Forum Discussion

jklemm2000
Apr 03, 2019

APM variable Assign Convert from HEX to original Format

I am doing an LDAP query which polls ldap for user attributes and I want to take the objectSid attribute and insert it in a header upon policy completion. The issue I am running into is the application only accepts the SID in a format like this "S-1-5-21-3151507965-1511538023-2697414875-1234567" and not the HEX encoded format that APM returns. I have attempted to get this to work a few different ways with my latest attached. Can someone help shed some light on this?


    set var [mcget {session.ldap.last.attr.objectSid}]
    if { [string range $var 0 1] == "0x" } {
        return "[encoding convertfrom utf-8 [binary format H* [string range $var 2 [string length $var]]]]"
    }
    return "[mcget {session.ldap.last.attr.objectSid}]"


6 Replies

  • The problem is that the LDAP query response is in binary format, so it cannot be transformed only by decoding the HEX value, it has to be interpreted from binary format according to the LDAP specification.

    I've made a small TCL script to do this transformation that should be able to achieve this. Be aware it is my first TCL script so probably not as optimal as possible. Sharing it either way as it might be helpful for someone running into the same issue.

    set var [mcget {session.ldap.last.attr.objectSid}]
    # Fixed header: revision, sub-authority count, 48-bit authority (hex digits after "0x")
    set revision [expr [string range $var 2 3]]
    set countSubAuths [expr [string range $var 4 5]]
    set authority [expr [string range $var 6 17]]
    set objectsid "S-$revision-$authority"
    set start 18
    for {set i 0} {$i < $countSubAuths} {incr i} {
        set end [expr $start + 7]
        set subAuth [string range $var $start $end]
        set result ""
        # Reverse the four little-endian bytes of this sub-authority
        for {set j 3} {$j > -1} {incr j -1} {
            set subAuthbit [string range $subAuth [expr $j * 2] [expr $j * 2 + 1]]
            set result [concat $result$subAuthbit]
        }
        set subAuthDec [expr 0x$result]
        set objectsid [concat $objectsid-$subAuthDec]
        set start [expr $start + 8]
    }
    return $objectsid

  • Hi,


    You can try this decoding code (you did not convert hex to unsigned integer in revision, countSubAuths and authority)

    # Sample binary SID
    set attr_objectSid 0x01050000000000050d000000653937086239386436083764370866383205016506630238060000
    #set attr_objectSid [mcget {session.ldap.last.attr.objectSid}]
    if { [string range $attr_objectSid 0 1 ] == "0x" } {
        set objectSid [binary format H* [string range $attr_objectSid 2 end]]
        # Extract static data
        # - Revision (1 byte --> c )
        # - countSubAuths (1 byte --> c )
        # - authorityhex (48 bits big-endian --> H12 ; binary scan only supports 1/2/4/8 bytes so a conversion to hex is required)
        binary scan $objectSid ccH12 revision countSubAuths authorityhex
        # Convert signed values to unsigned
        set revision [expr {$revision & 0xff}]
        set countSubAuths [expr {$countSubAuths & 0xff}]
        # Convert authorityhex to unsigned integer
        scan $authorityhex {%x} authority
        # Extract sub-authorities
        # - subauth : list of sub-authorities (4 bytes little-endian --> i )
        binary scan $objectSid @8i${countSubAuths} subauth
        # Build a list of SID elements
        set result [list "S" $revision $authority]
        foreach val $subauth {
            # Insert each sub-authority value as unsigned value
            lappend result [expr {$val & 0xffffffff}]
        }
        # Return joined SID elements list with dash separator
        puts [join $result "-"]
        #return [join $result "-"]
    }


    • ebeng

      Hi mate, 

      can you check your code, it seems to be all pasted in one line now, can't get it to work 😞

      What about if we need to have the ObjectGUID as well? 

      when we need to convert the base64, which the F5-retrieves, with an LDAP-search we do the following:

      echo <<>>|base64 -d -i|hexdump -e  '1/1 " %02x"'|awk '{print $4$3$2$1"-"$6$5"-"$8$7"-"$9$10"-"$11$12$13$14$15$16}'

      Any way we can do this within the APM policy?

      I would like to get the ObjectGUID, as shown in the AD, to use it in the APM. 

      any help would be appreciated. 

      • BarrettK

        Hi ebeng, did you happen to get this one figured out? I'm also needing to use the ObjectGUID in APM as a string to send it in a SAML assertion.
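
The byte reordering done by the awk step of the shell pipeline quoted above, written in Tcl as an added example that is not part of the original thread. It assumes the objectGUID reaches the policy as a hex string with an optional 0x prefix, the way objectSid does here; the proc name and the session variable name `session.ldap.last.attr.objectGUID` are assumptions, and the sample value is constructed.

```tcl
# Added example: convert a hex-encoded objectGUID to the dashed string form.
# Byte order follows the awk reordering quoted in the thread:
#   bytes 4 3 2 1 - 6 5 - 8 7 - 9 10 - 11..16
proc guid_hex_to_string {attr} {
    # Accept an optional 0x prefix, as seen on objectSid in this thread.
    if {[string range $attr 0 1] eq "0x"} {
        set attr [string range $attr 2 end]
    }
    # A GUID is exactly 16 bytes (32 hex digits). Reject anything else
    # rather than emit a malformed identifier into a header or assertion.
    if {![regexp {^[0-9A-Fa-f]{32}$} $attr]} {
        return ""
    }
    set hex [string tolower $attr]
    # Split into a list of 16 two-digit bytes.
    set b {}
    for {set i 0} {$i < 32} {incr i 2} {
        lappend b [string range $hex $i [expr {$i + 1}]]
    }
    # The first three groups are little-endian, so their bytes are reversed;
    # the last two groups keep the stored order.
    set order {{3 2 1 0} {5 4} {7 6} {8 9} {10 11 12 13 14 15}}
    set groups {}
    foreach idxs $order {
        set g ""
        foreach k $idxs {
            append g [lindex $b $k]
        }
        lappend groups $g
    }
    return [join $groups "-"]
}

# Constructed sample input (not a real directory value).
set sample 0x00112233445566778899aabbccddeeff
puts [guid_hex_to_string $sample]

# In an APM Variable Assign expression the input would come from the session,
# e.g. [mcget {session.ldap.last.attr.objectGUID}] (variable name assumed).
```

An empty return value means the input was not a 16-byte hex value, so the policy can branch on it instead of forwarding a malformed identifier.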