how to get AD DirectoryEntry from SID?

Aug 17, 2011 at 10:25 AM
Edited Aug 17, 2011 at 12:51 PM

I got a user's SID as byte[] using windowsPrincipal.getIdentity().getSidString() using WAFFLE.

How to get a DirectoryEntry with the SID-value? 

It should look like: DirectoryEntry userDE = new DirectoryEntry(some_ldap_query). Does anybody know?

(Actually I'm interesting in any solution how can I retrieve user details from AD using WAFFLE)

Aug 17, 2011 at 1:42 PM

LDAP supports SID-based search I believe, so something like LDAP://<SID={...}> should work. I also found this that might be helpful.

Aug 17, 2011 at 4:22 PM
Edited Aug 17, 2011 at 4:34 PM

Hallo dblock, thanks a lot for your answer.

Yes indeed it supports such search, a filter like (&(objectClass=person)(objecSid={...})) works fine if I apply this directly in the database (..more precisely: using  Apache Directory Studio).

The code (your link) is exactly what I try to implement. Only this code (your link) is in C++, and I try to do it in Java using WAFFLE-based Authentification.

I got the SID in this way: I opened a waffle sample (waffle-filter) and used the object "windowsPrincipal" like byte[] sid = windowsPrincipal.getIdentity().getSid();

Now, I do not manage to create an Object like "DirectoryEntry". Do you know how to do it?

Aug 23, 2011 at 4:52 PM

I solved the problem. 

Firstly I tried to use java JNDI, but it did not work properly, so I used Spring Ldap to query the user It works fine.


Aug 24, 2011 at 2:48 AM

Post some code!

Aug 29, 2011 at 2:46 PM

1) make sure, that all of necessary spring libraries are attached. To achieve this, I installed a maven plugin for my eclipse helios, and added dependencies as it described at

2) write, that will connect to the ldap-database. ( see the attachment below). Mostly interesting here are the ldap query mask (see the string filter in the method "this.getUserByAttribute"), and the constructor itself.

3) write like the carrier of ldap info. ( see below)

4) get the byte[] sid from WindowsPrincipal 

Principal principal = (Principal) session.getAttribute(PRINCIPAL_SESSION_KEY);
    	logger.debug("Principal: " + principal);
    	if (principal instanceof WindowsPrincipal) {
"Windows User: " + principal.getName());
   		 	return ((WindowsPrincipal) principal).getSid();	

5) use the sid from the step 4 to obtain the ldapdao:

       byte sid[] = getCurrentUserSid(httpRequest, httpResponse, chain);     		   
       if (sid != null)  
    	  LDAPDAOImpl ldapdao;
		try {
			ldapdao = new LDAPDAOImpl("ldap://", "MUSTERFIRMA\\hansm", "superpass", "CN=HANS MUSTERMANN,OU=Users,OU=MUSTERFIRMA,DC=MUSTERDC,DC=MUSTERGROUP");
			LDAPUser user = ldapdao.getUserBySID(sid);		  		 
	 	    httpRequest.getSession().setAttribute(CURRENT_LDAP_USER, user);
		} catch (Exception e) {
			logger.debug("cannot find ldap user with sid: "+Arrays.toString(sid));


6) The attachment with

public class LDAPDAOImpl {
	private LdapTemplate ldapTemplate;
    public LDAPDAOImpl(String url, String user, String pass, String base) throws Exception {
	 LdapContextSource ctxs = new LdapContextSource();
	 setLdapTemplate(new LdapTemplate(ctxs));
	 this.base = base;

	 public LDAPUser getUserBySID(byte[] sid) throws Exception{
		 if (sid == null) return null;
		 List users =  this.getUsersByAttribute("objectSid", byteArray2LdapHex(sid)); 
		 return (users.size()==1)?users.get(0):null;		 

 public String byteArray2LdapHex(byte[] array){
		 if (array == null) return null;
		 String s ="";
		 for (int i = 0; i < array.length; ++i) {
			 s += "\\"+Integer.toString (( array[i] & 0xff ) + 0x100, 16).substring(1);
		return s;

public List getUsersByAttribute(String attribute, String value) throws Exception {
		    if ((attribute == null)||(value == null)) return null;
			String filter = "(&(objectClass=user)("+attribute+"="+value+"))";
			return (List), filter, new LDAPUserAttributesMapper());	

public class LDAPUser {

	private String dn;
	private String company;
	private String displayName;
	// here all the setter/getter