Question

We have a domain with over 80 other "Trusted" domains attached. This means that some of our groups are cross-linked, with users from one domain in groups on another domain, etc. I have written a script that creates lists of users from a certain set of groups on one of the domains, but some of them are from other domains, so I just get the Foreign Identifier. I need to link this to the other domains, but I need the SID of each domain.

Is there a PHP equivalent of Win32's DsEnumerateDomainTrusts? I don't want to have to write out all the SIDs by hand, and then keep updating them manually when new domains are added, or old ones are removed.

Solution

You can do an LDAP query for trustedDomain objects in the System container of the domain. For me, the domain's SID is in the securityIdentifier attribute.

OTHER TIPS

Here is my solution to it:

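function ldap_sidconvert($ldapbytes)
{
    // Hex-encode the binary attribute value
    $d_proc=unpack("H*",$ldapbytes);
    // Keep the last 24 hex digits (12 bytes) and split them into single bytes
    $d_proc['hex1']=str_split(substr($d_proc[1],-24),2);
    // Group the bytes into three 4-byte values
    foreach ($d_proc['hex1'] as $key=>$value)
    {
        $d_proc['hex2'][floor($key/4)][]=$value;
    }
    // Each group is little-endian: reverse the byte order, then convert to decimal
    foreach ($d_proc['hex2'] as $key=>$value)
    {
        $d_proc['hex3'][$key]=hexdec(implode(array_reverse($d_proc['hex2'][$key],FALSE)));
    }
    return implode("-",$d_proc['hex3']);
}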

And then you can call it by passing the value of the securityidentifier field to it:

ldap_sidconvert($domains[0]['securityidentifier'][0])

In this example, it is just looking at the first domain in the list; replace the first 0 with 1, 2, 3, etc. as required. This only converts the last 24 hex digits. I am not sure how to process the first 24, but I believe they are not unique anyway, so they shouldn't be required.

This may not be the best way to do it, so I am happy to accept criticism for my coding, but hopefully it will help someone in the future.

This may be a useful reference: http://en.wikipedia.org/wiki/Security_Identifier#Machine_SIDs
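The query from the Solution and a decoder for the whole binary SID, as an added example that is not part of the original answers: in a domain SID the first 24 hex digits (12 bytes) hold the revision, the sub-authority count, the 48-bit identifier authority and the first sub-authority, and the rest are further little-endian 32-bit sub-authorities. The function names, the use of `cn` as the label, the `partner.example` name and the sample SID values are assumptions constructed for illustration; 64-bit PHP with the LDAP extension and an already bound connection are assumed.

```php
<?php
// Added example (not from the original answers). Assumes 64-bit PHP with ext-ldap.

// Decode a binary SID (securityIdentifier / objectSid value) into S-R-A-S1-S2... form.
function sid_to_string(string $bin): string
{
    if (strlen($bin) < 8 || strlen($bin) !== 8 + 4 * ord($bin[1])) {
        throw new InvalidArgumentException('Truncated or malformed SID');
    }
    // Header: revision, sub-authority count, 48-bit big-endian identifier authority
    $a = unpack('Crev/Ccount/nhi/Nlo', $bin);
    $parts = [$a['rev'], ($a['hi'] << 32) | $a['lo']];
    if ($a['count'] > 0) {                       // sub-authorities are little-endian
        $parts = array_merge($parts, array_values(unpack('V*', substr($bin, 8))));
    }
    return 'S-' . implode('-', $parts);
}

// Map domain SID string => trusted domain cn, read from CN=System,<domain DN>.
function trusted_domain_sids($conn, string $domainDn): array
{
    $res = ldap_search($conn, 'CN=System,' . $domainDn,
        '(objectClass=trustedDomain)', ['cn', 'securityidentifier']);
    if ($res === false) {
        throw new RuntimeException(ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $res);    // attribute names come back lowercased
    $map = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        if (isset($entries[$i]['securityidentifier'][0])) {  // skip trusts without a SID
            $map[sid_to_string($entries[$i]['securityidentifier'][0])] = $entries[$i]['cn'][0];
        }
    }
    return $map;
}

// A foreign principal's SID is its domain SID plus a trailing RID; drop the RID to look it up.
function domain_of(string $principalSid, array $map): ?string
{
    $domainSid = substr($principalSid, 0, (int) strrpos($principalSid, '-'));
    return $map[$domainSid] ?? null;
}

// Constructed sample values, so the decoder can be checked without a directory.
$sample = pack('CCnNV4', 1, 4, 0, 5, 21, 1004336348, 1177238915, 682003330);
$map = [sid_to_string($sample) => 'partner.example'];
var_dump(domain_of('S-1-5-21-1004336348-1177238915-682003330-1104', $map));
```

Against a live directory, replace the constructed `$map` with `trusted_domain_sids($conn, $domainDn)`, so the list follows trusts as they are added or removed.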

Licensed under: CC-BY-SA with attribution