DSInternals
DSInternals copied to clipboard
MichaelGrafnetter
Refactor schema loading to follow ATTRTYP documentation
Do you think it is possible to load the schema (and especially the list of OID Prefix) from AD remotely (without reading directly the file ntsd.dit)?
You can load the schema through regular LDAP. AFAIK the prefix table is only exposed through MS-DRSR. The schema can also be replicated through this protocol. I use a simple static schema when doing replication instead of loading it from DC, because it would be an overkill in situations when you want to replicate a single account. BTW if you are interested in prefix table parsing, look at the source code of mimikatz.
I'm now loading the Prefix Table from the DRS_MSG_GETCHGREPLY_V6 object (it is pretty simple to do it). But, my issue is the same as I have before, I don't get the prefixes for extended attributes in my AD. e.g. I add the attribute in the AD Schema: "ssn" with the OID: 1.2.840.113556.1.4.7000.142 but I don't get the prefix in the response object. Because of that, AD returns the ID: 2292510558 and I can't translate it to an OID. Any idea?
Yep, as I understand it, the prefix of that particular OID is hardcoded into ntdsa.dll (as are 30+ other prefixes) and is physically not present in the ntds.dit file. Take a look at my PrefixMap code. I first load the hardcoded prefixes and then load the rest of them from the DB.
Specifically, prefix 1.2.840.113556.1.4 is added using this call:
this.AddBuiltinPrefix(9, "2A864886F7140104");
Actually, I have the prefix in properly loaded from the MS-DRSR request: {[18467, 1.2.840.113556.1.4.7000]} Now, I need to find a way to map the ID 2292510558 to the prefix 18467 and the "value" 142. BTW, I can send a pull request with the hardcoded prefix 0 to 38 if you think it would be useful.
That would be nice of you. Also, if you could please add string representations of OIDs as comments.