jsumners / node-activedirectory

ActiveDirectory is an Node.js ldapjs client for authN (authentication) and authZ (authorization) for Microsoft Active Directory with range retrieval support for large Active Directory installations. Originally forked from gheeres/node-activedirectory.
MIT License

getGroupMembershipForUser : Error "lde_message":"0000208D #98

Closed SRYBA closed 2 years ago

SRYBA commented 2 years ago

Copied code

var config = {
    url: 'ldap://bss.in',
    base: 'dc=bss,dc=in',
    bindDN: 'admrybak@bss.in',
    bindCredentials: 'XXX'
}
var ad = new ActiveDirectory(config);
var username = 'admrybak@bss.in';
var password = 'XXX';

const test = ad.authenticate(username, password, function (err, auth) {
    if (err) {
        console.log('ERROR: ' + JSON.stringify(err));
        return;
    }

    if (auth) {
        console.log('Authenticated!');

    }
    else {
        console.log('Authentication failed!');
    }
});

//console.log(test.toStrng())

const sAMAccountName = 'admrybak@bss.in';

//var ad = new ActiveDirectory(config);
ad.getGroupMembershipForUser(sAMAccountName, function (err, groups) {
    if (err) {
        console.log('ERROR: ' + JSON.stringify(err));
        return;
    }

    if (!groups) console.log('User: ' + sAMAccountName + ' not found.');
    else console.log(JSON.stringify(groups));
});

Output in console: [nodemon] starting node index.js Runnning on 3001 ERROR: {"lde_message":"0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n\u0000","ldedn":null} Authenticated!

My stack Windows\Nodejs 16 - Windows AD 2008 R2

jsumners commented 2 years ago

What is the problem? The error is stating that no entry was found. Have you searched the Internet for error code 0000208D?

SRYBA commented 2 years ago

There is an equal user in AD [image]. In this thread I found a typical error https://github.com/RocketChat/Rocket.Chat/issues/8462 about missing fields in the query. I had tested that any string in sAMAccountName returns error 0000208D

jsumners commented 2 years ago

That is an error from your server indicating a bad search. Please review your query. It is likely you are not scoping the query correctly.

srybak2022 commented 2 years ago

I see var query = 'cn=*Exchange*'; but it isn't used in var config = { url: 'ldap://dc.domain.com', or in ad.getGroupMembershipForUser(sAMAccountName, function (err, groups) { . Can you type an example of usage or a citation from the documentation? (Maybe I missed something)

jsumners commented 2 years ago

https://github.com/jsumners/node-activedirectory/tree/8ff17bdf366a2d6926879ba06fbe84ba0171c01f#opts

SRYBA commented 2 years ago

I added to 'config'

attributes: {
        user: ['userPrincipalName', 'mail', 'givenName', 'initials', 'cn', 'displayName']
    },
    group: ['objectCategory']

added query of search

var query = 'cn=test.t@bss.in';
...
ad1.getGroupMembershipForUser(query, function (err, groups) {

but result still 0000208D . Please help.

jurjendijkstra commented 2 years ago

Are LDAP queries case-sensitive? I think they are.

You are searching for 'admrybak' but the screenshot shows 'AdmRybak'. If LDAP is case-sensitive then NO_OBJECT is true.

jurjendijkstra commented 2 years ago

Well, LDAP attributes are by default case-sensitive but AD queries are supposed to be not case-sensitive, but Javascript is case-sensitive, so I would still suggest experimenting with case to get it right.

SRYBA commented 2 years ago

Yes, by default AD is not case-sensitive in CN fields:

powershell> Get-ADUser test.T ... SamAccountName : test.t

I have tried other variants of variables. When trying to find anything with a filter, AD returns:

powershell> dsquery user cn=Users
dsquery failed:No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest. 

But this command works correctly:

powershell> dsquery user -name *test*
...
"CN=test1,CN=Users,DC=bss,DC=in"

jsumners commented 2 years ago

Again, set your search scope.

jurjendijkstra commented 2 years ago

So powershell shows there is no user "test.t" but there is only a "test1" and your powershell experiment proves nothing about case sensitivity in nodejs.

Can you please post your complete experiment, not just these two statements? And point out at which line you get the 0000208D error? Because in the opening post there are two identical console.log statements and it is not clear to me at which one you got the error. If you use admrybak anywhere in your sample please replace it by AdmRybak.

I added to 'config'

attributes: {
       user: ['userPrincipalName', 'mail', 'givenName', 'initials', 'cn', 'displayName']
   },
   group: ['objectCategory']

added query of search

var query = 'cn=test.t@bss.in';
...
ad1.getGroupMembershipForUser(query, function (err, groups) {

but result still 0000208D . Please help.

SRYBA commented 2 years ago

index.txt (code with scope) and output: ERROR: {"lde_message":"0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT ), data 0, best match of:\n\t''\n\u0000","lde_dn":null} Authenticated!

jurjendijkstra commented 2 years ago

The program lists two tests and they both run at the same time. Since there is an "Authenticated!" output, I will assume that the 208D error comes from the getGroupMembershipForUser test.

According to documentation, the parameters for getGroupMembershipForUser are (opts, username, callback). opts is optional. You did give an opts parameter but no username parameter.

So instead of

ad1.getGroupMembershipForUser(opt, function (err, groups)

you should do

ad1.getGroupMembershipForUser(opt, username, function (err, groups)

and I bet you'd better skip the optional opt parameter.

So what goes in the username parameter? You tried 'cn=test.t', but that does not look like a DN, only a part of a DN. Powershell gave you the DN, it is 'CN=test1,CN=Users,DC=bss,DC=in'

SRYBA commented 2 years ago

There is user in AD:

powershel> Get-ADUser test1
DistinguishedName : CN=test1,CN=Users,DC=bss,DC=in
Enabled           : True
GivenName         : Test
Name              : test1
ObjectClass       : user
ObjectGUID        : 00608bd5-da5e-4187-9cd7-f4b5a12783e9
SamAccountName    : test1
SID               : S-1-5-21-117487918-2166526996-3672335082-7118
Surname           : Testov
UserPrincipalName : test1@bss.in

He can be found by search:

powershel> dsquery user "CN=test1,CN=users,DC=Bss,DC=In"
"CN=test1,CN=Users,DC=bss,DC=in"

I reviewed the code as you said, but it didn't work, same trouble:

var SamAccountName = 'test1';
var opt = {
    includeMembership: ['group', 'user'], 
    includeDeleted: false,
    scope: 'sub',
    filter: 'CN=users,DC=Bss,DC=In'
};
var ad1 = new ActiveDirectory(config);
ad1.getGroupMembershipForUser(opt, SamAccountName, function (err, groups) {
    if (err) {
        console.log('ERROR: ' + JSON.stringify(err));
        return;
    }
    if (!groups) console.log('User: ' + sAMAccountName + ' not found.');
    else console.log(JSON.stringify(groups));
});

Please note that the construction if (!groups) console.log('User: ' + sAMAccountName + ' not found.'); doesn't return a message.

jurjendijkstra commented 2 years ago

I have doubts about that opt parameter, especially the opt.filter attribute. It looks like a base dn, not like a filter.

Have you tried without the opt parameter?

ad1.getGroupMembershipForUser( 'test1', function (err, groups) {

jsumners commented 2 years ago

It looks like a base dn, not like a filter.

That's because it is not a filter. The filter syntax is defined by https://tools.ietf.org/search/rfc4515

SRYBA commented 2 years ago

Can you write an example for CN=users,DC=Bss,DC=In? Yes, I tried that earlier [image]

jurjendijkstra commented 2 years ago

I did not notice before but the config object has wrong property names. You sent us this:

var config = {
    url: 'ldap://bss.in',
    base: 'dc=bss,dc=in',
    bindDN: 'test.t@bss.in',
    bindCredentials: 'xxxxxxxxxx',
    attributes: {
        user: ['userPrincipalName', 'mail', 'givenName', 'initials', 'cn', 'displayName']
    },
    group: ['objectCategory']
}

try

var config = {
    url: 'ldap://bss.in',
    baseDN: 'dc=bss,dc=in',
    username: 'test.t@bss.in',
    password: 'xxxxxxxxxx',
    attributes: {
        user: ['dn', 'distinguishedName',
        'userPrincipalName', 'sAMAccountName', 'mail',
        'lockoutTime', 'pwdLastSet', 'userAccountControl',
        'sn', 'givenName', 'cn', 'displayName',
        'accountExpires'],
        group: ['dn', 'cn', 'description', 'distinguishedName', 'objectCategory']
    }
}

This is my last comment, I have to go now. Good luck!

SRYBA commented 2 years ago

Output changed to: [image]

jsumners commented 2 years ago

Please set scope: 'sub' and define a filter. See https://github.com/jsumners/node-activedirectory/tree/8ff17bdf366a2d6926879ba06fbe84ba0171c01f#example

SRYBA commented 2 years ago

I copied

scope: 'sub',
  filter: 'objectClass=User',

Now ad1.getGroupMembershipForUser(opt, SamAccountName, function (err, groups) { returns new1.txt (not the full list of all groups from AD?) but ignores the SamAccountName parameter.

jsumners commented 2 years ago

So, as originally stated, this is not a library issue. It is one of usage. The LDAP server is returning the original error due to a bad query. The result set is also dependent on a correct query. Please review documentation on how LDAP queries are crafted and work.
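Pulling the thread's conclusions together, here is an added example (not code from the issue or from the library): the config with the property names jurjendijkstra pointed out (baseDN/username/password), the (opts, username, callback) call shape, and an opts.filter that is actual RFC 4515 syntax rather than a base DN. The filter value is escaped so a username containing filter metacharacters cannot change the query. The bind account and the npm package name 'activedirectory2' are assumptions; only the hostname and base DN come from the thread.

```javascript
'use strict';

// RFC 4515 section 3: backslash, asterisk, parentheses and NUL must be
// written as \XX hex escapes inside a filter value. Without this, a value
// such as "*)(objectClass=*" would widen the search (LDAP filter injection).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// A filter that selects exactly one user object by sAMAccountName. This is
// what opts.filter has to look like; 'CN=users,DC=Bss,DC=In' is a DN, not a filter.
function userFilter(sAMAccountName) {
  return '(&(objectCategory=person)(objectClass=user)(sAMAccountName=' +
    escapeFilterValue(sAMAccountName) + '))';
}

// Config using the property names the library expects. The bind account is a
// constructed placeholder; url and baseDN are the values from the thread.
function buildConfig(password) {
  return {
    url: 'ldap://bss.in',
    baseDN: 'dc=bss,dc=in',
    username: 'svc-ldap@bss.in',   // constructed placeholder bind account
    password,
    attributes: {
      user: ['dn', 'sAMAccountName', 'userPrincipalName', 'cn', 'displayName'],
      group: ['dn', 'cn', 'distinguishedName', 'objectCategory'],
    },
  };
}

// Correct call shape: opts first, then the username, then the callback.
// Omitting the username argument is the mistake discussed in the thread.
// The plain ad.getGroupMembershipForUser(sAMAccountName, callback) form works
// too; a narrow filter is only needed if you override the library's default.
function lookupGroups(sAMAccountName, password, callback) {
  // Assumption: the jsumners fork is published on npm as 'activedirectory2'.
  const ActiveDirectory = require('activedirectory2');
  const ad = new ActiveDirectory(buildConfig(password));
  const opts = { scope: 'sub', filter: userFilter(sAMAccountName) };
  ad.getGroupMembershipForUser(opts, sAMAccountName, callback);
}
```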