How to get objectSid value programmaticaly from Active Directory? - command-line

I'm searching for a way to get the objectSid value for an Active Directory Group programmaticaly.
I found a solution to get this value using powerShell :
Get-WMIObject win32_group -filter "name='WIKI_ADMIN'"|select sid
However what i want is to do is to get this value not from a windows machine, but from a distant Linux one.
I found a tool "adcli" that offer some fonctionnality on an AD (create user, group, ...) but no way to get the groupSid info.
Is there another tool, solution, script to get a such value ?
Thank you


Ok i found a solution using ldapsearch command line :
ldapsearch -x -LLL -h ldap_url -D 'cn=user name,OU=users,OU=myOU,DC=myou,DC=com' -w my_password -b 'CN=the_group_name,OU=users,OU=myOU,DC=myou,DC=com' -s sub '(objectClass=group)' | grep objectSid
And this gave me something like that :
objectSid:: AQUsAAAAAAUVAAAA5BLIGcudyeZ/J0pqbvoAxA==
However the value is in binary and base64 encoded, i found a script in another forum that decoded it successfully :
!/bin/bash
# Base-64 encoded objectSid
OBJECT_ID="AQUAAAAAAAUVAAAAPWW1S5rojK4mDAiG5BAAAA=="
OBJECT_ID=$1
# Decode it, hex-dump it and store it in an array
G=($(echo -n $OBJECT_ID | base64 -d -i | hexdump -v -e '1/1 " %02X"'))
# SID in HEX
# SID_HEX=${G[0]}-${G[1]}-${G[2]}${G[3]}${G[4]}${G[5]}${G[6]}${G[7]}-${G[8]}${G[9]}${G[10]}${G[11]}-${G[12]}${G[13]}${G[14]}${G[15]}-${G[16]}${G[17]}${G[18]}${G[19]}-${G[20]}${G[21]}${G[22]}${G[23]}-${G[24]}${G[25]}${G[26]}${G[27]}${G[28]}
# SID Structure: https://technet.microsoft.com/en-us/library/cc962011.aspx
# LESA = Little Endian Sub Authority
# BESA = Big Endian Sub Authority
# LERID = Little Endian Relative ID
# BERID = Big Endian Relative ID
BESA2=${G[8]}${G[9]}${G[10]}${G[11]}
BESA3=${G[12]}${G[13]}${G[14]}${G[15]}
BESA4=${G[16]}${G[17]}${G[18]}${G[19]}
BESA5=${G[20]}${G[21]}${G[22]}${G[23]}
BERID=${G[24]}${G[25]}${G[26]}${G[27]}${G[28]}
LESA1=${G[2]}${G[3]}${G[4]}${G[5]}${G[6]}${G[7]}
LESA2=${BESA2:6:2}${BESA2:4:2}${BESA2:2:2}${BESA2:0:2}
LESA3=${BESA3:6:2}${BESA3:4:2}${BESA3:2:2}${BESA3:0:2}
LESA4=${BESA4:6:2}${BESA4:4:2}${BESA4:2:2}${BESA4:0:2}
LESA5=${BESA5:6:2}${BESA5:4:2}${BESA5:2:2}${BESA5:0:2}
LERID=${BERID:6:2}${BERID:4:2}${BERID:2:2}${BERID:0:2}
LE_SID_HEX=${LESA1}-${LESA2}-${LESA3}-${LESA4}-${LESA5}-${LERID}
# Initial SID value which is used to construct actual SID
SID="S-1"
# Convert LE_SID_HEX to decimal values and append it to SID as a string
IFS='-' read -ra ADDR <<< "${LE_SID_HEX}"
for OBJECT in "${ADDR[#]}"; do
SID=${SID}-$((16#${OBJECT}))
done
echo ${SID}
and i got this :
S-1-48378511622149-21-432542436-3871972811-1783244671-3288398446
:)

