dsbenghe / Novell.Directory.Ldap.NETStandard

.NET LDAP client library for .NET Standard >= 2.0, .NET Core >=1.0, NET5/NET6/NET7/NET8 - works with any LDAP protocol compatible directory server (including Microsoft Active Directory).
MIT License

Query returns a DN containing escaped characters which when used in a subsequent query causes a FilterError #175

Open ryangribble opened 3 years ago

ryangribble commented 3 years ago

Hi,

Thanks for providing this library, I've used it in a few projects now :+1:

I just wanted to clarify behaviour around escaped characters in DNs with something we've run into today where a group name contained a character that requires escaping.

The environment is Microsoft AD and a testuser exists, who is a member of a group that is named My # Group (i.e., containing a # character that would need to be escaped in a DN).

We make a simple query to find all groups the testuser is a member of:

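```csharp
// Look up the user and request the attributes of interest, including memberOf.
var results = context.LdapConnection.Search(
                "cn=Users,dc=corp,dc=contoso,dc=com",
                LdapConnection.ScopeSub,
                "(&(objectClass=person)(sAMAccountName=testuser))",
                new[]
                {
                    "cn",
                    "displayName",
                    "memberOf"
                },
                false
                );

var searchResult = results.FirstOrDefault();

// Each memberOf value is a group DN in its escaped string form.
var groups = searchResult.TryGetAttribute("memberOf")?.StringValueArray;
```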

At this point groups contains an entry for CN=My \# Group,OU=Groups,DC=corp,DC=contoso,DC=com (note the # character is automatically escaped as \# as returned from the library)

Now if we want to do another search using this group DN, for example to find out what parent groups contain THIS group as a member:

```csharp
var results = context.LdapConnection.Search(
                "ou=Groups,dc=corp,dc=contoso,dc=com",
                LdapConnection.ScopeSub,
                "(&(objectClass=group)(member=CN=My \\# Group,OU=Groups,DC=corp,DC=contoso,DC=com))",
                new[]
                {
                    "cn"
                },
                false
                );
```

We get an exception:

Invalid value in escape sequence "#" (87) Filter Error

And the following stack trace:

   at Novell.Directory.Ldap.Rfc2251.RfcFilter.UnescapeString(String stringRenamed)
   at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilterComp()
   at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilterList()
   at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilterComp()
   at Novell.Directory.Ldap.Rfc2251.RfcFilter.ParseFilter()
   at Novell.Directory.Ldap.Rfc2251.RfcFilter..ctor(String filter)
   at Novell.Directory.Ldap.LdapSearchRequest..ctor(String baseRenamed, Int32 scope, String filter, String[] attrs, Int32 dereference, Int32 maxResults, Int32 serverTimeLimit, Boolean typesOnly, LdapControl[] cont)
   at Novell.Directory.Ldap.LdapConnection.Search(String base, Int32 scope, String filter, String[] attrs, Boolean typesOnly, LdapSearchQueue queue, LdapSearchConstraints cons)
   at Novell.Directory.Ldap.LdapConnection.Search(String base, Int32 scope, String filter, String[] attrs, Boolean typesOnly, LdapSearchConstraints cons)
   at Novell.Directory.Ldap.LdapConnection.Search(String base, Int32 scope, String filter, String[] attrs, Boolean typesOnly)
   at Ldap.Integration.Tests.IExternalGroupRetrieverTests.TheReadMethod.TestFilters() in D:\repos\LdapAuthenticationProvider\source\Ldap.Integration.Tests\IExternalGroupRetrieverTests.cs:line 24

If the value is not escaped, i.e. (&(objectClass=group)(member=CN=My # Group,OU=Groups,DC=corp,DC=contoso,DC=com)) - the 2nd query works as expected.

The fact the stack trace mentions an UnescapeString() method seems like this library is trying to unescape the value but something is going wrong?

So I just wanted to understand:

Thanks!

RyanGaudion commented 2 years ago

+1 to this issue - for us however the issue is with commas in a user's DN. If we un-escape the comma in the DN then the query no longer works - currently we have no solution
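
An added example, not part of the thread and not code from the library: DN strings use RFC 4514 escaping (`\#`, `\,`), while a search filter uses RFC 4515 escaping, where a backslash starts a two-hex-digit escape and a literal backslash must be written `\5c`. The helper `EscapeFilterValue` is a hypothetical name, and the second and third DNs are constructed samples; the third shows why the same step also keeps `(`, `)` and `*` in a directory-supplied name from changing the filter's structure.

```csharp
using System;
using System.Text;

static class LdapFilterEscaping
{
    // Hypothetical helper: RFC 4515 section 3 escaping for a filter assertion value.
    // NUL, '(', ')', '*' and '\' are written as a backslash plus two hex digits.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        // DNs in the escaped string form a DN-valued attribute such as memberOf returns.
        string[] dns =
        {
            @"CN=My \# Group,OU=Groups,DC=corp,DC=contoso,DC=com",   // from the issue
            @"CN=Doe\, John,CN=Users,DC=corp,DC=contoso,DC=com",     // constructed sample
            @"CN=Ops (EU) *,OU=Groups,DC=corp,DC=contoso,DC=com",    // constructed sample
        };

        foreach (var dn in dns)
        {
            // Keep the DN's own escaping intact and escape it once more for the filter,
            // so the server receives the DN exactly as the directory returned it.
            string filter = "(&(objectClass=group)(member=" + EscapeFilterValue(dn) + "))";
            Console.WriteLine(filter);
        }
    }
}
```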