ldapjs / node-ldapjs

LDAP Client and Server API for node.js
http://ldapjs.org
MIT License
1.61k stars 448 forks

Attributes with upper case letters requested in search on server are filtered out #900

Open schoel-bis opened 1 year ago

schoel-bis commented 1 year ago

When making a request to an ldapjs based server that includes a selection of attributes, and any of these attributes contain upper case letters, these attributes will not be included in the response. For example, the response to this request:

    ldapsearch -D '<rootDN>' -b '<mount path>' -H '<hostname>' '(objectclass=*)' sn mail memberOf

if provided through:

    server.search('<mount path>', (req, res, next) => {
      res.send({ dn: 'cn=foo', attributes: { sn: 'Me', mail: 'me@home.com', memberOf: 'ou=Everyone' } });
      res.end();
      next();
    });

will return

    dn: cn=foo
    sn: Me
    mail: me@home.com

i.e. memberOf is filtered out. This happens in this part of SearchResponse.js:

    Object.keys(entry.attributes).forEach(function (a) {
      const _a = a.toLowerCase()
      if (!nofiltering && _a.length && _a[0] === '_') {
        …
      } else if (self.attributes.length && self.attributes.indexOf(_a) === -1) {
        savedAttrs[a] = entry.attributes[a]
        delete entry.attributes[a]
      }
    })

where the entry's attribute name is cast to lower case, but the response's ones (i.e. self.attributes) are not, so that search attributes with upper case letters will never match anything at all.

I am currently working around that by patching the attributes in the response object and converting them to lower case from my search functions. I imagine something like that should be done in SearchResponse.send instead.

jsumners commented 1 year ago

Can you please provide a link to the source code in question? https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet

What version of ldapjs are you using?

schoel-bis commented 1 year ago

Sure. Here's the link to that bit of code I am quoting above: https://github.com/ldapjs/node-ldapjs/blob/f2890088e49c0c7b7b880998d73d6e4a448d7b4e/lib/messages/search_response.js#L57-L71C1

I am using 3.0.2.

jsumners commented 1 year ago

Thank you. I wanted to verify that I was looking at the same block of code because of your reduction in the original post.

At least this code is old 🤣

We're going to need to draft a test, probably similar to https://github.com/ldapjs/node-ldapjs/blob/f2890088e49c0c7b7b880998d73d6e4a448d7b4e/test/issue-845.test.js, that exhibits the problem and work backward from there. I think that instead of patching SearchResponse.send, we should fix the linked algorithm to compare objects correctly.

x-way commented 10 months ago

Did run into the same problem (using 3.0.7). My (hacky) workaround is to force the allow-all-attributes mode by manually setting the * attribute on the SearchResponse object before calling send():

    res.attributes = ['*'];
    res.send(myResponse);

dsl101 commented 9 months ago

Just hit this using Apache Guacamole LDAP extension. It requests attributes using camelcase, and so they are filtered out. I think the problem is this test in search_response.js:

      } else if (self.attributes.length && self.attributes.indexOf(_a) === -1) {

That line is comparing the incoming (self.attributes) with the lowercased versions of those specified in the search response.

@x-way your workaround solved my issue, so thanks!
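
Added example (not part of the thread and not ldapjs code): a stand-alone model of the comparison quoted in the original post, next to a variant that lowercases both sides, since LDAP attribute names are case-insensitive. The function names and the sample entry are constructed for illustration, and the `_`-prefixed branch elided in the quote is left out.

```javascript
// Added example, not ldapjs code: all function names are hypothetical.

// Models the quoted check: the entry's attribute name is lowercased, the
// requested names (self.attributes in the quote) are compared as received.
function filterAsQuoted (requested, attributes) {
  const kept = {}
  for (const name of Object.keys(attributes)) {
    const lowered = name.toLowerCase()
    if (requested.length && requested.indexOf(lowered) === -1) continue
    kept[name] = attributes[name]
  }
  return kept
}

// Variant that normalises both sides before comparing.
function filterCaseInsensitive (requested, attributes) {
  const wanted = new Set(requested.map((r) => r.toLowerCase()))
  const kept = {}
  for (const name of Object.keys(attributes)) {
    if (wanted.size && !wanted.has(name.toLowerCase())) continue
    kept[name] = attributes[name]
  }
  return kept
}

// Test helper: requested attributes that the entry has but the filter dropped.
function droppedByFilter (filter, requested, attributes) {
  const present = new Set(Object.keys(attributes).map((k) => k.toLowerCase()))
  const kept = new Set(
    Object.keys(filter(requested, attributes)).map((k) => k.toLowerCase())
  )
  return requested.filter((r) => {
    const key = r.toLowerCase()
    return present.has(key) && !kept.has(key)
  })
}

// Constructed sample: the entry and attribute selection from the original post.
const entry = { sn: 'Me', mail: 'me@home.com', memberOf: 'ou=Everyone' }
const requested = ['sn', 'mail', 'memberOf']

console.log(droppedByFilter(filterAsQuoted, requested, entry))
console.log(droppedByFilter(filterCaseInsensitive, requested, entry))
```

A helper like `droppedByFilter` can back a regression test that requests mixed-case names and fails if any attribute present on the entry is missing from the result.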