Related

How to pass values from csv into az cli deployment as parameters

I don't have much experience with PowerShell and this simple issue has been driving me up the wall. I'm hoping someone can point me in the right direction.
I have a CSV-file with IP-range values
I wish to pass these IP values as a parameter to a Bicep template
The parameter is of type array, see code snippets below
CSV-file:
IP,Comment
10.0.0.1, Comment blabla
10.0.0.52, Comment more blabla
I wish to pass the IP-values into a Azure Bicep template with the following parameter:
param ipArray array
The cli command is as follows:
az deployment group validate -g test-rg -f .\main.bicep -p ipArray=$ipRange
I am unable to populate $ipRange properly. I have tested the following and know it works:
az deployment group validate -g test-rg -f .\main.bicep -p ipArray="['10.0.0.1','10.0.0.52']"
So I need to figure out how to build my Powershell variable according to above syntax
$ipRange = ((Get-Content .\ip_list.csv) | ConvertFrom-Csv).IP
Failed to parse string as JSON:
10.0.0.1 10.0.0.52
Error detail: Extra data: line 1 column 6 (char 5)
Any nudge in the right direction will be greatly appreciated
Thanks!

This code will convert the ip range as you asked for:
$ipRange = ((Get-Content C:\Temp\ip.csv) | ConvertFrom-Csv).IP | ConvertTo-Json
$ipRange = $ipRange.ToString() -replace '"',"'"
$ipRange
one final thing, in your param, it is mentioned as vlkIpArray and in deployment it is mentioned as ipArray. is this a typo error?
param vlkIpArray array and
az deployment group validate -g test-rg -f .\main.bicep -p ipArray="['10.0.0.1','10.0.0.52']"

snmpget : Unknown user name

I am trying to install net-snmp from scratch to make snmpv3 to work on my computer.
I did install net-snmp and create the user, but when I want to make snmpget it reject me with snmpget: Unknown user name
To install net-snmp I followed the official guide
I did install the packages libperl-dev, snmp-mibs-downloader and snmp too using sudo apt-get install
Here is my /usr/local/share/snmp configuration where you can find the particular line rouser neutg
###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
# AGENT BEHAVIOUR
#
# Listen for connections from the local system only
# agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent
# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"
# If you also change the usernames (which might be sensible),
# then remember to update the other occurances in this example config file to match.
###############################################################################
#
# ACCESS CONTROL
#
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# Full access from the local host
#rocommunity public localhost
# Default access to basic system info
rocommunity public default -V systemonly
# rocommunity6 is for IPv6
rocommunity6 public default -V systemonly
# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16
# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv
# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ow]user and r[ow]community, together with suitable views, should cover most requirements
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <me#example.org>
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1
# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public
# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
###############################################################################
#
# EXTENDING THE AGENT
#
#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest
# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented
# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output
# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.
#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl
# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.
# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705
rouser neutg
Here is my persistant configuration file /var/net-snmp/snmpd.conf
createUser neutg SHA "password" AES passphrase
The command I run is :
snmpget -u neutg -A password -a SHA -X 'passphrase'
-x AES -l authPriv localhost -v 3 1.3.6.1.2.1.1
I don't understand why it do not take in count my user. (I did restart the snmpd after entering the user - multiple times!)
The version of net-snmp I use :
Thanks in advance :)

After many research I've found what the problem is.
snmpd was not taking in count my configuration files. I saw it using the command :
snmpd -Dread_config -H 2>&1 | grep "Reading" | sort -u
Which tells you which configurations files are loaded by snmpd.
You can see it as well looking at the configuration file /var/lib/snmp/snmpd.conf. When snmpd handle your users it creates special lines in the file. It looks like :
usmUser 1 3 0x80001f888074336938f74f7c5a00000000 "neutg" "neutg" NULL .1.3.6.1.6.3.10.1.1.3 0xf965e4ab0f35eebb3f0e3b30\
6bc0797c025821c5 .1.3.6.1.6.3.10.1.2.4 0xe277044beccd9991d70144c4c8f4b672 0x
usmUser 1 3 0x80001f888074336938f74f7c5a00000000 "myuser" "myuser" NULL .1.3.6.1.6.3.10.1.1.2 0x2223c2d00758353b7c3076\
236be02152 .1.3.6.1.6.3.10.1.2.2 0x2223c2d00758353b7c3076236be02152 0x
setserialno 1424757026
So if you do not see any usmUser it's probably that your badly added your users.
The soluce
sudo /usr/local/sbin/snmpd -c /var/net-snmp/snmpd.conf -c /usr/local/share/snmp/snmpd.conf

