Support unicode DN #957
Comments
The string is correct. The spec only allows ASCII characters. Any other characters must be escaped. See #860 (comment).
Sorry for opening this issue without finding this comment...

base1='cn=проба,ou=пера,dc=example,dc=com'
base2=String(ldapjs.parseDN(base1))
base3='ou=пера,dc=example,dc=com'
base4=String(ldapjs.parseDN(base3))
// check1
ldap.search(base1,{scope:'base'},cb)
// check2
ldap.search(base2,{scope:'base'},cb)
// check3
ldap.search(base3,{scope:'sub'},cb)
// check4
ldap.search(base4,{scope:'sub'},cb)

All searches got

# ldapsearch $ldap_auth_args -b 'cn=проба,ou=пера,dc=example,dc=com' -s base -LLL '' dn
dn:: Y2490L/RgNC+0LHQsCxvdT3Qv9C10YDQsCxkYz1leGFtcGxlLGRjPWNvbQ==
# ldapsearch $ldap_auth_args -b 'cn=\d0\bf\d1\80\d0\be\d0\b1\d0\b0,ou=\d0\bf\d0\b5\d1\80\d0\b0,dc=example,dc=com' -s base -LLL '' dn
No such object (32)
Matched DN: dc=example,dc=com
Additional information: 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of:
'dc=example,dc=com'

And same for OU/sub search — raw unicode argument works, but "escaped" version doesn't. In PS: Obviously I've replaced real DNs in examples, but sense is kept intact.
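The two string forms used in the searches above, as an added example that is not part of any participant's post and is not ldapjs code: it converts a DN between raw UTF-8 and RFC 4514 hex-pair escapes and shows that both strings name the same bytes. The function names are hypothetical; the DN values are the ones quoted in the thread.

```javascript
// Added example (not ldapjs code): converts between the two string forms of
// the DN seen in this thread. Only non-ASCII bytes are touched; escaped ASCII
// specials such as "\," stay escaped so the RDN structure is preserved.

// Raw UTF-8 characters -> RFC 4514 hex pairs, one "\xx" per UTF-8 byte.
function utf8ToHexEscapes(dn) {
  const encoder = new TextEncoder();
  return dn.replace(/[^\x00-\x7f]+/gu, (text) =>
    Array.from(encoder.encode(text), (b) => '\\' + b.toString(16).padStart(2, '0')).join(''));
}

// RFC 4514 hex pairs for bytes >= 0x80 -> raw UTF-8 characters.
function hexEscapesToUtf8(dn) {
  // fatal: true makes a truncated or invalid byte sequence throw instead of
  // silently becoming U+FFFD.
  const decoder = new TextDecoder('utf-8', { fatal: true });
  // The first alternative consumes an escaped backslash ("\\") so the text
  // after it is never mistaken for the start of a hex pair.
  return dn.replace(/\\\\|(?:\\[89a-f][0-9a-f])+/gi, (run) => {
    if (run === '\\\\') return run;
    const bytes = Uint8Array.from(run.match(/[0-9a-f]{2}/gi), (h) => parseInt(h, 16));
    return decoder.decode(bytes);
  });
}

// True when two DN strings differ only in how non-ASCII bytes are written.
// This is not a full DN comparison (no case folding or whitespace rules).
function sameModuloHexEscapes(a, b) {
  return hexEscapesToUtf8(a) === hexEscapesToUtf8(b);
}

// Values taken from the thread above.
const rawDN = 'cn=проба,ou=пера,dc=example,dc=com';
const escapedDN = String.raw`cn=\d0\bf\d1\80\d0\be\d0\b1\d0\b0,ou=\d0\bf\d0\b5\d1\80\d0\b0,dc=example,dc=com`;

console.log(utf8ToHexEscapes(rawDN) === escapedDN);
console.log(hexEscapesToUtf8(escapedDN) === rawDN);
console.log(sameModuloHexEscapes(rawDN, escapedDN));
```

Code that compares DNs as strings, for example in an allow-list or group-membership check, should bring both sides to one of these forms first, since a directory may return either.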
What version of
$ npm ls --depth=2|grep ldap
@...
└─┬ [email protected]
├─┬ @types/[email protected]
└─┬ [email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
├── @ldapjs/[email protected]
This is the same error I have been seeing for quite some time. We have not moved to 3.x because of it. It does not reproduce with the openLDAP container. But it does with 2 production MSAD servers. I am trying to get some logs from the servers. I have a theory, but I need logs to be able to support it.
Here is what I am seeing. I cannot reproduce this with the openldap server. But let me see if I can explain what I am seeing to see if it helps. I really want to see if I can provide some assistance. I have 2 production MS AD Servers. Using ldapsearch, both servers behave the same when searching for a DN. The second gives Object Not Found. However, both of those commands work fine with the OpenLDAP server used for the unit tests. I have that running in a docker container and have the same user configured. I can search either with the escaped version and without the escaped version. One interesting thing is the logs for the container seem to show non-escaped for both but I am skeptical of the log formatting.
I did some tests on the DN itself. This code will dump the parsed DN, then go through the DN popping the RDNs and dumping them using toString.
The output looks like:
However, if I add the
When I look at the search code, the baseDN that is passed in is converted to a DN if a string is passed in (via the parseDN method) or just set if it is a DN object already. My theory is that when the search is formatted to be sent to the server, a call is made on the DN using toString. And that results in the escaped value being sent to the server. That is fine for the test OpenLDAP server (as far as my testing goes) but that fails for both of my production MS AD servers as they do not like the escaped value. There is no I wish I could generate a test that fails, but I cannot using the container.
Thank you for the detailed diagnosis. It is appreciated. I am convinced this is the same problem under discussion in ldapjs/filter#9 (comment). I need to find some time to re-learn a lot of this stuff and determine how to properly solve it. Basically, we need to replace
Actual result
Expected result
In wild life
At least Microsoft AD supports (and returns) utf8 DNs.