],
   'unixHomeDirectory': ['/home/tmclaughlin'],
   'userAccountControl': ['512'],
   'whenChanged': ['20100723033758.0Z'],
   'whenCreated': ['20070304152704.0Z']})]

[('CN=Domain Users,OU=Groups,DC=example,DC=com',
  {'cn': ['Domain Users'],
   'dSCorePropagationData': ['20100412182218.0Z',
   'description': ['All domain users'],
   'distinguishedName': ['CN=Domain Users,OU=Groups,DC=example,DC=com'],
   'gidNumber': ['10002'],
   'groupType': ['-2147483646'],
   'instanceType': ['4'],
   'isCriticalSystemObject': ['TRUE'],
   'memberOf': ['CN=Users,CN=Builtin,DC=example,DC=com'],
   'msSFU30Name': ['Domain Users'],
   'msSFU30NisDomain': ['example'],
   'name': ['Domain Users'],
   'objectCategory': ['CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com'],
   'objectClass': ['top', 'group'],
   'objectGUID': ['[\x1b>Jo\x12\x1bB\xb2\xe6\x8b[\rV\xf4S'],
   'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x007~;e\xa0\x07\x
   'sAMAccountName': ['Domain Users'],
   'sAMAccountType': ['268435456'],
   'uSNChanged': ['81880376'],
   'uSNCreated': ['7589'],
   'whenChanged': ['20100205162639.0Z'],
   'whenCreated': ['20070304152927.0Z']})]

The only reliable way to get the user's primary group is to get the group RID from the user's primaryGroupID and then search for the group using 'objectSid=<Domain SID>-<RID>'.
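The resolution described in the report and in comment 2, as an added Python 3 example that is not code from the bug report or from the httpd project. It decodes the binary objectSid (the dumped values above begin with \x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00, which decodes to the S-1-5-21-... prefix every domain SID carries), derives the domain SID from the user's own objectSid instead of a second search against the domain root (a user's objectSid is always <domain SID>-<user RID>, so dropping the last sub-authority gives the domain SID; this is a variant of the reporter's approach, not what the report does), appends primaryGroupID, and builds the group lookup filter. AD accepts the string form S-1-5-... in an objectSid filter, as the reporter's session shows; the example emits the RFC 4515 byte-escaped form so binary values can never alter the filter structure. The user SID and primaryGroupID are constructed sample values, not taken from the dump.

```python
import struct


def sid_bytes_to_str(sid: bytes) -> str:
    """Decode a binary objectSid into its S-R-I-S1-...-Sn string form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count little-endian unsigned 32-bit sub-authorities.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d"
                         % (len(sid), count))
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sid_str_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str; rejects anything that is not a well-formed SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Field limits: 1-byte revision, 48-bit authority, at most 15 sub-authorities.
    if not (0 <= revision <= 255 and 0 <= authority < 2 ** 48 and len(subs) <= 15):
        raise ValueError("SID field out of range: %r" % sid)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def primary_group_sid(user_sid: bytes, primary_group_id: str) -> str:
    """Primary group SID = <domain SID>-<primaryGroupID>.

    The domain SID is the user's objectSid with its final sub-authority (the
    user's own RID) removed, so no separate search of the domain root is needed.
    """
    domain_sid = sid_bytes_to_str(user_sid).rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, int(primary_group_id))


def ldap_filter_escape(value: bytes) -> str:
    """RFC 4515 escaping: each byte as \\XX, so raw bytes cannot inject filter syntax."""
    return "".join("\\%02x" % b for b in value)


def primary_group_filter(user_sid: bytes, primary_group_id: str) -> str:
    """Filter matching exactly the group object that holds the user's primary group SID."""
    group_sid = sid_str_to_bytes(primary_group_sid(user_sid, primary_group_id))
    return "(&(objectClass=group)(objectSid=%s))" % ldap_filter_escape(group_sid)


# Constructed sample (not from the dump above): user RID 1104 in a made-up domain,
# primaryGroupID 513, the RID of Domain Users.
SAMPLE_USER_SID = sid_str_to_bytes("S-1-5-21-1000-2000-3000-1104")
SAMPLE_PRIMARY_GROUP_ID = "513"

if __name__ == "__main__":
    print(sid_bytes_to_str(SAMPLE_USER_SID))
    print(primary_group_sid(SAMPLE_USER_SID, SAMPLE_PRIMARY_GROUP_ID))
    print(primary_group_filter(SAMPLE_USER_SID, SAMPLE_PRIMARY_GROUP_ID))
```

The filter returned by primary_group_filter is what a module would have to issue as a second search after fetching the user's objectSid and primaryGroupID. For a site that only needs a yes/no on one specific primary group, the check can also be expressed as a condition on the user entry itself, which is what the ldap-filter Require type in mod_authnz_ldap evaluates (for example Require ldap-filter primaryGroupID=513); that workaround is a suggestion added here, not something proposed in the thread.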
Comment 3 Boris 2017-07-28 07:45:32 UTC
Is there a fix planned for this issue?
Comment 4 Eric Covener 2017-07-28 11:54:47 UTC
(In reply to Boris from comment #3)
> Is there a fix planned for this issue?

Based on the age, it doesn't appear anyone is working on it
Comment 5 William A. Rowe Jr. 2018-11-07 21:09:54 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.