Want to call Progress 4GL 91.D procedure through Ajax call

I want to create web service for my Phonegap Android application which will further call progress 4GL 91.D procedure.
Does any one knowy idea how to create web service for this.

That will be a struggle. You CAN create a server that listens to a socket but you will have to handle everything yourself!
Look at this example.
However, you are likely better off writing the webservice in a language with a better support and then finding another way of getting the data out of the DB. If youre really stuck with a 10+ year old version you really should consider migrating to something else.

You don't have to upgrade everything -- you could just obtain a license for a version 10 client. V10 clients can connect to v9 databases (the rule is that the client can be up to one major release higher) so you could use that to build a SOAP service. Or you could get a v10 "webspeed" license.
Or you could write a simple enough CGI wrapper to some 4GL code if you have those sorts of skills. I occasionally toss together something like this:
#!/bin/bash
#
LOGFILE=/tmp/myservice.log
SVC=sample
# if a FIFO does not exist for the specified service then create it in /tmp
#
# $1 = direction -- in or out
# $2 = unique service name
#
pj_fifo() {
if [ ! -p /tmp/$2.$1 ]
then
echo `date` "Creating FIFO $2.$1" >> ${LOGFILE}
rm -f /tmp/$2.$1 >> ${LOGFILE} &2>&1
/bin/mknod -m 666 /tmp/$2.$1 p >> ${LOGFILE} &2>&1
fi
}
if [ "${REQUEST_METHOD}" = "POST" ]
then
read QUERY_STRING
fi
# header must include a blank line
#
# we're returning XML
#
echo "Content-type: text/xml" # or text/html or text/plain
echo
# debugging echo...
#
# echo $QUERY_STRING
#
# echo "<html><head><title>Sample CGI Interface</title></head><body><pre>QUERY STRING = ${QUERY_STRING}</pre></body></html>"
# ensure that the FIFOs exist
#
pj_fifo in $SVC
pj_fifo out $SVC
# make the request
#
echo "$QUERY_STRING" > /tmp/${SVC}.in
# send the response back to the requestor
#
cat /tmp/${SVC}.out
# all done!
#
echo `date` "complete" >> ${LOGFILE}
Then you just arrange for a background session to be reading /tmp/sample.in:
/* sample.p
*
* mbpro dbname -p sample.p > /tmp/sample.log 2>&1 &
*
*/
define variable request as character no-undo.
define variable result as character no-undo.
input from value( "/tmp/sample.in" ).
output to value( "/tmp/sample.out" ).
do while true:
import unformatted request.
/* parse it and do something with it... */
result = '<?xml version="1.0"?>~n<status>~n'.
result = result + "ok". /* or whatever turns your crank... */
result = result + "</status>~n".
end.
When input arrives parse the line and do whatever. Spit the answer back out to /tmp/sample.out and loop. It's not very fancy but if your needs are modest it is easy to do. If you need more scalability, robustness or security then you might ultimately need something more sophisticated but this will at least let you get started prototyping.

