.NET LDAP client library for .NET Standard >= 2.0, .NET Core >=1.0, NET5/NET6/NET7/NET8 - works with any LDAP protocol compatible directory server (including Microsoft Active Directory).
MIT License
Query returns a DN containing escaped characters which when used in a subsequent query causes a FilterError #175
Thanks for providing this library, I've used it in a few projects now :+1:
I just wanted to clarify behaviour around escaped characters in DNs with something we've run into today where a group name contained a character that requires escaping.
The environment is Microsoft AD and a `testuser` exists, who is a member of a group that is named `My # Group` (i.e., containing a `#` character that would need to be escaped in a DN).
We make a simple query to find all groups the testuser is a member of:
```csharp
var results = context.LdapConnection.Search(
    "cn=Users,dc=corp,dc=contoso,dc=com",
    LdapConnection.ScopeSub,
    "(&(objectClass=person)(sAMAccountName=testuser))",
    new[]
    {
        // Attribute names are passed as strings
        "cn",
        "displayName",
        "memberOf"
    },
    false
);
var searchResult = results.FirstOrDefault();
var groups = searchResult.TryGetAttribute("memberOf")?.StringValueArray;
```
At this point `groups` contains an entry for `CN=My \# Group,OU=Groups,DC=corp,DC=contoso,DC=com` (note the `#` character is automatically escaped as `\#` as returned from the library).
Now if we want to do another search using this group DN, for example to find out what parent groups contain THIS group as a member:
We get an exception:

```
Invalid value in escape sequence "#" (87) Filter Error
```

And the following stack trace:

```
at Novell.Directory.Ldap.Rfc2251.RfcFilter.UnescapeString(String stringRenamed)
at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilterComp()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilterList()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilterComp()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilter()
at Novell.Directory.Ldap.Rfc2251.RfcFilter..ctor(String filter)
at Novell.Directory.Ldap.LdapSearchRequest..ctor(String baseRenamed, Int32 scope, String filter, String[] attrs, Int32 dereference, Int32 maxResults, Int32 serverTimeLimit, Boolean typesOnly, LdapControl[] cont)
at Novell.Directory.Ldap.LdapConnection.Search(String base, Int32 scope, String filter, String[] attrs, Boolean typesOnly, LdapSearchQueue queue, LdapSearchConstraints cons)
at Novell.Directory.Ldap.LdapConnection.Search(String base, Int32 scope, String filter, String[] attrs, Boolean typesOnly, LdapSearchConstraints cons)
at Novell.Directory.Ldap.LdapConnection.Search(String base, Int32 scope, String filter, String[] attrs, Boolean typesOnly)
at Ldap.Integration.Tests.IExternalGroupRetrieverTests.TheReadMethod.TestFilters() in D:\repos\LdapAuthenticationProvider\source\Ldap.Integration.Tests\IExternalGroupRetrieverTests.cs:line 24
```
If the value is not escaped, i.e. `(&(objectClass=group)(member=CN=My # Group,OU=Groups,DC=corp,DC=contoso,DC=com))`, the 2nd query works as expected.
The fact the stack trace mentions an `UnescapeString()` method seems like this library is trying to unescape the value but something is going wrong?
So I just wanted to understand:
Is this library trying to unescape any escaped values when necessary, but something is failing somehow? Is a fix needed here?
OR
Are consumers of this library meant to unescape the value returned from the 1st query before using it in the 2nd query? If so why does the 1st query provide the escaped value (or why does the 2nd one not handle unescaping)? If we do need to do our own unescaping, are there any methods in the library to help do this or do we just `.Replace("\\x", "x")` for each of the 10 chars that are required to be escaped?
+1 to this issue - for us however the issue is with commas in a user's DN. If we un-escape the comma in the DN then the query no longer works - currently we have no solution.