Reading LDAP Object-Sid using the Query LDAP Assertion.

Document ID : KB000009916
Last Modified Date : 14/02/2018
Introduction:

The Microsoft Active Directory attribute LDAP Object-Sid is returned in a non-readable (binary) format by the "Query LDAP" Assertion.

The right configuration of the "Query LDAP" Assertion and the "Encode/Decode Data" Assertion within a Policy allows the Policy to return a usable LDAP Object-Sid output value.

Instructions:

The following configuration of the "Query LDAP" Assertion returns a base64 value of the Object-Sid.

You have to configure the LDAP binary field with an additional "binary" entry.

[Screenshot: kb.png]

The returned base64 value can then be encoded with an "Encode/Decode Data" Assertion by using the "Base64 Encode" option.

[Screenshot: ecmldap.png]

Additional Information:

In the current design, the CA API Gateway can't decode the binary LDAP Object-Sid into a string value.

This means the LDAP Object-Sid cannot be viewed in its original format within the CA API Gateway, because that would require rendering the SID as a text value, which is not a CA API Gateway feature yet.
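Because the Gateway only hands the SID on as base64, rendering it as the familiar S-1-5-21-... text has to happen in the consuming system. The following Python is an added example, not part of this article or of the CA API Gateway product; it decodes the base64 value, validates the binary SID layout, and builds a constructed sample value so it runs stand-alone.

```python
import base64
import struct


def parse_sid(sid_bytes: bytes) -> str:
    """Render a binary Windows SID as S-<revision>-<authority>-<sub>...

    Binary layout:
      byte 0     revision (always 1)
      byte 1     number of sub-authorities (0..15)
      bytes 2-7  identifier authority, 48-bit big-endian
      bytes 8..  sub-authorities, 32-bit little-endian each
    """
    if len(sid_bytes) < 8:
        raise ValueError("SID too short: %d bytes" % len(sid_bytes))
    revision, count = sid_bytes[0], sid_bytes[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(sid_bytes) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not match length %d"
                         % (count, len(sid_bytes)))
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid_bytes[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_from_base64(b64: str) -> str:
    """Decode the base64 string the Query LDAP Assertion returns, then render it."""
    return parse_sid(base64.b64decode(b64, validate=True))


def build_sid(text: str) -> bytes:
    """Inverse of parse_sid; used here only to construct a sample value."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a textual SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample (domain-style SID with RID 512); not taken from any real directory.
SAMPLE_SID_TEXT = "S-1-5-21-1004336348-1177238915-682003330-512"
SAMPLE_BASE64 = base64.b64encode(build_sid(SAMPLE_SID_TEXT)).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_BASE64)                    # what the Gateway would output
    print(sid_from_base64(SAMPLE_BASE64))   # S-1-5-21-1004336348-1177238915-682003330-512
```

The length and sub-authority-count checks matter in practice: a truncated or wrongly decoded attribute should be rejected rather than silently rendered as a plausible-looking SID.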