How can I configure the perl App::Cmd module to complain about incorrect options

I'm attempting to use the perl App::Cmd module and a simple test program works fine.
However, if I run the program with an --option that I haven't configured in the opt_spec
function (of the sub command I'm invoking), it doesn't complain about an invalid option. I would expect it to do so. Instead it just quietly ignores that option.
I can't see anyway of configuring App::Cmd to complain about invalid options.
Is this possible, or is each sub-command expected to do the checking itself?
Thanks

As per App::Cmd tutorial https://metacpan.org/dist/App-Cmd/view/lib/App/Cmd/Tutorial.pod Arguments are processed by Getopt::Long::Descriptive (GLD) (check Arguments and Options section https://metacpan.org/dist/App-Cmd/view/lib/App/Cmd/Tutorial.pod#Arguments-and-Options)
For example, jobstatus is a command required job id as parameter
mycli jobstatus -j 1111 or mycli jobstatus --jobid 1111 # valid command options
sub opt_spec {
# check https://metacpan.org/pod/Getopt::Long#Summary-of-Option-Specifications
return (
[ "jobid|j=i", "specify job id" ],
);
}
sub validate_args {
my ($self, $opt, $args) = #_;
# The $opt object will be a dynamically-generated subclass of Getopt::Long::Descriptive::Opts. In brief, each of the options in #opt_spec becomes an accessor method on the object, using the first-given name, with dashes converted to underscores.
# So object $opt->jobid parameter value is 1111 (jobid 1111 consider as option) and -k consider as argument
$self->usage_error("Please verify given arguments #$args \n") if #$args;
}
Output
> perl mycli jobstatus -j 1111 -k
> Error: Please verify given arguments -k
Usage: mycli <command> [-?h] [long options...]
-? -h --help show help
mycli jobstatus [-j] [long options...]
-j INT --jobid INT specify job id

how to improve this perl/bash one-liner to deserialize json data

I have a little bash program that calls a webservice that returns JSON data.
I have written the webservice program myself, I have complete control over its data sources, and thus I can trust the data that is returned.
Now I want to do something with the data.
The data is a simple, short key-value structure without nesting, and looks like this:
{
"asciifile" : "../tmp/data_20120720_105746-01580.txt",
"excelfile" : "../tmp/data_01580-20120720_105746.xlsx",
"from" : "Jun 19, 2012",
"msg" : "some info message, for the admin",
"outfile" : "data--recent.txt",
"outfile_excel" : "data--recent.txt.xlsx",
"resolution" : "std"
"to" : "Jul 20, 2012",
"url_comment" : "another info message, for the screen/user",
"url_outfile" : "http://www.example.com/path/tmp_cached_files/data--recent.txt",
"url_outfile_excel" : "http://www.example.com/path/tmp_cached_files/data--recent.txt.xlsx",
}
Now I am using this one-liner to deserialize the json structure returned to perl code. See last line of this snippet:
#!/bin/bash
cmd=$(curl_or_wget_call_to_webservice)
output=$(eval $cmd)
outfile_excel=$(echo "$output"| json_xs -f json -t dumper | tee | perl -n0777 -E 'eval "%h=%{$_}"; warn $# if $#; say $h{outfile_excel}')
For example, I'm not sure why I came up with the %{$_} construct. Is there a better way to do this? Is there a shorter way or a safer way to write the last line?
SE Editors: if you wish, you may move this post to the codereview stackexchange site, but I don't have an account there.
Edit: After revisiting the post after 8 months, I'd like to add that these days I use this one liner for getting the name of my github repos:
wget --quiet --auth-no-challenge --user knbknb --password secret -O -
https://api.github.com/user/repos |
perl -MJSON -n0777 -E '$r = decode_json($_); map {say $_->{name}} #$r' -

Perl can decode JSON itself, so the next should give some idea, using LWP::Simple to get some json data.
perl -MLWP::Simple -MJSON \
-e '$ref = decode_json(get("http://your.url/to/webservice")); print $ref->{outfile_excel}'
The $ref contains a perl structure of all JSON data, print out as you want it..

There is jshon. You could simply call something like
curl http://somehere.tld/data.json | jshon -e url_outfile_excel
Which would print the value for the given key.
By the way. Having control over the webservice doesn't make the input trustworthy. Be careful when calling eval.