Comments (13)
I tested your scenario:
- I created a group "group\ba-*" in AD
In the people picker:
- If I type "group\b": LDAPCP searches "group\b*" and AD does not find the result
- If I type "group\ba": LDAPCP searches "group\ba*" and AD finds the result, but LDAPCP excludes it
So there is a problem on both the AD and LDAPCP side with these characters, but I don't know if there is an easy solution to fix this...
from ldapcp.
Thank you for the reply.
The behaviour of the AD when sending the "\b" search is a bit strange, but possibly a deviation from the RFC.
To our understanding it should work if the query string sent to the LDAP server escapes the "\" as "\5C". This should suffice for all LDAP servers, not only AD.
from ldapcp.
Do you have the opportunity to check the proposed change?
from ldapcp.
To be honest, no, sorry.
Can you please give clear example(s) of how LDAPCP should change the input (before/after)?
Can you also test your proposed change using the PowerShell script here and confirm if it works?
from ldapcp.
We got to test the changes with the script:
We are using the admindisplayname for filtering, but the problem is independent from it. As soon as a "\" followed by a hexadecimal character is in the searched string, the search fails. Replacing "\" with "\5c" solves the issue.
Therefore we recommend a general replacement of the "\" character with "\5c" in the searched strings for attributes.
from ldapcp.
Is the provided information sufficient and clear?
from ldapcp.
I created a group with the name "group\specialchar":
In AD it was created with following properties:
- LDAP attribute "name" = group\specialchar
- LDAP attribute "sAMAccountName" = group_specialchar
I made following tests using this PowerShell script:
$filter = "(&(objectClass=group)(name=group\special*))"
=> Returns the group as expected
$filter = "(&(objectClass=group)(name=group\5cspecial*))"
=> Returns the group as expected
So it's still not clear to me what scenario is not working, and if you could provide text examples instead of screenshots, it will be far easier for me to understand.
from ldapcp.
As mentioned earlier, the problem only occurs when the character after the \ is a hexadecimal character (0-9a-f). So "group\specialchar" works fine (even though according to the standard this should not work either, because all \ have to be encoded).
A better example would be: "group\acharacter". Searching "group\achar*" will yield nothing and "group\5cachar*" will yield the group.
The encoding of special characters can be found for example in
https://ldap.com/ldap-dns-and-rdns/
If someone wants to go crazy, it would be nice to encode the other characters too. But \ should cover most of the cases.
from ldapcp.
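The two comments above (the "\" followed by a hex digit failing, and the recommendation to encode "\" as "\5c") come down to how an LDAP server parses the assertion value of a search filter. The following is an added example, not LDAPCP's code: an RFC 4515 escaper for user-typed values, a filter builder that keeps the intended trailing wildcard, and a small decoder that shows why "group\achar*" cannot match a group named "group\achar" while "group\5cachar*" does. The attribute names and group names are constructed for the demonstration; the decoder's pass-through of a backslash not followed by two hex digits is an assumption that mirrors the tolerant AD behaviour reported in the thread, not something the RFC guarantees.

```python
# Added example, not code from LDAPCP: RFC 4515 escaping of LDAP filter values,
# and a decoder showing why an unescaped "\" followed by two hex digits changes the query.
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-typed value before placing it inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_prefix_filter(object_class: str, attribute: str, prefix: str) -> str:
    """Build '(&(objectClass=...)(attr=prefix*))'. The trailing '*' is the intended
    wildcard and is appended after escaping, so it is never escaped itself."""
    return f"(&(objectClass={object_class})({attribute}={escape_filter_value(prefix)}*))"


_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def decode_assertion_value(raw: str) -> bytes:
    """Decode an assertion value the way a server parses it: '\\XX' is the single byte 0xXX.
    Assumption: a backslash NOT followed by two hex digits is passed through unchanged,
    mirroring the tolerant AD behaviour observed in the thread (the RFC treats it as invalid)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        m = _HEX_ESCAPE.match(raw, i)
        if m:
            out.append(int(m.group(1), 16))  # "\ac" -> byte 0xAC, not "\" + "a" + "c"
            i = m.end()
        else:
            out.extend(raw[i].encode("utf-8"))
            i += 1
    return bytes(out)


if __name__ == "__main__":
    typed = "group\\achar"  # constructed: what a user types in the people picker
    print(build_prefix_filter("group", "name", typed))
    # naive filter: the server reads "\ac" as one byte, so a group named "group\achar" never matches
    print(decode_assertion_value("group\\achar*"))
    # escaped filter: the server reads "\5c" as a literal backslash
    print(decode_assertion_value("group\\5cachar*"))
    # escaping also neutralises filter-injection characters such as "*" and ")("
    print(escape_filter_value("*)(objectClass=*"))
```

Escaping every value before it is interpolated into a filter fixes both the hex-digit case and the other RFC 4515 metacharacters in one place, which is also the usual defence against LDAP filter injection from a search box.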
I just realized all my "\" got replaced to "" after sending. Sorry if that made earlier text a bit confusing.
from ldapcp.
Ok, now I can reproduce your scenario.
I made some changes in LDAPCP and fixed this scenario if the corresponding ClaimTypeConfig doesn't have property ClaimValuePrefix set with dynamic tokens {domain} or {fqdn}. Are you using them?
from ldapcp.
The person who configured the settings is on vacation and we currently can't find the corresponding settings. But a colleague thinks we use the {domain} token.
from ldapcp.
I just fixed this bug in commit 57d6397, which actually handles all special LDAP characters, not only '\'
from ldapcp.
Hello,
thanks for fixing; we tested the fix and the search result is now working fine.
But now we have an issue that there is a \ prefix before the domain: the user account is written in SharePoint in the form \fqdn\groupname
from ldapcp.