jlguenego / node-expose-sspi

Expose Microsoft Windows SSPI to Node for SSO authentication.
ISC License

getUsers() only return user with the surname * #107

Open viyaha opened 3 years ago

viyaha commented 3 years ago

Describe the bug

I just started to "play around" with your library for now (my first time using Active Directory, so maybe I just did something wrong). I just created a simple Windows-Hyper-V-AD-Setup (1 VM DomainController and 1 Client and 1 Server-VM to test SSO authentication). Everything works perfectly (=> Setup seems to be correct). I just found "getUsers" in "src\sso\userdb.ts" and tried it to get all users that are registered in the AD.

Result: Empty Array

==> Looking at the code, the culprit seems to be: https://github.com/jlguenego/node-expose-sspi/blob/aa53a41f6fbbf58e38cdd8d1643203c093274bcb/src/sso/userdb.ts#L106

In my understanding, "(sn=*)" means to return only users with the surname "*". Updating a user's surname to "*" results in the user being returned by "getUsers".

To Reproduce

AD Setup and call getUsers. :)

Expected behavior

Should return users of domain.

Please indicates also:

anotherCoward commented 2 years ago

Normal users (humans...) have a first name and surname in AD. Most service accounts don't. I wouldn't call it a bug.

On a medium size business:

A lot of them are deactivated too, but that could be checked with other filter-options.

You compare a testing env with 3 or 4 accounts to a business with lots of users, services and groups that have all different values set in their OU.

The (sn=*) search is fine in my opinion, but if you want to be more specific use

(&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))

This will match all users including service accounts but no computers.

I would suggest an override option of the default filter to fit your needs.
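
The two filters discussed in this thread can be compared offline with a small evaluator. In RFC 4515 filter syntax, `attr=*` is a presence test, so `(sn=*)` selects entries that have any surname set. This is an added example, not code from node-expose-sspi or from the commenters: `compileFilter`, `select` and the sample entries are constructed for illustration, and only AND, OR, NOT, equality and presence are handled.

```typescript
// Added example: compiles a subset of RFC 4515 filters (AND, OR, NOT, equality,
// presence) into a predicate. Escapes, substring and other match types are rejected.
type Entry = { [attr: string]: string[] };
type Pred = (e: Entry) => boolean;

function compileFilter(text: string): Pred {
  let pos = 0;
  const expect = (ch: string): void => { if (text[pos++] !== ch) throw new Error(`expected ${ch}`); };
  function node(): Pred {
    expect("(");
    let p: Pred;
    const c = text[pos];
    if (c === "&" || c === "|" || c === "!") pos++;
    if (c === "&" || c === "|") {
      const kids: Pred[] = [];
      while (text[pos] === "(") kids.push(node());
      p = c === "&" ? (e) => kids.every((k) => k(e)) : (e) => kids.some((k) => k(e));
    } else if (c === "!") {
      const kid = node();
      p = (e) => !kid(e);
    } else {
      const end = text.indexOf(")", pos), eq = text.indexOf("=", pos);
      if (end < 0 || eq <= pos || eq > end) throw new Error(`bad item at ${pos}`);
      const attr = text.slice(pos, eq).toLowerCase(), want = text.slice(eq + 1, end).toLowerCase();
      if (!/^[a-z][a-z0-9.;-]*$/.test(attr) || (want !== "*" && /[*\\]/.test(want))) throw new Error("unsupported item");
      // "attr=*" is a presence test (any value set), not a match on a literal "*".
      p = (e) => (e[attr] || []).some((v) => want === "*" || v.toLowerCase() === want);
      pos = end;
    }
    expect(")");
    return p;
  }
  const root = node();
  if (pos !== text.length) throw new Error("trailing text after filter");
  return root;
}

// Constructed sample entries (attribute names lower-cased), not real data.
const USER = ["top", "person", "organizationalPerson", "user"];
const DIRECTORY: Entry[] = [
  { samaccountname: ["alice"], objectclass: USER, sn: ["Martin"] },
  { samaccountname: ["svc-backup"], objectclass: USER },
  { samaccountname: ["CLIENT01$"], objectclass: [...USER, "computer"] },
];

function select(filter: string, entries: Entry[] = DIRECTORY): string[] {
  const match = compileFilter(filter);
  return entries.filter(match).map((e) => (e["samaccountname"] || []).join());
}
```

With these entries, `select("(sn=*)")` returns only `alice`, while the objectClass filter from the comment above returns `alice` and `svc-backup` and leaves out the computer account.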