‎12-13-2020 04:12 PM
As part of an SAP SSO integration project, our customer has a requirement to create an SAP user through ServiceNow automation where the Active Directory "ObjectSID" string needs to be sent across to uniquely identify an AD user.
As you are probably aware, the ServiceNow LDAP import brings in ObjectSID as a base64 string. This script converts it into hexadecimal and then forms the objectSID string.
We have been searching the community, but had no luck with this. We therefore spent a few hours on this and are sharing it with you all for improvement, or perhaps to save some of your precious time. We are sure the script can be improved, and I hope you can share it with us in this forum for future reference. Also, feel free to convert it to a Script Include.
We would like to thank the authors at the following 2 links, as they helped us a lot to understand how they are converted or formed.
http://www.selfadsi.org/deep-inside/microsoft-sid-attributes.htm
https://stackoverflow.com/questions/57803/how-to-convert-decimal-to-hexadecimal-in-javascript
//======================================================================================
// To generate a base64 string from random hexadecimal, you can use https://cryptii.com/pipes/base64-to-binary. Here is a sample base64 string generated randomly.
var source = "AQUAAAAAAAUVAAAAWUwLi17c7L1aBsrNrgQAAA==";
var hexaArrayString = base64ToHexa(source);
//Print out -> 01 05 00 00 00 00 00 05 15 00 00 00 59 4C 0B 8B 5E DC EC BD 5A 06 CA CD AE 04 00 00
gs.print(hexaArrayString.replace(/,/g," "));
var SIDArray = hexaArrayString.split(",");
var SID = hexaArrayToSID(SIDArray);
//Print out -> S-1-5-21-2332773465-3186416734-3452569178-1198
gs.print(SID);

// Decode the base64 string and return its bytes as comma-separated two-digit hex values
function base64ToHexa (str){
    var decoded = GlideStringUtil.base64DecodeAsBytes(str);
    var n = decoded.length;
    if (n<16){
        return '';
    }
    var hexaArray = [];
    for (var i=0; i<n; i++) {
        var hexaStr = decimal2Hexadecimal(decoded[i]);
        hexaArray.push(hexaStr);
    }
    return hexaArray.toString();
}

// Convert one (signed) byte value to exactly two hex digits
function decimal2Hexadecimal (decimal) {
    var hexaStr = decToHex(decimal);
    if (hexaStr.length==3) { // e.g. 0x5->05
        hexaStr = '0' + hexaStr.charAt(2);
    }
    else if (hexaStr.length==4) { // e.g. 0X42->42 or 0x5C->5C
        hexaStr = hexaStr.charAt(2) + hexaStr.charAt(3);
    }
    else { // negative byte, e.g. 0xFFFFFF8B->8B
        hexaStr = hexaStr.charAt(hexaStr.length-2) + hexaStr.charAt(hexaStr.length-1);
    }
    return hexaStr + '';
}

//Thanks to the author at
//http://www.selfadsi.org/deep-inside/microsoft-sid-attributes.htm
function hexaArrayToSID (arr){
    // Always pass radix 16: the array holds hex strings such as "0A"
    var revision = parseInt(arr[0], 16);
    var subIDCount = parseInt(arr[1], 16);
    // A binary SID is 8 header bytes plus 4 bytes per sub-authority
    if (isNaN(subIDCount) || arr.length != 8 + 4 * subIDCount) {
        return '';
    }
    // Identifier authority: 6 bytes, big-endian (5 for NT Authority)
    var identifierAuthority = hexaToDecimal(arr.slice(2, 8).join(''));
    var sid = "S-" + revision + "-" + identifierAuthority;
    // Sub-authorities: 4 bytes each, little-endian; the last one is the Relative ID (RID)
    for (var i = 0; i < subIDCount; i++) {
        var start = 8 + 4 * i;
        sid += "-" + hexaToDecimal(arr.slice(start, start + 4).reverse().join(''));
    }
    return sid;
}

//Thanks to the author at
//https://stackoverflow.com/questions/57803/how-to-convert-decimal-to-hexadecimal-in-javascript
function decToHex(decimal) { // Data (decimal)
    var length = -1; // Base string length
    var string = ''; // Source 'string'
    var characters = [ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' ]; // character array
    do { // Grab each nibble in reverse order because JavaScript has no unsigned left shift
        string += characters[decimal & 0xF]; // Mask byte, get that character
        ++length; // Increment to length of string
    } while (decimal >>>= 4); // For next character shift right 4 bits, or break on 0
    decimal += 'x'; // Convert that 0 into a hex prefix string -> '0x'
    do {
        decimal += string[length];
    } while (length--); // Flip string forwards, with the prefixed '0x'
    return (decimal); // return (hexadecimal);
}

function hexaToDecimal (_hexaString) {
    return parseInt(_hexaString, 16);
}
‎04-29-2021 11:21 PM
THANK YOU!
This solved our issue exactly as we wanted it.
‎05-15-2021 04:47 AM
Hello Johnny,
I am new to ServiceNow and a bit of a novice when it comes to scripting, but this solution sounds like what I am looking for.
Can you please provide a few steps on how to apply this script in ServiceNow? I assume it forms part of the transform map and is a script in the field map; after that I am lost. A few screenshots on where it goes and what key areas need to be adjusted to import the ms-ds-consistencyguid from AD into the employee number in the User (sys_user) table would be great.
Thanks in advance.
‎05-16-2021 04:11 PM
Hi Phil,
I have worked with
1. Setup the attached Script Include. ActiveDirectoryUtil.xml
2. For our solution we created a new field on sys_user table. You can use the existing field if available.
- Type: String
- Label: ObjectSid
- Name: u_objectsid
- Max Length: 255
3. In your LDAP Transform Map add new Field Map and set the field Use source script to True.
Add below code. Target field set to ObjectSid [u_objectsid] created in Step 2.
I have attached the screenshot of the field map.
‎05-16-2021 07:36 PM
Thank you Priyank,
As we are using the employee number field in the sys_user table I just extended the length to 255. We want to populate the employee number (String) with the value in the AD attribute "u_ms_ds_consistencyguid" which
I tried the recommendations but ended up with values like this. Have I missed something?
Here are screenshots of what I did
Converted to below in ServiceNow sys-user table employee number field
S-NaN-NaN-9743258-3271864181-NaN-NaN-NaN
If you have any additional advice that would be great.
Cheers
Phil
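An added example, not part of any post in this thread: a validating decoder for the binary SID layout the original script relies on (revision byte, sub-authority count, 6-byte big-endian authority, 4-byte little-endian sub-authorities). It rejects input that does not match that layout instead of emitting NaN fields. It runs under Node.js, where `Buffer` stands in for `GlideStringUtil.base64DecodeAsBytes`; the function names and the two constructed inputs are assumptions of this example.

```javascript
// Added example (Node.js), not the thread author's code.

// Decode a base64 objectSid into "S-R-A-S1-...-Sn"; throws if the bytes are not a SID.
function sidFromBase64(b64) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length < 8) {
    throw new Error('not a SID: ' + buf.length + ' bytes, header needs 8');
  }
  const revision = buf.readUInt8(0);
  const subCount = buf.readUInt8(1);
  if (revision !== 1) {
    throw new Error('not a SID: revision byte is ' + revision + ', expected 1');
  }
  // Windows allows at most 15 sub-authorities (SID_MAX_SUB_AUTHORITIES).
  if (subCount > 15 || buf.length !== 8 + 4 * subCount) {
    throw new Error('not a SID: ' + buf.length + ' bytes does not match ' +
                    subCount + ' sub-authorities');
  }
  // Identifier authority: 6 bytes, big-endian.
  const parts = ['S', revision, buf.readUIntBE(2, 6)];
  // Sub-authorities: unsigned 32-bit little-endian; the last one is the RID.
  for (let i = 0; i < subCount; i++) {
    parts.push(buf.readUInt32LE(8 + 4 * i));
  }
  return parts.join('-');
}

// Non-throwing wrapper for a field-map script: empty string for non-SID input.
function sidOrEmpty(b64) {
  try {
    return sidFromBase64(b64);
  } catch (e) {
    return '';
  }
}

// Sample value from the original post.
const SAMPLE_SID = 'AQUAAAAAAAUVAAAAWUwLi17c7L1aBsrNrgQAAA==';
// Constructed inputs: S-1-5-18 (12 bytes) and a 16-byte value that is not a SID.
const LOCAL_SYSTEM = Buffer.from('010100000000000512000000', 'hex').toString('base64');
const SIXTEEN_BYTES = Buffer.from('00112233445566778899aabbccddeeff', 'hex').toString('base64');

console.log(sidFromBase64(SAMPLE_SID));
console.log(sidFromBase64(LOCAL_SYSTEM));
console.log(JSON.stringify(sidOrEmpty(SIXTEEN_BYTES)));
```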