LDAPAccountManager / lam

LDAP Account Manager

"objectClass" option sent even when not needed #341

Closed paschulke closed 3 weeks ago

paschulke commented 3 weeks ago

Issue Summary

When modifying a property of a user account in an MS Active Directory environment, LAM sends an LDAP modifyRequest with the objectClass attribute and securityPrincipal value even though the original account is not directly associated with this class.

This results in issues for users who have permissions to edit basic LDAP properties (such as telephone or address) but are not allowed to add the objectClass, thereby preventing any modification of such AD accounts.

The default objectClasses for users created (via PowerShell New-ADUser or GUI) in our environment are:

top
person
user
organizationalPerson

The securityPrincipal is an auxiliary class and therefore not included.

Steps to Reproduce

  1. Create a new user in an AD environment.
  2. Verify that the objectClass does not contain securityPrincipal (PowerShell Get-ADUser -LDAPFilter "(objectClass=securityPrincipal)").
  3. Edit the user account.
  4. Save the changes.
  5. Observe that an LDAP modifyRequest is sent with the objectClass attribute and securityPrincipal value.

This behavior can be confirmed by observing the request in a running Wireshark session (attached screenshot: Screenshot 2024-06-20 141214).

Affected Versions

gruberroland commented 3 weeks ago

Thanks a lot for your detailed report. This will be fixed in the next release.
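The report above is about which attributes end up in the modifyRequest when only a basic attribute such as the telephone number is edited. The following is an added example, not LAM's code and not the fix the maintainer refers to: it builds the modify for an edited AD user two ways, a naive strategy that re-asserts a module's full objectClass list on every save (which reproduces the behaviour described, adding the auxiliary securityPrincipal class) and a minimal strategy that emits an operation only for attributes whose values actually changed, plus a guard you can run before sending to see whether a planned modify touches objectClass at all. The sample entry, its DN and the MODULE_CLASSES list are constructed for the example; the objectClass values are the four the report lists.

```python
"""
Added example (not LAM's code): build the LDAP modify for an edited AD user
two ways and show which one ends up touching objectClass.

Constructed input: a user whose objectClass values are the four the report
lists (top, person, organizationalPerson, user); securityPrincipal is absent
because it is an auxiliary class that AD does not add on creation.
"""
from copy import deepcopy

USER_DN = "CN=Jane Doe,OU=Staff,DC=example,DC=local"   # hypothetical DN

ORIGINAL = {                                            # constructed sample entry
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Jane Doe"],
    "sAMAccountName": ["jdoe"],
    "telephoneNumber": ["+1 555 0100"],
}

# Hypothetical list of object classes an account module "owns".  The naive
# strategy re-asserts all of them on every save, which is the behaviour the
# report describes.
MODULE_CLASSES = ["top", "person", "organizationalPerson", "user", "securityPrincipal"]


def _norm(attr, values):
    """Normalise a value list for comparison; objectClass values are case-insensitive."""
    values = values or []
    if attr.lower() == "objectclass":
        return sorted(v.lower() for v in values)
    return sorted(values)


def naive_modify(original, edited, module_classes=MODULE_CLASSES):
    """Always ensure the module's classes are present, then replace changed attributes."""
    present = {v.lower() for v in original.get("objectClass", [])}
    ops = []
    missing = [c for c in module_classes if c.lower() not in present]
    if missing:
        ops.append(("add", "objectClass", missing))
    for attr, values in edited.items():
        if attr.lower() == "objectclass":
            continue
        if _norm(attr, original.get(attr)) != _norm(attr, values):
            ops.append(("replace", attr, list(values)))
    return ops


def minimal_modify(original, edited):
    """Emit an operation only for attributes whose values actually changed.

    objectClass is treated like any other attribute: it appears in the
    modify only if the edit itself changed it.
    """
    ops = []
    for attr in sorted(set(original) | set(edited), key=str.lower):
        if _norm(attr, original.get(attr)) == _norm(attr, edited.get(attr)):
            continue
        new = list(edited.get(attr, []))
        ops.append(("replace", attr, new) if new else ("delete", attr, []))
    return ops


def touches_object_class(ops):
    """Guard: does a planned modify contain any objectClass change?"""
    return any(attr.lower() == "objectclass" for _, attr, _ in ops)


def to_ldif(dn, ops):
    """Render the operations as an LDIF 'changetype: modify' record, i.e. the
    same content a modifyRequest carries on the wire."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def edit_phone(original, new_number):
    """The reporter's scenario: change only the telephone number."""
    edited = deepcopy(original)
    edited["telephoneNumber"] = [new_number]
    return edited


if __name__ == "__main__":
    edited = edit_phone(ORIGINAL, "+1 555 0199")
    for name, ops in (("naive", naive_modify(ORIGINAL, edited)),
                      ("minimal", minimal_modify(ORIGINAL, edited))):
        print(f"--- {name}: touches objectClass = {touches_object_class(ops)}")
        print(to_ldif(USER_DN, ops))
```

Run the script and compare the two LDIF records: the naive one contains an `add: objectClass` / `objectClass: securityPrincipal` change set before the telephoneNumber replace, which is exactly what an account with write access only to telephoneNumber cannot apply, while the minimal one contains the telephoneNumber replace alone. A guard like `touches_object_class` placed before the write is a cheap way to catch this class of regression in a client, since a permission-restricted AD user will otherwise only see the whole modify rejected.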