Get an object by its objectGUID using ldapsearch

This script worked for me; I'm posting it here in case it might help someone else

#!/bin/bash

# specify as first parameter the object ID as received by an LDAP query; it's base-64 encoded.
OBJECT_ID="${1}"

# we decode it, we hex-dump it and store it in an array to
# re-order it in the format expected by LDAP
BASE64_DECODED=$(echo $OBJECT_ID | base64 -d -i)
G=($(echo ${BASE64_DECODED} | hexdump -e '1/1 " %02X"'))
    OBJECTGUID="${G[3]}${G[2]}${G[1]}${G[0]}-${G[5]}${G[4]}-${G[7]}${G[6]}-${G[8]}${G[9]}-${G[10]}${G[11]}${G[12]}${G[13]}${G[14]}${G[15]}"

BIND_DN="CN=..."

# Note that we use the GUID as the search base
SEARCH_BASE="<GUID=${OBJECTGUID}>"

# we query for any object (the important point here is the search base)
QUERY="(cn=*)"

ATTRIBUTES="objectGUID userPrincipalName sAMAccountName"

ldapsearch -x -D "${BIND_DN}" -W -h x.y.com -b "${SEARCH_BASE}" "${QUERY}" ${ATTRIBUTES}

# we decode it, we hex-dump it and store it in an array to
# re-order it in the format expected by LDAP
BASE64_DECODED=$(echo $OBJECT_ID | base64 -d -i)
G=($(echo ${BASE64_DECODED} | hexdump -e '1/1 " %02X"'))

OBJECTGUID="${G[3]}${G[2]}${G[1]}${G[0]}-${G[5]}${G[4]}-${G[7]}${G[6]}-${G[8]}${G[9]}-${G[10]}${G[11]}${G[12]}${G[13]}${G[14]}${G[15]}"

I used the above answer and ran into a couple of subtle errors during testing.

1. BASE64_DECODED is set to binary data which can contain any possible byte value. echoing that without quotes causes some byte values to be interpreted by the shell. tabs and newlines (maybe more) will be converted to spaces, which corrupts your output data.

2. hexdump by default will suppress duplicate characters and replace them with an asterisk and newline. So if your GUID ever has two consecutive bytes the same you will get some strange looking output:

   OBJECT_ID = Qdicy5qc3kOqtrZ3dYswgw==
   OBJECTGUID = CB9CD841-9C9A-43DE-AAB6*-77758B30830A
   

Here is the corrected code that fixes these problems:

# we decode it, hex-dump it and store it in an array
G=($(echo -n $object_id | base64 -d -i | hexdump -v -e '1/1 " %02X"'))

OBJECTGUID="${G[3]}${G[2]}${G[1]}${G[0]}-${G[5]}${G[4]}-${G[7]}${G[6]}-${G[8]}${G[9]}-${G[10]}${G[11]}${G[12]}${G[13]}${G[14]}${G[15]}"

The main problem is that objectGUID is a binary field, and certain ldapsearch builds don't have an ability to directly query that kind of field. As the output of searching for objectGUID shows, it's presuming the data is base64 and that's what you're seeing when searching for objectGUID. The actual data on one object in my tree is 32 bytes long, but linux ldapsearch gave me a 22 byte return value.

It looks like the Sun build of ldapsearch has the ability to handle binary data, but the Linux version does not.